
CTI STIX SC Monthly Meeting


simpsonj



  1. www.oasis-open.org
     CTI STIX SC Monthly Meeting
     September 30, 2015

  2. www.oasis-open.org
     Agenda
     • STIX 1.2.1 specs
       – Status
       – Next Steps
     • STIX 2.0
       – Status
       – Use Cases
       – Issue Trackers
     • Open discussion if time allows

  3. STIX 1.2.1 specification status
     • Full multipart specification drafts completed and submitted for SC review – 9/24/15
     • SC review goals focused on
       – SC member awareness of specification form and content
       – SC member familiarity with OASIS format
       – Identify editorial issues
       – NOT focus on substantive issues
     • STIX SC review period ends 10/2/15
     • STIX Version 1.2.1 Part 1: Overview
     • STIX Version 1.2.1 Part 2: Common
     • STIX Version 1.2.1 Part 3: Core
     • STIX Version 1.2.1 Part 4: Indicator
     • STIX Version 1.2.1 Part 5: TTP
     • STIX Version 1.2.1 Part 6: Incident
     • STIX Version 1.2.1 Part 7: Threat Actor
     • STIX Version 1.2.1 Part 8: Campaign
     • STIX Version 1.2.1 Part 9: Course of Action
     • STIX Version 1.2.1 Part 10: Exploit Target
     • STIX Version 1.2.1 Part 11: Report
     • STIX Version 1.2.1 Part 12: Extensions
     • STIX Version 1.2.1 Part 13: Data Marking
     • STIX Version 1.2.1 Part 14: Vocabularies
     • STIX Version 1.2.1 Part 15: UML Model
     • UML Model Serialization
       – XMI files
       – Diagrams

  4. STIX 1.2.1 specification next steps
     • Review any SC review comments and make appropriate modifications
     • Call a vote for SC approval of specification drafts
     • Repackage and upload content to TC internal site
     • Notify TC chair that specification drafts have been approved by SC
     • TC chair calls a TC meeting so a vote can be held to approve them as a Committee Specification Public Review Draft
     • TC will follow process for issuing as a Committee Specification Public Review Draft, including 30 day public review period
     • After 30 day public review period TC will dispose of any comments, then call for a TC Special Majority Vote to approve the documents as a Committee Specification
       – At this point STIX 1.2.1 will be official
     • TC will likely continue further progression as an OASIS Standard

  5. STIX 2.0
     • Will officially kick off once 1.2.1 specs are handed off to TC (hopefully next week)
     • We will need to select editors
     • Deliberative process will begin
       – Use Cases
       – Issue Trackers

  6. Use Cases
     • Need for high-level use cases to understand and scope the domain we are looking to serve
     • Need for more detailed use cases to understand specific information needs to drive structural decisions
     • Reality Check: the infosec domain relying on CTI is non-trivial and WILL involve a substantial number of use cases

  7. Use Cases
     • We will need everyone to be involved in identifying, fleshing out, discussing and deciding on use cases
     • This will be done using the STIXProject/use-cases wiki on github
       – Separate wiki page for each use case using a simple template similar to one used across SCs

  8. Use Case Template
     • Use case title (replace with your title)
     • Abstraction Level (High, Medium or Low): High (replace with your value)
     • Related Use Cases: Related use case (replace with your content)
     • Description: Use case objective and flow description (replace with your content)
     • Stakeholders/Goals:
       – Stakeholder: Stakeholder description (replace with your content)
       – Goal: Goal description (replace with your content)
     • Preconditions:
       – Precondition description (replace with your content)
     • Dependencies:
       – Dependency description (replace with your content)
     • Main Success Scenario:
       – Scenario description (replace with your content)

  9. Use Cases
     • Wiki home page contains the template as well as an initial taxonomy of high-level use cases and a more fleshed out taxonomy of more detailed use cases
     • Current taxonomies are a starting point based on community identified use cases that have resulted in the current expressivity and capability that is in STIX today
     • Caveat: the taxonomies are NOT complete. Please add as appropriate
     • Caveat: the large majority of use cases in the taxonomy are currently only titles and need to be iteratively fleshed out
     • When editing existing use cases please try to add your thoughts with attribution rather than just changing others' content

  10. Use Case Scoping Considerations
     • Scoping decisions will likely be part of use case analysis
       – Proposed additions
       – Proposed removals
     • We will need to agree on criteria for these decisions
       – Proposal: Bias towards status quo
         – Clear justification and rough consensus needed to add new considerations (work)
         – Clear justification and strong consensus needed to remove existing capability (break things for people depending on these capabilities)

  11. Issue Trackers
     • Immediate need for SC members to conduct their own triage of current issue trackers
       – Add new entries for desired issues not covered
       – Add comments to existing issues
       – Identify issues you think should be in scope for 2.0
       – Assert your prioritization of issues by importance
     • After 2.0 kickoff we can
       – analyze/normalize issues
       – identify initial consensus scoping
       – map to use cases
       – prioritize based on importance and dependence
       – focus on 1-3 issues at a time

  12. Reminder of STIX SC work processes
     • Under formal governance our work will need to be open, deliberative, ordered and tracked.
     • Encourage ideas and discussion, but caution that consensus and decisions will need to follow process.
       – Please keep talking. :-)
     • Encourage contributions beyond just thoughts
       – As work product efforts are stood up, editors will be needed
       – Contributions of use cases, conceptual models, schema structures, normative or informative language suggestions, test data, etc. will be invaluable to collaborative progression
       – MITRE folks will continue to be involved, but we will need a broader base of active contributors going forward

  13. Next meeting
     • Wednesday, October 21st @ 2:00pm EDT
