OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Taking a step back to gain some perspective

    Posted 12-10-2015 07:35
    Hi, everybody -

    Two seemingly opposing camps have emerged within our community. For lack of better terminology (and with no offense intended to either side) I'd call these the ontology and messaging tribes. There seems to be a natural human tendency to focus on our differences. I sometimes think if there were only two people left alive on an island after some apocalyptic event, in short order they'd find cause for war between them.

    Let's take a step back and consider what problem we're actually trying to solve here.

    The entire internet is rickety. Say you're out on a hike and need to cross a stream. You step gingerly from one stone to another, carefully testing each next step before shifting your entire center of gravity to the next stone. As a civilization, we've managed to place our center of gravity on an unsteady rock called the internet and there's no going back. The attackers currently have the advantage. This is the situation we confront.

    The ultimate goal of information-sharing is to build herd immunity. We can't possibly find all the software bugs faster than the attackers can, much less patch them in time. Given that, the best we can do right now on the defender side is to work together to build a sort of immune system for the internet.

    Now we all come to this community with our own prejudices, based on our respective professional experiences and the various sectors we represent. But while on the microscopic scale it may appear that our goals are divergent, on the macro level I would argue that our goal is unified: to pass on to the next generation a world in which our children can put money in their savings account and sleep soundly, confident that it will be there the next morning, a world in which our children can board a plane with some assurance that hackers won't make it fall out of the sky, and a world in which the normative nation state relationships aren't thrust back a century due to the inability of our culture to keep pace with technological development.

    My hope is that we can move beyond our apparent differences to take a meaningful, purposeful step in this direction. Our legacy is ultimately not just a data model or another internet protocol but a safer world.

    --
    Cheers,
    Trey
    --
    Trey Darley
    Senior Security Engineer
    4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
    Soltra An FS-ISAC & DTCC Company
    www.soltra.com
    --
    "One size never fits all." --RFC 1925


  • 2.  Re: [cti] Taking a step back to gain some perspective

    Posted 12-10-2015 08:44
    I would recommend to define different Working Groups (WG)


  • 3.  RE: [cti] Taking a step back to gain some perspective

    Posted 12-10-2015 12:39
    This is great Trey, thank you. Not being around this group when all of this first started (long before OASIS took it), I kind of assumed this sort of exercise had already happened, as I'm not sure how the group can be productive without it. How can you march in one direction without any sort of charter? It sounds to me like your statement below is the executive summary, and now we need to define what the major areas are that make that happen. We need the 3 to 5 areas that will make for a safer internet (as you describe below). Those should become our "bill of rights" so to speak,


  • 4.  Re: [cti] Taking a step back to gain some perspective

    Posted 12-10-2015 12:44
    All -

    Just to be clear, I do *not* underestimate the challenges confronting us in the infosec space *nor* am I claiming that information-sharing is the silver bullet that will save the world. Nor do I take it as a given that our common project will ultimately prove successful in making a substantial impact.

    But I *do* firmly maintain that when you look beyond the issues that currently divide our community, there is a common goal of trying to make the internet more secure and thereby make the world a safer place. The extent to which we're able to come together in spite of our differences and build upon what unites us in order to forge ahead with renewed vigor is the overwhelming factor that will determine the fate of our project and what sort of legacy we leave behind.

    We confront some hard problems. But we're a resilient species and have proven time and again that when the chips are down, we can pull together to achieve the seemingly impossible. Let us not lose heart, nor allow our momentum to be deflected by ego or tribalism.

    As someone who's emerged as something of a polarizing figure in the messaging tribe, let me be clear: I'm extending an olive branch. We're all fighting for the same cause. We can do this together.

    --
    Cheers,
    Trey
    --
    Trey Darley
    Senior Security Engineer
    4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
    Soltra An FS-ISAC & DTCC Company
    www.soltra.com
    --
    "There's never enough time. Thank you for yours." --Dan Geer


  • 5.  RE: [cti] Taking a step back to gain some perspective

    Posted 12-10-2015 14:36
    Trey,

    I couldn't agree with you more – thank you for this. The past few months have been a period of adjustment and change for this community and in the midst of all that it is sometimes easy for us to lose sight of the bigger picture.

    Since mid-June - basically five short months ago - we have accomplished the following:

    1. Created a brand-new TC within OASIS that is now the largest in OASIS history
    2. Successfully transitioned STIX, TAXII and CybOX to the TC and instituted an entirely new governance model
    3. Executed on the work program identified as phase 1 in the TC charter – codifying the existing specifications as OASIS standards
    4. Begun the very hard work of figuring out what we want the next major releases of STIX, TAXII and CybOX to look like

    These are not insignificant achievements. I believe that most of the friction we have seen as of late is due to genuine passion to solve the parts of the problem that we can through cyber threat intelligence combined with a sense of urgency that the world isn’t standing still as we figure out where we need to go. I for one would much rather have a TC where many passionate voices express their strongly-held beliefs than the alternative – no passion or energy at all. However, it is critically important that these conversations be as cordial and professional as possible, otherwise we risk turning differences of opinion into just plain differences. Your olive branch is therefore much appreciated and hopefully will serve as an inspiration for all of us in this community.

    Thank you to everyone in this community for your time, energy and insights as we work to make STIX, TAXII and CybOX the best we possibly can. As Trey pointed out, the challenges we face in cybersecurity demand nothing less.

    Regards,
    Rich


  • 6.  Re: [cti] Taking a step back to gain some perspective

    Posted 12-10-2015 15:38
      |   view attached


  • 7.  Re: [cti] Taking a step back to gain some perspective

    Posted 12-10-2015 14:59
    I wholeheartedly agree with Trey’s sentiments here. We have a common foe and we all fight for the same purpose and principles. In everything we do I encourage us all to look for our common ground and to seek options and solutions that address our own concerns without excluding or ignoring the concerns of others. This may involve lively debate at times but in the end should be convergent rather than divergent. I truly believe it is possible to find such consensus solutions. They may not always give everyone 100% of what they desire but they should ideally include all perspectives and offer best value to the community as a whole. In the interests of community consensus and progress I will extend a similar olive branch and agree to halt my personal efforts to lobby towards JSON-LD as an official decision for the time being. sean


  • 8.  Re: [cti] Taking a step back to gain some perspective

    Posted 12-10-2015 16:17
    Well said Trey, and I too offer an olive branch.  Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.


  • 9.  Re: [cti] Taking a step back to gain some perspective

    Posted 12-10-2015 19:38
    +100%... Thanks for the visual Jerome. Jane Ginn, MSIA, MRP Cyber Threat Intelligence Network, Inc. jg@ctin.us