CTI STIX Subcommittee

  • 1.  Re: Eight Arguments for an Infrastructure SDO for STIX 2.1

    Posted 11-13-2017 20:29
Jane, Gary, et al,

    This (infrastructure SDO) might be something you want to give as an issue for the OASIS Standards Council. I believe they were chartered to provide a way for users to stay abreast and influence where needed, without getting involved in all the day-to-day details of the many TCs.

    Their scope says: "Provide OASIS cybersecurity TCs with a direct mechanism for obtaining user feedback on technical disputes".

    Sounds like Infrastructure SDO is the kind of issue that might be right up their alley to get you more data to break your tie.

    Duncan Sparrell
    sFractal Consulting LLC
    iPhone, iTypo, iApologize


  • 2.  Re: [EXT] [cti-stix] Re: Eight Arguments for an Infrastructure SDO for STIX 2.1

    Posted 11-14-2017 21:39



    I think the user’s council can give 30,000 foot guidance on you should consider doing x or y. But for the actual design elements and how it would be done, they would need to be members of the actual TC to not have IPR considerations.


    Bret 

    Sent from my Commodore 128D


PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050


On Nov 14, 2017, at 4:29 AM, duncan@sfractal.com <duncan@sfractal.com> wrote:




    Jane, Gary, et al,

This (infrastructure SDO) might be something you want to give as an issue for the OASIS Standards Council. I believe they were chartered to provide a way for users to stay abreast and influence where needed, without getting involved in all the day-to-day details of the many TCs.


    Their scope says:
    "Provide OASIS cybersecurity TCs with a direct mechanism for obtaining user feedback on technical disputes".

    Sounds like Infrastructure SDO is the kind of issue that might be right up their alley to get you more data to break your tie.



    Duncan Sparrell
    sFractal Consulting LLC
    iPhone, iTypo, iApologize







  • 3.  CTI/Council interaction on Infrastructure SDO’s

    Posted 11-14-2017 22:22
Bret,

    I feel it would be a good test case as Council gears up. I agree decisions would get made in TC not Council. But Council could liaise with TC to provide input to members of the TC. Or members of the Council may choose to join the TC for a bit to participate in this issue. So I do think it would be worthwhile to bring it to them. The role of the Council got debated a lot prior to its formation and these kinds of issues (i.e. TC has decision-making power) were raised and that resulted in the scope being worded as it was.

    Joerg: what are your thoughts as Council Chair? Would this be within scope to bring up to Council?

    Carol: as you were involved in setting up the Council, what are your thoughts on whether it would be within scope? Can you also comment on Bret's IPR concern? I thought Council had the same IPR rules as TC. If IPR gets in the way of Council's ability to interact with TCs, then some thought should be put into what Council's charter really is.

    iPhone, iTypo, iApologize
    Duncan Sparrell
    sFractal Consulting, LLC
    The closer you look, the more you see

    _____________________________
    From: Bret Jordan <bret_jordan@symantec.com>
    Sent: Tuesday, November 14, 2017 4:40 PM
    Subject: Re: [EXT] [cti-stix] Re: Eight Arguments for an Infrastructure SDO for STIX 2.1
    To: <duncan@sfractal.com>
    Cc: <cti-stix@lists.oasis-open.org>, Joerg <je@cybersecurityscout.eu>

    > I think the user's council can give 30,000 foot guidance on you should consider doing x or y. But for the actual design elements and how it would be done, they would need to be members of the actual TC to not have IPR considerations.
    >
    > Bret
    >
    > Sent from my Commodore 128D
    >
    > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    >
    > On Nov 14, 2017, at 4:29 AM, duncan@sfractal.com <duncan@sfractal.com> wrote:
    >
    >> Jane, Gary, et al,
    >>
    >> This (infrastructure SDO) might be something you want to give as an issue for the OASIS Standards Council. I believe they were chartered to provide a way for users to stay abreast and influence where needed, without getting involved in all the day-to-day details of the many TCs.
    >>
    >> Their scope says: "Provide OASIS cybersecurity TCs with a direct mechanism for obtaining user feedback on technical disputes".
    >>
    >> Sounds like Infrastructure SDO is the kind of issue that might be right up their alley to get you more data to break your tie.
    >>
    >> Duncan Sparrell
    >> sFractal Consulting LLC
    >> iPhone, iTypo, iApologize


  • 4.  Re: CTI/Council interaction on Infrastructure SDO’s

    Posted 11-16-2017 13:26
I threw this one over the wall to Chet, and here's his take:

    ----
    I don't think the question of IPR mode applies here. My read on Bret's comment is that he wants to be sure the detailed solutions are done by the CTI members who are obligated by the TC's IPR mode. That can be addressed easily enough by having the Council draft whatever they want to send over, then approve submitting it to the CTI TC's comment mailing list. That would allay any IPR concerns.

    The questions being asked, I think, are (a) whether or not the Council can get down into the technical weeds in its feedback and (b) whether or not they can, should they. I don't know whether the question being debated is an in-the-weeds technical discussion or not and I don't have a position on whether the Council should wade in. They'll have to decide on that.

    I note that in their scope statement, one of its goals is to "Provide OASIS cybersecurity TCs with a direct mechanism for obtaining user feedback on technical disputes." So this ongoing debate would seem to fall right under that clause and so long as they don't cross the provision that "The User Council ... will not develop any Standards Track Work product materials" (that is, Committee Specs), I don't see the problem with them taking up the discussion. Especially if it is proving to be a difficult topic for the TC members to reach consensus. Vendor/user feedback would seem to be ideal in that case.

    Perhaps the way for the Council to approach it would be to say something like "we need whatever solution y'all come up with to meet the following objectives (or solve the following problems or...)" rather than getting into something that sounds like "well, we vote for that technical solution." In other words, have the Council address the parameters of the problem rather than get into the debates about how to solve it.

    I think the Council has a broad scope to do whatever could help here. I personally think they do want to stay out of the truly technical debate but that's my opinion.
    ----

    Hope that helps,
    Carol

    On Tue, Nov 14, 2017 at 5:21 PM, Duncan <duncan@sfractal.com> wrote:

    > Bret,
    >
    > I feel it would be a good test case as Council gears up. I agree decisions would get made in TC not Council. But Council could liaise with TC to provide input to members of the TC. Or members of the Council may choose to join the TC for a bit to participate in this issue. So I do think it would be worthwhile to bring it to them. The role of the Council got debated a lot prior to its formation and these kinds of issues (i.e. TC has decision-making power) were raised and that resulted in the scope being worded as it was.
    >
    > Joerg: what are your thoughts as Council Chair? Would this be within scope to bring up to Council?
    >
    > Carol: as you were involved in setting up the Council, what are your thoughts on whether it would be within scope? Can you also comment on Bret's IPR concern? I thought Council had the same IPR rules as TC. If IPR gets in the way of Council's ability to interact with TCs, then some thought should be put into what Council's charter really is.
    >
    > iPhone, iTypo, iApologize
    > Duncan Sparrell
    > sFractal Consulting, LLC
    > The closer you look, the more you see
    >
    > _____________________________
    > From: Bret Jordan <bret_jordan@symantec.com>
    > Sent: Tuesday, November 14, 2017 4:40 PM
    > Subject: Re: [EXT] [cti-stix] Re: Eight Arguments for an Infrastructure SDO for STIX 2.1
    > To: <duncan@sfractal.com>
    > Cc: <cti-stix@lists.oasis-open.org>, Joerg <je@cybersecurityscout.eu>
    >
    >> I think the user's council can give 30,000 foot guidance on you should consider doing x or y. But for the actual design elements and how it would be done, they would need to be members of the actual TC to not have IPR considerations.
    >>
    >> Bret
    >>
    >> Sent from my Commodore 128D
    >>
    >> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    >>
    >> On Nov 14, 2017, at 4:29 AM, duncan@sfractal.com <duncan@sfractal.com> wrote:
    >>
    >>> Jane, Gary, et al,
    >>>
    >>> This (infrastructure SDO) might be something you want to give as an issue for the OASIS Standards Council. I believe they were chartered to provide a way for users to stay abreast and influence where needed, without getting involved in all the day-to-day details of the many TCs.
    >>>
    >>> Their scope says: "Provide OASIS cybersecurity TCs with a direct mechanism for obtaining user feedback on technical disputes".
    >>>
    >>> Sounds like Infrastructure SDO is the kind of issue that might be right up their alley to get you more data to break your tie.
    >>>
    >>> Duncan Sparrell
    >>> sFractal Consulting LLC
    >>> iPhone, iTypo, iApologize


  • 5.  Re: [cti-stix] Re: CTI/Council interaction on Infrastructure SDO’s

    Posted 11-17-2017 16:23
On 16.11.2017 08:25:41, Carol Geyer wrote:
    >
    > Perhaps the way for the Council to approach it would be to say
    > something like "we need whatever solution y'all come up with to meet
    > the following objectives (or solve the following problems or...)"
    > rather than getting into something that sounds like "well, we vote
    > for that technical solution." In other words, have the Council
    > address the parameters of the problem rather than get into the
    > debates about how to solve it.
    >

    All -

    There's broad consensus within the CTI TC that we *need* an Infrastructure SDO in STIX. There's just a lot of work ahead of us to define the object's properties and relationships. Unless the Council are able to do that work for us, it's unclear to me how their input will help accelerate our velocity.

    --
    Cheers,
    Trey
    ++--------------------------------------------------------------------------++
    Director of Standards Development, New Context
    gpg fingerprint: 3918 9D7E 50F5 088F 823F 018A 831A 270A 6C4F C338
    ++--------------------------------------------------------------------------++
    --
    "There are two types of people: those who fit into my taxonomy and those who do not." --anonymous


  • 6.  Re: [cti-stix] Re: CTI/Council interaction on Infrastructure SDO’s

    Posted 11-17-2017 19:15
Duncan/Carol & All:

    My take on this debate is that it would be premature for the Council to take up an issue like this. I think Duncan keyed off of my statement in an earlier email about a tie vote from a Straw Man poll we took at the F2F on the Infrastructure SDO. That poll was non-binding and unofficial and not necessarily indicative of the view of the entire TC membership. We would need to do a Ballot to gauge that; and I think it would be premature for a Ballot on this topic as well. As Sarah Kelley noted in her briefing on the status of the STIX 2.1 data objects during our full TC calls yesterday, we have not even had 1 of 3 focused, time-boxed calls within the TC on the potential for an Infrastructure SDO for 2.1. We should take those steps next.

    It has been my observation that the CTI TC is actually quite effective at working through a process of reasoned debate to come to some agreement on a path forward. I see this proposed SDO as no different from any of the others that we've already worked through. There does seem to be some conflation of the idea of an Infrastructure SDO with a re-examination of the structure of the Observed Data SDO/STIX Cyber Observables (SCOs) relative to the other SDOs. But, I believe, the debate that has commenced on this topic is quite healthy. It is helping people to separate their thinking about STIX 2.x as an interchange graph-based model from the idea of a database that would be used as part of a product implementation. Once we all align our thinking on this matter, I think the separation of these two topics (i.e., 1. adding an Infrastructure SDO to 2.1 and 2. elevating SCOs to top-level citizens) will be made. Then, the path forward to an Infrastructure SDO for 2.1 will be easier to see as a Crawl, Walk, Run approach.

    I think we need to separate these issues. An Infrastructure SDO solves an immediate implementation problem. The structure of SCOs within the STIX 2.x graph model is a systemic issue that should be debated solely on its own merits.

    My 2 cents.

    Jane Ginn

    On 11/17/2017 9:22 AM, Trey Darley wrote:
    > On 16.11.2017 08:25:41, Carol Geyer wrote:
    >> Perhaps the way for the Council to approach it would be to say
    >> something like "we need whatever solution y'all come up with to meet
    >> the following objectives (or solve the following problems or...)"
    >> rather than getting into something that sounds like "well, we vote
    >> for that technical solution." In other words, have the Council
    >> address the parameters of the problem rather than get into the
    >> debates about how to solve it.
    >>
    > All -
    >
    > There's broad consensus within the CTI TC that we *need* an
    > Infrastructure SDO in STIX. There's just a lot of work ahead of us to
    > define the object's properties and relationships. Unless the Council
    > are able to do that work for us, it's unclear to me how their input
    > will help accelerate our velocity.
    >

    --
    Jane Ginn, MSIA, MRP
    CTI TC Secretary, OASIS
    Co-Founder of Cyber Threat Intelligence Network, Inc.
    jg@ctin.us


  • 7.  Re: [cti-stix] Re: CTI/Council interaction on Infrastructure SDO’s

    Posted 11-17-2017 20:46
I completely agree with Jane. This CTI TC is quite effective at eventually coming to agreement on topics after debating the issues - and generally we get to a consensus where everyone is equally unhappy :). I think the system operates well enough - although I would like to see some 'design principles' discussed and agreed to by the CTI TC to help compare and contrast competing proposals to help speed decision making.

    Here's my 'starter for 10':

    Cheers
    Terry MacDonald
    Chief Product Officer
    M: +64 211 918 814
    E: terry.macdonald@cosive.com
    W: www.cosive.com

    On Sat, Nov 18, 2017 at 8:14 AM, JG on CTI-TC <jg@ctin.us> wrote:

    > Duncan/Carol & All:
    >
    > My take on this debate is that it would be premature for the Council to take up an issue like this. I think Duncan keyed off of my statement in an earlier email about a tie vote from a Straw Man poll we took at the F2F on the Infrastructure SDO. That poll was non-binding and unofficial and not necessarily indicative of the view of the entire TC membership. We would need to do a Ballot to gauge that; and I think it would be premature for a Ballot on this topic as well. As Sarah Kelley noted in her briefing on the status of the STIX 2.1 data objects during our full TC calls yesterday, we have not even had 1 of 3 focused, time-boxed calls within the TC on the potential for an Infrastructure SDO for 2.1. We should take those steps next.
    >
    > It has been my observation that the CTI TC is actually quite effective at working through a process of reasoned debate to come to some agreement on a path forward. I see this proposed SDO as no different from any of the others that we've already worked through. There does seem to be some conflation of the idea of an Infrastructure SDO with a re-examination of the structure of the Observed Data SDO/STIX Cyber Observables (SCOs) relative to the other SDOs. But, I believe, the debate that has commenced on this topic is quite healthy. It is helping people to separate their thinking about STIX 2.x as an interchange graph-based model from the idea of a database that would be used as part of a product implementation. Once we all align our thinking on this matter, I think the separation of these two topics (i.e., 1. adding an Infrastructure SDO to 2.1 and 2. elevating SCOs to top-level citizens) will be made. Then, the path forward to an Infrastructure SDO for 2.1 will be easier to see as a Crawl, Walk, Run approach.
    >
    > I think we need to separate these issues. An Infrastructure SDO solves an immediate implementation problem. The structure of SCOs within the STIX 2.x graph model is a systemic issue that should be debated solely on its own merits.
    >
    > My 2 cents.
    >
    > Jane Ginn
    >
    > On 11/17/2017 9:22 AM, Trey Darley wrote:
    >> On 16.11.2017 08:25:41, Carol Geyer wrote:
    >>> Perhaps the way for the Council to approach it would be to say
    >>> something like "we need whatever solution y'all come up with to meet
    >>> the following objectives (or solve the following problems or...)"
    >>> rather than getting into something that sounds like "well, we vote
    >>> for that technical solution." In other words, have the Council
    >>> address the parameters of the problem rather than get into the
    >>> debates about how to solve it.
    >>>
    >> All -
    >>
    >> There's broad consensus within the CTI TC that we *need* an
    >> Infrastructure SDO in STIX. There's just a lot of work ahead of us to
    >> define the object's properties and relationships. Unless the Council
    >> are able to do that work for us, it's unclear to me how their input
    >> will help accelerate our velocity.
    >>
    >
    > --
    > Jane Ginn, MSIA, MRP
    > CTI TC Secretary, OASIS
    > Co-Founder of Cyber Threat Intelligence Network, Inc.
    > jg@ctin.us
    >
    > ---------------------------------------------------------------------
    > To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

    Attachment: STIX Core Design Principles.jpg
    Description: JPEG image


  • 8.  Re: [EXT] Re: [cti-stix] Re: CTI/Council interaction on Infrastructure SDO’s

    Posted 11-17-2017 20:59



    I agree with Jane 


    Bret 

    Sent from my Commodore 128D


    PGP
    Fingerprint:  63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


On Nov 18, 2017, at 3:15 AM, JG on CTI-TC <jg@ctin.us> wrote:



    Duncan/Carol & All:

    My take on this debate is that it would be premature for the Council to
    take up an issue like this.  I think Duncan keyed off of my statement in
    an earlier email about a tie vote from a Straw Man poll we took at the
    F2F on the Infrastructure SDO.  That poll was non-binding and unofficial
    and not necessarily indicative of the view of the entire TC membership. 
    We would need to do a Ballot to gauge that; and I think it would be
    premature for a Ballot on this topic as well. As Sarah Kelley noted in
    her briefing on the status of the STIX 2.1 data objects during our full
    TC calls yesterday, we have not even had 1 of 3 focused, time-boxed
    calls within the TC on the potential for an Infrastructure SDO for 2.1. 
    We should take those steps next. 

    It has been my observation that the CTI TC is actually quite effective
    at working through a process of reasoned debate to come to some
    agreement on a path forward.  I see this proposed SDO as no different
    from any of the others that we've already worked through. There does
    seem to be some conflation of the idea of an Infrastructure SDO with a
    re-examination of the structure of the Observed Data SDO/STIX Cyber
    Observables (SCOs) relative to the other SDOs.  But, I believe, the
    debate that has commenced on this topic is quite healthy.  It is helping
    people to separate their thinking about STIX 2.x as an interchange
    graph-based model from the idea of a database that would be used as part
    of a product implementation.  Once we all align our thinking on this
    matter, I think the separation of these two topics (i.e., 1. adding an
    Infrastructure SDO to 2.1 and 2. elevating SCOs to top-level citizens)
    will be made. Then, the path forward to an Infrastructure SDO for 2.1
    will be easier to see as a Crawl, Walk, Run approach. 

    I think we need to separate these issues.  An Infrastructure SDO solves
    an immediate implementation problem.  The structure of SCOs within the
    STIX 2.x graph model is a systemic issue that should be debated solely
    on its own merits.


    My 2 cents.

    Jane Ginn


On 11/17/2017 9:22 AM, Trey Darley wrote:
    > On 16.11.2017 08:25:41, Carol Geyer wrote:
    >> Perhaps the way for the Council to approach it would be to say
    >> something like "we need whatever solution y'all come up with to meet
    >> the following objectives (or solve the following problems or...)"
    >> rather than getting into something that sounds like "well, we vote
    >> for that technical solution." In other words, have the Council
    >> address the parameters of the problem rather than get into the
    >> debates about how to solve it.
    >>
    > All -
    >
    > There's broad consensus within the CTI TC that we *need* an
    > Infrastructure SDO in STIX. There's just a lot of work ahead of us to
    > define the object's properties and relationships. Unless the Council
    > are able to do that work for us, it's unclear to me how their input
    > will help accelerate our velocity.



    --
    Jane Ginn, MSIA, MRP
    CTI TC Secretary, OASIS
    Co-Founder of Cyber Threat Intelligence Network, Inc.
    jg@ctin.us










  • 9.  CTI/Council interaction on Infrastructure SDO’s

    Posted 11-17-2017 21:59
No worries, I withdraw the request. You all are in a much better position to tell if you need broader user input to resolve this issue.

    Jane is correct that I was keying off the 'tie' aspect of her email. I was combining it with the expressed worry that some of the members were not engaging as much as previously. It was my understanding some CTI members had 'moved' to Standards Council because they didn't want to be involved in all the day-to-day, but did want to be apprised when user (what they call non-vendor) input was desired. At least that was what several people said about CTI at the NYC Borderless Cyber meeting setting up the User's Council. Since there hadn't been any CTI/Council interaction as yet, I thought this might be a way to re-engage the lost sheep. But I defer to your judgement on whether you need a broader swath of user input to resolve this particular issue.

    iPhone, iTypo, iApologize
    Duncan Sparrell
    sFractal Consulting, LLC
    The closer you look, the more you see

    On Fri, Nov 17, 2017 at 2:15 PM -0500, JG on CTI-TC <jg@ctin.us> wrote:

    > Duncan/Carol & All:
    >
    > My take on this debate is that it would be premature for the Council to take up an issue like this. I think Duncan keyed off of my statement in an earlier email about a tie vote from a Straw Man poll we took at the F2F on the Infrastructure SDO. That poll was non-binding and unofficial and not necessarily indicative of the view of the entire TC membership. We would need to do a Ballot to gauge that; and I think it would be premature for a Ballot on this topic as well. As Sarah Kelley noted in her briefing on the status of the STIX 2.1 data objects during our full TC calls yesterday, we have not even had 1 of 3 focused, time-boxed calls within the TC on the potential for an Infrastructure SDO for 2.1. We should take those steps next.
    >
    > It has been my observation that the CTI TC is actually quite effective at working through a process of reasoned debate to come to some agreement on a path forward. I see this proposed SDO as no different from any of the others that we've already worked through. There does seem to be some conflation of the idea of an Infrastructure SDO with a re-examination of the structure of the Observed Data SDO/STIX Cyber Observables (SCOs) relative to the other SDOs. But, I believe, the debate that has commenced on this topic is quite healthy. It is helping people to separate their thinking about STIX 2.x as an interchange graph-based model from the idea of a database that would be used as part of a product implementation. Once we all align our thinking on this matter, I think the separation of these two topics (i.e., 1. adding an Infrastructure SDO to 2.1 and 2. elevating SCOs to top-level citizens) will be made. Then, the path forward to an Infrastructure SDO for 2.1 will be easier to see as a Crawl, Walk, Run approach.
    >
    > I think we need to separate these issues. An Infrastructure SDO solves an immediate implementation problem. The structure of SCOs within the STIX 2.x graph model is a systemic issue that should be debated solely on its own merits.
    >
    > My 2 cents.
    >
    > Jane Ginn
    >
    > On 11/17/2017 9:22 AM, Trey Darley wrote:
    >> On 16.11.2017 08:25:41, Carol Geyer wrote:
    >>> Perhaps the way for the Council to approach it would be to say
    >>> something like "we need whatever solution y'all come up with to meet
    >>> the following objectives (or solve the following problems or...)"
    >>> rather than getting into something that sounds like "well, we vote
    >>> for that technical solution." In other words, have the Council
    >>> address the parameters of the problem rather than get into the
    >>> debates about how to solve it.
    >>>
    >> All -
    >>
    >> There's broad consensus within the CTI TC that we *need* an
    >> Infrastructure SDO in STIX. There's just a lot of work ahead of us to
    >> define the object's properties and relationships. Unless the Council
    >> are able to do that work for us, it's unclear to me how their input
    >> will help accelerate our velocity.
    >>
    >
    > --
    > Jane Ginn, MSIA, MRP
    > CTI TC Secretary, OASIS
    > Co-Founder of Cyber Threat Intelligence Network, Inc.
    > jg@ctin.us