Allen, I think we (or at least you and I do) agree that BPMN is probably overkill for what we need.
To re-iterate my perspective, I think a subset of what BPMN does in JSON is sufficient for most requirements. I'm not sure I agree the JSON translation that was pointed to is the best approach from my perspective. Taking something that was designed for XML and much broader uses is not necessarily the most effective way to design something.
My point was that the group should discuss the pros/cons in the upcoming meeting on approaches (not just BPMN) so that we can have consensus on an approach that works for all orgs participating.
Regards
Allan
From: Allen Hadden <ahadden@us.ibm.com>
Date: Monday, October 14, 2019 at 5:08 AM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: "Bret_Jordan@symantec.com" <Bret_Jordan@symantec.com>, "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Subject: RE: [cacao] Agenda for next Tuesday's call
Our product uses BPMN for playbooks today. I'd say that there's nothing that CACAO will want to do that cannot in some way be represented in BPMN. There is nothing (or at least very little) in BPMN that wouldn't be useful for CACAO. This shouldn't be surprising since BPMN is intended to express business processes and what we're talking about with playbooks are exactly that...business processes, but in the security domain.
The problem is that if you look at BPMN, a lot of what's there would just be considered "nice to have" from a CACAO perspective. Good example: swim lanes. Could you come up with a CACAO use case that could make use of swim lanes? Sure. Would they be required? Not really.
A lot of the advanced BPMN features are only useful when you start trying to express general organizational playbooks (e.g. CompanyX's Malware Process) instead of playbooks targeted at mitigating specific threats (e.g. Mitigate MalwareX).
Another problem is that full BPMN is so large that realistically the only way to develop a product with it is to integrate an existing BPMN product. Implementing your own would be a ton of work and adapting it to fit a less flexible model in an existing product would be tough. So on the one hand, it's great to be able to leverage an existing library. OTOH, is that a position we want to take as a spec?
One option worth considering is to take the JSON translation that Jason K. linked and define the following:
1) a "whitelist" showing which elements are to be included (e.g. don't include "swim lanes" if we don't think they're important).
2) specific extensions to the model (BPMN supports extension elements and we'd very likely need some...for example, "service tasks" for OpenC2, Ansible, etc.)
3) object models on which the process will depend (e.g. it could be that a playbook works against a "threat", which would probably be a STIX model)
Probably there are other things we'd need besides those 3, but that should get the ball rolling if we decide to consider that path.
Allen
Allen Hadden
STSM & Chief Architect IBM Resilient
w: 508-560-3502
e: ahadden@us.ibm.com