STIX (Structured Threat Information eXpression™) and TAXII (Trusted Automated Exchange of Intelligence Information™) have become the de facto standards for the exchange of Cyber Threat Intelligence between Threat Intelligence Platforms. Developed since 2015 under the sponsorship of the US Department of Homeland Security, STIX and TAXII have become so influential due to their extensibility and the user base’s ability to modify code to suit their needs.
If you are new to STIX and TAXII then think of them as two sides of the same coin: STIX is the protocol that allows the creation of the funky nodal graphs like the one shown below, and TAXII is the protocol that facilitates the transfer of such information between different systems and parties.
As Anomali elegantly states, "STIX states the 'what' of threat intelligence, while TAXII defines [the] 'how'." STIX is often the poster boy for the STIX/TAXII pair, as its output is the most visible. However, the TAXII protocol is the bedrock on which STIX struts its stuff.
Why has Elemendar implemented a TAXII server?
Within our latest product roll out we have implemented a custom TAXII interface that is embedded directly inside the READ. platform.
This differs from the standard approach, which typically locates the TAXII server remote from the STIX instance. A remote TAXII server architecture brings a number of significant limitations in both the usability and the security of a system. These include having to duplicate data across both your TAXII server and your Threat Intelligence Platform, and the administrative and security challenges of managing yet another server.
Given that some of our core customers manage extremely sensitive data sets as well as complex technical infrastructure, a simplified TAXII configuration is an obvious addition to the Elemendar offering.
Benefits of an embedded TAXII server within the READ. platform
The most immediate benefit to the READ. user of an integrated TAXII server is that it allows our customers to create their own custom document collections within READ. Rising above the technical details, what this practically allows is for a single annotated document to be part of many document collections.
This is an important feature as it allows documents to be segregated according to factors such as security classification, for example the Traffic Light Protocol scheme already implemented within the READ. platform. Additionally, segregation could be based on users, or on factors such as defined Intelligence Requirements. The case study below outlines this concept:
In the example above, User A has access to all 3 documents in Collection A and is able to retrieve every one of them, including the one that corresponds to their intelligence requirements, Doc1: "Russian APT". In contrast, User B, although having nearly the same Intelligence Requirements as User A, is only able to retrieve Doc2: "Insider Threat" from Collection A, due to User B's security clearance level and the protective markings that have been applied to the documents.
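The case study above, worked through as an added example (this is illustrative code written for this article, not the READ. platform's implementation). It models a TAXII-style "get objects" request over a collection whose STIX objects carry TLP marking-definition references, and filters them against each user's clearance; the document ids, names, collections and user clearances are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Set

# TLP marking-definition ids fixed by the STIX 2.1 specification, ranked from
# least to most restrictive.
TLP_RANK = {
    "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9": 0,  # TLP:WHITE
    "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da": 1,  # TLP:GREEN
    "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82": 2,  # TLP:AMBER
    "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed": 3,  # TLP:RED
}
TLP_WHITE, TLP_GREEN, TLP_AMBER, TLP_RED = TLP_RANK  # keys in insertion order

@dataclass
class User:
    name: str
    clearance: int      # highest TLP rank this user is cleared to read
    can_read: Set[str]  # TAXII collection ids the user may read

# Constructed sample data (placeholder ids): three STIX report objects, one of
# which is a member of two collections, as the article describes.
DOCS = {
    "report--doc1": {"id": "report--doc1", "name": "Russian APT",
                     "object_marking_refs": [TLP_RED]},
    "report--doc2": {"id": "report--doc2", "name": "Insider Threat",
                     "object_marking_refs": [TLP_GREEN]},
    "report--doc3": {"id": "report--doc3", "name": "Phishing Campaign",
                     "object_marking_refs": [TLP_AMBER, TLP_GREEN]},
}
COLLECTIONS = {"collection-a": ["report--doc1", "report--doc2", "report--doc3"],
               "collection-b": ["report--doc2"]}

def object_rank(obj: dict) -> int:
    """The most restrictive TLP marking on an object wins. An object with no
    recognised marking is treated as TLP:RED (fail closed), not as public."""
    ranks = [TLP_RANK[m] for m in obj.get("object_marking_refs", []) if m in TLP_RANK]
    return max(ranks) if ranks else TLP_RANK[TLP_RED]

def get_objects(collection_id: str, user: User) -> List[dict]:
    """Serve a TAXII-style objects request: reject unknown or unauthorised
    collections first, then return only objects at or below the user's clearance."""
    if collection_id not in COLLECTIONS:
        raise KeyError(f"unknown collection {collection_id}")
    if collection_id not in user.can_read:
        raise PermissionError(f"{user.name} may not read {collection_id}")
    return [DOCS[i] for i in COLLECTIONS[collection_id]
            if object_rank(DOCS[i]) <= user.clearance]

def visible_names(collection_id: str, user: User) -> List[str]:
    """Convenience view of what a given user would actually retrieve."""
    return [o["name"] for o in get_objects(collection_id, user)]
```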
Security is not the only benefit that the integrated TAXII server brings: our approach is fully compatible with the standard approach, making it easy for users to query document collections using the standard TAXII interface or off-the-shelf TAXII client libraries. All these features combine to make it easier than ever to get high quality STIX into your downstream tools and TIPs using the READ. solution.