CTI STIX Subcommittee

  • 1.  Mind Mapping

    Posted 07-12-2016 07:44
    Hi,

    Sometimes I let my mind do stuff while listening to the Ravel Bolero...

    @CTI: Attached is a (not-perfect) high-level asset-centric mind map

    @SACM: A Software is an Asset, so here identified by a synthetic-id. Also a Software is composed of software components...

    Best regards

    Refs:
    http://www.frhack.org/research/xorcism.php
    https://en.wikipedia.org/wiki/Bol%C3%A9ro

    Attachment: ASSET-MM-J-ATHIAS.png
    Description: PNG image


  • 2.  Re: [sacm] Mind Mapping

    Posted 07-12-2016 14:13
    In a rapidly emerging NFV world with service function chaining and network slicing, much of this mind map changes, no?

    Arguably, one of SACM's major deficiencies is its being grounded in a legacy world that is fast disappearing.

    --tony

    Anthony Michael Rutkowski
    EVP, Industry Standards & Regulatory Affairs
    tony@yaanatech.com
    +1 703 999 8270
    Yaana Technologies LLC
    542 Gibraltar Drive
    Milpitas CA 95035 USA


  • 3.  Re: [sacm] Mind Mapping

    Posted 07-12-2016 15:21
    I get your point on NFV. Yes and No.

    The tool used for this map (FreeMind), from what I currently know of it, doesn't allow recursive arrows/relationships. (a lot are missing, but meantime would make the map messy)

    I would envision that Service/API under "Automaton/Service" would basically 'do the job'. (you could also move "physical/logical/virtual" to "Automaton/System/Service"...)

    Feel free to produce your own abstracted mind map of the cyberspace... (and listen to Three Little Birds :p)

    PS: Ref. the "synthetic-id" concept, if my memory is ok, comes from Asset Identification https://scap.nist.gov/specifications/ai/

    NB: Sean Barnum 'documented' a similar concept, called "identifiers construct" (see i.e. https://stixproject.github.io/getting-started/whitepaper/ ) (what was lost in github issues...)


  • 4.  Re: [cti-stix] Re: [sacm] Mind Mapping

    Posted 07-12-2016 16:07
    I still feel quite strongly that any model which derives Threat Actors from Assets is going to lose most everyone. It is simply not how the CTI space conceptualizes an Asset.

    As to the remainder of the model - our own normalized Asset model that contains most of the objects being discussed, has over 55 entities in it, so there is much more complexity here. I am not sure I can actually share a diagram of our data model at a high level... I will look into this.

    - Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security
    www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown


  • 5.  Re: [cti-stix] Re: [sacm] Mind Mapping

    Posted 07-14-2016 16:02
    Hi all - after getting the OK, I have created a high level overview of our own internal data model (extracted from a relational database then edited) of assets and vulnerability instances based on how it is modeled in our own software. I do this not to prescribe - but to attempt to inform the conversation - as to some of the things that may need to be considered when modeling IT assets.

    Some caveats:

    - I have purposefully deleted many other references to object types (mostly surrounding vulnerabilities and scanning) that I don't think are relevant to the STIX conversation at this point
    - The "xref" intermediary objects obviously would not exist in STIX, as they aren't required in a true graph model. However they make the model easier to understand so I left them in there.
    - There are obviously many more things to be considered than exist here, as the below is currently IPv4/IPv6 centric (not yet taking into account mobile as an example).

    Explained in prose:

    - An IT asset may have affiliated with it one or more product variants. A product variant is a specific instance of a product, which may be either an operating system instance or an application instance or a firmware instance.
    - Those product variants may have one or more vulnerabilities affiliated with them.
    - The asset also has a series of hardware interfaces, each of which has a series of one or more IP addresses (this is where the model needs to extend to include other Layer 3 protocols beyond IP).
    - The address and interface combination may be affiliated with product variant instances via open TCP or UDP ports, each of which may or may not have affiliated vulnerabilities exposed on those specific instances of the ports.
    - The asset may also have a series of affiliated users, which may have one or more account aliases.
      ** At this point, all of User Identity modeling may come into play.
    - The asset may also be present in one or more logical asset groupings (i.e. NetBIOS group, LDAP group, etc).

    - Jason Keirstead
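
The relationships listed in prose in message 5, as an added example that is not part of the thread and not the poster's actual data model: ports link an interface/address pair directly to a product variant (no "xref" objects), and a traversal separates vulnerabilities exposed on an open port from those only present on the asset. All class names, field names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ProductVariant:              # one OS, application or firmware instance
    name: str
    kind: str                      # "os" | "application" | "firmware"
    vulns: frozenset = frozenset() # vulnerabilities affiliated with the variant

@dataclass(frozen=True)
class OpenPort:                    # ties (interface, address) to a product variant
    proto: str                     # "tcp" | "udp"
    number: int
    variant: ProductVariant
    exposed: frozenset = frozenset()   # vulns reachable on this specific port

@dataclass
class Asset:
    name: str
    variants: list
    interfaces: dict = field(default_factory=dict)  # iface -> {ip: [OpenPort]}
    users: dict = field(default_factory=dict)       # user -> [account aliases]
    groups: list = field(default_factory=list)      # logical asset groupings

def exposure(asset):
    """Return (network-exposed vulns with their locations, local-only vulns)."""
    exposed = {}
    for iface, addrs in asset.interfaces.items():
        for ip, ports in addrs.items():
            for p in ports:
                # A port must point at a variant of this asset, and may only
                # expose vulnerabilities that variant actually carries.
                if p.variant not in asset.variants or not p.exposed <= p.variant.vulns:
                    raise ValueError(f"inconsistent port {p.proto}/{p.number} on {ip}")
                for v in p.exposed:
                    exposed.setdefault(v, []).append((iface, ip, p.proto, p.number))
    known = set().union(*(pv.vulns for pv in asset.variants))
    return exposed, sorted(known - set(exposed))

# Constructed sample data: names, addresses and vulnerability ids are placeholders.
os_ = ProductVariant("ExampleOS 1.0", "os", frozenset({"VULN-OS-1"}))
web = ProductVariant("ExampleHTTPd 2.4", "application",
                     frozenset({"VULN-WEB-1", "VULN-WEB-2"}))
ASSET = Asset(
    name="srv-01",
    variants=[os_, web],
    interfaces={"eth0": {
        "192.0.2.10": [OpenPort("tcp", 443, web, frozenset({"VULN-WEB-1"}))],
        "2001:db8::10": [OpenPort("tcp", 443, web, frozenset({"VULN-WEB-1"}))],
    }},
    users={"alice": ["alice@example.test", "EXAMPLE\\alice"]},
    groups=["ldap:web-servers"],
)
```

Calling `exposure(ASSET)` reports where each exposed vulnerability is reachable, which is the per-port distinction the fourth bullet of the prose model draws.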