[Openid-specs-risc] FW: [internal] FW: Call for Comment: proposed Charter for OASIS Cyber Threat Intelligence (CTI) Technical Committee

Adam Dawes adawes at google.com
Fri Apr 24 13:03:51 UTC 2015


adding right risc list this time.

On Fri, Apr 24, 2015 at 6:02 AM, Adam Dawes <adawes at google.com> wrote:

> Adding discussion of STIX and TAXII to today's agenda.
>
>
> *From:* Chet Ensign
>> *Sent:* Monday, April 20, 2015 11:09:05 AM (UTC-08:00) Pacific Time (US
>> & Canada)
>> *To:* tc-announce at lists.oasis-open.org; members at lists.oasis-open.org;
>> OASIS Charter Discuss List
>> *Cc:* Struse, Richard; Barnum, Sean D.; Davidson II, Mark S; Wunder,
>> John A.; achernin at soltra.com; mona.magathan at usbank.com;
>> bret.jordan at bluecoat.com; Foley, Alexander; tony at yaanatech.com; Fleck,
>> Joel J.; richard_freeman at symantec.com; Rob_Walters at symantec.com; Paul
>> McKitrick; Smith, Pamela A.; Rajagopal, Raj; sara barbir; Ram Jeyaraman (MS
>> OPEN TECH); Smith, Thomas C.; OASIS TAB
>> *Subject:* Call for Comment: proposed Charter for OASIS Cyber Threat
>> Intelligence (CTI) Technical Committee
>>
>> OASIS Members and other interested parties:
>>
>>
>>
>> A draft TC charter has been submitted to establish the OASIS Cyber Threat
>> Intelligence (CTI) Technical Committee. In accordance with the OASIS TC
>> Process Policy section 2.2: (
>> https://www.oasis-open.org/policies-guidelines/tc-process#formation) the
>> proposed charter is hereby submitted for comment. The comment period shall
>> remain open until 23:59 UTC on 04 May 2015.
>>
>>
>>
>> OASIS maintains a mailing list for the purpose of submitting comments on
>> proposed charters. Any OASIS member may post to this list by sending email
>> to: oasis-charter-discuss at lists.oasis-open.org. All messages will be
>> publicly archived at:
>> http://lists.oasis-open.org/archives/oasis-charter-discuss/. Members who
>> wish to receive emails must join the group by selecting "join group" on the
>> group home page:
>> http://www.oasis-open.org/apps/org/workgroup/oasis-charter-discuss/.
>> Employees of organizational members do not require primary representative
>> approval to subscribe to the oasis-charter-discuss e-mail.
>>
>>
>>
>> A telephone conference will be held among the Convener, the OASIS TC
>> Administrator, and those proposers who wish to attend within four days of
>> the close of the comment period. The announcement and call-in information
>> will be noted on the OASIS Charter Discuss Group Calendar.
>>
>>
>>
>> We encourage member comment and ask that you note the name of the
>> proposed TC (CTI) in the subject line of your email message.
>>
>>
>>
>> --- TC Charter
>>
>>
>>
>> Section 1: TC Charter
>>
>>
>>
>> (1)(a) TC Name
>>
>>
>>
>> OASIS Cyber Threat Intelligence (CTI) Technical Committee
>>
>>
>>
>> (1)(b) Statement of Purpose
>>
>>
>>
>> Traditional approaches for cyber security that focus inward on
>> understanding and addressing vulnerabilities, weaknesses, and
>> configurations are necessary but insufficient in today's dynamic cyber
>> landscape. Effective defense against current and future threats also
>> requires the addition of an outward focus on understanding the adversary's
>> behavior, capability, and intent. Only through a balanced understanding of
>> both the adversary and ourselves can we understand enough about the true
>> nature of the threats we face to make intelligent defensive decisions.  The
>> development of this understanding is known as cyber threat intelligence
>> (CTI).
>>
>>
>>
>> Cyber threat intelligence itself poses a challenge in that no single
>> organization can have enough information to create and maintain accurate
>> situational awareness of the threat landscape. This limitation is overcome
>> by sharing of relevant cyber threat information among trusted partners and
>> communities. Through information sharing, each sharing partner can achieve
>> a more complete understanding of the threats they face and how to defeat
>> them.
>>
>>
>>
>> The purpose of the Cyber Threat Intelligence (CTI) Technical Committee is
>> to define a set of information representations and protocols to address the
>> need to model, analyze, and share cyber threat intelligence. A composable
>> set of information sharing services will be defined to enable peer-to-peer,
>> hub and spoke, and source subscriber threat intelligence sharing models.
>> These services will not dictate one architecture, but strive to allow for
>> organizations to develop standards-based sharing architectures that meet
>> their needs. Standardized representations will be developed for campaigns,
>> threat actors, incidents, tactics techniques and procedures (TTPs),
>> indicators, exploit targets, observables, and courses of action.  These
>> core components and their inter-relationships together will enable robust
>> cyber threat analysis and intelligence sharing.
>>
>>
>>
>> The TC will base its efforts on the Structured Threat Information
>> Expression (STIX) and Trusted Automated Exchange of Indicator Information
>> (TAXII) specifications developed and contributed to the TC by U.S.
>> Department of Homeland Security (DHS). Prior to creation of the CTI TC, the
>> STIX and TAXII initiatives have been led by DHS through development based
>> on open community collaboration. STIX and TAXII, as well as STIX's
>> dependent specification of Cyber Observable Expression (CybOX), have
>> already achieved significant international adoption among threat
>> intelligence vendors, end-user organizations, and cyber threat information
>> sharing communities. By building upon the success of these existing
>> specifications, the CTI TC can offer immediate value as well as provide a
>> solid foundation on which to base future development.
>>
>>
>>
>> (1)(c) Scope
>>
>>
>>
>> In order to leverage existing value of STIX/TAXII/CybOX in the CTI
>> community while working towards future capabilities and advancements, the
>> OASIS CTI TC work will be divided into two phases: in phase one, existing
>> input specifications contributed by the United States Department of
>> Homeland Security (DHS) will be formally codified as OASIS specifications.
>> In the second phase, continued development of STIX, TAXII, and CybOX will
>> begin based on the needs identified by the CTI TC Members.
>>
>>
>>
>> Phase One Scope:
>>
>>
>>
>> * Specifications identified in Section (2)(h) (STIX 1.2, TAXII 1.1, and
>> CybOX 2.1) will be contributed to the OASIS CTI TC by DHS
>>
>>
>>
>> * The TC will use these contributions as the basis for corresponding
>> OASIS Standards Track Work Products. A key objective of the TC will be to
>> limit changes to the input specifications in order to minimize impacts on
>> existing implementations
>>
>>
>>
>> * The OASIS CTI TC will develop the specifications under the OASIS TC
>> Process with the goal of submitting them at the appropriate time to the
>> membership of the organization for consideration as OASIS Standards
>>
>>
>>
>> Other contributions will be accepted for consideration without any
>> prejudice or restrictions and evaluated based on technical merit insofar as
>> they conform to this charter.
>>
>>
>>
>> Phase Two Scope:
>>
>>
>>
>> Phase two will take the specifications defined in phase one and evolve
>> them under the direction of the OASIS CTI TC. Further work related to
>> information representations for codifying, analyzing, or sharing of cyber
>> threat intelligence that was not included in the input specifications is
>> also in scope.
>>
>>
>>
>> In addition to Standards Track Work Products, the OASIS CTI TC work
>> products in both phase one and phase two may include supporting
>> documentation, open source tooling, and any other materials deemed
>> necessary to encourage the adoption of the TC's specifications.
>>
>>
>>
>> (1)(d) Deliverables
>>
>>
>>
>> The OASIS CTI TC will establish three Subcommittees to develop and refine
>> the specifications and supporting materials of the TC:
>>
>>
>>
>> * The STIX Subcommittee
>>
>> * The TAXII Subcommittee
>>
>> * The CybOX Subcommittee
>>
>>
>>
>> In phase one, each Subcommittee will submit initial draft deliverables to
>> the OASIS CTI TC for approval based on making minimal changes to the input
>> specification as necessary to conform to OASIS publication formats and support
>> OASIS CTI TC design requirements:
>>
>>
>>
>> * The STIX Subcommittee will submit STIX 1.2.1
>>
>> * The TAXII Subcommittee will submit TAXII 1.1.1
>>
>> * The CybOX Subcommittee will submit CybOX 2.1.1
>>
>>
>>
>> In phase two, the OASIS CTI TC will make substantive additions and other
>> changes to the specifications to correct errors and evolve capabilities
>> based on requirements and capabilities identified by OASIS TC members.
>> Deliverables will include updated versions of the specifications (STIX,
>> TAXII, CybOX, and possibly others) as deemed appropriate by the
>> Subcommittees and by the OASIS CTI TC as a whole.
>>
>>
>>
>> In addition to the specification deliverables, the OASIS CTI TC may
>> deliver supporting documentation and open source tooling on an ongoing
>> basis in support of the CTI TC's published standards.
>>
>>
>>
>> (1)(e) IPR Mode
>>
>>
>>
>> This TC will operate under the Non-Assertion IPR mode as defined in
>> Section 10.3 of the OASIS IPR Policy document.
>>
>>
>>
>> (1)(f) Audience
>>
>>
>>
>> The anticipated audience for this work includes:
>>
>>
>>
>> * Vendors of products and services that produce, consume, or process
>> cyber threat intelligence, in particular that which is expressed via
>> STIX/CybOX and shared via TAXII
>>
>>
>>
>> * Organizations that produce or consume cyber threat intelligence, in
>> particular that which is expressed via STIX or CybOX and shared via TAXII
>>
>>
>>
>> * Organizations that purchase or may purchase products that support STIX,
>> TAXII, or CybOX
>>
>>
>>
>> * Information Sharing and Analysis Organizations (ISAOs), including
>> Information Sharing and Analysis Centers (ISACs)
>>
>>
>>
>> (1)(g) Language
>>
>>
>>
>> TC business will be conducted in English.  The output documents will be
>> written in (US) English. Translations to other languages may be made based
>> on interest and ability.
>>
>>
>>
>>
>>
>> Section 2: Additional Information
>>
>>
>>
>> (2)(a) Identification of Similar Work
>>
>>
>>
>> Similar efforts include:
>>
>>
>>
>> * IODEF/RID/RID-T (RFC 5070, RFC 6545, RFC 6546): IODEF, RID, and RID-T
>> are IETF specifications (https://tools.ietf.org/wg/mile/) to describe
>> and share incident information. They have a much narrower scope than
>> STIX/TAXII and therefore are often not adequate to most potential users of
>> STIX/TAXII.
>>
>>
>>
>> * OpenIOC (http://www.openioc.org): OpenIOC is a specification developed
>> by FireEye (a commercial company) to describe Indicators of Compromise and
>> made available for public use. OpenIOC addresses a narrow use case
>> (observable patterns for Indicators of Compromise) and represents a partial
>> solution to part of the overall cyber threat information problem, but does
>> not fully address the needs of a holistic cyber threat intelligence
>> information model. Additionally, though OpenIOC is developed as a public
>> specification by FireEye it is not a consensus standard in an international
>> standards body.
>>
>>
>>
>> * VERIS (http://veriscommunity.net): The VERIS Framework is a set of
>> metrics designed to provide a common language for describing security
>> incidents. VERIS addresses a narrow use case and represents a partial
>> solution to part of the overall cyber threat information problem but does
>> not fully address the needs of a holistic cyber threat intelligence
>> information model. Additionally, though VERIS is a published format
>> available on GitHub, it is developed at the sole discretion of the VERIS
>> community rather than as a consensus standard in an international standards
>> body.
>>
>>
>>
>> * OMG Threat Modeling Working Group (
>> http://www.omg.org/hot-topics/threat-modeling.htm): The Object
>> Management Group (OMG) has issued a proposal for a combined risk-threat
>> information model that incorporates STIX (among other things). That model
>> is expected to cover a broader scope (cyber and physical, threat and risk)
>> in order to coordinate across these domains but does not seek to re-define
>> a model within the domain to the low level that STIX and CybOX do.
>>
>>
>>
>> (2)(b) First TC Meeting
>>
>>
>>
>> The first TC meeting will be held on 18 June 2015 at 17:00 UTC / 1:00 PM
>> EDT / 10:00 AM PDT via teleconference. The teleconference infrastructure
>> will be Microsoft Lync hosted by The MITRE Corporation.
>>
>>
>>
>> (2)(c) Ongoing Meeting Schedule
>>
>>
>>
>> The full OASIS CTI TC plans to meet monthly via a teleconference hosted
>> via MITRE Lync. Subcommittees will set their own meeting schedules,
>> initially meeting bi-weekly by teleconference hosted via MITRE Lync.
>>
>>
>>
>> (2)(d) TC Proposers
>>
>>
>>
>> * Richard Struse, Department of Homeland Security,
>> Richard.Struse at hq.dhs.gov
>>
>>
>>
>> * Sean Barnum, The MITRE Corporation, sbarnum at mitre.org
>>
>>
>>
>> * Mark Davidson, The MITRE Corporation, mdavidson at mitre.org
>>
>>
>>
>> * John Wunder, The MITRE Corporation, jwunder at mitre.org
>>
>>
>>
>> * Aharon Chernin, Soltra, achernin at soltra.com
>>
>>
>>
>> * Mona Magathan, US Bancorp, mona.magathan at usbank.com
>>
>>
>>
>> * Bret Jordan, Blue Coat Systems Inc, bret.jordan at bluecoat.com
>>
>>
>>
>> * Alexander Foley, Bank of America, alexander.foley at bankofamerica.com
>>
>>
>>
>> * Tony Rutkowski, Yaana Technologies, LLC, tony at yaanatech.com
>>
>>
>>
>> * Joel J. Fleck, Hewlett-Packard, joel.fleck at hp.com
>>
>>
>>
>> * Richard Freeman, Symantec Corporation, richard_freeman at symantec.com
>>
>>
>>
>> * Rob Walters, Symantec Corporation, Rob_Walters at symantec.com
>>
>>
>>
>> * Paul McKitrick, Microsoft, pmckit at microsoft.com
>>
>>
>>
>> * Pam Smith, Johns Hopkins University Applied Physics Laboratory
>> (JHU/APL), pam.smith at jhuapl.edu
>>
>>
>>
>> (2)(e) Primary Representatives' Support
>>
>>
>>
>> * I, Richard Struse, Richard.Struse at hq.dhs.gov, as the US Department of
>> Homeland Security Office of Cybersecurity and Communications Primary
>> Representative to OASIS, I confirm our support for the proposed OASIS Cyber
>> Threat Intelligence (CTI) Technical Committee charter and endorse our
>> participation as a TC Proposer.
>>
>>
>>
>> * I, Raj Rajagopal, rajagop at mitre.org, as Primary Representative for
>> MITRE approve the CTI TC Charter, and endorse our participation as a TC
>> Proposer.
>>
>>
>>
>> * I, Aharon Chernin, achernin at soltra.com, as Primary Representative for
>> Soltra approve the CTI TC Charter, and endorse all our proposers listed in
>> (2)(d).
>>
>>
>>
>> * As the US Bancorp's Primary Representative at OASIS, I, Mona Magathan,
>> mona.magathan at usbank.com, confirm our support for the proposed OASIS
>> Cyber Threat Intelligence (CTI) Technical Committee charter and endorse our
>> participation as a TC Proposer.
>>
>>
>>
>> * I, Bret Jordan, bret.jordan at bluecoat.com, as the Blue Coat Systems
>> Primary Representative at OASIS, confirm our support for the proposed OASIS
>> Cyber Threat Intelligence (CTI) Technical Committee charter and endorse our
>> participation as a TC Proposer.
>>
>>
>>
>> * I, Abbie Barbir, abbie.barbir at bankofamerica.com, Bank of America
>> primary rep approve adding Alexander Foley as a co-proposer of the OASIS
>> Cyber Threat Intelligence (CTI) Technical Committee.
>>
>>
>>
>> * I, Anthony M. Rutkowski, tony at yaanatech.com, as Primary Representative
>> for Yaana Technologies, LLC, approve the OASIS Cyber Threat Intelligence
>> (CTI) Technical Committee Charter, support this proposal of formation
>> together with the other proposers and are committed to the Charter and
>> projected meeting schedule.
>>
>>
>>
>> * As principal representative of Hewlett-Packard at OASIS, I, Joel J.
>> Fleck, joel.fleck at hp.com, am pleased to endorse the creation of a new
>> OASIS Technical Committee on Cyber Threat Intelligence to support, maintain
>> and advance the work on the specifications for the STIX/TAXII protocols.
>>
>>
>>
>> * I, Richard Freeman, richard_freeman at symantec.com, as Primary
>> Representative for Symantec Corporation approve the CTI TC Charter, and
>> endorse all our proposers listed in (2)(d). (2)(d) currently consists of
>> myself and Rob Walters Rob_Walters at symantec.com.
>>
>>
>>
>> * I, Ram Jeyaraman, Ram.Jeyaraman at microsoft.com, as Primary
>> Representative for Microsoft Corporation approve the OASIS Cyber Threat
>> Intelligence Technical Committee Charter, and endorse our Proposer, Paul
>> McKitrick, as listed in section (2)(d).
>>
>>
>>
>> * I, Tom Smith, tom.smith at jhuapl.edu, as Primary Representative for
>> Johns Hopkins University Applied Physics Laboratory, approve the OASIS
>> Cyber Threat Intelligence Technical Committee Charter, and endorse our
>> proposer, Pam Smith, as listed in (2)(d).
>>
>>
>>
>> (2)(f) TC Convener
>>
>>
>>
>> The TC Convener is Richard Struse of the U.S. Department of Homeland
>> Security, Richard.Struse at hq.dhs.gov.
>>
>>
>>
>> (2)(g) OASIS Member Section
>>
>>
>>
>> N/A
>>
>>
>>
>> (2)(h) Anticipated Contributions
>>
>>
>>
>> The U.S. Department of Homeland Security will contribute the following
>> materials, delivered by the Homeland Security Systems Engineering and
>> Development Institute (operated by The MITRE Corporation):
>>
>>
>>
>> * STIX 1.2
>>
>>   - The specification itself, including specification documents, UML, and
>> schemas: http://stix.mitre.org/language/version1.2/
>>
>>   - Supporting non-normative documentation: http://stixproject.github.io
>>
>>   - Sample documents:
>> http://stix.mitre.org/language/version1.2/samples.html
>>
>>   - Profiles and Profile Documentation:
>> http://stix.mitre.org/language/profiles.html
>>
>>   - Open source tools and utilities: http://github.com/STIXProject/
>>
>>
>>
>> * TAXII 1.1
>>
>>   - The specification itself, including specification documents and
>> schemas: http://taxii.mitre.org/specifications/version1.1/
>>
>>   - Supporting non-normative documentation: http://taxiiproject.github.io
>>
>>   - Open source tools and utilities: http://github.com/TAXIIProject/
>>
>>
>>
>> * CybOX 2.1
>>
>>   - The specification itself, including specification documents, UML, and
>> schemas: http://cybox.mitre.org/language/version2.1/
>>
>>   - Supporting non-normative documentation: http://cyboxproject.github.io
>>
>>   -  Open source tools and utilities: http://github.com/CybOXProject/
>>
>>
>>
>> (2)(i) FAQ Document
>>
>>
>>
>> https://stixproject.github.io/oasis-faq.pdf
>>
>>
>>
>> (2)(j) Work Product Titles and Acronyms
>>
>>
>>
>> The OASIS CTI TC will produce material related to the following work
>> products:
>>
>>
>>
>> * Structured Threat Information Expression (STIX)
>>
>> * Trusted Automated Exchange of Indicator Information (TAXII)
>>
>> * Cyber Observable Expression (CybOX)
>>
>>
>>
>> --
>>
>>
>> /chet   [§]
>> ----------------
>> Chet Ensign
>> Director of Standards Development and TC Administration
>> OASIS: Advancing open standards for the information society
>> http://www.oasis-open.org
>>
>> Primary: +1 973-996-2298
>> Mobile: +1 201-341-1393
>>
>>
>>
>> Check your work using the Support Request Submission Checklist at
>> http://www.oasis-open.org/committees/download.php/47248/tc-admin-submission-checklist.html
>>
>>
>> TC Administration information and support is available at
>> http://www.oasis-open.org/resources/tcadmin
>>
>> Follow OASIS on:
>> LinkedIn:    http://linkd.in/OASISopen
>> Twitter:        http://twitter.com/OASISopen
>> Facebook:  http://facebook.com/oasis.open
>>
>
>
>
> --
> Eric Sachs | Director of Product Management for Identity |
> esachs at google.com
>
>