AWS Leads Open Cybersecurity Schema Framework (OCSF) Consortium

Amazon Web Services (AWS) and Broadcom are among more than a dozen companies collaborating on an open source initiative, the Open Cybersecurity Schema Framework (OCSF) project, which hopes to better integrate security tools and break down data silos.

Conceived and initiated by AWS and unified observability and security provider Splunk, the OCSF builds on the ICD Schema work done at Broadcom’s Symantec division.

The framework is based on an open standard, so it can be adopted in any environment, application or solution provider. It is also designed to fit within existing security standards and processes and aims to deliver a simplified, vendor-agnostic taxonomy to help security teams.

OCSF: Vendor-Agnostic for Improved Cybersecurity Integration

By adopting OCSF’s vendor-agnostic schema, solutions can standardize on the same language for threat detection and investigation, making it easier for data to be shared across tools and allowing vendors to integrate with other solutions more easily.

Erkang Zheng is founder and CEO at JupiterOne, one of the initial members. Zheng said the speed of development has brought to market a wide range of offerings that enable security teams to protect their organizations, all with their own unique workflows for data ingestion, normalization and management.

“The average organization’s security stack consists of more than 75 tools, making custom data ingestion requirements extremely onerous, and taking valuable time away from already burdened security resources,” he explained.

He said using a common framework for data ingestion and normalization greatly reduces the time it takes to complete these tasks and serves as a common “language” for data to be shared across tools.

This, in turn, allows security teams to focus on higher priorities while also breaking down data silos created by tools that leverage different database structures.
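To make the normalization argument above concrete, here is an added example (not code from the article, the OCSF project or any of the vendors quoted) that ingests two constructed vendor log formats, a syslog-style firewall line and a JSON identity-provider record, maps both onto one shared event shape, and then runs a single detection over the merged stream. The field names (`class_name`, `activity`, `status`, `actor_user`, `src_ip`, `vendor`, `time`) are illustrative assumptions loosely modeled on the idea of a vendor-agnostic schema; they are not the real OCSF field names, and the log lines are constructed sample data.

```python
"""Added example: normalize two vendor log formats into one common event
shape, then write detection logic once against that shape.

Field names below are illustrative assumptions, NOT the actual OCSF schema.
All log lines are constructed sample data.
"""
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample input from two hypothetical tools.
VENDOR_A_SYSLOG = [
    "2024-05-01T10:00:01Z fwA auth-fail user=alice src=10.0.0.5",
    "2024-05-01T10:00:02Z fwA auth-fail user=alice src=10.0.0.5",
    "2024-05-01T10:00:03Z fwA auth-ok user=bob src=10.0.0.9",
    "2024-05-01T10:00:04Z fwA kernel: link up",  # unrelated line, skipped
]
VENDOR_B_JSON = [
    '{"ts": 1714557604, "event": "LOGIN_FAILURE", "username": "alice", "client": "10.0.0.5"}',
    '{"ts": 1714557605, "event": "LOGIN_FAILURE", "username": "alice", "client": "10.0.0.5"}',
    '{"ts": 1714557606, "event": "LOGIN_FAILURE", "username": ',  # truncated record, skipped
]

SYSLOG_RE = re.compile(
    r"^(?P<time>\S+) (?P<host>\S+) (?P<action>auth-\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def _iso_to_epoch(ts):
    # Vendor A emits ISO 8601 with a trailing Z; vendor B emits epoch seconds.
    # The common shape stores integer epoch seconds so time queries work across tools.
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def _event(time, status, user, src_ip, vendor, raw):
    # One shared shape for authentication events, whichever tool produced them.
    return {
        "class_name": "Authentication",
        "activity": "Logon",
        "status": status,
        "severity": "Medium" if status == "Failure" else "Informational",
        "actor_user": user,
        "src_ip": src_ip,
        "vendor": vendor,
        "time": time,
        "raw": raw,  # original record kept for investigation
    }


def normalize_vendor_a(line):
    """Map a vendor A syslog line to the common shape; None if not an auth event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    status = "Failure" if m.group("action") == "auth-fail" else "Success"
    return _event(_iso_to_epoch(m.group("time")), status, m.group("user"),
                  m.group("src"), "vendorA", line)


def normalize_vendor_b(line):
    """Map a vendor B JSON record to the common shape; None if malformed or irrelevant."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("event") not in ("LOGIN_FAILURE", "LOGIN_SUCCESS"):
        return None
    status = "Failure" if rec["event"] == "LOGIN_FAILURE" else "Success"
    return _event(int(rec["ts"]), status, rec.get("username", ""),
                  rec.get("client", ""), "vendorB", line)


def normalize_all(sources):
    """sources: list of (parser, lines). Returns one time-ordered event list."""
    events = []
    for parser, lines in sources:
        for line in lines:
            ev = parser(line)
            if ev is not None:
                events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def failed_logons_by_user(events):
    """Detection written once against the common shape, not per vendor."""
    return Counter(e["actor_user"] for e in events
                   if e["class_name"] == "Authentication" and e["status"] == "Failure")


def users_over_threshold(events, threshold=3):
    """Users whose failures across ALL tools reach the threshold."""
    return sorted(u for u, n in failed_logons_by_user(events).items() if n >= threshold)


if __name__ == "__main__":
    merged = normalize_all([(normalize_vendor_a, VENDOR_A_SYSLOG),
                            (normalize_vendor_b, VENDOR_B_JSON)])
    print(f"{len(merged)} normalized events from {len(set(e['vendor'] for e in merged))} tools")
    print("users over threshold:", users_over_threshold(merged))
```

The point the detection illustrates is the one Zheng makes: with a per-vendor format, alice's two failures in the firewall log and two in the identity provider log each sit below a threshold of three, and only the merged, normalized stream reveals four. Keeping the original record in `raw` preserves the evidence an analyst needs once the shared shape has surfaced the case.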

“We see significant value for adopters of the OCSF, both security teams and the makers of the products they use,” he said. “Everybody wins when security professionals can use a tool more efficiently—let alone several of them—and reallocate the time savings toward detecting and investigating security threats.”

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, pointed out that data sharing is a key element when working to combat cybersecurity threats.

“Tool proliferation is something that end users feel on an almost daily basis as IT organizations seek ways to combat the ever-changing threat landscape,” he said. “One of the biggest problems of tool proliferation is a requirement for each tool to individually inspect the same data using its threat detection capabilities.”

The net result, he added, is reduced end-user productivity, as each tool independently performs its operations.

“By adopting a data sharing and interchange model, duplication of efforts could be avoided with a ‘scan once’ model that then passes data to each tool for inspection,” Mackey said.

The Shared Responsibility Model

Sammy Migues, principal scientist at Synopsys Software Integrity Group, said cybersecurity, and app security in particular, has always been a shared responsibility model.

“Much of the problem is that some folks took more responsibility than they had the people or technical capacity to deliver,” he said. “Fixing that shared responsibility model today means building bridges between humans and building lots of bots.”

He called it “a huge culture shift” in how security teams improve, deeming it “way harder” for organizations than just writing a policy and rolling out some tools.

“All the data silos are impeding security teams,” he added. “Every time someone has to make a phone call, send an email or wait for a spreadsheet, they’re not moving at the speed of attackers or developers.”

Zheng noted that, as more organizations adopt the cloud to centralize their operations, new challenges arise.

New users, endpoints, applications, code, data and even whole new environments can be added and spun up faster than security teams can keep track of them.

“This lack of visibility becomes a major pain point and can result in data leaving the organization unbeknownst to the security teams that are meant to protect it,” he warned.

Mackey explained that most new technologies have an inflection point where the industry moves from a siloed competitive landscape to an interoperable paradigm.

For example, the ability to connect network gear from any vendor and achieve a functioning network is the result of a standards-based approach to product development that also recognizes the need for technology ecosystems.

“Without the investments network gear providers made in interoperability, the connected world we have today wouldn’t be as reliable as it is,” he said. “The same paradigm applies to the OCSF effort—it holds the promise of more accurate identification of cybersecurity threats in a more timely manner.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
