CybOX


Kyle Maxwell

Aug 7, 2012, 6:42:53 PM
to ope...@googlegroups.com
I thought I'd inject a little life into the list by bringing up a bit
of controversy (hopefully not too much). Some of you might have seen
CybOX[1], the MITRE schema that is more or less directly comparable to
OpenIOC. In fact, their utilities page[2] has an OpenIOC->CybOX
transform, and I believe they have a CybOX->OpenIOC tool in beta.

Any thoughts on the differences and relative strengths & weaknesses of the two?

[1]: http://cybox.mitre.org/
[2]: http://cybox.mitre.org/utilities/index.html

--
Kyle Maxwell [krma...@gmail.com]
http://www.xwell.org
Twitter: @kylemaxwell

Brad Shoop

Aug 7, 2012, 7:51:21 PM
to ope...@googlegroups.com
Just a concern here: too many approaches result in further dilution and scatter, consuming more of my cycles. Nice that they have an export tool in the works.

Brad
--
Brad Shoop
GCIH GCFA
twitter: @bradshoop

Douglas Wilson

Aug 15, 2012, 3:34:06 PM
to ope...@googlegroups.com
I think it's a valid point to raise. It's definitely been raised before outside of this group.

I think that MITRE is trying to solve a much bigger problem set than we are, and I think that you should use the one that works for the problem at hand that you are trying to solve.

CybOX sets out to describe any event or item that can be observed in an enterprise. Of this, OpenIOC is a subset (it was actually the first set of observables instantiated in the CybOX schema -- MITRE absorbed our indicator terms as soon as we open-sourced them, and they were part of the basis for the very first draft of CybOX).

OpenIOC is based on a much smaller set of data -- but one that is specifically tailored towards tracking the key indicators for locating and tracking the TTPs of persistent adversaries. It's also a field-tested one that works really well, with at least one dedicated community that has been using it for several years.

I think ultimate true "standards" are determined by who is using what -- unfortunately, a lot of government entities try to build something and call it a standard -- it's only a standard if it's what everyone agrees on and uses. Currently, OpenIOC has tools that use it that are deployable (be they the free tools or enterprise level paid tools) and an established track record. So, it's where I am putting my money (but obviously, I'm biased ;-).

Realistically, if there are completely lossless, pain-free transforms, it's a moot point. There will always be problems in doing that, though, unless a lot of effort is spent catching all the corner cases. But there is always (hopefully) going to be an alternative means of expressing data, and even if one is clearly superior, there are always going to be reasons or use cases such that there should be some sort of competition going on, to spur innovation if nothing else.

If anyone does real work w/ CybOX outside of MITRE, especially if you are using it for finding badness in your enterprise, I'd love to hear about it. But my counter question is then what tools are you going to use to plug your CybOX into?

Doug
--
Doug Wilson
douglas...@openioc.org

OpenIOC Technology Advocate at MANDIANT
douglas...@mandiant.com
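To make the "what tools do you plug it into" question concrete, here is an added example (not code from this thread, Mandiant or MITRE) of the core job an OpenIOC consumer does: evaluating a document's nested AND/OR indicator tree against observations collected from a host. It assumes the 2010 Mandiant namespace, supports only the `is` and `contains` conditions, matches case-insensitively, and uses a constructed indicator whose id, hash and path are placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}  # OpenIOC 1.0 namespace

# Constructed sample: known hash, OR file name AND path (all values are placeholders).
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="i1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="sub">
        <IndicatorItem id="i2" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchost</Content>
        </IndicatorItem>
        <IndicatorItem id="i3" condition="is">
          <Context document="FileItem" search="FileItem/FilePath" type="mir"/>
          <Content type="string">C:\Users\Public</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def item_matches(item, observed):
    """One IndicatorItem against `observed`: {search term: [host values]}, case-insensitive."""
    term = item.find("ioc:Context", NS).get("search")
    wanted = (item.find("ioc:Content", NS).text or "").lower()
    values = [v.lower() for v in observed.get(term, [])]
    cond = item.get("condition")
    if cond == "is":
        return wanted in values
    if cond == "contains":
        return any(wanted in v for v in values)
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(indicator, observed):
    # Recursively combine child items/indicators with this node's AND/OR operator.
    results = []
    for child in indicator:
        tag = child.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
        if tag == "IndicatorItem":
            results.append(item_matches(child, observed))
        elif tag == "Indicator":
            results.append(evaluate(child, observed))
    combine = all if indicator.get("operator") == "AND" else any
    return bool(results) and combine(results)  # an empty logic block never fires

def ioc_matches(ioc_xml, observed):
    top = ET.fromstring(ioc_xml).find("ioc:definition/ioc:Indicator", NS)
    return evaluate(top, observed)
```

The `observed` dict stands in for whatever the collection agent gathered; a real consumer would fill it from the host's file, registry and process audits rather than from a literal.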