© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited: 12-4167 The MITRE Corporation TAXII: An Overview.

Slides:



Advertisements
Similar presentations
EzScoreboard.com A Fully Integrated Administration Service.
Advertisements

DISTRIBUTED COMPUTING PARADIGMS
Copyright © 2005 – Clickshare Service Corp. All rights reserved. Payment Aggregation & Affinity Management Clickshare for the Media Industry For more information.
Tivoli Service Request Manager
Push Technology Humie Leung Annabelle Huo. Introduction Push technology is a set of technologies used to send information to a client without the client.
Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group
Jabber and Extensible Messaging and Presence Protocol (XMPP) Presenter: Michael Smith Cisc 856 Dec. 6, 2005.
PantherSoft Financials Smart Internal Billing. Agenda  Benefits  Security and User Roles  Definitions  Workflow  Defining/Modifying Items  Creating.
© 2013 The MITRE Corporation. All rights reserved. Sean Barnum Nov Sponsored by the US Department of Homeland Security PRACTICAL.
Introduction to push technology © 2009 Research In Motion Limited.
28.2 Functionality Application Software Provides Applications supply the high-level services that user access, and determine how users perceive the capabilities.
Query Health Technical WG 9/14/2011. Agenda TopicTime Allocation Administrative Stuff and Reminders11:05 – 11:10 am Summer Concert Series Patterns Discussion11:10.
A New Computing Paradigm. Overview of Web Services Over 66 percent of respondents to a 2001 InfoWorld magazine poll agreed that "Web services are likely.
Rheeve: A Plug-n-Play Peer- to-Peer Computing Platform Wang-kee Poon and Jiannong Cao Department of Computing, The Hong Kong Polytechnic University ICDCSW.
Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.
Layer 7- Application Layer
Networks: HTTP and DNS1 The Internet and HTTP and DNS Examples.
Networks: HTTP and DNS 1 The Internet and HTTP and DNS Examples.
Integration of Applications MIS3502: Application Integration and Evaluation Paul Weinberg Adapted from material by Arnold Kurtz, David.
Networks: HTTP and DNS1 The Internet and HTTP and DNS Examples.
Networks: HTTP and DNS1 Internet, HTTP and DNS Examples.
1 of 4 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
Understanding and Leveraging MU2 Optional Transports Paul M. Tuten, PhD Senior Consultant, ONC Leader, Implementation Geographies Workgroup, Direct Project.
A Guide to Getting Started
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.
Managing Client Access
Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.
A Scalable Application Architecture for composing News Portals on the Internet Serpil TOK, Zeki BAYRAM. Eastern MediterraneanUniversity Famagusta Famagusta.
Cross Vendor Exchange Testing and Certification Plans April 18, 2013.
SWIS Digital Inspections Project (SWIS DIP) Chris Allen, Information Management Branch California Integrated Waste Management Board November 5, 2008 The.
Classroom User Training June 29, 2005 Presented by:
P2PSIP Charter Proposal Many people helped write this charter…
Chapter 10 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Explain how the functions of the application layer,
Cross Vendor Exchange Testing and Certification Plans April 18, 2013 Meaningful Use Stage 2 Exchange Summit Avinash Shanbhag, ONC.
Chapter Intranet Agents. Chapter Background Intranet: an internal corporate network based on Internet technology. Typically, an intranet can.
Trade Software Developer Technical Seminar Document Imaging System March 7, 2012.
7 1 ADVANCED Using Mailing Lists and Exploring Wireless Options New Perspectives on THE INTERNET.
1.View Description 2.Primary Presentation 3.Element Catalog Elements and Their Properties Relations and Their Properties Element Interfaces Element Behavior.
Disaster Management - Open Platform for Emergency Networks (DM OPEN)‏ Introduction to the Interoperability Environment.
Designing System for Internet Commerce 6. Functional Architecture Jinwon Lee.
© Copyright 2007 Arbinet-thexchange, Inc. All Rights Reserved. Voice Peering Steve Heap Chief Technology Officer.
PostalOne! / FAST Data Exchange - Vision 02/15/05.
Web Security : Secure Socket Layer Secure Electronic Transaction.
Computer Emergency Notification System (CENS)
Web Services Based on SOA: Concepts, Technology, Design by Thomas Erl MIS 181.9: Service Oriented Architecture 2 nd Semester,
A Flexible Access Control Model for Web Services Elisa Bertino CERIAS and CS Department, Purdue University Joint work with Anna C. Squicciarini – University.
Distributed Information Retrieval Using a Multi-Agent System and The Role of Logic Programming.
An XML based Security Assertion Markup Language
Customer Interface for wuw.com 1.Context. Customer Interface for wuw.com 2. Content Our web-site can be classified as an service-dominant website. 3.
Module 7 Planning and Deploying Messaging Compliance.
Health eDecisions Use Case 2: CDS Guidance Service Strawman of Core Concepts Use Case 2 1.
OAI Overview DLESE OAI Workshop April 29-30, 2002 John Weatherley
© 2009 Research In Motion Limited Advanced Java Application Development for the BlackBerry Smartphone Trainer name Date.
SWIS Digital Inspections Project Chris Allen, Information Management Branch California Integrated Waste Management Board August 22, 2008.
Electronic Submission of Medical Documentation (esMD)
Web Technologies Lecture 10 Web services. From W3C – A software system designed to support interoperable machine-to-machine interaction over a network.
GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.
Program Assessment User Session Experts (PAUSE) Information Sessions: RSS & Subscription Services October , 2006.
Copyright 2007, Information Builders. Slide 1 iWay Web Services and WebFOCUS Consumption Michael Florkowski Information Builders.
Web Services Blake Schernekau March 27 th, Learning Objectives Understand Web Services Understand Web Services Figure out SOAP and what it is used.
1 Options Clearing Corporation Encore Data Distribution Services April 22, 2004.
1 Overview of the Hub Concept & Prototype for Secure Method of Information Exchange (SMIE) April 2013 Prepared by NZ & USA.
WREC Working Group IETF 49, San Diego Co-Chairs: Mark Nottingham Ian Cooper WREC Working Group.
E-commerce Architecture Ayşe Başar Bener. Client Server Architecture E-commerce is based on client/ server architecture –Client processes requesting service.
International Planetary Data Alliance Registry Project Update September 16, 2011.
Sabri Kızanlık Ural Emekçi
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
Mobility And IP Addressing
The Internet and HTTP and DNS Examples
Presentation transcript:

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited: The MITRE Corporation TAXII: An Overview | 1 || 1 |

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited: What is TAXII?  Trusted Automated eXchange of Indicator Information  Defines a set of services and message exchanges for exchanging cyber threat information –led by DHS –managed by MITRE  TAXII is NOT –A specific sharing initiative  but sharing initiatives can use it –A specific tool  but tools can use it to share information –Mandate particular trust agreements or sharing  instead, use it to share what you want with the parties you choose | 2 || 2 |

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited: Why was TAXII Created?  DHS identified an operational need for sharing –Existing standards did not solve the problem  DHS wanted the solution to be open –Solution can improve national cyber security, which is part of the DHS mission  DHS funded MITRE to facilitate a community-based solution –TAXII developed with feedback from a broad array of potential users –Ensures that TAXII addresses real challenges in real environments | 3 || 3 |

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  Facilitate rather than re-architect existing sharing arrangements  Do not force inclusion of undesired capabilities  Sharing communities each have their own character – a one- size-fits-all approach will be more disruptive than beneficial –Do not impose a single sharing model architecture | 4 || 4 | Design Philosophy

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  Minimal requirements imposed on data consumers –Does not require data consumers to field internet services or establish a particular security capability  Minimal data management requirements on data producers –Does not require use of particular data management technologies or constrain how producers manage access to their data  Flexible sharing model support –Does not force a particular sharing model on users  Appropriately secure communication –Supports multiple security mechanisms without forcing adoption of unnecessary measures  Push and Pull content dissemination –Users can exchange data using either or both models  Flexible protocol and message bindings –Does not require a particular network protocol or message format | 5 || 5 | TAXII Requirements

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  Most sharing models are variants of these three basic models –TAXII services can support participation in any of these models or multiple models simultaneously | 6 || 6 | Flexible Sharing Models Source Subscriber Peer E Peer D Peer C Peer B Peer A Hub Spoke (Consumer only) Spoke (Consumer & Producer) Spoke (Producer only) Spoke (Consumer & Producer)

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  TAXII defines four core services –Discovery – A way to learn what services an entity supports and how to interact with them –Feed Management – A way to learn about and request subscriptions to data feeds –Inbox – A way to receive pushed content (push messaging) –Poll – A way to request content (pull messaging)  Each service is optional – implement only the ones you wish  Services can be combined in different ways for different sharing models | 7 || 7 | TAXII Services

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited: Hub & Spoke Example © 2013 The MITRE Corporation. All rights reserved. For internal MITRE use Discovery Poll Inbox Feed Manage. Hub Spoke 1 Spoke 2 Spoke 3 Spoke 4 Get connection info Subscribe to data feeds Client Push new data to the hub Pull recent data from the hub Push recent data to a spoke

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  TAXII does not require a specific protocol or message format –TAXII 1.0 defines how to express messages in XML –TAXII 1.0 defines how to transport messages over HTTP –TAXII does not require these and allows future and custom formats and protocols  “Binding” specifications –Map the core TAXII Services Specification to an expression using a particular network protocol or message format  Gives organizations with strict network/format requirements ability to still use TAXII –When using differing bindings, direct interoperation is not possible –Indirect interoperation is possible because all bindings can be mapped to the same core message model  Gateways can provide automated translation between bindings | 9 || 9 | Message and Protocol Bindings

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  TAXII Overview –Defines the primary concepts of TAXII  Services Specification –Defines TAXII Services, as well as the information conveyed by TAXII Messages and TAXII Message Exchanges.  Message Binding Specification –Defines normative requirements for representing TAXII Messages in a particular format (e.g., XML).  Protocol Binding Specification –Defines normative requirements for transporting TAXII Messages over some network protocol (e.g., HTTP).  Content Binding Reference –Lists Content Binding IDs for use within TAXII. | 10 | TAXII Specifications and Documentation

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited: | 11 | Normative TAXII Specifications TAXII Services Specification  Defines TAXII Services  Defines TAXII Message Types  Defines TAXII Message Exchanges TAXII Protocol Binding Specifications  Define requirements for network transport of TAXII Messages TAXII Message Binding Specifications  Define TAXII Message format bindings

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  TAXII Website –Contains official releases and other info –  Sign up for the TAXII Discussion and Announcement mailing lists –  Open issues can be discussed on GitHub –  TAXII-related software can be found on GitHub –  Related sites – | 12 | For more information

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited: | 13 |

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  Hosted by data producers  Receives queries about offered TAXII data feeds –Provides feed names and descriptions –How TAXII data feed content can be accessed (“pull” or indicate delivery protocols) –Any other information about a TAXII data feed (e.g., membership requirements, payment requirements, etc.)  Receives requests to manage TAXII data feed subscriptions –Subscribe, unsubscribe, pause delivery, resume delivery, modify subscription, status query –TAXII does not specify the process for deciding whether to allow the requested action to occur nor how the action manifests  Note this just deals with arranging subscriptions, not actual data dissemination | 14 | TAXII Feed Management Service

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  TAXII does not dictate how data producers store or organize their data… …but TAXII requires some common handle for communication  TAXII Data Feed – a producer-dictated organization of their data –A given data record might exist in one or more TAXII data feeds –Producers decide what data feeds represent. Examples:  Topic – e.g., a feed for spear-phishing, a feed for botnets, etc.  Subject – e.g., a feed for each identified STIX campaign  Access – e.g., a feed for gold-level subscribers, a feed for silver-level, etc.  Or producer might just have one feed with everything in it  In TAXII, all solicited data distribution (push or pull) occurs relative to a TAXII Data Feed | 15 | TAXII Data Feeds

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  Inbox Service –Hosted by consumers to receive pushed content –Basically a listener for incoming content  Poll Service –Hosted by data producers –Consumers request updates relative to a TAXII data feed –To support this, TAXII requires all records within a TAXII data feed to be assigned a timestamp  Data producers can decided the meaning, if any, of the timestamp  Poll requests indicate a range of timestamps to collect  Poll responses identify returned range – recipient can track to avoid re- requesting content  Discovery Service –Identify services and how to contact them | 16 | TAXII Inbox, Poll, and Discovery Services

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited: | 17 | Source/Subscriber Walkthrough

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  One possible way to use TAXII to implement Source/Subscriber –Others may make different choices  Assume an existing sharing arrangement –A vendor (the source) publishes threat alerts as information becomes known –Customers (subscribers) can pay to receive these daily updates  Multiple levels of access depending on contract costs –Currently, customers log into the vendor web site to view updates | 18 | Background

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  Vendor organizes data records into TAXII Data Feeds –Decides on “contract level” for feeds  Many records will be present in all feeds, but some fields may be stripped before dissemination –Access to a feed contingent upon the purchasing of a contract  Vendor labels all data within each TAXII Data Feed with a timestamp –Decides to use the time of posting as that timestamp  More than one data record may have the same timestamp – not a problem  A single record could have the same timestamp in all data feeds – not a requirement | 19 | Step 1: Source Organizes its Data

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  Decides to implement a Feed Management Service –Feed Information Requests  Lists available feeds  Explain what information is provided via each feed (i.e., contract levels)  Reference to site where one can purchase necessary contracts –Feed Management Requests  Forward management requests to back-end for comparison to purchased contracts  Decides to implement a Poll Service –Give customers the option to pull content from a feed  Decides to interface with Customers’ Inbox Services –Support pushing content to customer Inbox Services  Decides NOT to implement a Discovery Service –Vendor decides to continue publishing this information using HTML | 20 | Step 2a: Source Implements TAXII Services MUST do at least one

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  May implement an Inbox Service –If customer wishes have updates pushed, must implement Inbox –Inbox listens to appropriate port for connections  In TAXII 1.0, this would be a (truncated) HTTP server –May avoid implementing if all content to be pulled via Poll Service  Subscribers may interface with the Vendor’s TAXII Poll Service for pull messaging  For this design, subscribers must interface with the Vendor’s TAXII Feed Management Service | 21 | Step 2b: Subscriber Implements TAXII Service

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  Customer contacts vendor Feed Management Service to get list of feeds  Customer purchases a contract via Vendor web site –Also establishes authentication credentials  Customer contacts vendor Feed Management Service to establish subscription –Request verified before acceptance | 22 | Step 3: Establish Sharing Relationships Customer Vendor TAXII Feed Management Service

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  Content pushed to Customer’s Inbox Service  Customer pulls from Vendor’s Poll Service –Request verified before being fulfilled | 23 | Step 4: Share Customer Vendor Poll Service Customer Inbox Service Vendor

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited: | 24 | Hub and Spoke Walkthrough

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  One possible way to use TAXII to implement Hub and Spoke –Others may make different choices  Assume an existing sharing arrangement –Community exists with a pre-existing intra-group sharing agreement –Currently all threat alerts sent via to the group mailing list  Automatically re-distributed to all group members | 25 | Background

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  Decide to implement a Inbox Service –Used to receive all input from spokes (Hub does not poll)  Decide to interface with Spokes’ TAXII Inbox Services for message delivery –Support pushing of alerts to spokes  Decide to implement a Poll Service –Support spokes pulling current and/or archived alerts –Decide on only one TAXII data feed for all information –Decide timestamps = the time the alert arrives in Hub’s Inbox  Decide NOT to implement a Discovery Service –Members informed of the Hub’s services via other means  Decide NOT to implement a Feed Management Service –Spokes automatically enrolled when they join the sharing group | 26 | Step 1a: Hub Implements TAXII Services

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  Spokes that produce data interface with the Hub’s TAXII Inbox Service  May implement an Inbox Service –If spoke wants pushed info, must implement Inbox –May avoid implementing if all content to be pulled via Poll Service  Some spokes may interface with the Hub’s TAXII Poll Service –May avoid this use if all content to be pushed to the spoke’s Inbox Service | 27 | Step 1b: Spokes Implement TAXII Services

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited:  Spoke X pushes new alert to Hub’s Inbox Service  Hub re-sends alert to all spokes that requested push notification  Hub archives alert so spokes can poll for the alert at a later time | 28 | Step 2: Share Hub X X

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.