On the death of Soltra Edge
So it happened. FS-ISAC and DTCC’s STIX-based baby died.
Soltra edge, a flashy front-end to a TAXII server, was the first commercial threat sharing platform to use STIX as the primary method of storing Threat Intelligence data – I’ve made my opinions of STIX known before, and I doubt that opinion will change with whatever rises to fill the void left behind by soltra.
The main question that’s being asked is “what now?”. Where do we go now with the potentially promising STIX standard and all the data that’s stored in Soltra systems across the globe?
I believe the answer is to diversify our sharing platforms. It’s all well and good having a STIX-based solution, or a flavour-of-the-day solution, but if the product you use suddenly becomes defunct, you’re left without solid ground.
That is why I’ve been working on a way to migrate directly from STIX based solutions to MISP. I believe the best way to ensure that the valuable threat intelligence we have gathered as an industry remains in use is to use as keep as many forms of it as possible. As the old 3-2-1 rule goes, 3 backups, 2 different formats, and 1 off-site.
I foresee MISP and whatever replaces soltra (my bet is on EclecticIQ) needing to work together to ensure data integrity, this also allows any intelligence consumers to happily use the data without having to worry whether they’re using some obscure STIX-based platform, or whatever happens to be the most popular format at the time.
I’ve made a start on this grand plan, but I alone won’t be able to connect the world of threat sharing, no matter how I try. I suppose this is my call to arms, for connectors, adaptors and whatever it takes to ensure the death of a platform will never again cause an issue, no matter how ubiquitous the system was.
RIP in Pips, Soltra Edge.
Hopefully I never have to use it again ;)