About using standards...
David Bizeul
Co-founder & Chief Scientific Officer @ Sekoia.io | SOCPlatform | CTI | #openxdrarchitecture
We are very proud to announce that SEKOIA just became a member of OASIS.
But the rationale behind this decision is important for us as a tech cyber company.
What is OASIS?
OASIS is an organization where companies and people create collaborative standards. To quote them: "One of the most respected, non-profit standards bodies in the world, OASIS Open offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement."
Why use standards?
Using a standard is for sure the best way to have a common language with others. In the tech industry, either you consider that you know better and faster than anyone else how to deal with a collaborative topic, or you decide to use a standard or an upcoming standard.
We decided to take the standards path because we are part of an ecosystem and want to interact with it in the best manner.
Our story
When we started the SEKOIA.IO project, we had questions and several challenges to overcome:
1 - How to model threat intelligence correctly, so that it stays reliable from an intelligence-cycle point of view and is actionable enough, especially for detection purposes and the associated decision making?
2 - How to share this threat intelligence with others (customers, partners, internal tools), each needing a different view of our threat intelligence database?
3 - How to propose action plans when an alert is raised and make sure these actions can be enforced in the end?
For each of these challenges, OASIS is working on standards (1 - STIX, 2 - TAXII, 3 - CACAO/OpenC2) in a collaborative approach where interested parties can contribute.
Of course, standards might not be ready when you need them, or may have some disadvantages compared with a siloed approach, but when you give standards enough time and envision large adoption, they are the only way.
Internally, we chose to use:
1 - STIX for our threat intelligence. We have a threat database full of STIX 2.1 objects. That means contextualized data, pivoting everywhere, capitalization of intelligence, the possibility to express detection rules and much more...
2 - TAXII for intelligence sharing. We use TAXII 2.1 for that. We also have an API for special features, but to share our threat intelligence with the maximum number of technology providers (using their TAXII clients), this is definitely the best solution.
3 - OpenC2 for automation. We work as a cloud solution, not on premises, so when we trigger an alert, we propose different actions that can be launched on the customer side. To organize all these actions, we currently have our own orchestration language, but we will invest time in how CACAO could be an option too.
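To make the STIX and OpenC2 points above concrete, here is an added example (not SEKOIA.IO code, and not part of the original post). It builds a small constructed STIX 2.1 bundle (an intrusion set that uses a malware family, and an indicator for that family's command-and-control address), pivots from the indicator across the relationship objects to find the related malware and intrusion set, and turns the indicator into an OpenC2 "deny" command a customer-side actuator could act on. All identifiers, names and the documentation-range IP address are made up for illustration; the pattern extraction only handles a single ipv4-addr comparison, which is a simplification of a real STIX pattern parser.

```python
import json
import re
from collections import deque

TS = "2021-06-01T00:00:00.000Z"
INTRUSION_SET_ID = "intrusion-set--5c1d2f8a-0000-4000-8000-000000000010"
MALWARE_ID = "malware--5c1d2f8a-0000-4000-8000-000000000020"
INDICATOR_ID = "indicator--5c1d2f8a-0000-4000-8000-000000000030"

# Constructed STIX 2.1 bundle for illustration only: ids, names and the
# 203.0.113.0/24 documentation-range address are made up, not real intelligence.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--5c1d2f8a-0000-4000-8000-000000000001",
    "objects": [
        {"type": "intrusion-set", "spec_version": "2.1", "id": INTRUSION_SET_ID,
         "created": TS, "modified": TS, "name": "Example Group"},
        {"type": "malware", "spec_version": "2.1", "id": MALWARE_ID,
         "created": TS, "modified": TS, "name": "ExampleLoader", "is_family": True},
        {"type": "indicator", "spec_version": "2.1", "id": INDICATOR_ID,
         "created": TS, "modified": TS, "name": "ExampleLoader C2 server",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "valid_from": TS},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--5c1d2f8a-0000-4000-8000-000000000040",
         "created": TS, "modified": TS, "relationship_type": "indicates",
         "source_ref": INDICATOR_ID, "target_ref": MALWARE_ID},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--5c1d2f8a-0000-4000-8000-000000000050",
         "created": TS, "modified": TS, "relationship_type": "uses",
         "source_ref": INTRUSION_SET_ID, "target_ref": MALWARE_ID},
    ],
}


def index_bundle(bundle):
    """Return (objects_by_id, neighbours): the non-relationship objects keyed by
    id, plus an undirected adjacency map built from the relationship objects."""
    objects = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    neighbours = {oid: set() for oid in objects}
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            src, dst = o["source_ref"], o["target_ref"]
            neighbours.setdefault(src, set()).add(dst)
            neighbours.setdefault(dst, set()).add(src)
    return objects, neighbours


def pivot(bundle, start_id, max_depth=2):
    """Breadth-first pivot over relationships: ids of every object reachable from
    start_id within max_depth hops (start_id itself is excluded)."""
    _, neighbours = index_bundle(bundle)
    seen, queue = {start_id}, deque([(start_id, 0)])
    while queue:
        oid, depth = queue.popleft()
        if depth == max_depth:
            continue
        for nxt in neighbours.get(oid, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    seen.discard(start_id)
    return seen


# Simplification: only a single "[ipv4-addr:value = '...']" comparison is handled.
_IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value\s*=\s*'(\d{1,3}(?:\.\d{1,3}){3})'\]$")


def indicator_ipv4(indicator):
    """Extract the address from a single ipv4-addr STIX pattern, or None for any
    other pattern type or shape."""
    if indicator.get("pattern_type") != "stix":
        return None
    m = _IPV4_PATTERN.match(indicator.get("pattern", ""))
    return m.group(1) if m else None


def openc2_deny_command(indicator):
    """Build an OpenC2 'deny' command (as a JSON-serialisable dict) that blocks the
    indicator's IPv4 address; the /32 prefix is written out explicitly."""
    address = indicator_ipv4(indicator)
    if address is None:
        return None
    return {
        "action": "deny",
        "target": {"ipv4_net": address + "/32"},
        "args": {"response_requested": "complete"},
    }


if __name__ == "__main__":
    objects, _ = index_bundle(SAMPLE_BUNDLE)
    for oid in sorted(pivot(SAMPLE_BUNDLE, INDICATOR_ID)):
        print(objects[oid]["type"], "->", objects[oid]["name"])
    print(json.dumps(openc2_deny_command(objects[INDICATOR_ID]), indent=2))
```

The pivot walks relationships in both directions, which is what lets an analyst go from an observed address to the malware family and then to the group known to use it; an indicator whose pattern is not a plain IPv4 comparison yields no OpenC2 command rather than a malformed one.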
Next steps:
When we have discussions with partners, we often feel frustrated because the ecosystem is not ready yet to support cyber standards correctly. Few solutions know how to exploit STIX 2.x, and OpenC2 is not even known by many providers that could be automated through this language.
Anyway, we are convinced this collaborative direction is the right one, and we will use our OASIS membership to push forward ideas that make sense to improve these standards.