OASIS Cyber Threat Intelligence (CTI) TC


CTI-Outreach Sub-Committee Nominations/Discussion

  • 1.  CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-18-2015 20:42
    CTI-TC:

    During the Thursday, June 18 call there was a suggestion that we form a Sub-Committee for outreach, specifically to the international community. Later, after the call another suggestion was made for a Sub-Committee specifically for ISAO-Outreach.

    Here is a thread we can use for nominations and discussions on this topic.

    Jane Ginn
    CTIN


  • 2.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-18-2015 20:58
    Along these lines, Jane, attached is an updated presentation at next week's dual international events at ETSI Headquarters in France - the annual global security workshop and the 4th meeting to its Cyber Security Technical Committee. There are presently about 150 people attending from around the world, and it brings together a very wide swath of telecom, IT, and infrastructure protection communities. It is also a major home for the global mobile community and NFV development. It'll be a good test for outreach!

    --tony

    On 2015-06-18 4:41 PM, jg@ctin.us wrote:

    > CTI-TC:
    >
    > During the Thursday, June 18 call there was a suggestion that we form a Sub-Committee for outreach, specifically to the international community. Later, after the call another suggestion was made for a Sub-Committee specifically for ISAO-Outreach.
    >
    > Here is a thread we can use for nominations and discussions on this topic.
    >
    > Jane Ginn
    > CTIN

    Yaana Technologies LLC
    542 Gibraltar Drive
    Milpitas CA 95035 USA

    Attachment: CYBER(15)004016r1_TR103331_Structured_threat_sharing_Briefing.pptx
    Description: application/vnd.openxmlformats-officedocument.presentationml.presentation


  • 3.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-19-2015 03:11
    I'm very much interested in participating in the Sub-Committee for outreach. Suggest consideration of a broader strategic assessment of all major impediments to adoption/blocking issues especially where outreach efforts may provide effective mitigation for non-technical issues. Conversely a consideration of key partnership opportunities to accelerate adoption (i.e., opportunities for deployment of representative operational reference implementations). Not envisioning more than a high level inventory of the immediate challenges/opportunities and then a very general road map of key objectives and priorities for outreach as a sustained multi-faceted component of strategy.

    In any case, volunteering to participate in the efforts to form and sustain the sub-committee.

    Patrick Maroney
    President
    Integrated Networking Technologies, Inc.
    P.O. Box 569
    Marlton, NJ 08053
    Office: (856)983-0001
    Cell: (609)841-5104
    Email: pmaroney@specere.org

    From: <cti@lists.oasis-open.org> on behalf of Tony Rutkowski <tony@yaanatech.com>
    Organization: Yaana Technologies
    Reply-To: "tony@yaanatech.com" <tony@yaanatech.com>
    Date: Thursday, June 18, 2015 at 4:57 PM
    To: "jg@ctin.us" <jg@ctin.us>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    > Along these lines, Jane, attached is an updated presentation at next week's dual international events at ETSI Headquarters in France - the annual global security workshop and the 4th meeting to its Cyber Security Technical Committee. There are presently about 150 people attending from around the world, and it brings together a very wide swath of telecom, IT, and infrastructure protection communities. It is also a major home for the global mobile community and NFV development. It'll be a good test for outreach!
    >
    > --tony


  • 4.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-19-2015 03:19
    You would do really amazing work in this group. You always have such great ideas.

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.

    On Jun 18, 2015, at 21:10, Patrick Maroney <Pmaroney@Specere.org> wrote:

    > I'm very much interested in participating in the Sub-Committee for outreach. Suggest consideration of a broader strategic assessment of all major impediments to adoption/blocking issues especially where outreach efforts may provide effective mitigation for non-technical issues. Conversely a consideration of key partnership opportunities to accelerate adoption (i.e., opportunities for deployment of representative operational reference implementations). Not envisioning more than a high level inventory of the immediate challenges/opportunities and then a very general road map of key objectives and priorities for outreach as a sustained multi-faceted component of strategy.
    >
    > In any case, volunteering to participate in the efforts to form and sustain the sub-committee.

    Attachment: signature.asc
    Description: Message signed with OpenPGP using GPGMail


  • 5.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-19-2015 03:20
    CTI-TC:

    Keeping the substantive input from Tony in mind, plus all of the significant on-going inputs from Patrick Maroney, I'd like to nominate the two of them as Co-Chairs of this yet-to-be-defined Sub-Committee... I think with the global engagement of both of these individuals we will be able to reach out to the broader international community and gain significant adoption and legitimacy as we move for more widespread adoption.

    Jane Ginn
    CTIN

    Quoting Tony Rutkowski <tony@yaanatech.com>:

    > Along these lines, Jane, attached is an updated presentation at next week's dual international events at ETSI Headquarters in France - the annual global security workshop and the 4th meeting to its Cyber Security Technical Committee. There are presently about 150 people attending from around the world, and it brings together a very wide swath of telecom, IT, and infrastructure protection communities. It is also a major home for the global mobile community and NFV development. It'll be a good test for outreach!
    >
    > --tony


  • 6.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-19-2015 09:52
    I would be comfortable committing either time and resource as a member or a chair/co-chair for this committee:

    - Large network and reach in Europe, which is our main focus and needs a lot of work for STIX/TAXII
    - Passionate about compatibility and the community we need to create around it (certifications, tooling, summer of code, etc.)
    - Have been, and will be, evangelizing STIX/TAXII across the intel supply and tech vendor space

    J-

    On 6/18/15, 10:41 PM, "jg@ctin.us" <jg@ctin.us> wrote:

    > CTI-TC:
    >
    > During the Thursday, June 18 call there was a suggestion that we form a Sub-Committee for outreach, specifically to the international community. Later, after the call another suggestion was made for a Sub-Committee specifically for ISAO-Outreach.
    >
    > Here is a thread we can use for nominations and discussions on this topic.
    >
    > Jane Ginn
    > CTIN
    >
    > ---------------------------------------------------------------------
    > To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:
    > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


  • 7.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-19-2015 11:46
    I would officially like to nominate the creation of the Outreach Sub-committee, for discussion at the next CTI TC meeting. I think having a group dedicated to evangelizing STIX/TAXII and CybOX and finding how we can best integrate with other work being performed by other groups around the world would be substantially beneficial.

    I would like to second Patrick as co-chair for the community outreach sub-committee if one is formed. He always has such a broad vision, identifying ways that STIX / TAXII and CybOX could integrate cohesively with others' efforts. I think he is a great candidate.

    I would also like to nominate Joep Gommers as co-chair for this sub-committee (if it eventually exists). Joep and his team have provided the community with free libraries to encourage the creation of tools. He has taken every opportunity to help increase awareness of STIX/TAXII/CybOX within the security community within Europe, and his selection would help give the committee some international flavour.

    Cheers

    Terry MacDonald
    STIX, TAXII, CybOX Consultant
    M: +61-407-203-026
    E: terry.macdonald@threatloop.com
    W: www.threatloop.com

    Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.

    On 19 June 2015 at 19:51, Joep Gommers <joep@intelworks.com> wrote:

    > I would be comfortable committing either time and resource as a member or a chair/co-chair for this committee:
    >
    > - Large network and reach in Europe, which is our main focus and needs a lot of work for STIX/TAXII
    > - Passionate about compatibility and the community we need to create around it (certifications, tooling, summer of code, etc.)
    > - Have been, and will be, evangelizing STIX/TAXII across the intel supply and tech vendor space
    >
    > J-


  • 8.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-19-2015 13:16
    This is an arena that has stovepipes everywhere. People's understanding of "international" tends to be a product of their experiences - that tend to be compartmentalized by their associated institutions and career. I strongly suggest this activity be characterized as a group that develops a continuing understanding of the ecosystem and the value proposition of TC CTI specifications. A starter diagram is attached. The approach has worked well for NFV and CYBER.

    Either this group or another ad hoc one also needs to attend to the large elephant in the room - ISAO formation and discovery - or you'll find those "international" folks reticent on the uptake.

    --tony

    Attachment: ecosystem_diagram_0.5.pptx
    Description: application/vnd.openxmlformats-officedocument.presentationml.presentation



  • 9.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-19-2015 14:13
    Terry, I really like that idea. And that gives us another international person. Joep also has a lot of contacts in key areas in Europe that would be really good for this sort of thing. So +1 there.

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.

    On Jun 19, 2015, at 05:45, Terry MacDonald <terry.macdonald@threatloop.com> wrote:

    > I would officially like to nominate the creation of the Outreach Sub-committee, for discussion at the next CTI TC meeting. I think having a group dedicated to evangelizing STIX/TAXII and CybOX and finding how we can best integrate with other work being performed by other groups around the world would be substantially beneficial.
    >
    > I would like to second Patrick as co-chair for the community outreach sub-committee if one is formed. He always has such a broad vision, identifying ways that STIX / TAXII and CybOX could integrate cohesively with others' efforts. I think he is a great candidate.
    >
    > I would also like to nominate Joep Gommers as co-chair for this sub-committee (if it eventually exists). Joep and his team have provided the community with free libraries to encourage the creation of tools. He has taken every opportunity to help increase awareness of STIX/TAXII/CybOX within the security community within Europe, and his selection would help give the committee some international flavour.
    >
    > Cheers
    >
    > Terry MacDonald

    Attachment: signature.asc
    Description: Message signed with OpenPGP using GPGMail


  • 10.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-19-2015 16:11
    I graciously accept the nomination on proviso that everyone is patient until such time as I can safely remove my OASIS "training wheels". I'm not confident that I am sufficiently competent in OASIS processes and procedures, but have a number of highly qualified Mentors to guide me. Please feel free to do so as well when/if I stumble.

    Patrick Maroney
    Office: (856)983-0001
    Cell: (609)841-5104
    pmaroney@specere.org

    From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@threatloop.com>
    Sent: Friday, June 19, 2015 7:45:53 AM
    To: Joep Gommers
    Cc: jg@ctin.us; cti@lists.oasis-open.org
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    > I would officially like to nominate the creation of the Outreach Sub-committee, for discussion at the next CTI TC meeting. I think having a group dedicated to evangelizing STIX/TAXII and CybOX and finding how we can best integrate with other work being performed by other groups around the world would be substantially beneficial.
    >
    > I would like to second Patrick as co-chair for the community outreach sub-committee if one is formed. He always has such a broad vision, identifying ways that STIX / TAXII and CybOX could integrate cohesively with others' efforts. I think he is a great candidate.
    >
    > I would also like to nominate Joep Gommers as co-chair for this sub-committee (if it eventually exists). Joep and his team have provided the community with free libraries to encourage the creation of tools. He has taken every opportunity to help increase awareness of STIX/TAXII/CybOX within the security community within Europe, and his selection would help give the committee some international flavour.
    >
    > Cheers
    >
    > Terry MacDonald


  • 11.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-19-2015 16:16
    You and Joep will be great on this effort.

    Bret

    Sent from my Commodore 64

    On Jun 19, 2015, at 10:11 AM, Patrick Maroney <Pmaroney@Specere.org> wrote:

    > I graciously accept the nomination on proviso that everyone is patient until such time as I can safely remove my OASIS "training wheels". I'm not confident that I am sufficiently competent in OASIS processes and procedures, but have a number of highly qualified Mentors to guide me. Please feel free to do so as well when/if I stumble.
    >
    > Patrick Maroney


  • 12.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-19-2015 16:45
    Would love to team up @Patrick!

    Sent from my iPhone

    On 19 Jun 2015, at 18:16, Jordan, Bret <bret.jordan@bluecoat.com> wrote:

    > You and Joep will be great on this effort.
    >
    > Bret


  • 13.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-22-2015 15:41
    I think it’s great to have Joep and Patrick lead this effort. I would be glad to help, but NOT in a leadership role.

    On Jun 19, 2015, at 12:45 PM, Joep Gommers <joep@INTELWORKS.COM> wrote:

    > Would love to team up @Patrick!

    Attachment: smime.p7s
    Description: S/MIME cryptographic signature


  • 14.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-22-2015 17:44
    Not looking to put Joep or myself out of a job, but want to nominate Tony Rutkowski as a good candidate to co-chair the yet to be named Outreach & Engagement SC.

    Patrick Maroney
    Office: (856)983-0001
    Cell: (609)841-5104
    pmaroney@specere.org


  • 15.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-22-2015 18:27
    I’m confident any number of people would have their hands full ;-) +1 on Tony.

    J-


  • 16.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-22-2015 18:29
    We just need to make sure that for the outreach and the STIX subcommittees we get international representation. So getting Joep Gommers on the outreach subcommittee and getting Terry MacDonald on the STIX subcommittee is vitally important.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.


  • 17.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-22-2015 20:08
    Hi Rich,

    There is a great symmetry occurring here on a global scale. The first day of the annual cybersecurity workshop was held this afternoon here in Sophia Antipolis in France's approximation of Silicon Valley in the hills of Valbonne, France. There are people here from around the world, but this afternoon was somewhat Euro centric with key officials describing what was essential to regional and national cybersecurity. Perhaps not by coincidence, cyber threat intelligence sharing was at the top of their lists - along with security assurance.

    The four people who were engaged at this session were:

    o Florent Frederix who heads the key Network Information Security (NIS) initiative of the European Commission and has some responsibilities at the Directorate level similar to Rich Struse's as the execution arm of the EU cybersecurity strategy - the analog of the White House's framework initiatives.
    o Chris Ensor who heads up cybersecurity work in the UK's CESG organization - also similar to Rich's responsibilities.
    o Marc Henauer of Switzerland's MELANI organization that is similar the principal Swiss threat intelligence sharing body.
    o Edri an Belmonte, who plays the lead role in this area in ENISA

    All of the presentations except Chris Ensor's are available at: http://docbox.etsi.org/Workshop/2015/201506_SECURITYWEEK/SECURITYWS/S01_SETTINGTHESCENE/

    In the discussion session following the presentations, speaking as the ETSI TC CYBER threat intelligence sharing rapporteur, I had the opportunity to explain the creation of the new TC CTI committee and how the platforms being pursued in CTI were proven best-of-breed models and structured information sharing specifications that provided an ideal match to each of their objectives. It was quite amazing how each of the parties - even in Europe - was rather independently pursuing similar objectives. We also discussed how the work of TC CYBER was to survey the global cybersecurity ecosystem and make use of the most successful existing standards and not pursue duplicative work.

    Everyone seemed in agreement, and going forward, there seems like an excellent basis for convergence with the CTI work now getting underway. There will be further discussion at the workshop over the next two days as well as definitive actions at the TC CYBER meeting on Thursday and Friday. It was a good beginning that was continued usefully over local Provence wine and hors d'oeuvres this evening (and setting a useful precedent for future TC CTI physical gatherings).

    --tony


  • 18.  RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-23-2015 22:38
    +1 Also agree with comment in an earlier thread that this SC ought to have engagement as a core focus rather than outreach - and that ought to be reflected in the name of any proposed SC. Regards, Peter


  • 19.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-24-2015 14:18
    All,

    I agree with need this SC and am happy to help. I have been doing a lot this as part of my role as DTCC's CISO in addition to my Soltra role. I have been presenting/meeting in the US, Europe and Asia. I spend a lot of time with legislators, policy makers, and global financial regulators on information sharing and why automation is a key part of capability needs. By the same token most of the challenges in the global context are not purely technical but national and regulatory impediments. Not to say the technical things we are doing in CTI committee in Oasis isn't also critical as it certainly is, but that if we only address the technical side of this problem we won't achieve the risk mitigation benefits we all desire.

    So at some level what do we think "engagement" means vs. "outreach"?

    -Mark

    Mark Clancy
    Chief Executive Officer
    SOLTRA An FS-ISAC and DTCC Company
    +1.813.470.2400 office
    +1.610.659.6671 US mobile
    +44 7823 626 535 UK mobile
    mclancy@soltra.com soltra.com
    One organization's incident becomes everyone's defense.


  • 20.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-24-2015 14:29
    I would agree with the position that Engagement subsumes Outreach.

    One open question is where Interoperability (as a tangible deliverable) fits into our strategy.

    Patrick Maroney
    Office: (856)983-0001
    Cell: (609)841-5104
    pmaroney@specere.org


  • 21.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-24-2015 15:08
    Hi Patrick,

    Great point. I think part would be an effort of mapping the landscape on the one side, ensuring the tooling required to enable people to be compatible (in addition to the standards and corresponding libraries) and part certification to solidify and ensure compliancy. Especially the latter option combined with hall of fame/shame (in a nice way :)) could drive some tangible KPIs.. ?

    Best regards,
    Joep

    Attachment(s)

    docx
    CTI Standards Adoption.docx   113 KB 1 version


  • 22.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-24-2015 17:12

    Joep,
    I think I will push back a bit here, especially on your 'certification' and 'compliance' aspects.

    <rant>

    We need to be "voluntarily" adopting this 'standard'.

    While I can see Tony's comments about talking with EC bodies, the real adoption and use for CTI is in two communities, which by their nature are international.

    They are the CSIRT Community, specifically National CSIRTs but also Critical Infrastructure CSIRTs and Enterprise CSIRTs (I will not delve into the Big, Medium, Small discussion).   There is a whole lot going on in CSIRT Services Framework and Education Development where this can be included and is updating materials from CERT/CC-SEI that are now 20 years old.

    Then there is the 'vendor' community, which has not been really engaged here. I know some will say they are part of that community, but then also tout how they are international. So we need the large IT Vendors and we need the broad IT Security Vendors as part of this process. That would be for all FOUR Sub-Committees. Much of the indicators and expressions will need their input and adoption to actually gain traction for many and to enable the CSIRT Community (yes, the vendors are part of that community as well). Just to be clear, I am talking about Intel/McAfee, Symantec, Microsoft, IBM, Cisco/SourceFire, FireEye/Mandiant, and a slew of others.

    Pushing mandatory compliance and certification does not work globally (think Common Criteria / NIAP, I could go on on that alone) and in security venues globally it is a check box with little use.    Now I know that vendors are looking to be part of this, but the sentiment here in the discussions does not reflect that.    I say that from a vendor and incident response community perspective.

    So let's focus on how we get their perspectives to be included, as I know as vendors, we see that STIX/TAXII in their current incarnation do NOT work very well and that exchanging threat data today is severely challenged. The goal for CTI is to make that easier and simple for users and that means we as designers need to have the implementers involved and participating, not corralled and shamed. If you take CVRF as an example, you can see that vendors do want a system and are willing to put it into operations and such, but the customer and the vendor need to have value out of it, not just another checkbox.

    </rant>

    Sincerely,
    Pete

    Peter Allor  
    Senior Security Strategist, Project Manager, Disclosures
    Product Management and Strategy
    IBM Security
    6303 Barfield Rd NE
    Atlanta, GA 30328-4233
    Mobile: +1-404-643-9638    
    Fax:       +1-845-491-4204  
    pallor@us.ibm.com



  • 23.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-25-2015 06:18
    #1 Just a note regarding the vendors perspective, why "STIX/TAXII in their current incarnation do NOT work very well"? Why all big vendors are still not here? (do they think they have better patented proprietary solutions than CTI? do they have no interest of collaborating on interoperability? do they just wait we do the specification job for them before to jump in?). Vendor perspective feedback welcome here.

    #2 Regarding the user perspective (and implicitly the vendor one), we would have to clearly demonstrate why CTI is important and what would be the benefits for an organisation to invest into it. How does it operationally help a CSIRT/SOC to be more effective; save time and money, or do more, faster.

    A few months ago, I commented about the STIX Course of Action specification. From a strategic perspective, I think it could be useful, in the future (2.0 ?...), to take some time trying to develop the business element. Without too much detail for now, because the -Cost- element is specified; a little extension (money/time/quality in mind), e.g.: The 'Time' property characterizes the estimated time for applying a Course of Action to achieve its targeted objective, ... e.g.: it would take X days/hours for digital forensics of 1 workstation with Chain of Custody

    The idea would be helping adoption and obtaining budget for CTI-related activities, services or technologies... by showing the business value.

    And this kind of points of extensions (that would have first to remain optional to avoid complexity) or support of other 'standards' like TLP, CVRF, etc. AND documentation/guidance referring to standards/frameworks/policies/compliance (mapping to CSF, SP 800-53 Families, ISO 27k, Incident Response, Business Continuity, etc. - in short, how to map bottom-up with top-down approaches (Ref. conceptual models & co.
topic)) and how CTI fits in would help, imho, if not answering to #2, at least to create interest, and demonstrate the need, from the user/vendor perspective. 2015-06-24 20:11 GMT+03:00 Peter Allor < pallor@us.ibm.com > : Joep, I think I will push back a bit here, especially on your 'certification' and 'compliance' aspects. <rant> We need to be "voluntarily" adopting this 'standard'. While I can see Tony's comments about talking with EC bodies, the real adoption and use for CTI is in two communities, which by their nature are international. They are the CSIRT Community, specifically National CSIRTs but also Critical Infrastructure CSIRTs and Enterprise CSIRTs (I will not delve into the Big, Medium, Small discussion).   There is a whole lot going on in CSIRT Services Framework and Education Development where this can be included and is updating materials from CERT/CC-SEI that are now 20 years old. Then there is the 'vendor' community, which has not been really engaged here.   I know some will say they are part of that community, but then also tout how they are international.   So we need the large IT Vendors and we need the broad IT Security Vendors as part of this process.   That would be for all FOUR Sub-Committee's.    Much of the indicators and expressions will need their input and adoption to actually gain traction for many and to enable the CSIRT Community (yes, the vendors are part of that community as well).     Just to be clear, I am talking about Intel/McAfee, Symantec, Microsoft, IBM, Cisco/SourceFire, FireEye/Mandiant, and a slew of others. Pushing mandatory compliance and certification does not work globally (think Common Criteria / NIAP, I could go on on that alone) and in security venues globally it is a check box with little use.    Now I know that vendors are looking to be part of this, but the sentiment here in the discussions does not reflect that.    I say that from a vendor and incident response community perspective. 
So lets focus on how we get their perspectives to be included, as I know as vendors, we see that STIX/TAXII in their current incarnation do NOT work very well and that exchanging threat data today is severely challenged.   The goal for CTI is to make that easier and simple for users and that means we as designers need to have the implementers involved and participating, not corralled and shamed.   If you take CVRF as an example, you can see that vendors do want a system and are willing to put it into operations and such, but the customer and the vendor need to have value out of it, not just another checkbox. </rant> Sincerely, Pete Peter Allor   Senior Security Strategist, Project Manager, Disclosures Product Management and Strategy IBM Security 6303 Barfield Rd NE Atlanta, GA 30328-4233 Mobile: +1-404-643-9638     Fax:       +1-845-491-4204   pallor@us.ibm.com Joep Gommers ---06/24/2015 11:15:54 AM---Hi Patrick, Great point. I think part would be an effort of mapping the landscape on From: Joep Gommers < joep@intelworks.com > To: Patrick Maroney <Pmaroney@Specere.org>, Mark Clancy < mclancy@soltra.com >, Peter F Brown < peter@peterfbrown.com >, " tony@yaanatech.com " < tony@yaanatech.com >, Rich Struse < richard.struse@dhs.gov > Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Date: 06/24/2015 11:15 AM Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion Sent by: < cti@lists.oasis-open.org > Hi Patrick, Great point. I think part would be an effort of mapping the landscape on the one side, ensuring the tooling required to enable people to be compatible (in addition to the standards and corresponding libraries) and part certification to solidify and ensure compliancy. Especially the latter option combined with hall of fame/shame (in a nice way :)) could drive some tangible KPIs.. ? Best regards, Joep On 6/24/15, 4:29 PM, "Patrick Maroney" <Pmaroney@Specere.org> wrote: >I would agree with the position that Engagement subsumes Outreach. 
> >One open question is where Interoperability (as a tangible deliverable) >fits into our stratgegy. > >Patrick Maroney >Office: (856)983-0001 >Cell: (609)841-5104 > pmaroney@specere.org >________________________________________ >From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of >Mark Clancy < mclancy@soltra.com > >Sent: Wednesday, June 24, 2015 10:17:23 AM >To: Peter F Brown; tony@yaanatech.com ; Rich Struse >Cc: cti@lists.oasis-open.org >Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion > >All, >I agree with need this SC and am happy to help. I have been doing a lot >this as part of my role as  DTCC's CISO in addition to my Soltra role.  I >have been presenting/meeting in the US, Europe and Asia. I spend a lot of >time with legislators, policy makers, and global financial regulators on >information sharing and why automation is a key part of capablity needs. >By the same token most of the challenges in the global context are not >purely technical but national and regualtory impediments.  Not to say the >technical things we are doing in CTI commitee in Oasis isn't also >critical as it certianly is, but that if we only address the technical >side of this problem we won't achieve the risk mitigation benefits we all >desire. > >So at some level what do we think "engagement" means vs. "outreach"? > >-Mark > > >Mark Clancy >Chief Executive Officer >SOLTRA An FS-ISAC and DTCC Company > +1.813.470.2400 office +1.610.659.6671 US mobile ?   +44 7823 626 535 >UK mobile > mclancy@soltra.com soltra.com > >One organization's incident becomes everyone's defense. > >? 
> >________________________________________ >From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of >Peter F Brown < peter@peterfbrown.com > >Sent: Tuesday, June 23, 2015 6:37 PM >To: tony@yaanatech.com ; Rich Struse >Cc: cti@lists.oasis-open.org >Subject: RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion > >+1 >Also agree with comment in an earlier thread that this SC ought to have >engagement as a core focus rather than outreach - and that ought to be >reflected in the name of any proposed SC. >Regards, >Peter > > >


  • 24.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-25-2015 13:21



    A quick comment re: "STIX/TAXII in their current incarnation do NOT work very well":

    STIX/TAXII in their current incarnation work *** extremely well*** for many of us in many use cases.  That does not mean we do not have challenges, but Open Community tools based on these standards are working today!

    Patrick Maroney
    Office: (856)983-0001
    Cell: (609)841-5104
    pmaroney@specere.org



  • 25.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-25-2015 17:20




    > #1 Just a note regarding the vendors perspective, why " STIX/TAXII in their current incarnation do NOT work very well"?



    Can STIX be improved upon? Heck yeah. Should it be improved? Of course, when can we start!?!?!?

    Does STIX in its current form not work? I tend to disagree. I speak to people who use STIX every day. Also, almost every major ISAC is using STIX/TAXII, or planning to use STIX/TAXII, in some fashion to share intelligence. Over 600 TAXII clients pull from http://hailataxii.com every day, over 1,700 unique TAXII clients each month, with an average of about 180,000 TAXII requests every day. I fully support us doing as much of a revamp in STIX 2.0 as needed, but let's not play the success of all the work we have put into STIX/TAXII too short. I don't want us to confuse the new people coming into the group who may not understand STIX's history.








    Aharon Chernin
    CTO

    SOLTRA
    An FS-ISAC & DTCC Company
    18301 Bermuda green Dr
    Tampa, fl 33647

    813.470.2173 achernin@soltra.com
    www.soltra.com









  • 26.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-25-2015 18:01
    I agree and I think STIX and TAXII work really well in certain conditions and even in some broad conditions. I do not want people to get confused by statements that are made when we say it has issues or use even harsher terms like it is broken (super passionate technical people often misuse words that can cause fear and paranoia to those not in the mud head deep).

    Keep in mind that the things we are often talking about / complaining about are not that the sky is falling or the sun is going to blow up, or zombies have taken over the earth. Often they are about how do we make things easier, faster, and more efficient especially across eco-system boundaries. The question we should be asking is how do we take STIX and TAXII and apple-ize it to make it super intuitive and super easy to use by everyone.

    We need to remember that complexity is easy to build, simplicity is what is hard.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.

    On Jun 25, 2015, at 11:19, Aharon Chernin <achernin@soltra.com> wrote:

    > #1 Just a note regarding the vendors perspective, why "STIX/TAXII in their current incarnation do NOT work very well"?

    Can STIX be improved upon? Heck yeah. Should it be improved? Of course, when can we start!?!?!?

    Does STIX in it's current form not work? I tend to disagree. I speak to people who use STIX everyday. Also, almost every major ISAC is using STIX/TAXII, or planning to use STIX/TAXII, in some fashion to share intelligence. Over 600 TAXII clients pull from http://hailataxii.com everyday, over 1,700 unique TAXII clients each month, with an average of about 180,000 TAXII requests everyday.
> >Patrick Maroney >Office:   (856)983-0001 >Cell:   (609)841-5104 > pmaroney@specere.org >________________________________________ >From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org > on behalf of >Mark Clancy < mclancy@soltra.com > >Sent: Wednesday, June 24, 2015 10:17:23 AM >To: Peter F Brown;   tony@yaanatech.com ; Rich Struse >Cc:   cti@lists.oasis-open.org >Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion > >All, >I agree with need this SC and am happy to help. I have been doing a lot >this as part of my role as  DTCC's CISO in addition to my Soltra role.  I >have been presenting/meeting in the US, Europe and Asia. I spend a lot of >time with legislators, policy makers, and global financial regulators on >information sharing and why automation is a key part of capablity needs. >By the same token most of the challenges in the global context are not >purely technical but national and regualtory impediments.  Not to say the >technical things we are doing in CTI commitee in Oasis isn't also >critical as it certianly is, but that if we only address the technical >side of this problem we won't achieve the risk mitigation benefits we all >desire. > >So at some level what do we think engagement means vs. outreach ? > >-Mark > > >Mark Clancy >Chief Executive Officer >SOLTRA An FS-ISAC and DTCC Company > +1.813.470.2400   office   +1.610.659.6671   US mobile ?   +44 7823 626 535 >UK mobile > mclancy@soltra.com     soltra.com > >One organization's incident becomes everyone's defense. > >? 
> >________________________________________ >From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org > on behalf of >Peter F Brown < peter@peterfbrown.com > >Sent: Tuesday, June 23, 2015 6:37 PM >To:   tony@yaanatech.com ; Rich Struse >Cc:   cti@lists.oasis-open.org >Subject: RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion > >+1 >Also agree with comment in an earlier thread that this SC ought to have >engagement as a core focus rather than outreach - and that ought to be >reflected in the name of any proposed SC. >Regards, >Peter > > >


  • 27.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-25-2015 18:43





    +1 Guys! Nuance is definitely needed when talking to a broad audience!



    Grtz,
    Raymon van der Velde






    Intelworks +31 (0)6 5235 4099   www.intelworks.com
    "Intelligence powered defence"







    From: < cti@lists.oasis-open.org > on behalf of "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Thursday 25 June 2015 20:00
    To: Aharon Chernin < achernin@soltra.com >
    Cc: Patrick Maroney < Pmaroney@Specere.org >, Jerome Athias < athiasjerome@gmail.com >, Peter Allor < pallor@us.ibm.com >,
    " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion





    I agree and I think STIX and TAXII work really well in certain conditions and even in some broad conditions.  I do not want people to get confused by statements that are made when we say it has issues or use even harsher terms like it is broken (super passionate
    technical people often misuse words that can cause fear and paranoia to those not in the mud head deep).  


    Keep in mind that the things we are often talking about / complaining about are not that the sky is falling or the sun is going to blow up, or zombies have taken over the earth.  Often they are about how do we make things easier, faster, and more
    efficient especially across eco-system boundaries.  The question we should be asking is how do we take STIX and TAXII and "apple-ize" it to make it super intuitive and super easy to use by everyone.  


    We need to remember that complexity is easy to build, simplicity is what is hard.  









    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 










    On Jun 25, 2015, at 11:19, Aharon Chernin < achernin@soltra.com > wrote:



    > #1 Just a note regarding the vendors perspective, why " STIX/TAXII in their current incarnation do NOT work very well"?


    Can STIX be improved upon? Heck yeah. Should it be improved? Of course, when can we start!?!?!?


    Does STIX in its current form not work? I tend to disagree. I speak to people who use STIX every day. Also, almost every major ISAC is using STIX/TAXII, or planning to use STIX/TAXII, in some fashion
    to share intelligence. Over 600 TAXII clients pull from   http://hailataxii.com   every day,
    over 1,700 unique TAXII clients each month, with an average of about 180,000 TAXII requests every day. I fully support us doing as much of a revamp in STIX 2.0 as needed, but let's not play the success of all the work we have put into STIX/TAXII too short.
    I don't want us to confuse the new people coming into the group who may not understand STIX's history. 








    Aharon Chernin
    CTO

    SOLTRA  
    An FS-ISAC & DTCC Company
    18301 Bermuda green Dr
    Tampa, fl 33647

    813.470.2173   achernin@soltra.com
    www.soltra.com







    From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >
    on behalf of Patrick Maroney < Pmaroney@Specere.org >
    Sent:   Thursday, June 25, 2015 9:20 AM
    To:   Jerome Athias; Peter Allor
    Cc:   cti@lists.oasis-open.org
    Subject:   Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
     

    A quick comment re: "STIX/TAXII in their current incarnation do NOT work very well":

    STIX/TAXII in their current incarnation work *** extremely well*** for many of us in many use cases.  That does not mean we do not have challenges, but Open Community tools based on these standards are working today!

    Patrick Maroney
    Office: (856)983-0001
    Cell: (609)841-5104
    pmaroney@specere.org  

    From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >
    on behalf of Jerome Athias < athiasjerome@gmail.com >
    Sent:   Thursday, June 25, 2015 2:17:45 AM
    To:   Peter Allor
    Cc:   cti@lists.oasis-open.org
    Subject:   Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
     


    #1 Just a note regarding the vendors perspective, why " STIX/TAXII in their current incarnation do NOT work very well"?
    Why all big vendors are still not here? (do they think they have better patented proprietary solutions than CTI? do they have no interest of collaborating on interoperability? do they just wait we do the specification
    job for them before to jump in?). Vendor perspective feedback welcome here.



    #2 Regarding the user perspective (and implicitly the vendor one), we would have to clearly demonstrate why CTI is important and what would be the benefits for an organisation to invest into it.
    How does it operationally help a CSIRT/SOC to be more effective; save time and money, or do more, faster.



    Few months ago, I commented about the STIX Course of Action specification.
    From a strategic perspective, I think it could be useful, in the  future (2.0 ?...), to take some time trying to develop the business  element.
    Without too much details for now, because the -Cost- element is specified;  a little extension (money/time/quality in mind), e.g.:
    The 'Time' property characterizes the estimated time for applying a  Course of Action to achieve its targeted objective, ...
    e.g.: it would take X days/hours for digital forensics of 1  workstation with Chain of Custody

    The idea would be helping adoption and obtaining budget for CTI-related activities, services or technologies... by  showing the business value.




    And this kind of points of extensions (that would have first to remain optional to avoid complexity) or support of other 'standards' like TLP, CVRF, etc. AND documentation/guidance referring to
    standards/frameworks/policies/compliance (mapping to CSF, SP 800-53 Families, ISO 27k, Incident Response, Business Continuity, etc. - in short, how to map bottom-up with top-down approaches (Ref. conceptual models & co. topic)) and how CTI fits in would help,
    imho, if not answering to #2, at least to create interest, and demonstrate the need, from the user/vendor perspective.





    2015-06-24 20:11 GMT+03:00 Peter Allor   < pallor@us.ibm.com > :


    Joep,
    I think I will push back a bit here, especially on your 'certification' and 'compliance' aspects.

    <rant>

    We need to be "voluntarily" adopting this 'standard'.

    While I can see Tony's comments about talking with EC bodies, the real adoption and use for CTI is in two communities, which by their nature are international.

    They are the CSIRT Community, specifically National CSIRTs but also Critical Infrastructure CSIRTs and Enterprise CSIRTs (I will not delve into the Big, Medium, Small discussion).   There is a whole lot going on in
    CSIRT Services Framework and Education Development where this can be included and is updating materials from CERT/CC-SEI that are now 20 years old.

    Then there is the 'vendor' community, which has not been really engaged here.   I know some will say they are part of that community, but then also tout how they are international.   So we need the large IT Vendors
    and we need the broad IT Security Vendors as part of this process.   That would be for all FOUR Sub-Committees.    Much of the indicators and expressions will need their input and adoption to actually gain traction for many and to enable the CSIRT Community
    (yes, the vendors are part of that community as well).     Just to be clear, I am talking about Intel/McAfee, Symantec, Microsoft, IBM, Cisco/SourceFire, FireEye/Mandiant, and a slew of others.

    Pushing mandatory compliance and certification does not work globally (think Common Criteria / NIAP, I could go on on that alone) and in security venues globally it is a check box with little use.    Now I know that
    vendors are looking to be part of this, but the sentiment here in the discussions does not reflect that.    I say that from a vendor and incident response community perspective.

    So let's focus on how we get their perspectives to be included, as I know as vendors, we see that STIX/TAXII in their current incarnation do NOT work very well and that exchanging threat data today is severely challenged.
      The goal for CTI is to make that easier and simple for users and that means we as designers need to have the implementers involved and participating, not corralled and shamed.   If you take CVRF as an example, you can see that vendors do want a system and
    are willing to put it into operations and such, but the customer and the vendor need to have value out of it, not just another checkbox.

    </rant>

    Sincerely,
    Pete

    Peter Allor  
    Senior Security Strategist, Project Manager, Disclosures
    Product Management and Strategy
    IBM Security
    6303 Barfield Rd NE  
    Atlanta, GA 30328-4233  
    Mobile:   +1-404-643-9638      
    Fax:         +1-845-491-4204    
    pallor@us.ibm.com

    From:   Joep Gommers < joep@intelworks.com >
    To:   Patrick Maroney < Pmaroney@Specere.org >, Mark Clancy
    < mclancy@soltra.com >, Peter F Brown < peter@peterfbrown.com >, " tony@yaanatech.com "
    < tony@yaanatech.com >, Rich Struse < richard.struse@dhs.gov >
    Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Date:   06/24/2015 11:15 AM
    Subject:   Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    Sent by:   < cti@lists.oasis-open.org >






    Hi Patrick,

    Great point. I think part would be an effort of mapping the landscape on
    the one side, ensuring the tooling required to enable people to be
    compatible (in addition to the standards and corresponding libraries) and
    part certification to solidify and ensure compliancy. Especially the
    latter option combined with hall of fame/shame (in a nice way :)) could
    drive some tangible KPIs.. ?

    Best regards,
    Joep



    On 6/24/15, 4:29 PM, "Patrick Maroney" < Pmaroney@Specere.org > wrote:

    >I would agree with the position that Engagement subsumes Outreach.
    >
    >One open question is where Interoperability (as a tangible deliverable)
    >fits into our strategy.
    >
    >Patrick Maroney
    >Office:   (856)983-0001
    >Cell:   (609)841-5104
    > pmaroney@specere.org
    >________________________________________
    >From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org > on behalf of
    >Mark Clancy < mclancy@soltra.com >
    >Sent: Wednesday, June 24, 2015 10:17:23 AM
    >To: Peter F Brown;   tony@yaanatech.com ; Rich Struse
    >Cc:   cti@lists.oasis-open.org
    >Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    >
    >All,
    >I agree with need this SC and am happy to help. I have been doing a lot
    >this as part of my role as  DTCC's CISO in addition to my Soltra role.  I
    >have been presenting/meeting in the US, Europe and Asia. I spend a lot of
    >time with legislators, policy makers, and global financial regulators on
    >information sharing and why automation is a key part of capability needs.
    >By the same token most of the challenges in the global context are not
    >purely technical but national and regulatory impediments.  Not to say the
    >technical things we are doing in CTI committee in Oasis isn't also
    >critical as it certainly is, but that if we only address the technical
    >side of this problem we won't achieve the risk mitigation benefits we all
    >desire.
    >
    >So at some level what do we think "engagement" means vs. "outreach"?
    >
    >-Mark
    >
    >
    >Mark Clancy
    >Chief Executive Officer
    >SOLTRA An FS-ISAC and DTCC Company
    >+1.813.470.2400 office   +1.610.659.6671 US mobile   +44 7823 626 535
    >UK mobile
    > mclancy@soltra.com     soltra.com
    >
    >One organization's incident becomes everyone's defense.
    >
    >
    >________________________________________
    >From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org > on behalf of
    >Peter F Brown < peter@peterfbrown.com >
    >Sent: Tuesday, June 23, 2015 6:37 PM
    >To:   tony@yaanatech.com ; Rich Struse
    >Cc:   cti@lists.oasis-open.org
    >Subject: RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    >
    >+1
    >Also agree with comment in an earlier thread that this SC ought to have
    >engagement as a core focus rather than outreach - and that ought to be
    >reflected in the name of any proposed SC.
    >Regards,
    >Peter
    >
    >
    >


  • 28.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-26-2015 05:47



    Hi Peter,


    Let me put some context around my proposal for certification, which perhaps means rewording.


    First, I am completely aligned with you on the “voluntary” part and on the fact that mandatory certification would severely hinder adoption. Yet, what I think is hindering adoption more is – and perhaps this speaks to your concerns about STIX/TAXII too
    – that it is unsure for producers how their intelligence value is retained when received by other consumers. In a world where I send you a PDF, I know how you will consume the PDF. It is predictable and the value I bring as an intelligence producer is surely
    retained. Additionally, I as a producer am in full control.


    Now in STIX this isn’t necessarily the case. Since STIX is transport, it does not guarantee to any extent that the intelligence value is retained all the way to its human consumer – nor is that the intent. STIX 1.1.1 compliancy usually means, for both
    CSIRT communities and vendors (and many other communities I might add that this is relevant for), a partial implementation of parts of the standard – that are processed by a machine and/or readable by a human in different ways.


    For TAXII, a similar challenge exists where there is no easy automated way of determining for machines what the TAXII implementors support. Think: authentication, authorization, different services (depending on discovery service on/off, hooked on/off),
    polling subscription models, etc.


    For me, certification and compliancy effort would be to ensure that it is publicly known and easily measurable what implementors actually support from the standard and where value is retained and where it isn’t. For TAXII, this means simple tools that
    make transparent the pattern of functionality implemented by a CSIRT community, vendor, etc. so they can say “guys I’m level A TAXII” - which will mean I support features A, B and C. For STIX similarly, a certain level of certification might mean that a producer/consumer
    implements the indicator/observable idioms, but does not retain much of the intelligence value of threat actor or exploit target information. This is relevant for the public to know, for producers to understand and to make transparent as to drive the community
    towards the right priorities and compatibility efforts. Right now, the conversational line of “STIX/TAXII compatible” has no value and requires significant effort to uncover what REALLY is implemented and what intelligence value is REALLY retained.


    So perhaps, certification is a bad word. Thoughts?


    Best regards,
    Joep




    From: Peter Allor < pallor@us.ibm.com >
    Date: Wednesday, June 24, 2015 at 7:11 PM
    To: Joep Gommers < joep@intelworks.com >
    Cc: Rich Struse < richard.struse@dhs.gov >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion





    Joep,
    I think I will push back a bit here, especially on your 'certification' and 'compliance' aspects.

    <rant>

    We need to be "voluntarily" adopting this 'standard'.

    While I can see Tony's comments about talking with EC bodies, the real adoption and use for CTI is in two communities, which by their nature are international.

    They are the CSIRT Community, specifically National CSIRTs but also Critical Infrastructure CSIRTs and Enterprise CSIRTs (I will not delve into the Big, Medium, Small discussion).   There is a whole lot going on in CSIRT Services
    Framework and Education Development where this can be included and is updating materials from CERT/CC-SEI that are now 20 years old.

    Then there is the 'vendor' community, which has not been really engaged here.   I know some will say they are part of that community, but then also tout how they are international.   So we need the large IT Vendors and we need
    the broad IT Security Vendors as part of this process.   That would be for all FOUR Sub-Committees.    Much of the indicators and expressions will need their input and adoption to actually gain traction for many and to enable the CSIRT Community (yes, the
    vendors are part of that community as well).     Just to be clear, I am talking about Intel/McAfee, Symantec, Microsoft, IBM, Cisco/SourceFire, FireEye/Mandiant, and a slew of others.

    Pushing mandatory compliance and certification does not work globally (think Common Criteria / NIAP, I could go on on that alone) and in security venues globally it is a check box with little use.    Now I know that vendors
    are looking to be part of this, but the sentiment here in the discussions does not reflect that.    I say that from a vendor and incident response community perspective.

    So let's focus on how we get their perspectives to be included, as I know as vendors, we see that STIX/TAXII in their current incarnation do NOT work very well and that exchanging threat data today is severely challenged.   The
    goal for CTI is to make that easier and simple for users and that means we as designers need to have the implementers involved and participating, not corralled and shamed.   If you take CVRF as an example, you can see that vendors do want a system and are
    willing to put it into operations and such, but the customer and the vendor need to have value out of it, not just another checkbox.

    </rant>

    Sincerely,
    Pete

    Peter Allor  
    Senior Security Strategist, Project Manager, Disclosures
    Product Management and Strategy
    IBM Security
    6303 Barfield Rd NE
    Atlanta, GA 30328-4233
    Mobile: +1-404-643-9638    
    Fax:       +1-845-491-4204  
    pallor@us.ibm.com


    From: Joep Gommers < joep@intelworks.com >
    To: Patrick Maroney < Pmaroney@Specere.org >, Mark Clancy < mclancy@soltra.com >, Peter F
    Brown < peter@peterfbrown.com >, " tony@yaanatech.com " < tony@yaanatech.com >, Rich Struse < richard.struse@dhs.gov >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Date: 06/24/2015 11:15 AM
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    Sent by: < cti@lists.oasis-open.org >





    Hi Patrick,

    Great point. I think part would be an effort of mapping the landscape on
    the one side, ensuring the tooling required to enable people to be
    compatible (in addition to the standards and corresponding libraries) and
    part certification to solidify and ensure compliancy. Especially the
    latter option combined with hall of fame/shame (in a nice way :)) could
    drive some tangible KPIs.. ?

    Best regards,
    Joep



    On 6/24/15, 4:29 PM, "Patrick Maroney" < Pmaroney@Specere.org > wrote:

    >I would agree with the position that Engagement subsumes Outreach.
    >
    >One open question is where Interoperability (as a tangible deliverable)
    >fits into our strategy.
    >
    >Patrick Maroney
    >Office: (856)983-0001
    >Cell: (609)841-5104
    > pmaroney@specere.org
    >________________________________________
    >From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of
    >Mark Clancy < mclancy@soltra.com >
    >Sent: Wednesday, June 24, 2015 10:17:23 AM
    >To: Peter F Brown; tony@yaanatech.com ; Rich Struse
    >Cc: cti@lists.oasis-open.org
    >Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    >
    >All,
    >I agree with need this SC and am happy to help. I have been doing a lot
    >this as part of my role as  DTCC's CISO in addition to my Soltra role.  I
    >have been presenting/meeting in the US, Europe and Asia. I spend a lot of
    >time with legislators, policy makers, and global financial regulators on
    >information sharing and why automation is a key part of capability needs.
    >By the same token most of the challenges in the global context are not
    >purely technical but national and regulatory impediments.  Not to say the
    >technical things we are doing in CTI committee in Oasis isn't also
    >critical as it certainly is, but that if we only address the technical
    >side of this problem we won't achieve the risk mitigation benefits we all
    >desire.
    >
    >So at some level what do we think "engagement" means vs. "outreach"?
    >
    >-Mark
    >
    >
    >Mark Clancy
    >Chief Executive Officer
    >SOLTRA An FS-ISAC and DTCC Company
    >+1.813.470.2400 office +1.610.659.6671 US mobile  +44 7823 626 535
    >UK mobile
    > mclancy@soltra.com soltra.com
    >
    >One organization's incident becomes everyone's defense.
    >
    >
    >________________________________________
    >From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of
    >Peter F Brown < peter@peterfbrown.com >
    >Sent: Tuesday, June 23, 2015 6:37 PM
    >To: tony@yaanatech.com ; Rich Struse
    >Cc: cti@lists.oasis-open.org
    >Subject: RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    >
    >+1
    >Also agree with comment in an earlier thread that this SC ought to have
    >engagement as a core focus rather than outreach - and that ought to be
    >reflected in the name of any proposed SC.
    >Regards,
    >Peter
    >
    >
    >


  • 29.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-26-2015 06:01
    Adoption Program? e.g. https://oval.mitre.org/adoption/ 2015-06-26 8:46 GMT+03:00 Joep Gommers < joep@intelworks.com > : Hi Peter, Let me put some context around my proposal for certification, which perhaps means rewording. First, I am completely aligned with you on the “voluntary” part and on the fact that mandatory certification would severely hinder adoption. Yet, what I think it hindering adoption more is – and perhaps this speaks to your concerns about STIX/TAXII too – that it is ensure for producers how their intelligence value is retained when received by other consumers. In a world where I send you a PDF, I know how you will consume the PDF. It is predictable and the value I bring as an intelligence producer is surely retained. Additionally, I as a producer am in full control. Now in STIX this isn’t necessarily the case. Since STIX is transport, it does not guarantee to any extent that the intelligence value is retained all the way to its human consumer – not as that the intent. STIX 1.1.1 compliancy usually means, for both CSIRT communities and vendors (and many other communities I might add that this is relevant for), a partial implementation of parts of the standard – that are processed by a machine and/or readable by a human in different ways. For TAXII, a similar challenge exists where there is no easy automated way of determining for machines what the TAXII implementors supports. Think; authentication, authorization, different services (depending on discovery service on/off, hooked on/off), polling subscription models, etc. For me, certification and compliancy effort would be to ensure that it is publicly known and easily measurable what implementors actually support from the standard and where value is retained and where it isn’t. For TAXII, this means simple tools that make transparant the pattern of functionality implemented by a CSIRT community, vendor, etc. 
so they can say “guys I’m level A TAXII” - which will mean I support features A, B and C. For STIX similarly, a certain level of certification might mean that an producer/consumer implements the indicator/observable idioms, but does not retain much of the intelligence value of threat actor or exploit target information. This is relevant for the public to know, for producers to understand and to make transparant as to drive the community towards the right priorities and compatibility efforts. Right now, the conversational line of “STIX/TAXII compatible” has no value and requires significant effort to undercover what REALLY is implemented and what intelligence value is REALLY retained. So perhaps, certification is a bad word. Thoughts? Best regards, Joep From: Peter Allor < pallor@us.ibm.com > Date: Wednesday, June 24, 2015 at 7:11 PM To: Joep Gommers < joep@intelworks.com > Cc: Rich Struse < richard.struse@dhs.gov >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org > Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion Joep, I think I will push back a bit here, especially on your 'certification' and 'compliance' aspects. <rant> We need to be "voluntarily" adopting this 'standard'. While I can see Tony's comments about talking with EC bodies, the real adoption and use for CTI is in two communities, which by their nature are international. They are the CSIRT Community, specifically National CSIRTs but also Critical Infrastructure CSIRTs and Enterprise CSIRTs (I will not delve into the Big, Medium, Small discussion).   There is a whole lot going on in CSIRT Services Framework and Education Development where this can be included and is updating materials from CERT/CC-SEI that are now 20 years old. Then there is the 'vendor' community, which has not been really engaged here.   I know some will say they are part of that community, but then also tout how they are international.   
So we need the large IT Vendors and we need the broad IT Security Vendors as part of this process.   That would be for all FOUR Sub-Committee's.    Much of the indicators and expressions will need their input and adoption to actually gain traction for many and to enable the CSIRT Community (yes, the vendors are part of that community as well).     Just to be clear, I am talking about Intel/McAfee, Symantec, Microsoft, IBM, Cisco/SourceFire, FireEye/Mandiant, and a slew of others. Pushing mandatory compliance and certification does not work globally (think Common Criteria / NIAP, I could go on on that alone) and in security venues globally it is a check box with little use.    Now I know that vendors are looking to be part of this, but the sentiment here in the discussions does not reflect that.    I say that from a vendor and incident response community perspective. So lets focus on how we get their perspectives to be included, as I know as vendors, we see that STIX/TAXII in their current incarnation do NOT work very well and that exchanging threat data today is severely challenged.   The goal for CTI is to make that easier and simple for users and that means we as designers need to have the implementers involved and participating, not corralled and shamed.   If you take CVRF as an example, you can see that vendors do want a system and are willing to put it into operations and such, but the customer and the vendor need to have value out of it, not just another checkbox. </rant> Sincerely, Pete Peter Allor   Senior Security Strategist, Project Manager, Disclosures Product Management and Strategy IBM Security 6303 Barfield Rd NE Atlanta, GA 30328-4233 Mobile: +1-404-643-9638     Fax:       +1-845-491-4204   pallor@us.ibm.com Joep Gommers ---06/24/2015 11:15:54 AM---Hi Patrick, Great point. 
    I think part would be an effort of mapping the landscape on

    From: Joep Gommers < joep@intelworks.com >
    To: Patrick Maroney < Pmaroney@Specere.org >, Mark Clancy < mclancy@soltra.com >, Peter F Brown < peter@peterfbrown.com >, " tony@yaanatech.com " < tony@yaanatech.com >, Rich Struse < richard.struse@dhs.gov >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Date: 06/24/2015 11:15 AM
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    Sent by: < cti@lists.oasis-open.org >

    Hi Patrick,

    Great point. I think part would be an effort of mapping the landscape on the one side, ensuring the tooling required to enable people to be compatible (in addition to the standards and corresponding libraries) and part certification to solidify and ensure compliancy. Especially the latter option combined with hall of fame/shame (in a nice way :)) could drive some tangible KPIs.. ?

    Best regards,
    Joep

    On 6/24/15, 4:29 PM, "Patrick Maroney" < Pmaroney@Specere.org > wrote:

    >I would agree with the position that Engagement subsumes Outreach.
    >
    >One open question is where Interoperability (as a tangible deliverable)
    >fits into our strategy.
    >
    >Patrick Maroney
    >Office: (856)983-0001
    >Cell: (609)841-5104
    >pmaroney@specere.org
    >________________________________________
    >From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of
    >Mark Clancy < mclancy@soltra.com >
    >Sent: Wednesday, June 24, 2015 10:17:23 AM
    >To: Peter F Brown; tony@yaanatech.com ; Rich Struse
    >Cc: cti@lists.oasis-open.org
    >Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    >
    >All,
    >I agree with the need for this SC and am happy to help. I have been doing a lot
    >of this as part of my role as DTCC's CISO in addition to my Soltra role. I
    >have been presenting/meeting in the US, Europe and Asia. I spend a lot of
    >time with legislators, policy makers, and global financial regulators on
    >information sharing and why automation is a key part of capability needs.
    >By the same token most of the challenges in the global context are not
    >purely technical but national and regulatory impediments. Not to say the
    >technical things we are doing in CTI committee in OASIS isn't also
    >critical as it certainly is, but that if we only address the technical
    >side of this problem we won't achieve the risk mitigation benefits we all
    >desire.
    >
    >So at some level what do we think "engagement" means vs. "outreach"?
    >
    >-Mark
    >
    >
    >Mark Clancy
    >Chief Executive Officer
    >SOLTRA An FS-ISAC and DTCC Company
    >+1.813.470.2400 office
    >+1.610.659.6671 US mobile
    >+44 7823 626 535 UK mobile
    >mclancy@soltra.com
    >soltra.com
    >
    >One organization's incident becomes everyone's defense.
    >
    >________________________________________
    >From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of
    >Peter F Brown < peter@peterfbrown.com >
    >Sent: Tuesday, June 23, 2015 6:37 PM
    >To: tony@yaanatech.com ; Rich Struse
    >Cc: cti@lists.oasis-open.org
    >Subject: RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    >
    >+1
    >Also agree with comment in an earlier thread that this SC ought to have
    >engagement as a core focus rather than outreach - and that ought to be
    >reflected in the name of any proposed SC.
    >Regards,
    >Peter
    >


  • 30.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-26-2015 06:03



    Hi Jerome,


    Yes very much along these lines, nice one!


    J-




    From: Jerome Athias < athiasjerome@gmail.com >
    Date: Friday, June 26, 2015 at 8:00 AM
    To: Joep Gommers < joep@intelworks.com >
    Cc: Peter Allor < pallor@us.ibm.com >, Rich Struse < richard.struse@dhs.gov >, " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org >
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion





    Adoption Program?
    e.g. https://oval.mitre.org/adoption/





    2015-06-26 8:46 GMT+03:00 Joep Gommers < joep@intelworks.com > :


    Hi Peter,


    Let me put some context around my proposal for certification, which perhaps means rewording.


    First, I am completely aligned with you on the “voluntary” part and on the fact that mandatory certification would severely hinder adoption. Yet, what I think is hindering adoption more is – and perhaps this speaks to your concerns about STIX/TAXII too
    – that it is unsure for producers how their intelligence value is retained when received by other consumers. In a world where I send you a PDF, I know how you will consume the PDF. It is predictable and the value I bring as an intelligence producer is surely
    retained. Additionally, I as a producer am in full control.


    Now in STIX this isn’t necessarily the case. Since STIX is transport, it does not guarantee to any extent that the intelligence value is retained all the way to its human consumer – not as that the intent. STIX 1.1.1 compliancy usually means, for both
    CSIRT communities and vendors (and many other communities I might add that this is relevant for), a partial implementation of parts of the standard – that are processed by a machine and/or readable by a human in different ways.


    For TAXII, a similar challenge exists where there is no easy automated way of determining for machines what the TAXII implementors support. Think: authentication, authorization, different services (depending on discovery service on/off, hooked on/off),
    polling subscription models, etc.


    For me, certification and compliancy effort would be to ensure that it is publicly known and easily measurable what implementors actually support from the standard and where value is retained and where it isn’t. For TAXII, this means simple tools that
    make transparent the pattern of functionality implemented by a CSIRT community, vendor, etc. so they can say “guys I’m level A TAXII” - which will mean I support features A, B and C. For STIX similarly, a certain level of certification might mean that a producer/consumer
    implements the indicator/observable idioms, but does not retain much of the intelligence value of threat actor or exploit target information. This is relevant for the public to know, for producers to understand and to make transparent as to drive the community
    towards the right priorities and compatibility efforts. Right now, the conversational line of “STIX/TAXII compatible” has no value and requires significant effort to uncover what REALLY is implemented and what intelligence value is REALLY retained.


    So perhaps, certification is a bad word. Thoughts?


    Best regards,
    Joep




    From: Peter Allor < pallor@us.ibm.com >
    Date: Wednesday, June 24, 2015 at 7:11 PM
    To: Joep Gommers < joep@intelworks.com >
    Cc: Rich Struse < richard.struse@dhs.gov >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >


    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion









    Joep,
    I think I will push back a bit here, especially on your 'certification' and 'compliance' aspects.

    <rant>

    We need to be "voluntarily" adopting this 'standard'.

    While I can see Tony's comments about talking with EC bodies, the real adoption and use for CTI is in two communities, which by their nature are international.

    They are the CSIRT Community, specifically National CSIRTs but also Critical Infrastructure CSIRTs and Enterprise CSIRTs (I will not delve into the Big, Medium, Small discussion).   There is a whole lot going on in CSIRT Services
    Framework and Education Development where this can be included and is updating materials from CERT/CC-SEI that are now 20 years old.

    Then there is the 'vendor' community, which has not been really engaged here. I know some will say they are part of that community, but then also tout how they are international. So we need the large IT Vendors and we need
    the broad IT Security Vendors as part of this process. That would be for all FOUR Sub-Committees. Much of the indicators and expressions will need their input and adoption to actually gain traction for many and to enable the CSIRT Community (yes, the
    vendors are part of that community as well). Just to be clear, I am talking about Intel/McAfee, Symantec, Microsoft, IBM, Cisco/SourceFire, FireEye/Mandiant, and a slew of others.

    Pushing mandatory compliance and certification does not work globally (think Common Criteria / NIAP, I could go on on that alone) and in security venues globally it is a check box with little use.    Now I know that vendors
    are looking to be part of this, but the sentiment here in the discussions does not reflect that.    I say that from a vendor and incident response community perspective.

    So let's focus on how we get their perspectives to be included, as I know as vendors, we see that STIX/TAXII in their current incarnation do NOT work very well and that exchanging threat data today is severely challenged. The
    goal for CTI is to make that easier and simple for users and that means we as designers need to have the implementers involved and participating, not corralled and shamed.   If you take CVRF as an example, you can see that vendors do want a system and are
    willing to put it into operations and such, but the customer and the vendor need to have value out of it, not just another checkbox.

    </rant>

    Sincerely,
    Pete

    Peter Allor  
    Senior Security Strategist, Project Manager, Disclosures
    Product Management and Strategy
    IBM Security
    6303 Barfield Rd NE
    Atlanta, GA 30328-4233
    Mobile: +1-404-643-9638    
    Fax:       +1-845-491-4204  
    pallor@us.ibm.com

    Joep Gommers ---06/24/2015 11:15:54 AM---Hi Patrick, Great point. I think part would be an effort of mapping the landscape on

    From: Joep Gommers < joep@intelworks.com >
    To: Patrick Maroney < Pmaroney@Specere.org >, Mark Clancy < mclancy@soltra.com >,
    Peter F Brown < peter@peterfbrown.com >, " tony@yaanatech.com " < tony@yaanatech.com >, Rich
    Struse < richard.struse@dhs.gov >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Date: 06/24/2015 11:15 AM
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    Sent by: < cti@lists.oasis-open.org >





    Hi Patrick,

    Great point. I think part would be an effort of mapping the landscape on
    the one side, ensuring the tooling required to enable people to be
    compatible (in addition to the standards and corresponding libraries) and
    part certification to solidify and ensure compliancy. Especially the
    latter option combined with hall of fame/shame (in a nice way :)) could
    drive some tangible KPIs.. ?

    Best regards,
    Joep



    On 6/24/15, 4:29 PM, "Patrick Maroney" < Pmaroney@Specere.org > wrote:

    >I would agree with the position that Engagement subsumes Outreach.
    >
    >One open question is where Interoperability (as a tangible deliverable)
    >fits into our strategy.
    >
    >Patrick Maroney
    >Office: (856)983-0001
    >Cell: (609)841-5104
    > pmaroney@specere.org
    >________________________________________
    >From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of
    >Mark Clancy < mclancy@soltra.com >
    >Sent: Wednesday, June 24, 2015 10:17:23 AM
    >To: Peter F Brown; tony@yaanatech.com ; Rich Struse
    >Cc: cti@lists.oasis-open.org
    >Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    >
    >All,
    >I agree with the need for this SC and am happy to help. I have been doing a lot
    >of this as part of my role as DTCC's CISO in addition to my Soltra role. I
    >have been presenting/meeting in the US, Europe and Asia. I spend a lot of
    >time with legislators, policy makers, and global financial regulators on
    >information sharing and why automation is a key part of capability needs.
    >By the same token most of the challenges in the global context are not
    >purely technical but national and regulatory impediments. Not to say the
    >technical things we are doing in CTI committee in OASIS isn't also
    >critical as it certainly is, but that if we only address the technical
    >side of this problem we won't achieve the risk mitigation benefits we all
    >desire.
    >
    >So at some level what do we think "engagement" means vs. "outreach"?
    >
    >-Mark
    >
    >
    >Mark Clancy
    >Chief Executive Officer
    >SOLTRA An FS-ISAC and DTCC Company
    >+1.813.470.2400 office
    >+1.610.659.6671 US mobile
    >+44 7823 626 535 UK mobile
    >mclancy@soltra.com
    >soltra.com
    >
    >One organization's incident becomes everyone's defense.
    >
    >
    >________________________________________
    >From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of
    >Peter F Brown < peter@peterfbrown.com >
    >Sent: Tuesday, June 23, 2015 6:37 PM
    >To: tony@yaanatech.com ; Rich Struse
    >Cc: cti@lists.oasis-open.org
    >Subject: RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    >
    >+1
    >Also agree with comment in an earlier thread that this SC ought to have
    >engagement as a core focus rather than outreach - and that ought to be
    >reflected in the name of any proposed SC.
    >Regards,
    >Peter
    >
    >
    >


  • 31.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-26-2015 12:26




    The adoption chart is part of the need and the OVAL example is a good one. 


    Another side of this is the STIX profile ( https://stix.mitre.org/about/documents/STIX_Profiles_Overview_White_Paper_v0.1.pdf ).
    This is important as different parts of the ecosystem have and need different levels of ‘completeness’ in how they handled Cybox/STIX. So if I am trying to consume STIX data for say a Snort based IDS system there are a lot of Cybox objects (like Win Reg key),
    STIX object types (like say Campaigns) that don’t make any sense for a Snort based sensor to consume or produce. Whereas we also have STIX implementations for devices/sensors like say a SIEM that can/should handle more Cybox/STIX object types, but don’t
    do so at present. It is kind of hard to describe the difference between those two levels of implementation. I could have everything implemented for a Snort type IDS that the device is able to do and have the same number of STIX/Cybox objects supported in,
    say, a SIEM tool which should be able to handle a lot more of these; the STIX profiles would be the same, but the maximum possible maturity of the implementations IMHO are quite different.
     

    I would really like to see the concept of an implementation maturity model worked into the ‘adoption’ notions here. We see quite a difference between “like” products in the same categories as to their level of implementation. Today you
    could say you support STIX if you support say IPv4 address Cybox objects and only STIX Observables. Technically that is STIX ‘support’ and if that is what is in your STIX profile you are legit. The reality is the STIX profile is the way to ‘transact’ the objects
    supported vs. not when being shared, but we need a simpler summary of this so that customers of these products make choices informed of what “we support STIX/TAXII” actually means. If consumers experience “STIX support” at this level of maturity/completeness
    and they expected much more it is going to reflect poorly on our standards. So say supporting one Cybox object and one STIX object is Level 1 maturity in a single direction, but supporting all Cybox and STIX objects, bi-directionally, linked to each other
    is a much higher level.


    I suggest we add this to the outreach workstream as a way of keeping track of what "adoption" really means.


    -Mark





    Mark Clancy
    Chief Executive Officer
    SOLTRA
    An FS-ISAC and DTCC Company
    +1.813.470.2400 office
    +1.610.659.6671 US mobile
    +44 7823 626 535 UK mobile
    mclancy@soltra.com
    soltra.com

    One organization's incident becomes everyone's defense.







    From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Jerome Athias <athiasjerome@gmail.com>
    Sent: Friday, June 26, 2015 2:00 AM
    To: Joep Gommers
    Cc: Peter Allor; Rich Struse; cti@lists.oasis-open.org
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
     


    Adoption Program?
    e.g. https://oval.mitre.org/adoption/







  • 32.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-26-2015 15:51
    Understanding what Idioms are supported or what elements of an Idiom are supported is valuable, yes. But think of certification in regards to bigger level items.

    1) Does the system support data making / handling? And if so, can you appropriately handle something that is like a TLP RED.
    2) Does the system actually support delete requests
    3) Does the system support full fidelity on a STIX package's producer chain? Or does it strip all of that away. Further if we add an ability to sign a STIX package, does the system support that and the ability to re-issue the package with the cert or include it somehow.
    4) On the TAXII side, does the system support Data Feeds or just Data Sets?
    5) Does the TAXII system support inbox services or just poll services?
    6) What is the sustained rate that a system supports in tiers.

    etc etc.

    What I would like to see is a simple and easy to understand tier system with certification. We have talked about this a lot over the past year and I think a lot of really good ideas have been brought up... Imagine that the first few levels are self asserting. Then the final few levels, will have an official certification process similar to the WiFi alliance. Initially, for the first few years say 3-5 years, we would only do self assessment. Then in say the 5 year time frame we would do an official certification process.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.

    On Jun 26, 2015, at 06:25, Mark Clancy < mclancy@soltra.com > wrote:

    The adoption chart is part of the need and the OVAL example is a good one.

    Another side of this is the STIX profile ( https://stix.mitre.org/about/documents/STIX_Profiles_Overview_White_Paper_v0.1.pdf ).
    This is important as different parts of the ecosystem have and need different levels of ‘completeness’ in how they handled Cybox/STIX. So if I am trying to consume STIX data for say a Snort based IDS system there are a lot of Cybox objects (like Win Reg key), STIX object types (like say Campaigns) that don’t make any sense for a Snort based sensor to consume or produce. Whereas we also have STIX implementations for devices/sensors like say a SIEM that can/should handle more Cybox/STIX object types, but don’t do so at present. It is kind of hard to describe the difference between those two levels of implementation. I could have everything implemented for a Snort type IDS that the device is able to do and have the same number of STIX/Cybox objects supported in, say, a SIEM tool which should be able to handle a lot more of these; the STIX profiles would be the same, but the maximum possible maturity of the implementations IMHO are quite different.

    I would really like to see the concept of an implementation maturity model worked into the ‘adoption’ notions here. We see quite a difference between “like” products in the same categories as to their level of implementation. Today you could say you support STIX if you support say IPv4 address Cybox objects and only STIX Observables. Technically that is STIX ‘support’ and if that is what is in your STIX profile you are legit. The reality is the STIX profile is the way to ‘transact’ the objects supported vs. not when being shared, but we need a simpler summary of this so that customers of these products make choices informed of what “we support STIX/TAXII” actually means. If consumers experience “STIX support” at this level of maturity/completeness and they expected much more it is going to reflect poorly on our standards.
    So say supporting one Cybox object and one STIX object is Level 1 maturity in a single direction, but supporting all Cybox and STIX objects, bi-directionally, linked to each other is a much higher level.

    I suggest we add this to the outreach workstream as a way of keeping track of what adoption really means.

    -Mark

    Mark Clancy
    Chief Executive Officer
    SOLTRA
    An FS-ISAC and DTCC Company
    +1.813.470.2400 office
    +1.610.659.6671 US mobile
    +44 7823 626 535 UK mobile
    mclancy@soltra.com
    soltra.com

    One organization's incident becomes everyone's defense.

    From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Jerome Athias < athiasjerome@gmail.com >
    Sent: Friday, June 26, 2015 2:00 AM
    To: Joep Gommers
    Cc: Peter Allor; Rich Struse; cti@lists.oasis-open.org
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Adoption Program?
    e.g. https://oval.mitre.org/adoption/

    2015-06-26 8:46 GMT+03:00 Joep Gommers < joep@intelworks.com > :

    Hi Peter,

    Let me put some context around my proposal for certification, which perhaps means rewording.

    First, I am completely aligned with you on the “voluntary” part and on the fact that mandatory certification would severely hinder adoption. Yet, what I think is hindering adoption more is – and perhaps this speaks to your concerns about STIX/TAXII too – that it is unsure for producers how their intelligence value is retained when received by other consumers. In a world where I send you a PDF, I know how you will consume the PDF. It is predictable and the value I bring as an intelligence producer is surely retained. Additionally, I as a producer am in full control.

    Now in STIX this isn’t necessarily the case. Since STIX is transport, it does not guarantee to any extent that the intelligence value is retained all the way to its human consumer – not as that the intent.
    STIX 1.1.1 compliancy usually means, for both CSIRT communities and vendors (and many other communities I might add that this is relevant for), a partial implementation of parts of the standard – that are processed by a machine and/or readable by a human in different ways.

    For TAXII, a similar challenge exists where there is no easy automated way of determining for machines what the TAXII implementors support. Think: authentication, authorization, different services (depending on discovery service on/off, hooked on/off), polling subscription models, etc.

    For me, certification and compliancy effort would be to ensure that it is publicly known and easily measurable what implementors actually support from the standard and where value is retained and where it isn’t. For TAXII, this means simple tools that make transparent the pattern of functionality implemented by a CSIRT community, vendor, etc. so they can say “guys I’m level A TAXII” - which will mean I support features A, B and C. For STIX similarly, a certain level of certification might mean that a producer/consumer implements the indicator/observable idioms, but does not retain much of the intelligence value of threat actor or exploit target information. This is relevant for the public to know, for producers to understand and to make transparent as to drive the community towards the right priorities and compatibility efforts. Right now, the conversational line of “STIX/TAXII compatible” has no value and requires significant effort to uncover what REALLY is implemented and what intelligence value is REALLY retained.

    So perhaps, certification is a bad word. Thoughts?
Best regards,
Joep

From: Peter Allor <pallor@us.ibm.com>
Date: Wednesday, June 24, 2015 at 7:11 PM
To: Joep Gommers <joep@intelworks.com>
Cc: Rich Struse <richard.struse@dhs.gov>, cti@lists.oasis-open.org <cti@lists.oasis-open.org>
Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

Joep,

I think I will push back a bit here, especially on your 'certification' and 'compliance' aspects.

<rant>

We need to be "voluntarily" adopting this 'standard'.

While I can see Tony's comments about talking with EC bodies, the real adoption and use for CTI is in two communities, which by their nature are international.

They are the CSIRT Community, specifically National CSIRTs but also Critical Infrastructure CSIRTs and Enterprise CSIRTs (I will not delve into the Big, Medium, Small discussion). There is a whole lot going on in CSIRT Services Framework and Education Development where this can be included and is updating materials from CERT/CC-SEI that are now 20 years old.

Then there is the 'vendor' community, which has not been really engaged here. I know some will say they are part of that community, but then also tout how they are international. So we need the large IT Vendors and we need the broad IT Security Vendors as part of this process. That would be for all FOUR Sub-Committees. Much of the indicators and expressions will need their input and adoption to actually gain traction for many and to enable the CSIRT Community (yes, the vendors are part of that community as well). Just to be clear, I am talking about Intel/McAfee, Symantec, Microsoft, IBM, Cisco/SourceFire, FireEye/Mandiant, and a slew of others.

Pushing mandatory compliance and certification does not work globally (think Common Criteria / NIAP, I could go on on that alone) and in security venues globally it is a check box with little use. Now I know that vendors are looking to be part of this, but the sentiment here in the discussions does not reflect that. I say that from a vendor and incident response community perspective.

So let's focus on how we get their perspectives to be included, as I know as vendors, we see that STIX/TAXII in their current incarnation do NOT work very well and that exchanging threat data today is severely challenged. The goal for CTI is to make that easier and simple for users and that means we as designers need to have the implementers involved and participating, not corralled and shamed. If you take CVRF as an example, you can see that vendors do want a system and are willing to put it into operations and such, but the customer and the vendor need to have value out of it, not just another checkbox.

</rant>

Sincerely,
Pete

Peter Allor
Senior Security Strategist, Project Manager, Disclosures
Product Management and Strategy
IBM Security
6303 Barfield Rd NE
Atlanta, GA 30328-4233
Mobile: +1-404-643-9638
Fax: +1-845-491-4204
pallor@us.ibm.com

Joep Gommers ---06/24/2015 11:15:54 AM---Hi Patrick, Great point. I think part would be an effort of mapping the landscape on

From: Joep Gommers <joep@intelworks.com>
To: Patrick Maroney <Pmaroney@Specere.org>, Mark Clancy <mclancy@soltra.com>, Peter F Brown <peter@peterfbrown.com>, tony@yaanatech.com <tony@yaanatech.com>, Rich Struse <richard.struse@dhs.gov>
Cc: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
Date: 06/24/2015 11:15 AM
Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
Sent by: <cti@lists.oasis-open.org>

Hi Patrick,

Great point. I think part would be an effort of mapping the landscape on the one side, ensuring the tooling required to enable people to be compatible (in addition to the standards and corresponding libraries) and part certification to solidify and ensure compliancy. Especially the latter option combined with hall of fame/shame (in a nice way :)) could drive some tangible KPIs.. ?

Best regards,
Joep

On 6/24/15, 4:29 PM, Patrick Maroney <Pmaroney@Specere.org> wrote:

>I would agree with the position that Engagement subsumes Outreach.
>
>One open question is where Interoperability (as a tangible deliverable)
>fits into our strategy.
>
>Patrick Maroney
>Office: (856)983-0001
>Cell: (609)841-5104
>pmaroney@specere.org
>________________________________________
>From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of
>Mark Clancy <mclancy@soltra.com>
>Sent: Wednesday, June 24, 2015 10:17:23 AM
>To: Peter F Brown; tony@yaanatech.com; Rich Struse
>Cc: cti@lists.oasis-open.org
>Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
>
>All,
>I agree with need this SC and am happy to help. I have been doing a lot
>this as part of my role as DTCC's CISO in addition to my Soltra role. I
>have been presenting/meeting in the US, Europe and Asia. I spend a lot of
>time with legislators, policy makers, and global financial regulators on
>information sharing and why automation is a key part of capability needs.
>By the same token most of the challenges in the global context are not
>purely technical but national and regulatory impediments. Not to say the
>technical things we are doing in CTI committee in Oasis isn't also
>critical as it certainly is, but that if we only address the technical
>side of this problem we won't achieve the risk mitigation benefits we all
>desire.
>
>So at some level what do we think "engagement" means vs. "outreach"?
>
>-Mark
>
>Mark Clancy
>Chief Executive Officer
>SOLTRA An FS-ISAC and DTCC Company
>+1.813.470.2400 office +1.610.659.6671 US mobile +44 7823 626 535
>UK mobile
>mclancy@soltra.com soltra.com
>
>One organization's incident becomes everyone's defense.
>
>________________________________________
>From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of
>Peter F Brown <peter@peterfbrown.com>
>Sent: Tuesday, June 23, 2015 6:37 PM
>To: tony@yaanatech.com; Rich Struse
>Cc: cti@lists.oasis-open.org
>Subject: RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
>
>+1
>Also agree with comment in an earlier thread that this SC ought to have
>engagement as a core focus rather than outreach - and that ought to be
>reflected in the name of any proposed SC.
>Regards,
>Peter


  • 33.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-26-2015 16:14
    I think that any kind of maturity/compliance assessment/declaration (should it be just self assessment) would have to be based on some kind of criteria or requirements. Those would have to be listed/defined in order to be measured for providing relevant -to be defined- key indicators (such as list of supported functionalities, or % of CybOX observables supported...). This was, I think, what was done for OVAL.

    2015-06-26 18:50 GMT+03:00 Jordan, Bret <bret.jordan@bluecoat.com>:
    > Understanding what Idioms are supported or what elements of an Idiom are
    > supported is valuable, yes. But think of certification in regards to bigger
    > level items.
    >
    > 1) Does the systems support data making / handling? And if so, can you
    > appropriately handle something that is like a TLP RED.
    >
    > 2) Does the system actually support delete requests
    >
    > 3) Does the system support full fidelity on a STIX package's producer chain?
    > Or does it strip all of that away. Further if we add an ability to sign a
    > STIX package, does the system support that and the ability to re-issue the
    > package with the cert or include it some how.
    >
    > 4) On the TAXII side, does the system support Data Feeds or just Data Sets..
    >
    > 5) Does the TAXII system support inbox services or just poll services?
    >
    > 6) What is the sustained rate that a system supports in tiers.
    >
    > etc etc.
    >
    > What I would like to see is a simple and easy to understand tier system with
    > certification. We have talked about this a lot over the past year and I
    > think a lot of really good ideas have been brought up... Imagine that the
    > first few levels are self asserting. Then the final few levels, will have
    > an official certification process similar to the WiFi alliance. Initially,
    > for the first few years say 3-5 years, we would only do self assessment.
    > Then in say the 5 year time frame we would do an official certification
    > process.
    >
    > Thanks,
    >
    > Bret
    >
    > Bret Jordan CISSP
    > Director of Security Architecture and Standards Office of the CTO
    > Blue Coat Systems
    > PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303
    > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
    > not be unscrambled is an egg."


  • 34.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-26-2015 16:32
    Yes, I agree.  Any self assessment would need to be spelled out and be super easy for implementors and consumers to understand.  This would include things like certain sections of Idioms and certain features / functions.  For example I can see a whole class of vendor network and client products that will either emit a STIX object or consume a STIX object but not both and it would be good for consumers to understand that they are at Level X or Level Y.   Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Jun 26, 2015, at 10:13, Jerome Athias < athiasjerome@GMAIL.COM > wrote: I think that any kind of maturity/compliance assessment/declaration (should it be just self assessment) would have to be based on some kind of criterias or requirements. Those would have to be listed/defined in order to be measured for providing relevant -to be defined- key indicators (such as list of supported functionnalities, or % of CybOX observables supported...). This was, I think, what was done for OVAL. 2015-06-26 18:50 GMT+03:00 Jordan, Bret < bret.jordan@bluecoat.com >: Understanding what Idioms are supported or what elements of an Idiom are support is valuable, yes.  But think of certification in regards to bigger level items. 1) Does the systems support data making / handling?  And if so, can you appropriately handle something that is like a TLP RED. 2) Does the system actually support delete requests 3) Does the system support full fidelity on a STIX package's producer chain? Or does it strip all of that away.  Further if we add an ability to sign a STIX package, does the system support that and the ability to re-issue the package with the cert or include it some how. 
4) On the TAXII side, does the system support Data Feeds or just Data Sets.. 5) Does the TAXII system support inbox services or just poll services? 6) What is the sustained rate that a system supports in tiers. etc etc. What I would like to see is a simple and easy to understand tier system with certification.  We have talked about this a lot over the past year and I think a lot of really good ideas have been brought up...  Imagine that the first few levels are self asserting.  Then the final few levels, will have an official certification process similar to the WiFi alliance.  Initially, for the first few years say 3-5 years, we would only do self assessment. Then in say the 5 year time frame we would do an official certification process. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 62A6 5999 0F7D 0D61 4C66 D59C 2DB5 111D 63BC A303 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg. On Jun 26, 2015, at 06:25, Mark Clancy < mclancy@soltra.com > wrote: The adoption chart is part of the need and the OVAL example is a good one. Another side of this is the STIX profile ( https://stix.mitre.org/about/documents/STIX_Profiles_Overview_White_Paper_v0.1.pdf ). This is important as different parts of the ecosystem have and need different levels of ‘completeness’ in how they handled Cybox/STIX.  So if I am trying to consume STIX data for say a Snort based IDS system there are a lot of Cybox objects (like Win Reg key), STIX object types (like say Campaigns) that don’t make any sense for a Snort based sensor to consume or produce.  Where as we also have STIX implementations for devices/sensors like say a SIEM that can/should handle mode Cybox/STIX object types, but don’t do so at present.  It is kind of hard to describe the difference between those two levels of implementation.  
I could have everything implemented for a Snort type IDS that the device is able to do and have the same number of STIX/Cybox objects supports in same a SEIM tool which should be able to handle a lot more of these the STIX profiles would be the same, but the maximum possible maturity of the implementations IMHO are quite different. I would really like to see the concept of an implementation maturity model worked into the ‘adoption’ notions here. We see quite a difference between “like” products in the same categories as to their level of implementation. Today you could say you support STIX if you support say IPv4 address Cybox objects and only STIX Observables. Technically that is STIX ‘support’ and if that is what is in your STIX profile you are legit. The reality is the STIX profile is the way to ‘transact’ the objects supports vs. not when being shared, but we need a simpler summary of this so when customers of these products make choices informed of what “we support STIX/TAXII” actually means.  If consumers experience “STIX support” at this level of maturity/completeness and they expected much more it is going to reflect poorly on our standards.  So say supporting one Cybox object and one Stix object is Level 1 maturity in a single direction , but supporting all Cybox and STIX objects, bi-directionally, linked to each other is a much higher level. I suggest we add this to the outreach workstream as a way of keeping track of what adoption really means. -Mark Mark Clancy Chief Executive Officer SOLTRA An FS-ISAC and DTCC Company +1.813.470.2400 office +1.610.659.6671 US mobile  +44 7823 626 535  UK mobile mclancy@soltra.com soltra.com One organization's incident becomes everyone's defense. 
________________________________ From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Jerome Athias < athiasjerome@gmail.com > Sent: Friday, June 26, 2015 2:00 AM To: Joep Gommers Cc: Peter Allor; Rich Struse; cti@lists.oasis-open.org Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion Adoption Program? e.g. https://oval.mitre.org/adoption/ 2015-06-26 8:46 GMT+03:00 Joep Gommers < joep@intelworks.com >: Hi Peter, Let me put some context around my proposal for certification, which perhaps means rewording. First, I am completely aligned with you on the “voluntary” part and on the fact that mandatory certification would severely hinder adoption. Yet, what I think it hindering adoption more is – and perhaps this speaks to your concerns about STIX/TAXII too – that it is ensure for producers how their intelligence value is retained when received by other consumers. In a world where I send you a PDF, I know how you will consume the PDF. It is predictable and the value I bring as an intelligence producer is surely retained. Additionally, I as a producer am in full control. Now in STIX this isn’t necessarily the case. Since STIX is transport, it does not guarantee to any extent that the intelligence value is retained all the way to its human consumer – not as that the intent. STIX 1.1.1 compliancy usually means, for both CSIRT communities and vendors (and many other communities I might add that this is relevant for), a partial implementation of parts of the standard – that are processed by a machine and/or readable by a human in different ways. For TAXII, a similar challenge exists where there is no easy automated way of determining for machines what the TAXII implementors supports. Think; authentication, authorization, different services (depending on discovery service on/off, hooked on/off), polling subscription models, etc. 
For me, certification and compliancy effort would be to ensure that it is publicly known and easily measurable what implementors actually support from the standard and where value is retained and where it isn’t. For TAXII, this means simple tools that make transparant the pattern of functionality implemented by a CSIRT community, vendor, etc. so they can say “guys I’m level A TAXII” - which will mean I support features A, B and C. For STIX similarly, a certain level of certification might mean that an producer/consumer implements the indicator/observable idioms, but does not retain much of the intelligence value of threat actor or exploit target information. This is relevant for the public to know, for producers to understand and to make transparant as to drive the community towards the right priorities and compatibility efforts. Right now, the conversational line of “STIX/TAXII compatible” has no value and requires significant effort to undercover what REALLY is implemented and what intelligence value is REALLY retained. So perhaps, certification is a bad word. Thoughts? Best regards, Joep From: Peter Allor < pallor@us.ibm.com > Date: Wednesday, June 24, 2015 at 7:11 PM To: Joep Gommers < joep@intelworks.com > Cc: Rich Struse < richard.struse@dhs.gov >, cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion Joep, I think I will push back a bit here, especially on your 'certification' and 'compliance' aspects. <rant> We need to be voluntarily adopting this 'standard'. While I can see Tony's comments about talking with EC bodies, the real adoption and use for CTI is in two communities, which by their nature are international. They are the CSIRT Community, specifically National CSIRTs but also Critical Infrastructure CSIRTs and Enterprise CSIRTs (I will not delve into the Big, Medium, Small discussion).   
There is a whole lot going on in CSIRT Services Framework and Education Development where this can be included and is updating materials from CERT/CC-SEI that are now 20 years old. Then there is the 'vendor' community, which has not been really engaged here.   I know some will say they are part of that community, but then also tout how they are international.   So we need the large IT Vendors and we need the broad IT Security Vendors as part of this process.   That would be for all FOUR Sub-Committee's.    Much of the indicators and expressions will need their input and adoption to actually gain traction for many and to enable the CSIRT Community (yes, the vendors are part of that community as well).     Just to be clear, I am talking about Intel/McAfee, Symantec, Microsoft, IBM, Cisco/SourceFire, FireEye/Mandiant, and a slew of others. Pushing mandatory compliance and certification does not work globally (think Common Criteria / NIAP, I could go on on that alone) and in security venues globally it is a check box with little use.    Now I know that vendors are looking to be part of this, but the sentiment here in the discussions does not reflect that.    I say that from a vendor and incident response community perspective. So lets focus on how we get their perspectives to be included, as I know as vendors, we see that STIX/TAXII in their current incarnation do NOT work very well and that exchanging threat data today is severely challenged. The goal for CTI is to make that easier and simple for users and that means we as designers need to have the implementers involved and participating, not corralled and shamed.   If you take CVRF as an example, you can see that vendors do want a system and are willing to put it into operations and such, but the customer and the vendor need to have value out of it, not just another checkbox. 
</rant> Sincerely, Pete Peter Allor Senior Security Strategist, Project Manager, Disclosures Product Management and Strategy IBM Security 6303 Barfield Rd NE Atlanta, GA 30328-4233 Mobile: +1-404-643-9638 Fax: +1-845-491-4204 pallor@us.ibm.com Joep Gommers ---06/24/2015 11:15:54 AM---Hi Patrick, Great point. I think part would be an effort of mapping the landscape on From: Joep Gommers <joep@intelworks.com> To: Patrick Maroney <Pmaroney@Specere.org>, Mark Clancy <mclancy@soltra.com>, Peter F Brown <peter@peterfbrown.com>, tony@yaanatech.com <tony@yaanatech.com>, Rich Struse <richard.struse@dhs.gov> Cc: cti@lists.oasis-open.org <cti@lists.oasis-open.org> Date: 06/24/2015 11:15 AM Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion Sent by: <cti@lists.oasis-open.org> ________________________________ Hi Patrick, Great point. I think part would be an effort of mapping the landscape on the one side, ensuring the tooling required to enable people to be compatible (in addition to the standards and corresponding libraries) and part certification to solidify and ensure compliancy. Especially the latter option combined with hall of fame/shame (in a nice way :)) could drive some tangible KPIs.. ? Best regards, Joep On 6/24/15, 4:29 PM, Patrick Maroney <Pmaroney@Specere.org> wrote: I would agree with the position that Engagement subsumes Outreach. One open question is where Interoperability (as a tangible deliverable) fits into our strategy. Patrick Maroney Office: (856)983-0001 Cell: (609)841-5104 pmaroney@specere.org ________________________________________ From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Mark Clancy <mclancy@soltra.com> Sent: Wednesday, June 24, 2015 10:17:23 AM To: Peter F Brown; tony@yaanatech.com; Rich Struse Cc: cti@lists.oasis-open.org Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion All, I agree with need this SC and am happy to help.
I have been doing a lot this as part of my role as DTCC's CISO in addition to my Soltra role. I have been presenting/meeting in the US, Europe and Asia. I spend a lot of time with legislators, policy makers, and global financial regulators on information sharing and why automation is a key part of capability needs. By the same token most of the challenges in the global context are not purely technical but national and regulatory impediments. Not to say the technical things we are doing in CTI committee in Oasis isn't also critical as it certainly is, but that if we only address the technical side of this problem we won't achieve the risk mitigation benefits we all desire. So at some level what do we think engagement means vs. outreach? -Mark Mark Clancy Chief Executive Officer SOLTRA An FS-ISAC and DTCC Company +1.813.470.2400 office +1.610.659.6671 US mobile +44 7823 626 535 UK mobile mclancy@soltra.com soltra.com One organization's incident becomes everyone's defense. ________________________________________ From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Peter F Brown <peter@peterfbrown.com> Sent: Tuesday, June 23, 2015 6:37 PM To: tony@yaanatech.com; Rich Struse Cc: cti@lists.oasis-open.org Subject: RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion +1 Also agree with comment in an earlier thread that this SC ought to have engagement as a core focus rather than outreach - and that ought to be reflected in the name of any proposed SC. Regards, Peter


  • 35.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-30-2015 11:30



    Hi Mark,


    Love the MMO angle here!


    J-




    From: Mark Clancy < mclancy@soltra.com >
    Date: Friday, June 26, 2015 at 2:25 PM
    To: Jerome Athias < athiasjerome@gmail.com >, Joep Gommers < joep@intelworks.com >
    Cc: Peter Allor < pallor@us.ibm.com >, Rich Struse < richard.struse@dhs.gov >, " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org >
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion






    The adoption chart is part of the need and the OVAL example is a good one. 


    Another side of this is the STIX profile  ( https://stix.mitre.org/about/documents/STIX_Profiles_Overview_White_Paper_v0.1.pdf ).
    This is important as different parts of the ecosystem have and need different levels of ‘completeness’ in how they handled Cybox/STIX.  So if I am trying to consume STIX data for say a Snort based IDS system there are a lot of Cybox objects (like Win Reg key),
    STIX object types (like say Campaigns) that don’t make any sense for a Snort based sensor to consume or produce.  Whereas we also have STIX implementations for devices/sensors like say a SIEM that can/should handle more Cybox/STIX object types, but don’t
    do so at present.  It is kind of hard to describe the difference between those two levels of implementation.  I could have everything implemented for a Snort type IDS that the device is able to do and have the same number of STIX/Cybox objects supported in,
    say, a SIEM tool which should be able to handle a lot more of these; the STIX profiles would be the same, but the maximum possible maturity of the implementations IMHO are quite different.
     

    I would really like to see the concept of an implementation maturity model worked into the ‘adoption’ notions here. We see quite a difference between “like” products in the same categories as to their level of implementation.  Today you
    could say you support STIX if you support say IPv4 address Cybox objects and only STIX Observables. Technically that is STIX ‘support’ and if that is what is in your STIX profile you are legit. The reality is the STIX profile is the way to ‘transact’ the objects
    supported vs. not when being shared, but we need a simpler summary of this so when customers of these products make choices informed of what “we support STIX/TAXII” actually means.  If consumers experience “STIX support” at this level of maturity/completeness
    and they expected much more it is going to reflect poorly on our standards.  So say supporting one Cybox object and one STIX object is Level 1 maturity in a single direction, but supporting all Cybox and STIX objects, bi-directionally, linked to each other
    is a much higher level.


    I suggest we add this to the outreach workstream as a way of keeping track of what "adoption" really means.


    -Mark





    Mark Clancy
    Chief Executive Officer
    SOLTRA
    An FS-ISAC and DTCC Company
    +1.813.470.2400 office
    +1.610.659.6671 US mobile
    +44 7823 626 535 UK mobile
    mclancy@soltra.com
    soltra.com

    One organization's incident becomes everyone's defense.







    From:
    cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Jerome Athias < athiasjerome@gmail.com >
    Sent: Friday, June 26, 2015 2:00 AM
    To: Joep Gommers
    Cc: Peter Allor; Rich Struse; cti@lists.oasis-open.org
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
     


    Adoption Program?
    e.g. https://oval.mitre.org/adoption/





    2015-06-26 8:46 GMT+03:00 Joep Gommers < joep@intelworks.com > :


    Hi Peter,


    Let me put some context around my proposal for certification, which perhaps means rewording.


    First, I am completely aligned with you on the “voluntary” part and on the fact that mandatory certification would severely hinder adoption. Yet, what I think is hindering adoption more is – and perhaps this speaks to your concerns about STIX/TAXII too
    – that it is unsure for producers how their intelligence value is retained when received by other consumers. In a world where I send you a PDF, I know how you will consume the PDF. It is predictable and the value I bring as an intelligence producer is surely
    retained. Additionally, I as a producer am in full control.


    Now in STIX this isn’t necessarily the case. Since STIX is transport, it does not guarantee to any extent that the intelligence value is retained all the way to its human consumer – not as that the intent. STIX 1.1.1 compliancy usually means, for both
    CSIRT communities and vendors (and many other communities I might add that this is relevant for), a partial implementation of parts of the standard – that are processed by a machine and/or readable by a human in different ways.


    For TAXII, a similar challenge exists where there is no easy automated way of determining for machines what the TAXII implementor supports. Think: authentication, authorization, different services (depending on discovery service on/off, hooked on/off),
    polling subscription models, etc.


    For me, certification and compliancy effort would be to ensure that it is publicly known and easily measurable what implementors actually support from the standard and where value is retained and where it isn’t. For TAXII, this means simple tools that
    make transparent the pattern of functionality implemented by a CSIRT community, vendor, etc. so they can say “guys I’m level A TAXII” - which will mean I support features A, B and C. For STIX similarly, a certain level of certification might mean that a producer/consumer
    implements the indicator/observable idioms, but does not retain much of the intelligence value of threat actor or exploit target information. This is relevant for the public to know, for producers to understand and to make transparent as to drive the community
    towards the right priorities and compatibility efforts. Right now, the conversational line of “STIX/TAXII compatible” has no value and requires significant effort to uncover what REALLY is implemented and what intelligence value is REALLY retained.


    So perhaps, certification is a bad word. Thoughts?


    Best regards,
    Joep




    From: Peter Allor < pallor@us.ibm.com >
    Date: Wednesday, June 24, 2015 at 7:11 PM
    To: Joep Gommers < joep@intelworks.com >
    Cc: Rich Struse < richard.struse@dhs.gov >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >


    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion









    Joep,
    I think I will push back a bit here, especially on your 'certification' and 'compliance' aspects.

    <rant>

    We need to be "voluntarily" adopting this 'standard'.

    While I can see Tony's comments about talking with EC bodies, the real adoption and use for CTI is in two communities, which by their nature are international.

    They are the CSIRT Community, specifically National CSIRTs but also Critical Infrastructure CSIRTs and Enterprise CSIRTs (I will not delve into the Big, Medium, Small discussion).   There is a whole lot going on in CSIRT Services
    Framework and Education Development where this can be included and is updating materials from CERT/CC-SEI that are now 20 years old.

    Then there is the 'vendor' community, which has not been really engaged here.   I know some will say they are part of that community, but then also tout how they are international.   So we need the large IT Vendors and we need
    the broad IT Security Vendors as part of this process.   That would be for all FOUR Sub-Committees.    Much of the indicators and expressions will need their input and adoption to actually gain traction for many and to enable the CSIRT Community (yes, the
    vendors are part of that community as well).     Just to be clear, I am talking about Intel/McAfee, Symantec, Microsoft, IBM, Cisco/SourceFire, FireEye/Mandiant, and a slew of others.

    Pushing mandatory compliance and certification does not work globally (think Common Criteria / NIAP, I could go on on that alone) and in security venues globally it is a check box with little use.    Now I know that vendors
    are looking to be part of this, but the sentiment here in the discussions does not reflect that.    I say that from a vendor and incident response community perspective.

    So let's focus on how we get their perspectives to be included, as I know as vendors, we see that STIX/TAXII in their current incarnation do NOT work very well and that exchanging threat data today is severely challenged.   The
    goal for CTI is to make that easier and simple for users and that means we as designers need to have the implementers involved and participating, not corralled and shamed.   If you take CVRF as an example, you can see that vendors do want a system and are
    willing to put it into operations and such, but the customer and the vendor need to have value out of it, not just another checkbox.

    </rant>

    Sincerely,
    Pete

    Peter Allor  
    Senior Security Strategist, Project Manager, Disclosures
    Product Management and Strategy
    IBM Security
    6303 Barfield Rd NE
    Atlanta, GA 30328-4233
    Mobile: +1-404-643-9638    
    Fax:       +1-845-491-4204  
    pallor@us.ibm.com

    Joep
    Gommers ---06/24/2015 11:15:54 AM---Hi Patrick, Great point. I think part would be an effort of mapping the landscape on

    From: Joep Gommers < joep@intelworks.com >
    To: Patrick Maroney < Pmaroney@Specere.org >, Mark Clancy < mclancy@soltra.com >,
    Peter F Brown < peter@peterfbrown.com >, " tony@yaanatech.com " < tony@yaanatech.com >, Rich
    Struse < richard.struse@dhs.gov >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Date: 06/24/2015 11:15 AM
    Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    Sent by: < cti@lists.oasis-open.org >





    Hi Patrick,

    Great point. I think part would be an effort of mapping the landscape on
    the one side, ensuring the tooling required to enable people to be
    compatible (in addition to the standards and corresponding libraries) and
    part certification to solidify and ensure compliancy. Especially the
    latter option combined with hall of fame/shame (in a nice way :)) could
    drive some tangible KPIs.. ?

    Best regards,
    Joep



    On 6/24/15, 4:29 PM, "Patrick Maroney" < Pmaroney@Specere.org > wrote:

    >I would agree with the position that Engagement subsumes Outreach.
    >
    >One open question is where Interoperability (as a tangible deliverable)
    >fits into our strategy.
    >
    >Patrick Maroney
    >Office: (856)983-0001
    >Cell: (609)841-5104
    > pmaroney@specere.org
    >________________________________________
    >From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of
    >Mark Clancy < mclancy@soltra.com >
    >Sent: Wednesday, June 24, 2015 10:17:23 AM
    >To: Peter F Brown; tony@yaanatech.com ; Rich Struse
    >Cc: cti@lists.oasis-open.org
    >Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    >
    >All,
    >I agree with need this SC and am happy to help. I have been doing a lot
    >this as part of my role as  DTCC's CISO in addition to my Soltra role.  I
    >have been presenting/meeting in the US, Europe and Asia. I spend a lot of
    >time with legislators, policy makers, and global financial regulators on
    >information sharing and why automation is a key part of capability needs.
    >By the same token most of the challenges in the global context are not
    >purely technical but national and regulatory impediments.  Not to say the
    >technical things we are doing in CTI committee in Oasis isn't also
    >critical as it certainly is, but that if we only address the technical
    >side of this problem we won't achieve the risk mitigation benefits we all
    >desire.
    >
    >So at some level what do we think "engagement" means vs. "outreach"?
    >
    >-Mark
    >
    >
    >Mark Clancy
    >Chief Executive Officer
    >SOLTRA An FS-ISAC and DTCC Company
    >+1.813.470.2400 office
    >+1.610.659.6671 US mobile
    >+44 7823 626 535 UK mobile
    >mclancy@soltra.com
    >soltra.com
    >
    >One organization's incident becomes everyone's defense.
    >
    >________________________________________
    >From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of
    >Peter F Brown < peter@peterfbrown.com >
    >Sent: Tuesday, June 23, 2015 6:37 PM
    >To: tony@yaanatech.com ; Rich Struse
    >Cc: cti@lists.oasis-open.org
    >Subject: RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion
    >
    >+1
    >Also agree with comment in an earlier thread that this SC ought to have
    >engagement as a core focus rather than outreach - and that ought to be
    >reflected in the name of any proposed SC.
    >Regards,
    >Peter
    >
    >
    >


  • 36.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 07-02-2015 13:10
    Mark: A Maturity Model for the STIX/TAXII/CYBOX ecosystem is something I would support, too. It seems like it would be most suitable for Producers of STIX.... How many levels would you envision? What kind of certifying/auditing body would confirm achievement of certain levels? How would the Producers demonstrate features of maturity? I envision a Maturity Model along two dimensions for this ecosystem: qualitative and quantitative. Jane Ginn, MSIA, MRP Cyber Threat Intelligence Network, Inc. jg@ctin.us


  • 37.  Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 07-02-2015 20:35
    Apologies for not responding sooner to various posts. I've been on a family vacation behind the Great Firewall since the TC was established. Regarding a Maturity Model, I agree quantitative and qualitative measurements would be appropriate. I also think there is an opportunity with the Outreach SC to bring together the work that has been done up to date and coordinate the various people involved moving forward. You may have seen the list attached of STIX & TAXII implementations that we have actually reviewed and tested. I think with some additional level of object granularity (or an associated STIX profile) and a combination of the more qualitative aspects that Mitre has put forth, we could have a Maturity Model that is quite robust. And with a labeled "maturity level", it could be relatively straight forward. I'm happy to contribute the many hours that I and others at Soltra have put behind this effort and combine with other sources for the SC to carry on. More broadly, I feel the Outreach SC should be about all TC members contributing to encourage standards adoption and help drive maturity versus just a small group of appointed evangelists. Dave Eilken Soltra/ FS-ISAC VP Strategy From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Jane Ginn - jg@ctin.us <jg@ctin.us> Sent: Thursday, July 2, 2015 6:09 AM To: Joep Grommers; mclancy@soltra.com; Jerome Athias Cc: pallor@us.ibm.com; richard.struse@dhs.gov; cti@lists.oasis-open.org Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion   Mark: A Maturity Model for the STIX/TAXII/CYBOX ecosystem is something I would support, too. It seems like it would be most suitable for Producers of STIX.... How many levels would you envision? What kind of certifying/auditing body would confirm achievement of certain levels? How would the Producers demonstrate features of maturity? I envision a Maturity Model along two dimensions for this ecosystem: qualitative and quantitative.
Jane Ginn, MSIA, MRP Cyber Threat Intelligence Network, Inc. jg@ctin.us




  • 38.  Global context of the CTI work

    Posted 06-24-2015 19:41
    One of the more notable common themes after the third day of the cybersecurity workshop that brings together a broad swath of groups and sectors here at ETSI, is how cyber threat intelligence sharing is manifested as one of the most important needs by almost everyone. Whether it is telecommunications, mobile networks, Internet, IoT, cloud/virtual networks, critical infrastructure/cyberphysical systems, automobile IT...whatever - CTI is a core need going forward. It is, by the way, one of the two essential activities by the European Commission. The CTI TC challenge will be maintaining enough threads and bandwidth to engage with all the activities and groups at which it now sets in the center. --tony


  • 39.  Re: [cti] Global context of the CTI work

    Posted 06-25-2015 06:17
    Tony, I would completely agree. Even before attending ETSI security week I would also have said that CTI is right at the top of our priority list in the UK and with our colleagues in the US and Europe.  Happy to help where we can if bandwidth is a problem as this is of vital importance.  Thanks, Adam On Wednesday, June 24, 2015, Tony Rutkowski < tony@yaanatech.com > wrote: One of the more notable common themes after the third day of the cybersecurity workshop that brings together a broad swath of groups and sectors here at ETSI, is how cyber threat intelligence sharing is manifested as one of the most important needs by almost everyone. Whether it is telecommunications, mobile networks, Internet, IoT, cloud/virtual networks, critical infrastructure/cyberphysical systems, automobile IT...whatever - CTI is a core need going forward. It is, by the way, one of the two essential activities by the European Commission. The CTI TC challenge will be maintaining enough threads and bandwidth to engage with all the activities and groups at which it now sets in the center. --tony --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php -- Adam Cooper Identity Assurance Programme Government Digital Service 125 Kingsway, London,  WC2B 6NH Tel: 07973 123 038 official:  adam.cooper@digital.cabinet-office.gov.uk official sensitive: adam.cooper@govdigital.gsi.gov.uk Advance Warning of Annual Leave: 27th July to 31st July inclusive


  • 40.  RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-24-2015 15:28
    Mark I sent a note to Richard Struse on this very topic. You are entirely correct, in my judgment. It's one thing for moving a technical body through established vetting, credentialing, and maturing mechanisms. It's quite another for establishing buy-in and support for a structural change in the way society operates between the public and private spheres. In other words, if we want to "operationalize" information between the public and private sectors, we need Definition for What IS the public-private partnership?! In the US, the ISAO effort is moving in this direction, I believe. I also believe that the CTI TC and momentum will help drive the technical side of this broader challenge. The hard part, in my judgment, is changing the organizing challenge from a top-down (government led) to a bottom-up (private led) model. At the moment, there is insufficient awareness for this need, and near-zero perceived incentive for the private sector. Yet, from a CTI TC perspective, STIX/TAXII/CyBox adoption fails its commercialization success story if massive adoption through information sharing bodies doesn't materialize. In the US, there are certain structures (ISACs, coordinating councils, and soon ISAOs). So far, in my opinion, there isn't any sort of mobilization occurring to make such structures part of the societal consciousness. It's still early in their maturity (except, arguably, a few ISACs). I'd be very pleased to work on this effort, but again I believe it's a broader effort than just this CTI TC. Doug Douglas M. DePeppe Cyberlaw Attorney LLM, JD EosEdge Legal A Cyberlaw and Services Firm Cyberlaw at Catalyst Campus 559 E. Pikes Peak Ave. 
Suite 101 Colorado Springs, CO 80903 Direct 719.357.8025 c 703.283.2349 Skype ID: doug.depeppe www.eosedgelegal.com Conferencing: https://join.me/cybercloak My Homepage www.cyberjurist.net


  • 41.  RE: [cti] CTI-Outreach Sub-Committee Nominations/Discussion

    Posted 06-29-2015 20:49
    Sorry for replying to an old version of this thread, but this was the last message I could find discussing the topic of Co-Chairs for the Standards Adoption, Engagement and Outreach Sub-Committee.  I’m not sure if it’s needed to trigger a ballot, but I second the several proposals / motions to create this sub-committee.

    I’d like to throw one more hat in the ring, given the amount of time he’s spent doing exactly this job over the past few years:  David Eilken, who was our “evangelist” for the Security Automation Working Group (SAWG) and now works with the FS-ISAC and Soltra.

    If my count is right, these individuals have also been nominated:

    - Joep Gommers
    - Patrick Maroney
    - Tony Rutkowski

    Thanks,
    Alex

    From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Patrick Maroney Sent: Monday, June 22, 2015 1:44 PM To: Eric Burger; cti@lists.oasis-open.org Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion   Not looking to put Joep or myself out of a job, but want to nominate Tony Rutkowski as a good candidate to co-chair the yet to be named Outreach & Engagement SC. Patrick Maroney Office: (856)983-0001 Cell: (609)841-5104 pmaroney@specere.org From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Eric Burger < Eric.Burger@georgetown.edu > Sent: Monday, June 22, 2015 10:21:53 AM To: cti@lists.oasis-open.org Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion   I think it’s great to have Joep and Patrick lead this effort. I would be glad to help, but NOT in a leadership role.   On Jun 19, 2015, at 12:45 PM, Joep Gommers < joep@INTELWORKS.COM > wrote:   Would love to team up @Patrick! Sent from my iPhone On 19 Jun 2015, at 18:16, Jordan, Bret < bret.jordan@bluecoat.com > wrote: You and Joep will be great on this effort.
Bret  Sent from my Commodore 64 On Jun 19, 2015, at 10:11 AM, Patrick Maroney < Pmaroney@Specere.org > wrote: I graciously accept the nomination on proviso that everyone is patient until such time as I can safely remove my OASIS "training wheels". I'm not confident that I am sufficiently competent in OASIS processes and procedures, but have a number of  highly qualified Mentors to guide me.  Please free to do so as well when/if I stumble. Patrick Maroney Office: (856)983-0001 Cell: (609)841-5104 pmaroney@specere.org From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Terry MacDonald < terry.macdonald@threatloop.com > Sent: Friday, June 19, 2015 7:45:53 AM To: Joep Gommers Cc: jg@ctin.us ; cti@lists.oasis-open.org Subject: Re: [cti] CTI-Outreach Sub-Committee Nominations/Discussion   I would officially like to nominate the creation of the Outreach Sub-committee, for discussion at the next CTI TC meeting. I think having a group dedicated to evangelizing STIX/TAXII and CybOX and finding how we can best integrate with other work being performed by other groups around the world would be substantially beneficial.   I would like to second Patrick as co-chair for the community outreach sub-committee if one is formed. He always has such a broad vision, identifying ways that STIX / TAXII and CybOX could integrate cohesively with others efforts. I think he is a great candidate.   I would also like to nominate Joep Gommers as co-chair for this sub-committee (if it eventually exists). Joep and his team have provided the community with free libraries to encourage the creation of tools. He has taken every opportunity to help increase awareness of STIX/TAXII/CybOX within the security community within Europe, and his selection would help give the committee some international flavour.   
Cheers Terry MacDonald STIX, TAXII, CybOX Consultant   M: +61-407-203-026 E:  terry.macdonald@threatloop.com W:  www.threatloop.com     Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.   On 19 June 2015 at 19:51, Joep Gommers < joep@intelworks.com > wrote: I would be comfortable committing either time and resource as a member or a chair/co-chair for this committee: - Large network and reach in Europe, which is our main focus and needs a lot of work for STIX/TAXII - Passionate about compatibility and the community we need to create around it (certifications, tooling, summer of code, etc.) - Been- and will be evangelizing STIX/TAXII across the intel supply and tech vendor space J- On 6/18/15, 10:41 PM, " jg@ctin.us " < jg@ctin.us > wrote:
    >
    >CTI-TC:
    >
    >During the Thursday, June 18 call there was a suggestion that we form
    >a Sub-Committee for outreach, specifically to the international
    >community.  Later, after the call another suggestion was made for a
    >Sub-Committee specifically for ISAO-Outreach.
    >
    >Here is a thread we can use for nominations and discussions on this topic.
    >
    >Jane Ginn
    >CTIN