CTI STIX Subcommittee


Proposal - Change Report Object

  • 1.  Proposal - Change Report Object

    Posted 07-27-2015 14:57
    In STIX 2.0 I would like to propose that we change the Report Object to contain just references to the objects that it is binding. I do not want to see it contain data itself.

    [soap box]
    We need one way of doing things and the current data-model of STIX, while beautiful, makes writing a decision tree in code for some arbitrary data in a STIX package nearly impossible.
    [/soap box]

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."


  • 2.  Re: Proposal - Change Report Object

    Posted 07-27-2015 15:01
    +1 This was one of the original proposals for the report object.

    Aharon Chernin
    CTO
    SOLTRA
    An FS-ISAC & DTCC Company
    18301 Bermuda Green Dr
    Tampa, FL 33647
    813.470.2173
    achernin@soltra.com
    www.soltra.com


  • 3.  RE: Proposal - Change Report Object

    Posted 07-27-2015 15:01
    Bret,

    How would this redesign of the report object align with your vision for a top level relationship object?

    Jon

    ============================================
    Jonathan O. Baker
    J83D - Cyber Security Partnerships, Sharing, and Automation
    The MITRE Corporation
    Email: bakerj@mitre.org


  • 4.  Re: Proposal - Change Report Object

    Posted 07-27-2015 15:14
    +100, Bret!

    Cheers,
    Trey
    --
    Trey Darley
    Senior Security Engineer
    Soltra An FS-ISAC & DTCC Company
    www.soltra.com


  • 5.  Re: [cti-stix] Re: Proposal - Change Report Object

    Posted 07-27-2015 16:01
    I also +1 this if we are counting votes.

    -
    Jason Keirstead
    Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown


  • 6.  Re: [cti-stix] Re: Proposal - Change Report Object

    Posted 07-27-2015 16:08
    I'm going to throw out there that we should make ALL relationships between top-level constructs reference only. That would include Report, but also things like TTPs in Indicators, etc.









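The reference-only design Bret proposes for Report and John extends to all top-level relationships, as an added example that is neither code from this thread nor from any STIX project: a constructed STIX 2.x-style bundle in which a report binds its contents by id only, plus the single traversal rule (follow every key ending in `_ref` or `_refs`) that resolves the report without a per-object-type decision tree, reports dangling references instead of failing, and lints for inline embedding. The field names `object_refs`, `source_ref` and `target_ref` follow what the STIX 2.x specification later adopted; the ids, names, the use of an attack-pattern object to stand in for the TTP mentioned in the thread, and the helper functions are this example's own assumptions.

```python
"""Reference-only report resolution (added example; constructed data)."""
from collections import deque

# Constructed ids: the UUID parts are invented for this example.
REPORT_ID = "report--00000000-0000-4000-8000-000000000010"
INDICATOR_ID = "indicator--00000000-0000-4000-8000-000000000020"
TTP_ID = "attack-pattern--00000000-0000-4000-8000-000000000030"
REL_ID = "relationship--00000000-0000-4000-8000-000000000040"

# Constructed bundle: the report binds objects by id only, and the
# indicator-to-TTP link is a separate relationship object, not inline data.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "report", "id": REPORT_ID, "name": "Constructed campaign report",
         "object_refs": [INDICATOR_ID, REL_ID]},
        {"type": "indicator", "id": INDICATOR_ID, "name": "Constructed C2 domain",
         "pattern": "[domain-name:value = 'c2.example.invalid']"},
        {"type": "attack-pattern", "id": TTP_ID, "name": "Constructed spearphishing TTP"},
        {"type": "relationship", "id": REL_ID, "relationship_type": "indicates",
         "source_ref": INDICATOR_ID, "target_ref": TTP_ID},
    ],
}


def index_objects(bundle):
    """Map id -> object. A duplicate id is an error, never silently resolved."""
    index = {}
    for obj in bundle.get("objects", []):
        if obj["id"] in index:
            raise ValueError(f"duplicate id in bundle: {obj['id']}")
        index[obj["id"]] = obj
    return index


def referenced_ids(obj):
    """Ids an object points at. With reference-only relationships this single
    rule (keys ending in _ref / _refs) is the entire traversal logic, whatever
    the object type; no per-type decision tree is needed."""
    ids = []
    for key, value in obj.items():
        if key.endswith("_ref") and isinstance(value, str):
            ids.append(value)
        elif key.endswith("_refs") and isinstance(value, list):
            ids.extend(v for v in value if isinstance(v, str))
    return ids


def resolve_report(bundle, report_id):
    """Return (resolved, dangling): objects reachable from the report's refs in
    breadth-first order, and ids that nothing in the bundle defines. Dangling
    refs are reported rather than fatal: with reference-only binding the target
    may legitimately arrive in a later package, so a consumer must neither
    crash nor guess."""
    index = index_objects(bundle)
    report = index.get(report_id)
    if report is None or report.get("type") != "report":
        raise KeyError(f"no report object with id {report_id}")
    resolved, dangling, seen = [], [], {report_id}
    queue = deque(report.get("object_refs", []))
    while queue:
        oid = queue.popleft()
        if oid in seen:
            continue  # cycle and duplicate protection
        seen.add(oid)
        obj = index.get(oid)
        if obj is None:
            dangling.append(oid)
            continue
        resolved.append(obj)
        queue.extend(referenced_ids(obj))
    return resolved, dangling


def inline_violations(bundle):
    """Lint for the rule proposed in the thread: a top-level object must not
    embed another identifiable object (a dict carrying type and id) inline."""
    violations = []
    for obj in bundle.get("objects", []):
        for key, value in obj.items():
            items = value if isinstance(value, list) else [value]
            for item in items:
                if isinstance(item, dict) and "type" in item and "id" in item:
                    violations.append((obj["id"], key, item["id"]))
    return violations


if __name__ == "__main__":
    resolved, dangling = resolve_report(SAMPLE_BUNDLE, REPORT_ID)
    for obj in resolved:
        print(f"resolved {obj['type']:<15} {obj['id']}")
    print("dangling:", dangling)
    print("inline violations:", inline_violations(SAMPLE_BUNDLE))
```

Drop the attack-pattern object from the bundle and `resolve_report` still returns the indicator and relationship, with the missing TTP id listed as dangling rather than raising.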

  • 7.  Re: [cti-stix] Proposal - Change Report Object

    Posted 07-27-2015 16:20
    I could go with that...

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."


  • 8.  Re: [cti-stix] Proposal - Change Report Object

    Posted 07-27-2015 16:29
    In general, I favor referencing over inline. The only thing I haven't put much thought on is how I feel about requiring referencing when doing something like composite indicators.

    Aharon Chernin
    CTO
    SOLTRA
    An FS-ISAC & DTCC Company
    18301 Bermuda Green Dr
    Tampa, FL 33647
    813.470.2173
    achernin@soltra.com
    www.soltra.com


  • 9.  Re: [cti-stix] Proposal - Change Report Object

    Posted 07-27-2015 16:34
    Agreed. We need to talk through this and think about it. We need to weigh the value of it and its complexity and impossibility to implement, versus something much easier to understand and easier to implement.

    Some of the existing constructs in STIX I think need to be dropped and replaced in whole with something easier to understand and use. Composite indicators might be one of those cases, but I have not spent enough time thinking about them yet. Too focused on other areas that are hemorrhaging.

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."


  • 10.  Re: [cti-stix] Proposal - Change Report Object

    Posted 07-27-2015 16:41
    FWIW this would potentially be overcome by the top-level relationship construct. Though, for things like indicator composition and the observable within an indicator you would probably not use that construct.

    Aharon and Sean, how do you want to handle these types of discussions to work towards a decision? I know on the MITRE lists we would have these discussions and they would sometimes kind of peter out without a solid consensus. Any thoughts on how to avoid that here?

    John

  • 11.  Re: [cti-stix] Proposal - Change Report Object

    Posted 07-27-2015 16:49
    I have a call with Sean later today. We will discuss and post back to the list.

    Aharon Chernin
    CTO
    SOLTRA
    An FS-ISAC & DTCC Company
    18301 Bermuda Green Dr
    Tampa, FL 33647
    813.470.2173
    achernin@soltra.com
    www.soltra.com


  • 12.  Re: [cti-stix] Proposal - Change Report Object

    Posted 07-28-2015 13:22
    The conversations can occur in the mailing lists as long as people like. However, at some point the conversations should be logged as issues in the GitHub issue trackers so that we don't lose track and let the item peter out. Anyone can open the issue, but we may want to create a more sustainable process long term.

    Aharon Chernin
    CTO
    SOLTRA
    An FS-ISAC & DTCC Company
    18301 Bermuda Green Dr
    Tampa, FL 33647
    813.470.2173
    achernin@soltra.com
    www.soltra.com


  • 13.  Re: [cti-stix] Proposal - Change Report Object

    Posted 07-28-2015 13:26
    The problem I have with the GitHub trackers is there is no way to vote on anything. You can log an issue and comment... that is about it. There is no way for prioritization to take place. Does the OASIS wiki have voting support like MediaWiki? I'd really like to have some type of voting or star-type system on issues that are logged. This has always been one of my largest gripes against GitHub.

    - Jason Keirstead
    Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security
    www.securityintelligence.com
    Without data, all you are is just another person with an opinion - Unknown

    From: Aharon Chernin <achernin@soltra.com>
    To: "Wunder, John A." <jwunder@mitre.org>, "Jordan, Bret" <bret.jordan@bluecoat.com>
    Cc: Jason Keirstead/CanEast/IBM@IBMCA, Trey Darley <trey@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Date: 2015/07/28 10:21 AM
    Subject: Re: [cti-stix] Proposal - Change Report Object

    The conversations can occur in the mailing lists as long as people like. However, at some point the conversations should be logged as issues in the GitHub issue trackers so that we don't lose track and let the item peter out. Anyone can open the issue, but we may want to create a more sustainable process long term.

    Aharon Chernin
    CTO, SOLTRA, An FS-ISAC & DTCC Company
    18301 Bermuda Green Dr, Tampa, FL 33647
    813.470.2173
    achernin@soltra.com
    www.soltra.com


  • 14.  RE: [cti-stix] Proposal - Change Report Object

    Posted 07-27-2015 16:29
    I think this is the latest write-up we have on this issue on the GitHub schema project:

    https://github.com/STIXProject/schemas/issues/291

    Making this change to STIX (including John Wunder's suggestion) would help flatten many of our heavily nested structures and quickly remove one source of the "too many ways to do things" problem.

    Thanks,
    Jon

    ============================================
    Jonathan O. Baker
    J83D - Cyber Security Partnerships, Sharing, and Automation
    The MITRE Corporation
    Email: bakerj@mitre.org

    From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jordan, Bret
    Sent: Monday, July 27, 2015 12:20 PM
    To: Wunder, John A. <jwunder@mitre.org>
    Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>; Trey Darley <trey@soltra.com>; cti-stix@lists.oasis-open.org
    Subject: Re: [cti-stix] Proposal - Change Report Object

    I could go with that...

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems

    On Jul 27, 2015, at 10:07, Wunder, John A. <jwunder@mitre.org> wrote:

    I'm going to throw out there that we should make ALL relationships between top-level constructs reference only. That would include Report, but also things like TTPs in Indicators, etc.
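    The reference-only Report argued for in this thread is the shape STIX 2.x eventually adopted: the Report object carries an `object_refs` list of identifiers, and the objects it binds travel next to it in a bundle. The following is an added example, not code from the thread or from the STIX project, of what the consuming side looks like under that model and the one check it needs. Binding resolves to a lookup in an id index instead of the decision tree over nested structures that Bret describes, and the new failure mode is a reference that does not resolve: dangling, malformed, or pointing at an object whose `type` disagrees with the id prefix. The bundle, its identifiers and the `index_bundle`/`resolve_report` names are all constructed for this example.

```python
"""Resolving a reference-only STIX Report against its bundle.

Added example, not code from this thread or the STIX project. It assumes the
shape STIX 2.x adopted: a Report lists the ids of the objects it binds in
`object_refs`, and those objects travel next to it in a bundle. BUNDLE is
constructed sample data with made-up identifiers.
"""
import re
from typing import Dict, List, Tuple

# STIX 2.x identifier: <object-type>--<UUID>
STIX_ID = re.compile(
    r"^[a-z][a-z0-9-]{2,249}--"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

BUNDLE = {
    "type": "bundle",
    "id": "bundle--1d8f3a2c-4b5e-4f6a-8b7c-9d0e1f2a3b4c",
    "objects": [
        {
            "type": "report",
            "id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
            "modified": "2015-07-27T14:57:00.000Z",
            "name": "Reference-only report example",
            # The report carries no object bodies, only ids.
            "object_refs": [
                "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
                "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
                "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad",
                # Dangling on purpose: no object in the bundle has this id.
                "threat-actor--56f3f0db-b5d5-4d74-b8a7-3b2e6a0f61f2",
                # Malformed on purpose: not <type>--<UUID>.
                "indicator-1234",
            ],
        },
        {
            "type": "indicator",
            "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
            "modified": "2015-07-27T14:00:00.000Z",
            "pattern": "[domain-name:value = 'example.invalid']",
        },
        {
            "type": "malware",
            "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
            "modified": "2015-07-27T14:00:00.000Z",
            "name": "example dropper",
        },
        {
            "type": "relationship",
            "id": "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad",
            "modified": "2015-07-27T14:00:00.000Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
            "target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
        },
    ],
}


def index_bundle(bundle: dict) -> Dict[str, dict]:
    """Map id -> object; if an id appears in several versions, keep the latest `modified`."""
    index: Dict[str, dict] = {}
    for obj in bundle.get("objects", []):
        oid = obj.get("id")
        if not isinstance(oid, str):
            continue  # nothing can reference an object that has no id
        current = index.get(oid)
        if current is None or obj.get("modified", "") >= current.get("modified", ""):
            index[oid] = obj
    return index


def resolve_report(bundle: dict, report_id: str) -> Tuple[List[dict], List[str], List[str]]:
    """Return (objects in object_refs order, dangling refs, malformed refs).

    A ref also counts as dangling when its type prefix disagrees with the
    `type` of the object it resolves to, since one of the two is then wrong.
    """
    index = index_bundle(bundle)
    report = index.get(report_id)
    if report is None or report.get("type") != "report":
        raise KeyError(f"no report with id {report_id!r} in bundle")
    resolved, dangling, malformed = [], [], []
    for ref in report.get("object_refs", []):
        if not isinstance(ref, str) or not STIX_ID.match(ref):
            malformed.append(ref)
            continue
        target = index.get(ref)
        if target is None or ref.split("--", 1)[0] != target.get("type"):
            dangling.append(ref)
            continue
        resolved.append(target)
    return resolved, dangling, malformed
```

    Calling `resolve_report(BUNDLE, "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3")` returns the indicator, malware and relationship in the order the report lists them, flags the threat-actor id as dangling and `indicator-1234` as malformed. The same id index serves the `source_ref` and `target_ref` on the relationship object, which is what John Wunder's "all relationships between top-level constructs reference only" amounts to on the consuming side: one lookup table, one resolution routine, and a single place to decide what to do when a reference does not resolve.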