CTI STIX Subcommittee

  • 1.  REMINDER: Today's STIX SC mtg is at 4:00 pm Eastern (NOT at 2:00pm Eastern)

    Posted 11-18-2015 18:56





    Everyone,


    Please be aware that today’s STIX SC call will be at 4:00pm Eastern.
    For some reason the incorrect invite for 2:00pm is still hanging around. I have killed it several times but it keeps coming back.
    We apologize for the confusion and will continue to try to kill it.


    Thanks,


    sean










  • 2.  next versions, frontiers, and roadmaps

    Posted 11-20-2015 12:10
    Hi Sean, One of the areas of growing importance that oddly seems missing is some focus on applying STIX and the subtending capabilities to virtualization/NFV environments. Seems worth adding it as a bullet somewhere. Meanwhile, folks in the virtualization/NFV communities can fit STIX into their work items. --tony


  • 3.  Re: [cti-stix] next versions, frontiers, and roadmaps

    Posted 11-20-2015 12:17
    On 20.11.2015 07:09:31, Tony Rutkowski wrote:
    >
    > One of the areas of growing importance that oddly seems missing is
    > some focus on applying STIX and the subtending capabilities to
    > virtualization/NFV environments. Seems worth adding it as a bullet
    > somewhere.
    >

    Good eye, Tony! Just yesterday Ivan and I were going through the CybOX objects and aligning them to use cases. We observed that (embarrassingly) despite all the mobile malware out there, CybOX utterly fails to address this. Likewise, we take your comment about the need to address virtualization on board and will incorporate that into our planning.

    Great feedback, Tony, keep it coming!!!

    --
    Cheers,
    Trey

    --
    Trey Darley
    Senior Security Engineer
    4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
    Soltra An FS-ISAC & DTCC Company
    www.soltra.com
    --
    "It Has To Work." --RFC 1925


  • 4.  Re: [cti-stix] next versions, frontiers, and roadmaps

    Posted 11-20-2015 12:57
    Hi Trey,

    As mentioned in a note at yesterday's meeting, the GSMA Fraud and Security Group (FASG) has two extremely active provider-vendor subgroups that deal with both device security and mobile malware. (The GSMA is the London-based principal global organization of mobile providers.) Typically threats are reported to them confidentially at about the same point as the vendor is contacted and CVEs are created, or somebody pops up at DEVCON, CCC, etc. GSMA has long planned to create within itself a structured means for exchanging this information.

    There are two crossovers with the NFV/virtualization security world. One is via 3GPP SA5 and SA3 into the ISG NGV security group. Another is into the ISG MEC group. The former is converting the mobile infrastructure to NFV. The latter is adding Mobile Edge Computing data centers into the infrastructure. (Think cable TV headends.) Already, NFV SEC has several work items that are effectively "STIX ready."

    The GSMA material is unfortunately not publicly available, but there are several ways to get around that. The NFV and MEC material can be found off the ETSI secretariat portal.

    https://portal.etsi.org/tb.aspx?tbid=789&SubTB=789,832,831,801,798,799,802,828
    https://portal.etsi.org/tb.aspx?tbid=826&SubTB=826,835

    --tony

    On 2015-11-20 7:16 AM, Trey Darley wrote:
    > On 20.11.2015 07:09:31, Tony Rutkowski wrote:
    > > One of the areas of growing importance that oddly seems missing is
    > > some focus on applying STIX and the subtending capabilities to
    > > virtualization/NFV environments. Seems worth adding it as a bullet
    > > somewhere.
    >
    > Good eye, Tony! Just yesterday Ivan and I were going through the CybOX objects and aligning them to use cases. We observed that (embarrassingly) despite all the mobile malware out there, CybOX utterly fails to address this. Likewise, we take your comment about the need to address virtualization on board and will incorporate that into our planning.
    >
    > Great feedback, Tony, keep it coming!!!


  • 5.  Re: [cti-stix] next versions, frontiers, and roadmaps

    Posted 11-20-2015 13:39
    On 20.11.2015 07:56:46, Tony Rutkowski wrote: > > etc. GSMA has long planned to create within itself > a structured means for exchanging this information. > Hi, Tony - Ivan and I are trying to be strategic in our CybOX 3.0 work. We want to get a vastly improved work product out the door ASAP, then pivot into working on more specific use cases in subsequent point releases. Put another way, we envisage CybOX 3.0 including a refactored Core (ie, the datatypes CybOX objects are built upon) and a good swath of the current CybOX objects (including those people are actually using today and some that people probably *would* use if the objects structures were easier to work with.) But then you might see something like: * CybOX 3.1 - network forensics focused * CybOX 3.2 - endpoint forensic focused * CybOX 3.3 - mobile focused * CybOX 3.4 - virtualization focused The idea being that for each of these narrower use cases, we would assemble a group of subject matter experts from the communities of interest to help us go deeply into domains that are outside Ivan and my areas of specialization. In the case of mobile, we'll go ahead and reach out to the GSMA Fraud and Security Group to get them on board. In the case of virtualization, ditto the NFV SEC. Tony, would you be so kind as to make the appropriate introductions on behalf of Ivan and myself? Again, just to set realistic expectations, we're trying not to bite off more than we can chew at the moment, but we definitely want to flesh out these additional use cases ASAP. -- Cheers, Trey -- Trey Darley Senior Security Engineer 4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430 Soltra An FS-ISAC & DTCC Company www.soltra.com -- "There are only two hard things in Computer Science: cache invalidation and naming things." --Phil Karlton Attachment: signature.asc Description: PGP signature