OASIS Cyber Threat Intelligence (CTI) Technical Committee

A Cyber Threat Intelligence (CTI) Technical Committee has been proposed to Oasis (See proposed charter). This initiative is based on STIX.

The following are comments on the Oasis “Cyber Threat Intelligence (CTI) Technical Committee” draft charter from Cory Casanave of Model Driven Solutions.

Basis of interest: Model Driven Solutions is a submitter to the OMG Operational Threat & Risk Model RFP (http://www.omg.org/cgi-bin/doc.cgi?sysa/2014-6-17), which is referenced in the draft CTI charter (https://lists.oasis-open.org/archives/members/201504/msg00006.html ). There is substantial overlap but some important differences in the intent and substance of the OMG standards effort and that as proposed by the Oasis CTI TC. These comments are intended to help both organizations develop standards that are in the best interests of the community of vendors, consumers and other stakeholders.

Of particular importance is making sure that Cyber threats and risks are not made yet another “stovepipe” as we are faced with a world where the boundaries between the physical and cyber world are porous and an estimated 80% of threats are blended between cyber and physical. Protecting our citizens, property and critical infrastructure requires that we can “connect the dots” between all hazards and all risks from threat actors, system failures and natural disasters. This federation of information must happen at “machine speed” to enable effective and responsive analytics and information sharing to prevent and mitigate the impacts of threats and risks.

The STIX/TAXII/Cybox schema represent important work within the cyber community for cyber threats and risks. It is appropriate and necessary that the Cyber community have detailed and specific exchange formats that are tuned to the needs of cyber professionals. The same is true of other domains and “verticals” such as law enforcement, critical infrastructure protection, terrorism, biological, nuclear, and responses to natural disasters. Yet these domains and the related organizations must work closely together, often in difficult and unexpected situations.

To enable the focus needed for specific communities while preserving cross-community collaboration, information federation and information sharing the OMG threat & Risk model initiative is creating a standard UML conceptual model that federates the concepts from these multiple domains, based on the existing work such as is found in the STIX/TAXII/Cybox (as well as others). This UML model will then be mapped to the existing exchange formats, such as STIX (and others), to provide the basis for semantic and syntactic information federation, analytics and sharing. The OMG initiative is not defining any new data schema – we have enough. The RFP has been issued and initial submissions will be presented in May. The submission team is open (see http://www.threatrisk.org) and STIX community members have monitored our progress.

To relate the two efforts: The OMG effort is broader and shallower where as the CTI effort is deeper and narrower. Both efforts intend on providing UML models of the concepts (this fact is not explicit in the charter but has been made public on the STIX lists). The CTI effort is also specifying exchange data structures such as XML schema, the OMG effort is not defining any new schema but is mapping between schema (standard, community or proprietary). However, schema could be generated from the UML models. In that the OMG effort has STIX/TAXII/Cybox as a normative input and mapping the proper representation of the broad threat/risk and general concepts within STIX/TAXII/Cybox are or will be defined in the OMG conceptual model. Approximately 75% of this model has a direct correlation to STIX/TAXII/Cybox such that the STIX/TAXII/Cybox Cyber specific concepts could be considered an extension to the OMG conceptual model.

While STIX/TAXII/Cybox are clearly focused on Cyber, a reading of the charter where the term “Cyber” was removed would correspond almost directly to the intent of the OMG threat/risk effort. What this suggests is that much of what is needed is in fact cross domain and not specific to Cyber. If not specific to Cyber there is an almost complete overlap with the OMG effort. It would be confusing, a waist of effort and a disservice to both vendors and our defenders to come out with redundant standards covering almost the same space. As stewards of standards it is our responsibility to make sure such efforts are coordinated, complementary and properly scoped.

It is our position that these efforts must be complementary by charter and that the following be included in that charter:

  • That the CTI effort will include a UML representation of Cyber concepts (Our understanding is that this is the current intent)
  • That there will be an explicit mapping of this model to technology specific schema, such as XML schema (Our understanding is that this is the current intent)
  • That the CTI UML representation be an extension of the OMG operational threat and risk model (This is an additional constraint)
  • That the OMG effort must include a foundation appropriate for extension to the CTI model (A current requirement of the RFP)

 

Cross membership and cross participation will ensure that these requirements are both met and that both efforts meet their objectives. Based on the substantial time we have spent evaluating both models such collaboration and integration is practical and would benefit both efforts.

 

The above comments are from Cory Casanave representing Model Driven Solutions and do not necessarily represent the position of the other contributors and submitters to the OMG effort. Other stakeholders are encouraged to also submit comments to Oasis