And here, in my studies, I have come across the very famous security reports, as well as the reports they produce. A must for a cyber operator.
On top of that, I was reviewing one of those hundreds of articles that one puts off to read carefully later.
Well, the day has arrived. In my new agenda I am on "Detection and analysis"; leaving detection (IDS) aside, we are going to focus on the whole topic of analysis and look at some big problems, in my opinion, which also coincide with the news of the US request for the implementation of SBOMs.
As analysis and reporting tools, I have studied OpenIOC, STIX, YARA and Sigma.
I think many of you will already know these tools. Basically they serve to describe the techniques, tactics or indicators discovered and to share them in a defined format through certain servers, such as STIX through TAXII.
The problem lies in 5 important points.
- A code-like format is used, and although it is only XML, JSON or YAML, it is one more subject to learn.
- They do not share servers, so what is published in one is not seen in the others.
- They lack a graphical environment, which makes the production environment less friendly.
- They do not share a language format.
- They do not share an expression format.
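To make the last two points concrete (different field names and different expression syntax for what is often the same observable), here is an added example, not code from the original post or from any of the projects named: it takes a constructed STIX 2.1 indicator and a constructed Sigma rule, flattens both into one normalized representation, and lets a single event be checked against rules from both sources. The field-name map, the sample hash, and the simplified STIX pattern parsing are assumptions of the example; Sigma's boolean `condition` logic is deliberately not evaluated, only its atomic selections.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Observable:
    """One atomic match condition, independent of the format it came from."""
    source: str   # "stix" or "sigma"
    field: str    # normalized field name shared by both sources
    op: str       # "equals", "contains", "endswith", ...
    value: str


# Field names differ per format. This map is an assumption of the example,
# not part of STIX or Sigma; a real deployment would use a proper taxonomy.
FIELD_MAP = {
    "file:hashes.'SHA-256'": "file.sha256",
    "file:name": "file.name",
    "Image": "process.image",
    "CommandLine": "process.command_line",
}

# Constructed STIX 2.1 bundle with one indicator (sample data, not a real IoC).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [{
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000002",
        "created": "2021-01-01T00:00:00.000Z",
        "modified": "2021-01-01T00:00:00.000Z",
        "name": "Constructed sample dropper",
        "pattern_type": "stix",
        "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "' OR file:name = 'dropper.exe']",
        "valid_from": "2021-01-01T00:00:00Z",
    }],
})

# Constructed Sigma rule, shown already loaded from YAML (the dict that
# yaml.safe_load would return), so the example needs no third-party module.
SIGMA_RULE = {
    "title": "Constructed sample dropper execution",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\dropper.exe",
            "CommandLine|contains": ["-decode", "-install"],
        },
        "condition": "selection",
    },
}

# Matches one comparison inside a STIX pattern, e.g.  file:name = 'dropper.exe'
# (simplified: enough for equality/LIKE/MATCHES on quoted string literals).
STIX_COMPARISON = re.compile(
    r"(?P<obj>[\w-]+):(?P<path>[\w.'-]+)\s*(?P<op>=|!=|LIKE|MATCHES)\s*'(?P<val>[^']*)'"
)
STIX_OPS = {"=": "equals", "!=": "not_equals", "LIKE": "like", "MATCHES": "regex"}


def from_stix(bundle_json: str) -> list[Observable]:
    """Flatten every STIX indicator pattern in a bundle into Observables."""
    bundle = json.loads(bundle_json)
    found = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for m in STIX_COMPARISON.finditer(obj["pattern"]):
            key = f"{m['obj']}:{m['path']}"
            found.append(Observable("stix", FIELD_MAP.get(key, key), STIX_OPS[m["op"]], m["val"]))
    return found


def from_sigma(rule: dict) -> list[Observable]:
    """Flatten every Sigma selection into Observables; the condition is not evaluated."""
    found = []
    for name, selection in rule["detection"].items():
        if name == "condition":
            continue
        for key, raw in selection.items():
            field_name, _, modifier = key.partition("|")   # "Image|endswith" -> ("Image", "endswith")
            for value in (raw if isinstance(raw, list) else [raw]):
                found.append(Observable("sigma", FIELD_MAP.get(field_name, field_name),
                                        modifier or "equals", str(value)))
    return found


def unified_catalog(*sources: list[Observable]) -> dict[str, list[Observable]]:
    """Group observables by normalized field so both formats can be queried together."""
    catalog: dict[str, list[Observable]] = {}
    for obs_list in sources:
        for obs in obs_list:
            catalog.setdefault(obs.field, []).append(obs)
    return catalog


def matches_event(catalog: dict[str, list[Observable]], event: dict) -> list[Observable]:
    """Return every atomic condition (from any source) that a flat, normalized event satisfies."""
    hits = []
    for field_name, value in event.items():
        v = str(value).lower()                      # case-insensitive, as Sigma matching is by default
        for obs in catalog.get(field_name, []):
            want = obs.value.lower()
            if ((obs.op == "equals" and v == want)
                    or (obs.op == "contains" and want in v)
                    or (obs.op == "endswith" and v.endswith(want))
                    or (obs.op == "startswith" and v.startswith(want))):
                hits.append(obs)
    return hits


if __name__ == "__main__":
    catalog = unified_catalog(from_stix(STIX_BUNDLE), from_sigma(SIGMA_RULE))
    # Constructed event already mapped to the normalized field names.
    event = {"process.image": "C:\\Users\\demo\\dropper.exe",
             "process.command_line": "dropper.exe -decode payload.bin",
             "file.name": "dropper.exe"}
    for hit in matches_event(catalog, event):
        print(f"{hit.source:5} {hit.field:22} {hit.op:8} {hit.value}")
```

The point of the exercise is the `FIELD_MAP` and the two `from_*` functions: that is precisely the glue an operator has to write (or a SIEM vendor has to ship) today because the formats share neither field names nor expression syntax, and it is exactly the kind of work a common standard would remove.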
And although in general they are easy to learn, I think it is one more difficulty for cyber operators and one more workload, which must be either automated, simplified or schematized even further.
You cannot waste so much time generating this type of information, key though it is, and not dedicate more time to studying new threats and/or possible mitigations, which I personally consider more important.
Well, this is where I saw the following article about SBOMs, whose aim is to create a national, standardized inventory, and which describes problems very similar to those I mentioned with the analysis tools.
The article in question (English):
https://www.securityweek.com/sboms-software-supply-chain-securitys-future-or-fantasy/
We have too many open source tools that do not share the same standard, with everything that entails. If we are already generating reports and analyzing possible attacks, we add to that the time lost generating inventories in different formats. We are losing valuable time that could be dedicated to hardening or raising awareness in our respective companies.
It is something that, in part, discourages me, because by wanting to improve our techniques we unintentionally give advantages to the bad guys.
As the article says, either by law or through the ENS, a mandatory and centralized standard must be created that is common to all cybersecurity actors; that way they can exert force and pay attention to operations instead of the bureaucracy, even though it is vital to be able to do our work.
I don't know if SIEM tools can work with several of these tools, thus simplifying the work. But reading logs and reports and deducing the correct information from them is neither easy nor quick.
Anyway, I will comment more about my learning.
All the best.