CTI STIX Subcommittee

  • 1.  Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0

    Posted 10-28-2015 18:13




    All,




    On the STIX SC call last week we talked about the issue of making immediate progress on STIX v2.0 while we work out prioritizing the full issues list and fleshing out use cases.

    We proposed that we simply choose the first 2-3 issues to officially tackle based on list interest rather than any official “voting” and listed a few possible options asking for your opinions.

    The list of “hot” issue options given was:


    * Sightings
    * Relationships
    * ID format
    * Abstracting constructs (identity, victim, source and asset)
    * In-line vs referencing of content
    * Data Markings
    * Other suggestions?


    We did not really get back very many explicit opinions but the activity on the list since the meeting and architectural level considerations make the first two items on the list (Sightings and Relationships) fairly obvious choices for initial issues.




    So, we would like to propose officially establishing that the following two issues are the active issues currently under consideration for STIX v2.0:



    * Abstract Sightings into an independent construct rather than embedded within Indicator (#306)

    * Abstract relationships as top-level constructs rather than embedded within other constructs (#291)


    If anyone has any serious objections to this decision please let us know.

    Hopefully we can continue the great discussions on these topics, going even deeper on the details, considering various options and implications and eventually reach some consensus and move on to other topics.

    While the cti-stix email list is likely to continue as the primary venue for these discussions, we encourage everyone to capture key thoughts, observations, opinions and proposals within the issue tracker as well, as this will be the official record of our discourse and where we will eventually be declaring our consensus.




    If no strong objections are heard these issues will be the primary issue topics of discussion in relation to STIX v2.0 for the SC on the cti-stix list and elsewhere.

    This does not mean that other issues cannot be raised or commented on if there is need but in the interests of focus and keeping up with list traffic we would like to encourage everyone as much as possible to focus on the active issues under consideration and minimize other issue topics that are likely to distract from deliberative progress on these issues. This should be a pretty fundamental guideline for all issues as we go forward. If you have new issue topics you would like to raise or comments on existing issue topics that are not under active consideration we encourage you to enter these in the issue trackers at any time.







    Sean 

    STIX SC Co-chair








  • 2.  Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0

    Posted 10-28-2015 18:19



    Question: What would happen if we realize a resolution for a not-so-hot issue is needed to resolve the hot issue we're working on?

    -Marlon
     

    From : Barnum, Sean D. [mailto:sbarnum@mitre.org]

    Sent : Wednesday, October 28, 2015 02:12 PM
    To : cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org>
    Subject : [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0

     










  • 3.  Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0

    Posted 10-28-2015 18:28





    That is certainly part of the dependency and architectural significance factors that need to go into how we prioritize the order we tackle issues in.
    If, in the course of actively considering one issue, we realize that we will first need to address another issue then we will need to place consideration of the dependent issue on hold and reprioritize the other issue on which it is dependent as the current issue under active consideration.
    Hopefully, we can avoid most of this sort of context switching by looking through our issues and considering these factors up front as we prioritize the order we will pursue. 
    Of course, we likely won’t catch them all up front so some dynamic context switching is likely to occur.


    BTW, my personal opinion is that solving the Sightings issue appropriately will almost certainly have dependencies on the Relationship issue. That is part of the reason we are suggesting tackling these at the same time.


    Does that make sense?


    sean









    From: "Taylor, Marlon" < Marlon.Taylor@hq.dhs.gov >
    Date: Wednesday, October 28, 2015 at 2:18 PM
    To: "Barnum, Sean D." < sbarnum@mitre.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
















  • 4.  Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0

    Posted 10-28-2015 18:44



    Understood and makes sense.

    -Marlon
     

    From : Barnum, Sean D. [mailto:sbarnum@mitre.org]

    Sent : Wednesday, October 28, 2015 02:27 PM
    To : Taylor, Marlon; 'cti-stix@lists.oasis-open.org' <cti-stix@lists.oasis-open.org>

    Subject : Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0

     














  • 5.  Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0

    Posted 10-29-2015 09:37

    On 28.10.2015 18:12:32, Barnum, Sean D. wrote:
    >
    > So, we would like to propose officially establishing that the
    > following two issues are the active issues currently under
    > consideration for STIX v2.0:
    >
    > * Abstract Sightings into an independent construct rather than
    >   embedded within Indicator
    >   <https://github.com/STIXProject/schemas/issues/306> (#306)
    >
    > * Abstract relationships as top-level constructs rather than
    >   embedded within other constructs
    >   <https://github.com/STIXProject/schemas/issues/291> (#291)
    >

    Hey, Sean -

    I like this approach. Those two constructs are interrelated, have long been hot topics, and seem like a very sensible place to focus our discussion.

    +1

    --
    Cheers,
    Trey
    --
    Trey Darley
    Senior Security Engineer
    4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
    Soltra
    An FS-ISAC & DTCC Company
    www.soltra.com
    --
    "Good, Fast, Cheap: Pick any two (you can't have all three)."
    --RFC 1925