Re: OCSF Information Sharing


Jason Keirstead
 

The NDA we were all under was with AWS who is the entity who kind of “got everyone together”, but is not really steering anything alone now. Currently, there is no association, or 503c, or anything of the sort - it is just an open-source project under the Github “MVG” governance model (ref: https://github.com/github/MVG). The slack and call info is not on Github, I am trying to figure out why - in the meantime I can invite individuals to the slack, email me directly for an invite.

The shortest summary I can offer – this group has good intentions, but is also “moving fast”, and since many participants are inexperienced running or participating in an organization like this, “they don’t know what they don’t know” until it becomes obvious. We/I are/am trying to help them get steered in the right direction over time.


RE the standards you listed – I view OCSF as complementary to all of them. OCSF is very focused on large-scale, flat, cybersecurity telemetry – like in a SIEM or Cloud. It does not solve for the use cases STIX solves for, nor does it try to. Similarly, STIX, as a rich graph, is not well-suited to be a native format for logs and telemetry – it is too verbose.

 

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management | www.ibm.com/security

Declare an Emergency: USA +1 888 241 9812, Global +1 312 212 8034

 

Assistant - Mauricio Durán Cambronero (mauduran@...)

See my calendar - https://ibm.biz/jkcalendar


Co-Chair - Open Cybersecurity Alliance, Project Governing Board

www.opencybersecurityalliance.org

 

 

From: oca-pgb@... <oca-pgb@...> on behalf of duncan@sfractal <duncan@...>
Date: Wednesday, August 17, 2022 at 1:29 PM
To: oca-pgb@... <oca-pgb@...>
Subject: [EXTERNAL] Re: [oca-pgb] OCSF Information Sharing


Jason,

You mention the meetings are open to all, yet up until recently lawyers wouldn’t allow you to tell us of its existence. I sense some tension there. Where do I find the information on how to attend the meetings?

 

You mention possible OCA ‘endorsement’ of OCSF. Could you explain what OCSF is from an organization viewpoint? If there were NDAs and lawyers then I assume it’s an industry association or a foundation or a 5013c or something. I’d like to understand ‘who’ we’d be talking about organizationally. I’d hesitate to endorse “one company” and that extends a little to ‘a cabal of companies’ unless they had some fig leaf organizationally. I certainly don’t want to get into favoring AWS over Microsoft/Google/… without more understanding of exactly what we are favoring – and especially if they aren’t OCA members. I don’t want to start our own version of Japanese keiretsu.

 

I’d also like the answers to the various FAQs I emailed you about (the PRs against the OCSF documentation repo https://github.com/ocsf/ocsf-docs/pulls). I recognize getting approved OCSF answers would take time. I’d like your opinion on whether OCSF is “complementary to” or “in competition with” (or “too soon to tell”):

  • STIX
  • OpenC2
  • PACE
  • Kestrel
  • Stixshifter
  • OCA Ontology

 

I am hopeful I’ll like all the answers you’d provide but I’m worried I won’t. My ‘think evilly’ part of my brain is hard to turn off so I default to assuming the worst.

 

-- 

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/

 

 

 

From: oca-pgb@... <oca-pgb@...> on behalf of Jason Keirstead via lists.oasis-open-projects.org <Jason.Keirstead=ca.ibm.com@...>
Date: Wednesday, August 17, 2022 at 10:40 AM
To: oca-pgb@... <oca-pgb@...>
Subject: [oca-pgb] OCSF Information Sharing

Hello fellow PGB members. By now you have probably heard about the announcement of Open Cybersecurity Schema Format (OCSF) - https://github.com/ocsf/, which was announced at BlackHat last week. As I relayed to others – IBM was unfortunately under an NDA so I was unable to share this with other OCA members until now (beyond Rapid7, who was also part of the launch).

I have been receiving a lot of questions on how OCSF relates to OCA, and some are asking why it is not part of the OCA, etc. - and I want to share my point of view. I believe that OCSF and the OCA are complementary efforts. Our mission statement at the OCA is to build an open ecosystem where cybersecurity products can interoperate without the need for customized integrations, using open standards and projects. OCSF clearly aligns with that mission. While we have been focused on using the STIX 2.1 data model for most efforts, it is even today not the only standard we use - and as such OCSF can be a format that OCA may use in future efforts. OCSF, as a purposefully designed format for large-scale log ingestion, has some benefits over the STIX 2.1 SCO model for some use cases including log management and SIEM.


I also want to make it clear that from what I have seen, the efforts to be a true open standard in this community are genuine. Everyone I have interacted with thus far has been very committed to doing everything collaboratively with a true, open approach. The calls are open and free to join to anyone, and the process for how to submit PRs into the codebase is clearly documented. Simultaneously however – there are clear gaps in the governance structure, the things you run into when you do not have a neutral organization like the OCA stewarding. Some of these became even more obvious when we were launching this (who owns the website? Who owns the twitter handle? Who owns the LinkedIn? Etc). IBM has been taking this opportunity to promote OCA to the OCSF community, and making the case for the importance of open governance in efforts like this. Maybe someday, OCSF could come over to OCA.

 

I hope for the OCA to support the mission of OCSF after its announcement. It will be up to the OCA PGB to decide if we want to issue any official statements of support or not with OCSF, or develop any closer relationship between the efforts. I think that regardless of whether the PGB wants to support or not, we need to work on a message for the community to share our point of view. We can discuss this at the next PGB call (and also here on the mailing list of course).

As always, open to any other questions or thoughts on this.

 

 

 
