STIX and TAXII, standards on security information exchange

Security is becoming increasingly important. Cybercrime is sophisticated, and countering it takes more money and resources and, most importantly, a joint effort of our security solutions. Customers, vendors, and commercial and non-commercial organisations should work together to defeat threats or to minimise their impact. In light of this, two major developments in the area of standardisation have taken place: the development of STIX and TAXII. These standards are the basis for exchanging security information.

Security threats and attacks come from any direction and target anything, anywhere, that is vulnerable. As a countermeasure we implement many security solutions that enable customers to detect threats and respond accordingly. But these solutions are too isolated. Bringing all the solutions together by using standards is a big step forward in threat intelligence.

Threat intelligence is all about centralising security information: retrieving the stored security events and information from any source and exchanging it with dashboards, either for immediate action or for further analysis, so that patterns and incidents can be discovered automatically.

Coming back to STIX and TAXII: these standards describe how security information should be exchanged and are the basis, the pillars, of threat intelligence.

STIX: Structured Threat Information Expression (STIX™) is a structured language for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner.

TAXII: Trusted Advance eXchange of Indicators Information defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII defines services, protocols and messages to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats.
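
As an added example (not code from the original post), the Python below builds a minimal STIX Indicator, checks the properties a receiving party would reject it without, and wraps it in the envelope TAXII uses to carry objects to a collection. It assumes the STIX 2.1 and TAXII 2.1 versions of the standards, which the post does not name, uses only the standard library, and the indicator content is constructed sample data.

```python
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifiers are "<object-type>--<UUID>"; timestamps are RFC 3339 in UTC ending in "Z".
STIX_ID_RE = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
STIX_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
# Properties the STIX 2.1 specification requires on every Indicator object.
REQUIRED_INDICATOR_PROPS = ("type", "spec_version", "id", "created", "modified", "pattern", "pattern_type", "valid_from")

def stix_timestamp(when):
    """Format a datetime as a STIX timestamp with millisecond precision."""
    utc = when.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S") + f".{utc.microsecond // 1000:03d}Z"

def make_indicator(pattern, name, when=None):
    """Create an Indicator whose STIX pattern tells a receiving sensor what to match on."""
    ts = stix_timestamp(when or datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }

def validate_indicator(obj):
    """Return the problems a receiving party would reject the object for (empty list = OK)."""
    problems = [f"missing required property: {p}" for p in REQUIRED_INDICATOR_PROPS if p not in obj]
    if (obj.get("type"), obj.get("spec_version")) != ("indicator", "2.1"):
        problems.append("type must be 'indicator' and spec_version must be '2.1'")
    if "id" in obj and not (STIX_ID_RE.match(obj["id"]) and obj["id"].startswith("indicator--")):
        problems.append("id must be 'indicator--<UUID>'")
    for prop in ("created", "modified", "valid_from"):
        if prop in obj and not STIX_TS_RE.match(str(obj[prop])):
            problems.append(f"{prop} is not an RFC 3339 UTC timestamp")
    if obj.get("pattern_type") == "stix" and not re.fullmatch(r"\[.*\]", str(obj.get("pattern", "")), re.S):
        problems.append("a STIX pattern is an observation expression enclosed in square brackets")
    return problems

def taxii_envelope(objects):
    """Wrap STIX objects in the TAXII 2.1 envelope used to add objects to a collection."""
    return {"objects": list(objects)}
```

A producer would call `make_indicator("[ipv4-addr:value = '203.0.113.5']", "Constructed sample C2 address")` (a documentation-range address, constructed for illustration), run `validate_indicator` on the result, and POST `taxii_envelope([...])` as JSON to a TAXII collection; a consumer runs the same validation on what it receives before acting on it.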

The benefits of standardisation are:

  • Speed. Cyber threat information sharing is faster. Defined services and message exchanges enable automation.
  • Security and Privacy. It defines standard mechanisms for protecting the confidentiality, integrity, accurate delivery, and attribution of cyber threat information.
  • More Participation. It reduces the technical hurdles to participating in threat sharing communities.
  • Enhanced Analysis. Standardization and automation permit organizations to redirect analyst time and focus on threat data analysis.
  • Product Interoperability. Vendor products and services can use TAXII instead of proprietary exchange mechanisms and achieve seamless exchange and interoperability with other TAXII-enabled software.

More reading about these important standards:


Herman Rensink

Data center Architect / CISSP