Newsletter Newsletter N°5

United we stand: Protecting against cyber threats with standards for sharing

Richard Struse of US DHS

The CDEP Working Party on Security and Privacy in the Digital Economy has the recurring topic of ‘Developments on Cybersecurity’ on its agenda for the purpose of sharing insights and initiatives amongst its members and to identify opportunities for co-operation. New standardization efforts within OASIS are underway on the exchange of cyber threat intelligence data to help prevention, detection, and remediation.

When it comes to cyber attacks, the best defense may not be a good offense so much as a good standard–or better yet, three good standards. STIX, TAXII, and CybOX, designed to enable the automated sharing of cyber threat intelligence, have now ‘graduated’ into the international open standards process at OASIS.

“Security professionals are overwhelmed and simply don’t have time for analyzing data in disparate formats. STIX, TAXII, and CybOX streamline the process, putting the focus where it belongs—on prevention, detection, and remediation,” said Jon Oltsik, Senior Principal Analyst at Enterprise Strategy Group. “Using data converted to these standard formats can help security practitioners rapidly identify and access current threats, and determine how they act, who is responsible, and what course of action is needed.”


Initiated three years ago by the U.S. Department of Homeland Security (DHS), STIX, TAXII, and CybOX are now supported by a record number of organizations from around the world which have come together in the new OASIS Cyber Threat Intelligence (CTI) Technical Committee.

The specifications can work in concert or be implemented separately. STIX (Structured Threat Information Expression) is a language for describing cyber threat information so that it can be analyzed and/or exchanged. STIX makes it possible to explicitly characterize a cyber adversary’s motivations, capabilities, and activities, and in doing so, determine how to best defend against them. TAXII (Trusted Automated Exchange of Indicator Information) defines services and message exchanges that enable organizations to share the information they choose with the partners they choose. CybOX (Cyber Observable Expression) is a language for specifying, capturing, and communicating events or stateful properties that are observable in system and network operations. Together, STIX, TAXII, and CybOX are instrumental in supporting a wide variety of applications including security event management, malware characterization, intrusion detection, incident response, and digital forensics.

“STIX, TAXII, and CybOX have reached a level of maturity where they will benefit from a more formal collaboration guided by a globally recognized standards development process that ensures transparency, international participation, stability, reciprocity, and perpetual ease of access,” said Richard Struse of the U.S. DHS Office of Cybersecurity and Communications, who chairs the OASIS CTI Technical Committee. “OASIS provides all of this and is also an authorized PAS1 Submitter to ISO, which ensures our standards will be implementable by the broadest possible stakeholder community.”

As necessary as cyber threat intelligence sharing is, it still take courage and commitment to begin the process. “Sharing confidential information has been one of the things private industry has been very leery of doing because they not sure they can share this kind of threat vulnerability information securely,” said Mark Weatherford, former DHS cyber chief and principal at The Chertoff Group. “STIX, TAXII, and CybOX developers are heroes in my book.”

Additional information
OASIS CTI Technical Committee