BLACK HAT USA – LAS VEGAS – Amazon Web Services (AWS) and Splunk are leading an industry effort of 18 systems and security vendors to standardize how different monitoring systems share security alerts. The goal is to deliver a simplified and vendor-agnostic taxonomy to help security teams ingest and analyze security data faster.
The companies announced the Open Cybersecurity Schema Framework (OCSF) during the Black Hat USA conference on Wednesday in Las Vegas. The participating companies are Broadcom (Symantec), Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler.
Detecting and stopping today's cyberattacks requires coordination across cybersecurity tools, but many of these tools are not interoperable and there are too many different data formats. The OCSF specification will normalize security telemetry across various security products and services, said Mark Ryland, director of the office of the CISO at AWS, in a blog post announcing the project.
"Security teams have to correlate and unify data across multiple products from different vendors in a range of proprietary formats," Ryland wrote. "Instead of focusing primarily on detecting and responding to events, security teams spend time normalizing this data as a prerequisite to understanding and response."
OCSF, which extends the ICD Schema specifications originally developed by Broadcom’s Symantec division, offers a collection of data types, an attribute dictionary, and taxonomy written in JSON, according to an overview of the specification available on GitHub. Contributors can utilize and extend the framework and map the various data ingestion and normalization schemas in a common threat detection language.
"As practitioners, one of the most challenging problems in technology is connecting finding and event information across multiple vendor tools, operating systems, and versions," says Jamie Scott, product manager at Endor Labs. "A standard data format will reduce cost and accelerate incident triage for our industry as a whole,"
An Extensible Framework for Interoperability
As an open source project, OCSF seeks to provide an extensible framework for providing interoperable core security schema not tied to a specific provider, Splunk distinguished engineer Paul Agbabian wrote in a white paper documenting OCSF. Licensed under the Apache License 2.0, OCSF features an agnostic storage format, data collection, and extract, transform, and load (ETL) processes. The schema browser represents categories, event classes, dictionaries, data types, profiles, and extensions.
"Vendors and other data producers can adopt and extend the schema for their specific domains," Agbabian explained in a separate blog post. "Data engineers can map existing schemas to help security teams simplify data ingestion and normalization so that data scientists and analysts can work with a common language for threat detection and investigation."
"Having a common data format for these events to be shared across tooling will make both consumers and producers lives’ easier. Producers can more easily integrate with other solutions and consumers can aggregate and triage incidents," Scott says.
The OCSF shares some similar taxonomy with the widely used MITRE ATT&CK Framework, according to the white paper, though it also noted some stark differences. The most notable is that OCSF is extensible by vendors and customers, while MITRE releases all content for ATT&CK.
An Enterprise Strategy Group and Information Systems Security Association (ISSA) survey found that 77% of cybersecurity professionals want to see the industry forge support for open standards. The same survey found that 85% see integration among products as essential.
"Cybersecurity is ready to move on from silos and into an open, integrated era of inter-operability and cooperation," Aghabian noted.
Normalizing Security Telemetry
The project is open to other providers wishing to participate and contribute, according to Ryland.
"We see value in contributing our engineering efforts and also projects, tools, training, and guidelines to help standardize security telemetry across the industry," he wrote. "Although we as an industry can’t directly control the behavior of threat actors, we can improve our collective defenses by making it easier for security teams to do their jobs more efficiently."
The status of the OCSF and when vendors will begin testing wasn’t immediately apparent. And it remains to be seen to what extent the vendors will ultimately contribute to OCSF and implement it.
"The biggest threat to an early-stage effort like OCSF is the steering committee composition itself. Since the committee is made largely of vendors, representative consumer organizations will need a seat at the table to help drive adoption across vendors," Scott says. "As the OCSF continues to collaborate with the industry, it should ensure that the steering committee has reserved spots for industry practitioners who are willing to make an investment in their mission."
Erkang Zheng, founder and CEO of cyber operations platform provider JupiterOne, is pledging to embrace and participate in extending OCSF.
"Over time, we will continue to contribute to the OCSF initiative by extending the framework to cover both time-series event data and stateful/structural asset data, leveraging JupiterOne’s open-source data model," Zheng wrote. "Our hope in participating in this initiative is to inspire more cross-industry collaboration."
Scott adds: "Solving a problem like this is a journey that will require learnings across the industry. But the destination makes the journey worth it."