STIX Patterning is perhaps the most innovative addition to STIX 2.0, yet it is poorly understood. STIX Patterning is the language in which IOCs are conveyed in STIX 2.0 Indicators. But STIX Patterning targets much more than IOCs.

From the beginning, when STIX Patterning was just an inkling in the minds of a few techies working in the CTI TC, the ultimate vision was to create an open interchange format for analytics, such as SIEM correlation rules. The presenters approached the challenge with strong backgrounds in SIEM technology, but from different angles: Jason eats and breathes QRadar whereas Trey groks Splunk. They share a common vision for how giving information-sharing communities the ability to share analytics at a level beyond mere IOCs will be a powerful catalyst for improving the security posture of organizations large and small. While there is still work needed to fully realize this vision, the foundations laid in STIX 2.0 will hopefully enable a future where searches, rules, and analytics are not locked into a single evaluating platform.

In this talk Jason and Trey will give an overview of STIX Patterning as currently defined in STIX 2.0. Audience members will receive a quick-reference card as a handout. Jason and Trey will show how to define network indicators (à la Snort) and host-based indicators (à la YARA), then progress to demonstrate how to define more sophisticated indicators correlating potentially malicious behavior across both network sensors and endpoints.

They will show where the language is ultimately heading as powerful new capabilities are added in forthcoming STIX releases, including a sneak peek into the work being done to enable an even more ambitious goal - the sharing of advanced analytics across organizations and platforms.

The audience takeaways will be two-fold:

1) a better understanding of the power of STIX Patterning, and

2) a vision for why they should be demanding adoption by their tool vendors.