By Shared Signals Framework WG Contributor, Apoorva Deshpande, Okta
In the realm of cybersecurity, there are two critical sets of frameworks that serve distinct yet vital roles in how organizations share and act upon security information - the Shared Signals Framework (SSF), with its Continuous Access Evaluation Protocol (CAEP), and the Trusted Automated eXchange of Indicator Information (TAXII) protocol built to transport Structured Threat Information eXpression (STIX). While both aim to bolster security postures, their fundamental designs dictate their suitability for different operational needs: SSF/CAEP excels in the fast-paced world of continuous authentication and real-time response, whereas STIX/TAXII is the standard for comprehensive threat intelligence sharing and in-depth investigations.
The core difference lies in their intended purpose and underlying architecture. SSF, with CAEP, is designed for the real-time communication of security events to enable continuous, dynamic access decisions. STIX, transported over the TAXII protocol, provides a rich, detailed language for describing the broad landscape of cyber threats for in-depth analysis and investigations.
Think of these standards in the emergency room analogy:
- SSF/CAEP is like a real-time heart signal from the patient. It sends immediate, specific notifications such as “heart rate is low”, which demand an immediate response: an alarm, a code blue, and the use of a defibrillator.
- STIX/TAXII is like a detailed medical chart of the patient and a research library. It provides a rich, historical, and predictive understanding of who the patient is, their labs, and genetic history (indicators and vulnerabilities). The library (campaigns and TTPs) contains research on the disease and underlying medical conditions. Doctors use this information to diagnose the root cause and develop treatment plans.
SSF/CAEP: The Sentinel of the Active Session
At its heart, SSF/CAEP operates on a real-time, event-driven, publish-subscribe model that uses a generic webhook to transmit standardized security events. SSF defines how a transmitter and a receiver exchange data in the form of CAEP events, supporting both push delivery to the receiver and polling by the receiver. This means that when a significant event occurs, a transmitter (e.g., an identity provider, a mobile device management system, etc.) can immediately publish a signal to a receiver (e.g., an application, a VPN gateway, etc.) that has subscribed to receive such updates. This bridges the security silos between the various systems and vendors in a customer environment, using open standards for true interoperability. Sharing security events lets a risk or threat detected by one system protect customer identities across all of them.
SSF and CAEP are separate specifications housed in the OpenID Foundation’s Shared Signals Working Group and are actively being developed.
How it Fuels Continuous Authentication Decisions:
This event-driven nature makes SSF/CAEP exceptionally useful for continuous authentication and access control. Instead of a one-time authentication check at the beginning of a session, SSF/CAEP allows for ongoing, dynamic risk assessment. It enables the Zero Trust principle of “never trust, always verify” by allowing continuous evaluation of access, even after initial authentication. Here's how it works in practice:
- Session Revocation: If, for example, a user's credentials are leaked and detected by a threat intelligence system, that system can immediately issue a session-revoked event. Any application the user is logged into will receive this signal and can terminate the session in near real-time, preventing further unauthorized access.
- Credential Change: When a user changes their password or multi-factor authentication (MFA) method, a credential-change event can be transmitted. Sensitive applications can then prompt the user for re-authentication or reduce available functionality before allowing critical actions.
- Device Compliance Change: If a user's device suddenly becomes non-compliant with security or compliance policies (e.g., malware is detected, security settings are disabled, etc.), a CAEP event can be triggered to limit or block access from that device until the issue is remediated.
- Risk and Assurance Level Changes: A sudden change in a user's risk profile, such as logging in from a new and unusual location, can trigger an event that dynamically adjusts their access privileges. For instance, they might be moved to a lower-trust tier, restricting access to highly sensitive data.
Putting SSF/CAEP to Work: Powering Real-Time Enforcement
SSF/CAEP events are not meant for leisurely analysis in a log file. They are high-priority, perishable signals designed to trigger immediate, automated action. When ingested, these events become the real-time fuel for your identity and access infrastructure.
- Directly into Access Control Engines: CAEP events can be streamed directly to the systems that grant or deny access, such as your Identity Providers (IdP), Zero Trust Network Access (ZTNA) solution, APIs, and business-critical applications. This allows a session-revoked event to instantly terminate a user's session network-wide.
- Into Risk Calculation Infrastructure: These signals can be funneled into your risk engines to dynamically adjust a user's trust score. For example, a device-compliance-change event could instantly raise an identity's risk profile, automatically restricting their access to sensitive data until the issue is resolved.
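The transmitter/receiver exchange described above, written out as an added example (not code from the OpenID Foundation or any SSF implementation): one CAEP event is carried in a Security Event Token, and the receiver verifies it, rejects stale or mis-addressed tokens, and maps the event type to an enforcement action. The CAEP event-type URIs are the published ones; the issuer, audience, subject and shared key are constructed, and HS256 is used only to keep the demo dependency-free.

```python
import base64, hashlib, hmac, json, secrets, time

CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
SESSION_REVOKED = CAEP + "session-revoked"
DEVICE_COMPLIANCE_CHANGE = CAEP + "device-compliance-change"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_set(issuer, audience, subject, event_type, payload, key, now=None):
    """Transmitter side: encode one CAEP event in a Security Event Token (RFC 8417 JWT)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "secevent+jwt"}  # HS256 only to keep the demo self-contained
    claims = {"iss": issuer, "aud": audience, "iat": now, "jti": secrets.token_hex(16),
              "sub_id": subject,  # RFC 9493 subject identifier, e.g. {"format": "email", ...}
              "events": {event_type: {"event_timestamp": now, **payload}}}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)

def receive_set(token, key, issuer, audience, max_age=300, now=None):
    """Receiver side: verify the SET, reject stale or mis-addressed tokens, map events to actions."""
    now = int(time.time()) if now is None else now
    head_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected alg/typ")  # pin the algorithm; never trust the token's alg alone
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if now - claims["iat"] > max_age:
        raise ValueError("stale event")  # CAEP signals are perishable; do not act on old ones
    actions = []
    for event_type, data in claims["events"].items():
        if event_type == SESSION_REVOKED:
            actions.append(("terminate_sessions", claims["sub_id"]))
        elif event_type == DEVICE_COMPLIANCE_CHANGE and data.get("current_status") == "not-compliant":
            actions.append(("restrict_device_access", claims["sub_id"]))
        else:
            actions.append(("log_only", event_type))  # unknown or informational event types
    return actions
```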
STIX/TAXII: The Archivist for Threat Investigation
In contrast to the immediate, session-focused nature of SSF/CAEP, STIX/TAXII serves as a robust framework for sharing comprehensive threat intelligence, with a data model of STIX Domain Objects, Cyber-observable Objects and Relationship Objects that link the objects to one another. TAXII is the transport mechanism, defining how threat data is exchanged, while STIX is the language used to structure that data.
STIX and TAXII are separate but complementary standards governed by the OASIS Cyber Threat Intelligence Technical Committee (CTI TC). This nonprofit consortium drives the development, convergence, and adoption of open standards for the global information society.
How it Powers Investigation:
STIX provides a rich and detailed vocabulary to describe the "who, what, when, where, and how" of a cyberattack. This includes:
- Threat Actors: Detailed profiles of adversary groups, including their motivations, capabilities, and typical targets.
- Campaigns: Information about coordinated malicious activities over time.
- Indicators of Compromise (IoCs): Specific artifacts like malicious IP addresses, file hashes, and domain names that can identify a breach.
- Tactics, Techniques, and Procedures (TTPs): Descriptions of the methods used by attackers, often mapped to frameworks like MITRE ATT&CK.
- Malware: Detailed analysis of malicious software.
- Vulnerabilities: Information about software weaknesses exploited by attackers.
- Relationship: The object that links everything together (e.g., Threat Actor APT29 uses Malware SUNBURST in Campaign SolarWinds).
STIX also has a concept of “extensions” to accommodate information from other standards and custom events. Indicators of Behavior (IoB) and Collaborative Automated Course of Action and Operations (CACAO) use these extensions to fit within a STIX bundle, embedding action playbooks and remediation actions as a base64 string along with more information about associated intrusions or campaigns.
TAXII defines how clients and servers talk to each other to exchange STIX data. It supports various sharing models, including a hub-and-spoke model (one central repository) and a peer-to-peer model (multiple groups sharing with each other). This intelligence-centric model makes STIX/TAXII invaluable for security operations centers (SOCs), threat hunters, and incident responders:
- Post-Breach Forensics: After a security incident, investigators can use STIX-formatted intelligence to understand the full scope of the attack, identify the attacker's TTPs, and determine what other systems may be at risk.
- Threat Hunting: Security analysts can proactively search their networks for the IoCs and TTPs described in STIX reports to uncover hidden threats.
- Enriching Security Alerts: When a security tool generates an alert, it can be enriched with STIX data to provide analysts with a more complete picture of the potential threat, enabling a more informed response.
- Strategic Threat Intelligence: By analyzing long-term trends in threat intelligence structured with STIX data, organizations can better understand the threat landscape and make more strategic decisions about their security investments and defenses.
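The object model listed under “How it Powers Investigation” and the alert-enrichment use case above, as one added example (not code from OASIS or the article's author): a constructed STIX 2.1 bundle reproduces the article's own chain (Threat Actor APT29 uses Malware SUNBURST in Campaign SolarWinds) plus one indicator, and `enrich_alert` matches an alert's IP against the indicator pattern, then walks the Relationship Objects in both directions to collect the surrounding context. The indicator address is from the documentation range and is constructed, not a real IoC; only the single `ipv4-addr:value` pattern shape is parsed.

```python
import re, uuid
from datetime import datetime, timezone

IPV4_PATTERN = re.compile(r"\[ipv4-addr:value = '([^']+)'\]")  # the one STIX pattern shape handled here

def stix_object(obj_type, **props):
    """Build a STIX 2.1 object with the common required properties (id, timestamps, spec_version)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": now, "modified": now, **props}

def relationship(src, rel_type, dst):
    """STIX Relationship Object: the edge that links two domain objects."""
    return stix_object("relationship", relationship_type=rel_type, source_ref=src["id"], target_ref=dst["id"])

def build_bundle():
    """Constructed bundle mirroring the article's example: APT29 uses SUNBURST in the SolarWinds campaign."""
    actor = stix_object("threat-actor", name="APT29")
    malware = stix_object("malware", name="SUNBURST", is_family=True)
    campaign = stix_object("campaign", name="SolarWinds")
    indicator = stix_object("indicator", name="C2 address (constructed)", pattern_type="stix",
                            pattern="[ipv4-addr:value = '198.51.100.7']",  # documentation range, not a real IoC
                            valid_from="2024-01-01T00:00:00.000Z")
    objects = [actor, malware, campaign, indicator,
               relationship(indicator, "indicates", malware),
               relationship(actor, "uses", malware),
               relationship(campaign, "attributed-to", actor)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def enrich_alert(bundle, observed_ip):
    """Match an alert's IP against indicators, then walk relationships both ways to gather context."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    seen = set()
    for obj in bundle["objects"]:
        if obj["type"] == "indicator":
            m = IPV4_PATTERN.fullmatch(obj["pattern"])
            if m and m.group(1) == observed_ip:
                seen.add(obj["id"])
    frontier, context = list(seen), []
    while frontier:  # breadth over the relationship graph, each object visited once
        cur = frontier.pop()
        for r in rels:
            for nxt in (r["target_ref"] if r["source_ref"] == cur else None,
                        r["source_ref"] if r["target_ref"] == cur else None):
                if nxt and nxt not in seen:
                    seen.add(nxt)
                    context.append((r["relationship_type"], by_id[nxt]["type"], by_id[nxt]["name"]))
                    frontier.append(nxt)
    return sorted(context)
```

An alert on 198.51.100.7 therefore comes back with the malware, the actor that uses it and the campaign attributed to that actor, which is the enrichment a SIEM or TIP would attach before escalating.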
Operationalizing STIX/TAXII: Supercharging Your Security Analytics
While CAEP events trigger immediate enforcement, STIX/TAXII feeds provide the deep context that supercharges your security analytics and threat detection capabilities.
- Into Your SIEM Platform: SIEM systems can use TAXII to pull in threat intelligence feeds, enriching security logs with context from external sources. This lets the SIEM correlate a seemingly minor internal alert with the TTPs of a known global threat actor, instantly escalating a low-level event into a high-priority incident.
- Into SOAR and Threat Intelligence Platforms (TIPs): When ingested by Security Orchestration, Automation, and Response (SOAR) platforms, STIX indicators can automatically trigger playbooks—for instance, taking a new malicious IP address and adding it to firewall blocklists across the enterprise without human intervention.
In essence, SSF/CAEP and STIX/TAXII are not competitors, but rather complementary technologies. An ideal security architecture would leverage both: SSF/CAEP to make rapid, tactical decisions to protect active sessions, and STIX/TAXII to provide the deep, strategic intelligence needed to understand and defend against the ever-evolving threat landscape.
Call to Action
The Shared Signals Working Group looks forward to working with STIX and TAXII implementers to realize the potential of bridging these standards. The OpenID Foundation looks forward to working with peers at OASIS, FS-ISAC, and other partners to support our shared communities in realizing the benefits of bridging our approaches. Together, we can facilitate the adoption of a more secure identity and security fabric that interoperates across organizations and silos.
Realizing this vision involves exploring practical ways to make these complementary standards interoperate. For instance, a STIX message could ride on the SSF infrastructure to provide immediate context for a security event. Conversely, CAEP events could be made available over TAXII, providing identity actions for additional analysis. This interoperability adds security value by fusing immediate enforcement with analytical context: an alert from one ecosystem can inform an action in another, breaking down the walls between them and leading to a more responsive security ecosystem.
Additional Resources:
- OIDF Specs and overviews
  - Shared Signals WG Home Page: https://openid.net/wg/sharedsignals/
  - Resource guide to Shared Signals: https://sharedsignals.guide/
  - Blog series: https://openid.net/shared-signals-framework-the-blueprint-for-modern-iam-part-1-of-4/ and https://openid.net/juggling-with-fire-made-easier-provisioning-with-scim/
- STIX & TAXII materials
About the OpenID Foundation
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, the Financial Grade API has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue to enable people to assert their identity and access their data at scale, the scale of the internet, enabling “networks of networks” to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
