STIX and TAXII: a key tool for accelerating security automation

What are the use cases of STIX and TAXII? Among the most often cited is the sharing of information between different solutions such as firewalls, proxies, secure SMTP relays, intrusion detection solutions, sandboxes, etc. The information shared can be, for example, an IP address, a malicious URL, or an infected file, which you want to block at all stages of the company’s protection chain to protect yourself from a threat or its propagation. 

For example, let’s imagine that the sandbox of your secure mail relay detects malware hidden in a harmless file. If the relay supports STIX and TAXII, you will configure it so that the hash of the file is transmitted or retrieved by other security devices (proxies, firewalls, probes, etc.) likely to encounter this same file. Knowing that the file has been identified as malicious by a trusted source, the other devices in the chain will also consider it as malicious and proactively block it without having to analyze it.  

Another use case is the detection of a malicious URL. Again, spreading the URL throughout the security chain will save time and provide completeness to other devices in threat analysis. This information sharing will ensure that a threat detected at one point in the security chain will be detected throughout your security ecosystem. And that’s if all elements implement STIX and TAXII.   

Of course, it is often possible to manually distribute this information throughout a security chain. But STIX and TAXII present exciting opportunities in the automation of security ecosystems and offer time and efficiency savings to share information about cyber threats. Both protocols promote a globalized approach to Threat Intelligence.

To date, there are already many products using the STIX and TAXII standards. Here is an indicative list. This list is not exhaustive; you may use compatible products without knowing it. However, check carefully the version of STIX that is supported by your tools. Indeed, many solutions available on the market only offer compatibility with version 1 (1.0 and 1.1) and not yet with version 2, which has been validated in 2017 and version 2.1 approved in January 2020. The same is true for some information sources such as this one, even if some threats reports can be found in the 2.1 version. 

As a result, this discontinuity between the two versions is, for me, what slows down the adoption of STIX & TAXII today. Indeed, beyond the fact that the concept is still not well known by companies, we need to ensure the entire security architecture’s compatibility to benefit from sharing compromise indicators fully. If we add to this the fact that the creation of these indicators is still very manual, today, the use of STIX & TAXII is still a matter for specialists.

The use of products that fully support these protocols is still minimal, and the programming of compromise indicators is still very manual. In recent months, many vendors have been adding them to their development roadmaps and promoting them, leading customers to take an interest in them.  

We can therefore hope that more and more new versions of security products will implement these standards during the coming year and that the examples of use will gradually spread within the security departments of companies or their service providers. More than ever, STIX & TAXII are to be watched closely!

An analysis by Philippe Macia, Customer Service Director at Orange Business Services.
Analysis carried out thanks to the collaboration and expertise of Vincent Hinderer, Project Manager at Orange Cyberdefense.