CTI STIX Subcommittee

  • 1.  Moving STIX 1.X Forward

    Posted 10-09-2015 21:34
    Hello all. One thing that has become apparent during the past month of debate - STIX 2.0, no matter what it may end up being - is going to be quite a ways off before ratification as a standard. There are a lot of problems to solve and a lot more debate to be had, and this is going to most certainly take time. However, I am growing a bit concerned that, while all this fantastic debate has been going on - we are neglecting many real-world important deficiencies in the STIX 1.X lineage.

    I am referring to a number of non-breaking enhancements to STIX that have been discussed back-and-forth on the OASIS and MITRE lists for almost a year.

    - The need for a new trust-model based marking standard that either significantly enhances the current TLP mechanisms, or replaces them altogether
    - The need for improvements to the Sighting mechanisms (the whole +1 discussion)
    - The need for sequence based testing

    I would like to propose that - temporarily - the CTI-STIX subcommittee try to focus on solving some of these immediate concerns that are impacting users of STIX today in the here-and-now. The futures conversations should continue of course - but I am wondering if we should try to come up with a separate track or committee for these two threads of this discussion, so that the 1.X line can keep moving forward?

    I just worry a lot that we are suffering from a split-brain scenario, and as a result the 1.X line is not moving forward.

    Does anyone else feel this way?

    -
    Jason Keirstead
    Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security
    www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown


  • 2.  RE: [cti-stix] Moving STIX 1.X Forward

    Posted 10-09-2015 22:47




    Definitely agree.  We are rehashing the same arguments over and over, but making little to no real progress.
     
     




  • 3.  Re: [cti-stix] Moving STIX 1.X Forward

    Posted 10-10-2015 01:47
    It seems like I proposed that day one of the OASIS formation, as I could foresee these issues and problems forming.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.


  • 4.  Re: [cti-stix] Moving STIX 1.X Forward

    Posted 10-10-2015 04:22
    If possible, I would suggest a weekly status of the issues tracked in GitHub.


  • 5.  Re: [cti-stix] Moving STIX 1.X Forward

    Posted 10-11-2015 07:58
    I'm not so sold on the idea of an interim version of STIX. I guess I don't feel that we are dragging our heels with STIX v2.0. The STIX group have been focused on getting STIX v1.2 out the door, so it's only fairly recently that focus has moved back towards v2.0.

    I believe that once some of the big 'direction' decisions are taken with STIX v2.0 that the actual implementation at the lower levels will flow quite smoothly. At these initial stages, there will always be some passionate arguments over the major design decisions that will take some time to sort through; this is part of working within a standards body. A lot of this has already been discussed even before STIX moved to OASIS from MITRE, so I don't think it will take as long as some people are feeling it will.

    I am worried that work on a STIX v1.3 would just delay STIX v2.0 even longer than it otherwise would be.

    Cheers

    Terry MacDonald
    STIX, TAXII, CybOX Consultant
    M: +61-407-203-026
    E: terry.macdonald@threatloop.com
    W: www.threatloop.com

    Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.

    On 10 October 2015 at 15:21, Jerome Athias <athiasjerome@gmail.com> wrote:

    > If possible, I would suggest a weekly status of the issues tracked in github.


  • 6.  Re: [cti-stix] Moving STIX 1.X Forward

    Posted 10-12-2015 08:05
    On 11.10.2015 18:57:04, Terry MacDonald wrote:
    >
    > I am worried that work on a STIX v1.3 would just delay STIX v2.0
    > even longer than it otherwise would be.
    >

    +1 - the last thing we need is *two* parallel bikeshedding discussions. :-/

    --
    Cheers,
    Trey
    --
    Trey Darley
    Senior Security Engineer
    4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
    Soltra An FS-ISAC & DTCC Company
    www.soltra.com


  • 7.  Re: [cti-stix] Moving STIX 1.X Forward

    Posted 10-12-2015 10:37
    I concur with Trey and Terry. Also, I believe all of the features/changes that Jason brought up wouldn't be backwards compatible, and so would necessitate a major release anyway.

    Regards,
    Ivan

    On 10/12/15, 4:04 AM, "Trey Darley" <cti-stix@lists.oasis-open.org on behalf of trey@soltra.com> wrote:

    >On 11.10.2015 18:57:04, Terry MacDonald wrote:
    >>
    >> I am worried that work on a STIX v1.3 would just delay STIX v2.0
    >> even longer than it otherwise would be.
    >>
    >
    >+1 - the last thing we need is *two* parallel bikeshedding
    >discussions. :-/
    >
    >--
    >Cheers,
    >Trey