OCSF Promises to Advance Cybersecurity Data Sharing

An Open Cybersecurity Schema Framework (OCSF) launched this week at the Black Hat USA 2022 conference promises to finally address longstanding data sharing issues that conspire to limit the effectiveness of cybersecurity teams and increase overall costs.

Led by Amazon Web Services (AWS), Splunk and IBM, the OCSF is the latest industry effort that attempts to address interoperability. Similar previous standardization efforts, however, were met with limited success, noted Mike Rothman, general manager for Techstrong Research, an arm of Security Boulevard’s parent company. “It’s good news,” said Rothman. “It’s just the devil is, as always, in the details.”

Cybersecurity vendors including CrowdStrike, Rapid7, Palo Alto Networks, Cloudflare, DTEX Systems, IronNet Inc., JupiterOne, Okta, Salesforce, Securonix, Sumo Logic, Tanium, Zscaler Inc. and Trend Micro pledged to support the OCSF initiative.

Of course, more critical mass is needed in terms of support from other cybersecurity vendors before OCSF can become an actual standard, de facto or otherwise. It’s also likely to be a while before cybersecurity teams see any tangible benefits in terms of actual implementations of the framework.

A recent survey of 280 cybersecurity professionals conducted by the research firm Enterprise Strategy Group (ESG) on behalf of the Information Systems Security Association (ISSA) found more than three-quarters of respondents (77%) would like to see more industry cooperation and support for open standards to promote interoperability.

A full 83% also said future technology interoperability depends upon establishing industry standards, and 84% also noted that integration capabilities are important. A total of 86% said it’s either critical or important that best-of-breed products have built-in integration with other products. After cost (46%), product integration capabilities (37%) are the most important security product consideration, the survey found.

The root of the problem is that every cybersecurity tool or platform generates data in a proprietary format. Security operations teams need to normalize all that data before they can interrogate it to uncover illicit activity and potential threats. The amount of time, money and effort cybersecurity teams devote to such efforts is often substantial. However, when that task is left undone it becomes harder to correlate activity across a layered approach to cybersecurity involving multiple tools and platforms. In fact, many organizations are attempting to consolidate the number of security tools and platforms they use, in part to make it easier to correlate cybersecurity data.
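As an added illustration of the normalization step described above (this is not OCSF's own code or schema), the snippet below takes two constructed vendor log records, a JSON firewall event and a key=value identity-provider line, maps them into a small common schema of my own devising, and then correlates them by source address; the field names, sample values and the 300-second window are assumptions for the example.

```python
"""Normalize two constructed proprietary log formats into one common schema,
then correlate across tools. Added example; the schema is illustrative, not OCSF's."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: one JSON firewall record and one key=value IdP log line.
FIREWALL_JSON = '{"ts": 1660140131, "src": "203.0.113.5", "dst": "10.0.0.7", "act": "deny", "sev": 4}'
IDP_LINE = 'time=2022-08-10T14:02:20Z user=alice result=FAIL src_ip=203.0.113.5 sev=medium'

SEVERITY = {"low": 2, "medium": 3, "high": 4}  # vendor severity words onto one integer scale


def normalize_firewall(record: str) -> dict:
    """Map the firewall's JSON layout (epoch time, 'deny'/'allow') onto the common fields."""
    r = json.loads(record)
    return {"class": "network_activity", "source_tool": "firewall",
            "time": datetime.fromtimestamp(r["ts"], tz=timezone.utc),
            "src_ip": r["src"], "dst_ip": r["dst"],
            "outcome": "blocked" if r["act"] == "deny" else "allowed",
            "severity": int(r["sev"])}


def normalize_idp(line: str) -> dict:
    """Map the IdP's key=value syslog layout (ISO time, FAIL/OK) onto the same fields."""
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    return {"class": "authentication", "source_tool": "idp",
            "time": datetime.fromisoformat(kv["time"].replace("Z", "+00:00")),
            "src_ip": kv["src_ip"], "user": kv["user"],
            "outcome": "failure" if kv["result"] == "FAIL" else "success",
            "severity": SEVERITY.get(kv["sev"], 1)}


def correlate_by_source(events: list, window_seconds: int = 300) -> dict:
    """Return src_ip -> tools for addresses seen by more than one tool inside the window.
    This query only works because both tools now share 'src_ip' and 'time'."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        span = (evs[-1]["time"] - evs[0]["time"]).total_seconds()
        tools = {e["source_tool"] for e in evs}
        if len(tools) > 1 and span <= window_seconds:
            hits[ip] = sorted(tools)
    return hits


def demo() -> dict:
    """Normalize both constructed records and correlate them."""
    return correlate_by_source([normalize_firewall(FIREWALL_JSON), normalize_idp(IDP_LINE)])
```

Each new tool adds one small mapping function; the correlation query never has to change, which is the saving a shared schema is meant to deliver.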

Of course, the hope is that one day soon machine learning algorithms will be able to correlate insights across a pool of data without requiring a lot of manual work on the part of a security operations team. Achieving that goal becomes easier if there is a common data format through which the data needed to build artificial intelligence (AI) models is normalized.

One way or another, it’s now just a matter of time before the data interoperability issues that have plagued cybersecurity operations are finally addressed. The issue is that most cybersecurity teams need this capability as soon as possible, so vendors making good on OCSF or an equivalent standard can’t happen soon enough.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.