# OCA new project application
## Base Information
### Project Name
OXA - Open XDR architecture
### Project Use Case
OXA is a project that aims to define all of the interactions between security products, using open standards and APIs, in order to enable a composable security architecture.
### Project Description
XDR is a direction the security industry has been given, but without standardized guidelines.
X stands for eXtended: data interpretation and the ability to share data should be possible at industry level, not within a single product only.
D stands for Detection. Detection is mostly applied in central areas or in specific components, using a licence-based threat-intelligence repository. Sharing threat intelligence efficiently between components could be a game changer in accelerating the response stage.
R stands for Response. Today it is not possible to issue orders to multiple security components without translating the actions into each one's proprietary language. An open "dictionary" mapping generic actions to proprietary ones would make Response possible at scale, everywhere.
Combining these topics into an architecture in which they all work together (in the spirit of IACD, Integrated Adaptive Cyber Defense) would define a milestone that everyone could implement to reach the XDR direction.
Placing the deliverables of this project in open source repositories would accelerate market adoption and industry implementation.
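To make the "open dictionary" idea concrete, here is an added example (not code from the OXA project or from SEKOIA) of what a generic-to-proprietary action dictionary and its translation step could look like. The action and target names (`deny`, `contain`, `ipv4_net`, `device`) are real OpenC2 vocabulary; the products (`acme_fw`, `zeta_edr`), their endpoints and their parameter names are hypothetical and invented for illustration only.

```python
"""Generic-to-proprietary action dictionary, in the spirit of the OXA "in/out
dictionaries" described above.

Added example, not code from the OXA project. The OpenC2 action and target
names (deny, contain, ipv4_net, device) are real OpenC2 vocabulary; the
products ("acme_fw", "zeta_edr"), their endpoints and their parameter names
are hypothetical, invented for illustration only.
"""
import json
import re
from typing import Any

# Constructed dictionary content, in the shape a JSON file in such a repository
# could take. Key: "<openc2 action>/<openc2 target type>"; value: one translation
# rule per product. "$target.x" / "$args.x" placeholders are filled from the command.
ACTION_DICTIONARY: dict[str, dict[str, dict[str, Any]]] = json.loads("""
{
  "deny/ipv4_net": {
    "acme_fw":  {"method": "POST", "endpoint": "/api/v1/blocklist",
                 "params": {"cidr": "$target.ipv4_net", "reason": "$args.comment"}},
    "zeta_edr": {"method": "PUT",  "endpoint": "/hosts/block_ip",
                 "params": {"ip": "$target.ipv4_net"}}
  },
  "contain/device": {
    "zeta_edr": {"method": "POST", "endpoint": "/hosts/$target.device.hostname/isolate",
                 "params": {}}
  }
}
""")

_PLACEHOLDER = re.compile(r"\$([A-Za-z_][\w.]*)")


def _lookup(path: str, command: dict[str, Any]) -> str:
    """Walk a dotted path such as "target.device.hostname" through the command.
    A missing field raises KeyError on purpose: a half-translated order must
    never be sent with an empty parameter."""
    node: Any = command
    for key in path.split("."):
        node = node[key]
    return str(node)


def _resolve(template: str, command: dict[str, Any]) -> str:
    """Substitute every $placeholder in a template string."""
    return _PLACEHOLDER.sub(lambda m: _lookup(m.group(1), command), template)


def dictionary_key(command: dict[str, Any]) -> str:
    """Derive the lookup key from an OpenC2 command (one action, one target)."""
    target = command["target"]
    if not isinstance(target, dict) or len(target) != 1:
        raise ValueError("an OpenC2 command carries exactly one target")
    (target_type,) = target
    return f"{command['action']}/{target_type}"


def translate(command: dict[str, Any], product: str) -> dict[str, Any]:
    """Map a generic command onto the proprietary call of one product."""
    key = dictionary_key(command)
    rules = ACTION_DICTIONARY.get(key)
    if rules is None:
        raise LookupError(f"no dictionary entry for {key}")
    rule = rules.get(product)
    if rule is None:
        raise LookupError(f"{product} does not implement {key}")
    return {
        "product": product,
        "method": rule["method"],
        "endpoint": _resolve(rule["endpoint"], command),
        "params": {name: _resolve(value, command) for name, value in rule["params"].items()},
    }


def fan_out(command: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Translate one generic order for every product that implements it:
    the "Response at scale" step, with no product-specific code in the caller."""
    key = dictionary_key(command)
    return {product: translate(command, product) for product in ACTION_DICTIONARY.get(key, {})}


if __name__ == "__main__":
    # Constructed OpenC2-style command: block a network range on every capable product.
    order = {"action": "deny", "target": {"ipv4_net": "203.0.113.0/24"},
             "args": {"comment": "C2 range from shared threat intel"}}
    print(json.dumps(fan_out(order), indent=2))
```

The translation fails closed: a command with no dictionary entry, a product that does not implement the action, or a placeholder whose value is absent from the command all raise instead of producing a partial order. Extending coverage to a new product then means contributing one more entry under the relevant key, which is the kind of contribution a WG member could make for their own perimeter.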
### Project contribution to OCA goals and [mission](https://opencybersecurityalliance.org/about/)
_See also: [OCA Charter](https://github.com/opencybersecurityalliance/oasis-open-project/blob/main/CHARTER.md)_
OXA aims to provide a set of open repositories filled with dictionaries and OpenAPI specifications. These resources are meant to accelerate communication between security components for specific XDR use cases, and will leverage both existing OASIS standards such as STIX, TAXII, CACAO and OpenC2, and open source contributions.
### Why, in your opinion, is the OCA the most appropriate host for this project?
Because most of the security principles involved have been created at OASIS, and OCA would be the perfect place to turn them into open source code that the community could use.
### What support are you looking for from OCA members and the OCA community?
Architecture collaboration should be a deliverable of the working group. Likewise, we expect the OCA community to contribute, within their own perimeter/product, to extend the mappings in the in/out dictionaries.
### Is this an existing project? If so, link to web page / repo
None that we know of.
The closest initiative could be OCSF (launched at Black Hat USA this year, https://schema.ocsf.io/).
### Does this project integrate with any existing OCA or OASIS projects or deliverables?
Yes: STIX/TAXII, OpenC2, CACAO and possibly STIX-shifter.
## Project Implementation Details
### Existing / Proposed Open Source License
_Please see [list of applicable licenses](https://www.oasis-open.org/policies-guidelines/open-projects-process/#repository-specification-licenses)_
Not known yet
### Implementation Language(s)
_Python, Go, Rust, JSON, YAML...._
Most of the repository content would be JSON files.
Some files could be written in Python.
### Dependency Technologies
None, or possibly the OCSF/ECS formats.
## Project Management & Governance
### Primary Project Sponsor(s)
SEKOIA
IBM Security will also participate and support this work.
### How will this project be resourced on an ongoing basis?
> Can this be updated? [name=Jason Keirstead]
SEKOIA should have a commitment plan in early 2023 to invest time in this project; 100% of that time will go into contributions to this OCA WG.
### List the current project maintainers, and their Github user IDs
Not known yet; some SEKOIA contributors could be the maintainers.
## Optional Supporting Documentation
### Screenshots
Not applicable
### Demonstration videos
Not applicable
### Architectural diagrams
Should be produced in the early stages of the WG.
### Whitepapers
Could be a WG deliverable in later work.