Posted April 30, 2018
In part 1 of this blog series I highlighted why organizations require independent cyber security systems that can be combined in a collaborative manner to provide more effective threat response.
In this week’s final installment of the series, I will answer a key question: How do organizations ensure they are either developing or leveraging technologies that are interoperable off-the-shelf?
Lessons for Interoperability
Industry efforts such as OASIS STIX Preferred help technology companies develop their products in a manner that ensures effective interoperability. This effort is being developed as part of the OASIS CTI Interoperability Sub-committee (https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti-interoperability) and is focused on business-driven use cases for interoperability of CTI products.
The STIX Preferred program focuses on defined roles that products deployed in a security ecosystem can easily be matched against for verification. The STIX Preferred program defines those product roles as ‘persona’.
STIX Preferred Persona Deployment
These personas are the basis of what is expected for each product deployed in that ‘role’ in the network.
- Data Feed Provider (DFP)
- Software products that act as producers of STIX 2 content.
- Threat Intelligence Platform (TIP) (threat intelligence here meaning evidence-based knowledge about an existing hazard, designed to help organizations make informed decisions regarding their response to the threat)
- Software products that act as producers and/or respondents of STIX 2 content, primarily used to aggregate, refine and share intelligence with other machines or with security personnel operating other security infrastructure.
- Security Incident and Event Management system (SIEM)
- Software products that act as producers and/or respondents of STIX 2 content. A SIEM that produces STIX content will typically create incidents and indicators. A SIEM that consumes STIX content will typically consume sightings and indicators.
- TAXII Server (TXS)
- Software products that act as TAXII Servers enabling the sharing of STIX 2 content among producers and respondents.
- TAXII Feed (TXF)
- Software products that publish STIX data as a read-only TAXII Server where respondents may receive the STIX data from the TXF.
- Threat Mitigation System (TMS)
- Software products that act on courses of action and other threat mitigations, such as a firewall or IPS, Endpoint Detection and Response (EDR) software, etc.
- Threat Detection System (TDS)
- Software products that monitor for and/or detect threats, such as Intrusion Detection Software (IDS), Endpoint Detection and Response (EDR) software, a web proxy, etc.
- Threat Intelligence Sink (TIS)
- Software products that consume STIX 2 content in order to perform translations to domain specific formats consumable by enforcement and/or detection systems that do not natively support STIX 2. These consumers may or may not have the capability of reporting sightings. A TIS will typically consume intelligence identified in the STIX content but will not produce any STIX content itself.
In addition to these personas, another key part of ensuring interoperability is a set of tests that define both expected data and expected behavior in as complete a set of scenarios as possible.
Interoperability Key Tenets
The Interoperability testing has focused on several common use cases:
- Indicator Sharing
- Primarily focused on intelligence that identifies indications of malicious activity
- Sighting Sharing
- Primarily focused on intelligence that identifies both indications of malicious activity and reports on specific instances of where that malicious activity was observed
- Data Feed Sharing
- Primarily for providers producing intelligence being shared via a TAXII server
- Collaboration Sharing
- Primarily for providers producing or consuming intelligence in a collaborative environment such as multi-analyst team sharing environments.
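The persona list and the Indicator Sharing and Sighting Sharing use cases above describe a round trip: a feed provider or TIP publishes STIX 2 indicators, a Threat Intelligence Sink translates them into a format an enforcement or detection product understands, and a detection system or SIEM reports sightings back. The following is an added, constructed illustration of that round trip in standard-library Python; it is not code from the original post, from OASIS or from any STIX Preferred product. The bundle, indicator identifiers and log lines are made up, and the pattern matcher handles only the simplest `[type:value = 'literal']` STIX comparison expression rather than the full STIX patterning language (a real TIS would use a complete pattern parser).

```python
"""Constructed STIX 2.0 indicator -> blocklist -> sighting round trip (added example).

Only the standard library is used. Object layouts follow STIX 2.0 (a bundle with
spec_version "2.0", indicator and sighting objects); the contents are made up.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed STIX 2.0 bundle as a Data Feed Provider (DFP) or TIP might publish it.
# Identifiers are made-up UUIDs in the STIX "type--uuid" form.
FEED_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--6e2c0b1a-2f44-4a1e-9a0b-1f2a3b4c5d6e",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
            "created": "2018-04-30T00:00:00.000Z",
            "modified": "2018-04-30T00:00:00.000Z",
            "labels": ["malicious-activity"],
            "name": "Constructed C2 address",
            "pattern": "[ipv4-addr:value = '203.0.113.10']",
            "valid_from": "2018-04-30T00:00:00Z",
        },
        {
            "type": "indicator",
            "id": "indicator--5f6e7d8c-9b0a-4c1d-8e2f-3a4b5c6d7e8f",
            "created": "2018-04-30T00:00:00.000Z",
            "modified": "2018-04-30T00:00:00.000Z",
            "labels": ["malicious-activity"],
            "name": "Constructed phishing domain",
            "pattern": "[domain-name:value = 'example.invalid']",
            "valid_from": "2018-04-30T00:00:00Z",
        },
    ],
})

# Matcher for the simplest STIX comparison expression only:
# "[<object-type>:value = '<literal>']". Anything else is treated as unsupported.
_SIMPLE_PATTERN = re.compile(r"^\[(?P<obj>[a-z0-9-]+):value\s*=\s*'(?P<val>[^']*)'\]$")


def indicators_from_bundle(bundle_json):
    """Return the indicator objects contained in a STIX 2.0 bundle."""
    bundle = json.loads(bundle_json)
    return [o for o in bundle.get("objects", []) if o.get("type") == "indicator"]


def translate_to_blocklist(indicators):
    """Threat Intelligence Sink (TIS) role: turn simple indicator patterns into a
    domain-specific {object-type: [values]} blocklist for a firewall or IDS that
    does not speak STIX natively. Unsupported patterns are skipped, never guessed."""
    blocklist = {}
    for ind in indicators:
        m = _SIMPLE_PATTERN.match(ind.get("pattern", ""))
        if not m:
            continue
        blocklist.setdefault(m.group("obj"), []).append(m.group("val"))
    return blocklist


def observe_log(indicators, log_lines):
    """Threat Detection System / SIEM role: match log lines against the indicators
    and return STIX 2.0 sighting objects (one per matched indicator) that could be
    sent back to the TIP, so producers learn where their intelligence was seen."""
    sightings = []
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    for ind in indicators:
        m = _SIMPLE_PATTERN.match(ind.get("pattern", ""))
        if not m:
            continue
        hits = [line for line in log_lines if m.group("val") in line]
        if hits:
            sightings.append({
                "type": "sighting",
                "id": "sighting--" + str(uuid.uuid4()),
                "created": now,
                "modified": now,
                "sighting_of_ref": ind["id"],
                "count": len(hits),
            })
    return sightings


# Constructed log lines from a hypothetical web proxy; only the first contains a feed IoC.
SAMPLE_LOG = [
    "2018-04-30T10:00:01Z proxy allow 10.0.0.5 -> 203.0.113.10:443",
    "2018-04-30T10:00:02Z proxy allow 10.0.0.6 -> 198.51.100.7:80",
]

if __name__ == "__main__":
    inds = indicators_from_bundle(FEED_BUNDLE)
    print(json.dumps(translate_to_blocklist(inds), indent=2))
    print(json.dumps(observe_log(inds, SAMPLE_LOG), indent=2))
```

The point of the two roles being separate functions is the one the persona model makes: the TIS only consumes STIX and emits a native blocklist, while the detection side is what produces the sighting that flows back to the TIP, which is the Sighting Sharing use case. Skipping unsupported patterns rather than partially matching them is deliberate; silently mistranslating an indicator is worse than not loading it.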
If you are an organization considering deploying STIX/TAXII version 2 based products to leverage CTI, I encourage you to research the STIX Preferred self-certified products and use them as a basis for your evaluation. The STIX Preferred program does much of the pre-validation of CTI products for you, which you can build on during your product evaluation and assessment process.
If you are a vendor considering building STIX/TAXII version 2 based products to exchange CTI, consider self-certification of your products.
Today’s cyber threat defense technologies must work together to combat the security challenges organizations face. Just as fighter jets that lack integrated communication systems cannot operate effectively together, the cybersecurity industry must overcome its interoperability gaps to deliver more effective solutions.