Forum Discussion

Marvin's avatar
Icon for Cirrocumulus rankCirrocumulus
Mar 27, 2023

STIX/TAXII security intelligence sharing

Companies normally use a variety of security products in their infrastructure wether on premise or in the cloud. Now I see a lot of security companies performing integration with STIX/TAXII using API to share their intelligence feeds (with active subscriptions). I cannot find anyhing other then the following discussion with TAG Cyber.

Personally I strongly believe this is the way to move forward to have multiple security intel sources and share these with different products leading to a alligned security posture.

Is there any update on this development?

3 Replies

  • Hi Marvin, that isn't the usual type of question we get here, but it might kick off an interesting discussion. I'm in the process of trying to find you an answer. Not sure if AaronJB might have a response, maybe?

    • AaronJB's avatar
      Icon for SIRT rankSIRT

      I'm afraid not - I'm not aware of any active development toward either consuming or publishing third party feeds - it's possible that there might be BIG-IP NEXT work going on in that regard that I'm not aware of, but certainly not anything I can find in Classic BIG-IP.

      NEXT PM is probably the group to reach out to, if you have any contacts there.


      • Marvin's avatar
        Icon for Cirrocumulus rankCirrocumulus

        Ok, but I see other major leading security vendors (not mentioning names here) already doing this where you can use TAXII server feeds to "import" this shared intelligence and enforce it on your product. I also found vulnerability scanners supporting STIX format as well.

        I think F5 development should also focus on this and see how to embed this feature, for example with F5 AFM / IP intelligence to support the STIX format and read intel. AFM IP intelligence already supports external feeds but not STIX format I believe. It would also be interesting to do the same for ASM file uploads feature to detect malicious malware hash (information which is publicly available). For SWG / SSL Orchestrator URL filtering to detect malicious IP/domains, just to name a few.

        Interesting project that integrates with third party.

        I see this as a very strong standard which allows end users to combine several intelligence feeds/sources and have a similar security posture regardless of the security technology used. 

        This is indeed not an easy question but perhaps something for the F5 security architect to investigate, which I would find interesting in that position (perhaps Heath Parrot could have a look or someone from his team).

        Oppertunities come with great ideas 🙂 NEXT PM not sure what that means but will inform my local F5 contacts about this.