STIX Shifter - March 2024
OCA Community Connect
Roseann Guttierrez | https://opencybersecurityalliance.org/ | Launched: Mar 21, 2024 | Season 2, Episode 10
In this episode of OCA Community Connect, we speak with Md Saroer-E Azam, a software developer at IBM and a key maintainer and contributor to STIX Shifter. The focus of today's discussion is the STIX Shifter project, an open-source Python library designed to facilitate connecting to and querying diverse data sources no matter where they reside. It does this by accepting searches written as STIX patterns and returning the results as STIX cyber observable objects.
Azam sheds light on the intricacies and challenges of developing and maintaining an open-source project while working for a commercial company. His insights offer valuable perspectives on the critical aspects of community engagement, documentation, code quality, compatibility, and security, which are crucial elements in ensuring the sustainability and growth of an open-source project.
The episode delves into the potential directions for STIX Shifter's future, including expanding data source support and the need for greater volunteer contributions to drive its evolution. Join us as we explore the driving forces behind STIX Shifter and its potential for enhancing the cybersecurity ecosystem.
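As an added illustration that is not part of the episode or of the STIX Shifter code base, the sketch below shows the two translation steps the description refers to: a STIX pattern rewritten into a hypothetical data source's native (SQL-like) filter, and native result rows wrapped back into STIX observed-data objects. The field mapping, the data source, its query dialect and the sample rows are all constructed for the example; a real connector would need a fuller pattern grammar and per-source escaping rules.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed mapping for a hypothetical data source: STIX object path -> native field.
FIELD_MAP = {
    "ipv4-addr:value": "src_ip",
    "network-traffic:dst_port": "dst_port",
    "url:value": "url",
}
REVERSE_MAP = {v: k for k, v in FIELD_MAP.items()}

# One comparison: <object>:<property> <operator> <'string' | integer>; STIX escapes ' as \'
COMPARISON = re.compile(
    r"(?P<path>[a-z0-9-]+:[a-z0-9_.]+)\s*(?P<op>>=|<=|!=|=|>|<|LIKE)\s*"
    r"(?:'(?P<str>(?:\\'|[^'])*)'|(?P<num>\d+))"
)


def stix_to_native(pattern):
    """Translate a single-observation STIX pattern into a SQL-like WHERE clause."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a bracketed STIX observation expression")
    body = body[1:-1]

    def repl(m):
        path = m.group("path")
        if path not in FIELD_MAP:
            raise ValueError(f"unsupported STIX property: {path}")
        # Re-quote strings for the target: STIX's \' becomes a doubled '' so the
        # literal cannot terminate the native string early.
        value = m.group("num") or "'" + m.group("str").replace("\\'", "''") + "'"
        return f"{FIELD_MAP[path]} {m.group('op')} {value}"

    native = COMPARISON.sub(repl, body)
    # Only comparisons, AND/OR and parentheses may remain; refuse anything else
    # rather than forwarding unparsed text to the data source.
    leftover = COMPARISON.sub("", body)
    if not re.fullmatch(r"(\s|\(|\)|AND|OR)*", leftover):
        raise ValueError(f"unparsed pattern fragment: {leftover.strip()!r}")
    return native


def native_to_stix(rows):
    """Wrap native result rows into simplified STIX observed-data objects."""
    observed = []
    for row in rows:
        objects = {}
        for field, value in row.items():
            if field not in REVERSE_MAP:
                continue  # unmapped native fields are dropped, as a real connector would
            obj_type, prop = REVERSE_MAP[field].split(":", 1)
            objects[str(len(objects))] = {"type": obj_type, prop: value}
        observed.append({"type": "observed-data", "id": f"observed-data--{uuid.uuid4()}",
                         "created": datetime.now(timezone.utc).isoformat(),
                         "number_observed": 1, "objects": objects})
    return observed
```

Calling `stix_to_native("[ipv4-addr:value = '198.51.100.7' AND network-traffic:dst_port = 443]")` yields `src_ip = '198.51.100.7' AND dst_port = 443`, and feeding a constructed row such as `{"src_ip": "198.51.100.7", "dst_port": 443, "bytes": 1200}` to `native_to_stix` produces one observed-data object holding an `ipv4-addr` and a `network-traffic` observable.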
Reference Links:
Open Cybersecurity Alliance (OCA) website:
https://opencybersecurityalliance.org/
Open Cybersecurity Alliance (OCA) GitHub
https://github.com/opencybersecurityalliance
Open Cybersecurity Alliance (OCA) YouTube
https://www.youtube.com/channel/UCjTpPl2oEGH_Ws251m827Cg
Share Your Ideas & Guest Suggestions!
Got a topic or an expert in mind for "OCA Community Connect"? We’re always on the lookout for fresh insights and voices in cybersecurity and open-source innovation.
How to Contribute:
- Topics: Tell us what you’re curious about in the cybersecurity world.
- Guests: Know someone who’d be a great interview? We’d love to hear about them.
Reach Out: Drop us an email or message us on social media. Your suggestions help shape our show, and we can’t wait to hear from you!
Roseann Guttierrez [00:00:00]:
Our guest today is Azam, and I say awesome Azam because I do think he's awesome. He's a really great guy. He's a software developer at IBM and is a maintainer contributor to STIX shifter, which is also our topic today. Azam, thank you so much for coming on with us. How are you doing today?
Md Saroer-E Azam [00:00:19]:
I'm good. Thank you so much, Roseann, for inviting me. It is my pleasure. Nice intro.
Roseann Guttierrez [00:00:25]:
Well, why don't you you give me a little intro on yourself? How'd you become a developer? How'd you become so awesome?
Md Saroer-E Azam [00:00:32]:
First of all, I usually go by Azam, my last name, so don't feel weird about it. I studied computer science in my bachelor's and also in my master's. So that's the background of my software development. So I started my career in Canada at IBM in 2015. So it's been 8 to 9 years now. So the first 3 years, I worked in IBM QRadar SIEM, which is the classic SIEM, we can say, just implementing different DSM protocols, sort of like integration of different log sources for IBM QRadar. Then I moved on to a new project 5, 6 years ago called IBM Cloud Pak for Security, which is now on the market as the IBM QRadar Suite platform, which is an integrated platform.
Md Saroer-E Azam [00:01:24]:
Kind of a similar sort of role, like, integrating different diverse data services and make sure important piece like federated search application works in the platform using, open source library called STIX shifter, which is the topic of our discussion today. As a maintainer, 5, 6 years, I've been the maintainer of this STIX shifter project.
Roseann Guttierrez [00:01:47]:
Time flies?
Md Saroer-E Azam [00:01:49]:
Yeah. Time flies. The project evolved quite a lot from the beginning to now. It was under an IBM project, then we open sourced it under OCA. And even before that, some parts of the base were inherited from an OCA STIX translation project that we took over and made into the STIX shifter project, where we have this library that enables people to run searches in diverse data services and get the results as STIX cyber observable objects. So that's the main goal of this library. So we have, like, more than 30 different modules. We call them connectors, which connect to different data services.
Md Saroer-E Azam [00:02:32]:
The user can send a STIX pattern query, in the patterning language, then it translates into the native data source query that the data source understands, then the data source sends back the results based on the search criteria. Then we translate those results into STIX cyber observable objects. Sort of uniforming the way that people see different observable data.
Roseann Guttierrez [00:02:58]:
As a maintainer, right, of the STIX Shifter project, what are some of the challenges that you have with developing an open source project but still working for a commercial company?
Md Saroer-E Azam [00:03:10]:
So first and foremost, the main challenge that every open source project maintainer faces is the community engagement, engaging the community constantly. So building and sustaining an engaged community, the project is, actually, because of constant effort, you have to engage constantly.
Roseann Guttierrez [00:03:33]:
For sure.
Md Saroer-E Azam [00:03:34]:
That involves responding to issues, reviewing the contributions, especially the pull requests, and conducting different discussions. Second, I would say the documentation, which is very important because the first thing people come to the project, they'll see there what you wrote about the project. Readmes, the documentation, needs to be up to date always. The project is evolving. The code base is evolving. We are constantly contributing, fixing bugs, adding features, adding connectors. So documentation needs to be up to date and also comprehensive for the contributor and for the user. We have 2 target audiences here, users and contributors.
Md Saroer-E Azam [00:04:16]:
Users have to know how to use the library easily or put it in their own project or product. And contributors need to understand how to contribute, how to develop a certain feature, connector, or module. So we created developer documentation. The next one I'd say is the quality of the code that the contributors make, even the maintainers. This is important for, it's very crucial, I would say, for the long term maintainability of the project. Contributors come and go, maintainers can come and go. But the project stays for a longer period of time. If anyone comes and wants to contribute, they need to have the ability to contribute to the project easily.
Md Saroer-E Azam [00:05:05]:
So that maintainability in terms of code quality, like, review. We have to review every contribution thoroughly. Sometimes every line of the code that any contributor contributes. We have to make sure tests are there. We have to make sure the coding standard is followed.
Roseann Guttierrez [00:05:23]:
That it's clear.
Md Saroer-E Azam [00:05:23]:
Yeah. You can stop me, Roseann, if I go too long. The last one, I'd say, is the compatibility. Making sure that the project, the library that we publish, is compatible with different platforms. For example, for Python, like, we have different versions of Python people have been using, Python 8, 9, 10, 11, 12. We support a wide variety of Python versions, especially the latest one, which people would be using always.
Roseann Guttierrez [00:05:52]:
So make sure it's, like, backwards compatible as well.
Md Saroer-E Azam [00:05:55]:
Backwards compatible, forward compatible. We need to keep up to date always. And the dependencies that library the project uses, that's that's another important piece because the other libraries that we use in our project, that also evolving. Like, they're also upgrading the version into security issues Right. To feature, fixes, bugs. So
Roseann Guttierrez [00:06:19]:
Yeah. And that could cause a problem. Right? Yeah. Because the dependency changes and you don't know, and then yeah.
Md Saroer-E Azam [00:06:25]:
That's that's always a concern for us, especially if any vulnerable library is used. Any good library can be vulnerable in the next release. So Right. We we had to quickly update the vulnerable library. We keep we have to keep track of the dependency. We have to keep track of the compatibility because the project is growing. Dependency could be growing as well. And lastly, I would say securities is kind of security is the main focus of this library.
Md Saroer-E Azam [00:06:55]:
Right? So
Roseann Guttierrez [00:06:56]:
Right.
Md Saroer-E Azam [00:06:19]:
We need to make sure we follow the secure coding practices when you contribute. If you're using any vulnerable libraries, dependencies, or in any malicious way, that's how we need to take care of that.
Roseann Guttierrez [00:07:10]:
Yeah. That makes sense.
Md Saroer-E Azam [00:07:09]:
I said these are the main challenges. These are not unique. Any, every open source project faces these kinds of challenges, but, I should say, I needed to mention that in terms of our project.
Roseann Guttierrez [00:07:24]:
No. That's good. That's a good that's a really good list.
Md Saroer-E Azam [00:07:27]:
Oh, so the first is, like, community engagement Okay. Then documentation updating documentation, maintaining the code quality, maintaining, compatibility or dependency, and the security of the of the of the codes or the project.
Roseann Guttierrez [00:07:23]:
Yeah. And I know that, you know, not just on maintaining the project, but you, obviously, you want people to use the project also. Right? Because you said that was kind of, like, your second set of users. And I know, from experience dealing with different people on this project that I know, for example, Trend Micro has incorporated STIX shifter into their Vision One product. Do you have any other kind of use cases or stories of people utilizing STIX shifter in their projects?
Md Saroer-E Azam [00:08:10]:
Sure. Like, I come from IBM. So IBM is the main user since the beginning, let's say. So they use STIX shifter connectors in their federated search application that gives the user/customer, say, a Unified Analyst Experience (UAX). They run search, federated search, on different applications across different diverse data services using the STIX shifter connectors and the libraries. So this is a very important use case for us, and it's in the market. Like, people have been using it.
Md Saroer-E Azam [00:08:43]:
Another another important use case I can I could highlight is the threat hunting project of OCA, Kestrel? They have been using it quite a lot, for their threat hunting purpose and different projects.
Roseann Guttierrez [00:08:59]:
So it's kind of the foundation of the Kestrel. Right? Because it runs on top of it.
Md Saroer-E Azam [00:08:57]:
They run yeah. The threat hunting is also about searching different criteria and different data sources. So they use STIX shifter for that purpose as well. So
Roseann Guttierrez [00:09:14]:
Makes sense.
Md Saroer-E Azam [00:09:14]:
These are the 3 real world cybersecurity product
Roseann Guttierrez [00:09:19]:
Use cases. Right?
Md Saroer-E Azam [00:09:20]:
Use cases.
Roseann Guttierrez [00:09:13]:
Well, product integrations. Because as a regular you know, just like an everyday user, I can also run it from the command line on my own, right, and connect to my own data sources and just run it myself without it actually being integrated. So that's another potential use case as well.
Md Saroer-E Azam [00:09:37]:
You don't need a platform or any fancy tools. You can just do it on your own from your own machine. You can run your own searches.
Roseann Guttierrez [00:09:48]:
Right. Where do you see the STIX shifter project going, like, in the next year? I know lots of changes have happened in this past year.
Md Saroer-E Azam [00:09:55]:
Yes. Yes. That's right. So kind of related to what challenges we have faced. So to overcome those challenges mainly. For example, more community engagement, like, we if we can get more contributors, volunteer contributors, sharing the discussion, maybe just give some ideas. Not contributors necessarily, not have to be someone who contribute the code ideas.
Roseann Guttierrez [00:10:22]:
Right. They don't have to be a programmer. Yeah. It could be about, like, strategic thoughts of maybe what should be added to the project or features or or something. Right?
Md Saroer-E Azam [00:10:33]:
Yeah. Yeah. Even some people if someone is very good at documentation, they can just take one piece of the documentation and improve it. This kind of contribution, it would be very sometimes because we have our day to day job in on top of this, maintaining this project for the community.
Roseann Guttierrez [00:10:53]:
Right.
Md Saroer-E Azam [00:10:54]:
Sometimes it's hard to balance all the time.
Roseann Guttierrez [00:10:57]:
Right, right.
Md Saroer-E Azam [00:10:57]:
So if you can get, volunteer contributors, that'll be very good for the improvement of the project.
Roseann Guttierrez [00:11:06]:
Makes sense. Yeah.
Md Saroer-E Azam [00:11:08]:
Yeah. And, also, there's like, we are continuously adding data sources, data source support. So the more data source support, the more comprehensive the library would be.
Roseann Guttierrez [00:11:18]:
Right. So, like, if if if there's a connector that they would like but they don't necessarily have, then trying to start building that type of a of a connector. Right? Yeah.
Md Saroer-E Azam [00:11:28]:
Developer, like I mentioned, like, anyone can build their own connector. We have, like, a blank template. There's a quick start guide. People just copy, and they probably have to just write a few lines of code. We have, like, a bunch of examples, different types of data sources we support, like, starting from AWS, Azure, Carbon Black, CrowdStrike, and different types of APIs we use, we connect to. Okay. Some are mature, some are very new, different query languages like SQL, KQL, some plain text query strings.
Md Saroer-E Azam [00:12:09]:
So there are a variety of examples people can get, those as an example, see those as an example, and, I mean, it's an open source project. They can just copy paste.
Roseann Guttierrez [00:12:21]:
For sure. So many different ways that they can contribute.
Md Saroer-E Azam [00:12:24]:
Right. Yeah. There's no just one certain way to do that.
Roseann Guttierrez [00:12:28]:
Is there anything else, that you want to add just in general about STIX shifter?
Md Saroer-E Azam [00:12:34]:
Yeah. We we want people to get interested in the project, get more involvement. People I just suggest people to use it as a library. If you think about contributing first, that might be overwhelming at some times. Because It
Roseann Guttierrez [00:12:50]:
can be, so start looking at it, play with it.
Md Saroer-E Azam [00:12:53]:
If you get the interest, like, wow. This, doing this kind of stuff. Like, maybe I could, I want this feature. I want the command to work like this. So we can stir up the discussions, create an issue or something in the STIX Shifter project, then we can, obviously our maintainers, me, myself, and we constantly look at the project. Every day, some work on the STIX shifter. The contribution is constantly growing from our side. If anyone has different ideas, we can help them to implement that feature as well.
Roseann Guttierrez [00:13:30]:
You make a good point because we have the Slack also for OCA. So there's a channel there for a STIX shifter. That's also a place that you could post, like, ideas or questions
Md Saroer-E Azam [00:13:40]:
Yeah, right.
Roseann Guttierrez [00:13:42]:
To kind of start getting involved, right, if you're not really sure where to start.
Md Saroer-E Azam [00:13:46]:
Yeah. And, also, the project is growing. Like, the last 5, 6 years, it has grown substantially. It's getting heavier and heavier. So when start a project go even though we distributed it, if we efficiently build the project, building the libraries, but there are always some performance issues with the project. The project is growing, but sometimes we are struggling with the performance of the libraries. So any contribution, even if it's an idea related to the performance, would be really helpful.
Roseann Guttierrez [00:14:21]:
Nice. Yeah. That's that's a good point.
Md Saroer-E Azam [00:14:23]:
That's a very short answer to your question.
Roseann Guttierrez [00:14:27]:
It's a complicated question. Well, thanks so much. I I appreciate you taking time with me today, and let me ask you just kind of, like, a wide variety of questions on STIX shifter. I really appreciate you being here with me today.
Md Saroer-E Azam [00:14:40]:
I really appreciate to engage me in this discussion. You wanted to talk about it. So so so that you can get more help from different people, different kind of people is, like,
Roseann Guttierrez [00:14:54]:
Exactly.
Md Saroer-E Azam [00:14:55]:
Even from nonsecurity background.
Roseann Guttierrez [00:14:57]:
Right. Well, yeah, I mean, I I think, having, you know, input from people with other backgrounds, with other experience is always good because not only does it broaden the project, but it may take you in directions that you hadn't necessarily planned to before because you didn't know. Right?
Md Saroer-E Azam [00:15:13]:
Right. You know, for example, like, we use Amazon data sources, Azure, Microsoft Data Sources. They're not all about security. They have different types of data in there. People can use the libraries, modify it, and search different data, not security logs or events.
Roseann Guttierrez [00:15:36]:
Right. So there might be other potential
Md Saroer-E Azam [00:15:40]:
Potentially.
Roseann Guttierrez [00:15:41]:
Types of data that we could be looking at that we're not necessarily looking at now.
Md Saroer-E Azam [00:15:44]:
Right. Yes. Right. Just just an idea of how varied of uses people can have using this project.