STIX and TAXII Provide a Higher Standard for Threat Intelligence

The new standards provide agencies with simple, flexible standards for real-time sharing of threat intelligence.

IT security is a growing focus for state and local agencies. And as agencies begin to improve and expand their security arsenals, they often find themselves juggling devices and intelligence feeds from numerous vendors. But who has the time – and the staff – to take advantage of these during cyberattacks?

Unfortunately, there is no single solution for the security manager – but help is on the way in the form of the STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Indicator Information) standards, developed collectively by the nonprofit Mitre Corp., the Department of Homeland Security and the open-source community. Both standards are flexible models for the automated sharing of actionable cyberthreat information between organizations and across products and vendors, and they were the subject of discussion at a recent StateTech Cybersecurity Summit held in Chicago.

Think of STIX as the rules of football and TAXII as team strategies and set plays. The teams are any organizations participating in information sharing and analysis centers (ISACs) that implement STIX and TAXII to share threat intelligence.

STIX is a standardized framework and language for threat information. It sets the parameters for the sharing of intelligence. TAXII defines the transport mechanisms for this sharing – not in the form of a predefined database or tool but as an agreed-upon set of service and message definitions. It is the collection of actions that organizations use as they “play” the security-sharing “game.”

TAXII is focused on organizing four specific sharing actions:

  • Discovery: Learning what services the participant supports
  • Collection Management: Learning about and requesting subscriptions to participants’ data collections
  • Inbox: Receiving pushed content
  • Pull: Requesting content

Consider this example: Agency A’s security devices register an attack. STIX and TAXII provide a means for the automated sharing of data from those devices, providing agencies B, C and D with pertinent intelligence in real time. This information is a valuable alert as to actions that could be happening inside the networks of agencies B, C and D. If a questionable activity occurs on B’s network, it can more quickly respond to this potential problem with the help of this shared data.
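The following is an added example, not code from the article or from Mitre or DHS. It models the four TAXII sharing actions (discovery, collection management, inbox, pull) as an in-memory server and walks the agency A/B scenario above: agency A pushes an indicator into an ISAC collection, agency B discovers the services, subscribes, polls for new content and then checks the shared indicator against its own firewall logs. Everything here is an assumption or a constructed sample: the real TAXII 1.x protocol exchanges XML messages over HTTP(S), the indicator is a simplified record rather than full STIX XML, the collection name, the service paths and the log lines are invented, and the IP addresses come from the documentation ranges.

```python
"""Toy model of TAXII's four sharing actions carrying a STIX-like indicator from
agency A to agency B, which matches it against its own logs (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re

# Assumed content binding identifier for STIX XML 1.1.1. The real protocol
# exchanges TAXII XML messages over HTTP(S); this in-memory model omits that.
STIX_BINDING = "urn:stix.mitre.org:xml:1.1.1"


@dataclass
class ContentBlock:
    binding: str
    indicator: dict          # simplified STIX-like indicator, not full STIX XML
    timestamp: datetime


@dataclass
class TaxiiServer:
    """In-memory stand-in for a TAXII server run by the ISAC (hypothetical)."""
    collections: dict = field(default_factory=dict)   # name -> [ContentBlock]
    subscriptions: dict = field(default_factory=dict) # name -> {member, ...}

    # 1. Discovery: learn what services this participant supports (assumed paths).
    def discovery(self):
        return {"DISCOVERY": "/services/discovery",
                "COLLECTION_MANAGEMENT": "/services/collection-management",
                "INBOX": "/services/inbox",
                "POLL": "/services/poll"}

    # 2. Collection management: learn about collections and subscribe to one.
    def collection_information(self):
        return sorted(self.collections)

    def subscribe(self, member, collection):
        if collection not in self.collections:
            raise KeyError(f"unknown collection {collection}")
        self.subscriptions.setdefault(collection, set()).add(member)
        return f"{collection}:{member}"     # subscription id (constructed format)

    # 3. Inbox: a producer pushes a content block into a collection.
    def inbox(self, collection, block):
        if block.binding != STIX_BINDING:
            raise ValueError("unsupported content binding")
        self.collections.setdefault(collection, []).append(block)
        return len(self.collections[collection])

    # 4. Pull (poll): a consumer requests content, optionally only newer than a time.
    def poll(self, collection, since=None):
        blocks = self.collections.get(collection, [])
        if since is not None:
            blocks = [b for b in blocks if b.timestamp > since]
        return list(blocks)


# Agency B's own firewall log lines (constructed sample data).
AGENCY_B_LOGS = [
    "2015-06-15T10:01:02Z DENY src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2015-06-15T10:02:14Z ALLOW src=10.0.0.7 dst=198.51.100.20 dport=80",
    "2015-06-15T10:03:55Z ALLOW src=10.0.0.5 dst=203.0.113.9 dport=8443",
]

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def match_indicators(blocks, log_lines):
    """Return (indicator id, log line) pairs where a shared IPv4 indicator is the destination."""
    watch = {b.indicator["address"]: b.indicator["id"]
             for b in blocks if b.indicator["type"] == "ipv4-addr"}
    hits = []
    for line in log_lines:
        m = DST_RE.search(line)
        if m and m.group(1) in watch:
            hits.append((watch[m.group(1)], line))
    return hits


def share_and_match():
    """Run the whole exchange: A pushes, B discovers, subscribes, polls and matches."""
    server = TaxiiServer()
    server.collections["isac-indicators"] = []          # constructed collection name
    server.discovery()                                  # B learns the service set
    server.subscribe("agency-b", "isac-indicators")
    # Agency A's device flagged an attacking address (constructed indicator).
    block = ContentBlock(
        STIX_BINDING,
        {"id": "example:indicator-1", "type": "ipv4-addr",
         "address": "203.0.113.9", "title": "Address seen attacking agency A"},
        datetime(2015, 6, 15, 9, 30, tzinfo=timezone.utc))
    server.inbox("isac-indicators", block)
    blocks = server.poll("isac-indicators",
                         since=datetime(2015, 6, 15, 0, 0, tzinfo=timezone.utc))
    return match_indicators(blocks, AGENCY_B_LOGS)


if __name__ == "__main__":
    for indicator_id, line in share_and_match():
        print(indicator_id, "->", line)
```

The `since` filter on `poll` is what makes the "real time" part practical: a consumer keeps the timestamp of its last poll and asks only for newer blocks, so it never reprocesses the whole collection. The matching step is deliberately narrow (destination IPs only); a production feed would carry domains, hashes and URLs, each needing its own extraction from the local logs.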

The value of this immediate sharing rises even more when you consider the nature of ISACs. They are organized around shared security concerns such as financial services (see the Financial Services Information Sharing and Analysis Center). Their members are often collectively targeted by the same attacks. STIX and TAXII deliver real-time, actionable threat information to the organizations most likely to be next on an attacker's list.

STIX and TAXII are flexible, allowing for singular arrangements that meet the unique needs of each member of the ISAC. This flexibility is also key for interoperability, allowing devices from different vendors to feed into the data flow. While STIX and TAXII are currently formatted using XML, they can accommodate other protocols and languages. This flexibility makes improved intelligence sharing across industries and communities easy.

Jun 15 2015