At a restaurant where the waiters, chefs and cooks speak the same language but use different words for what’s on the menu, you might order lobster bisque and wind up with steak frites. A similar Tower of Babel problem exists in cybersecurity, especially given increasing threats in 2023: different security vendors rarely use the same JSON field names and value formats to describe events, or even such basic parameters as dates and endpoints.
A consortium led by Splunk and AWS is hoping to fix this by standardizing how events are recorded in logs, reducing the burden on security teams to decipher alerts they receive from multiple tools and vendors.
Open Cybersecurity Schema Framework is generally available
Last week at Black Hat, security vendor Splunk announced the general availability of the Open Cybersecurity Schema Framework. It is an open-source project hosted on GitHub that is designed to remove security data silos and standardize event formats across vendors and applications.
SEE: What happens at Black Hat … More from the 2023 conference (TechRepublic)
When OCSF was first announced at Black Hat 2022, 18 organizations were on board. Now, OCSF comprises 145 security companies, including AWS and IBM, and 435 individual contributors. Splunk describes OCSF as an open and extensible framework that organizations can integrate into any environment, application or solution to complement existing security standards and processes.
A rose by any other name, except in JSON
At its heart, OCSF is a schema expressed in JSON (JavaScript Object Notation), the text format of quoted keys, values and brackets in which most security tools emit their logs. JSON itself is an open standard, but it standardizes only the syntax: the names and formats of the fields that describe a given event are left to each vendor, and that is the gap OCSF is meant to close.
Mark Ryland, director, Office of the CISO at AWS, said, “A great example is Greenwich mean time, GMT. Every tool might encode it, but not in the same way, so if I’m trying to do a date comparison, I may be seeing many representations of a given GMT date. Every tool is describing the reality it sees with a slightly different variation based on how it is sharing that information.”
He said that, because of this, analysts end up looking at multiple screens and in effect cutting and pasting to present data in a denormalized way.
“Working with Splunk and other vendors, we realized if we could decrease the amount of time spent on data cleansing, munging and transformation, we could increase productivity of security teams, because the problem would be solved in common formats across all telemetry,” he said.
SEE: ‘Munging’ AI at Black Hat: bane or boon for cybersecurity? (TechRepublic)
Patrick Coughlin, general vice president of security markets at Splunk, noted that security teams at organizations often use up to 100 tools, each with different structures, formats and ways of showing alerts.
“It’s a massive problem when we talk about alert fatigue,” he said. “If I have to talk to different systems that talk about alerts in different ways, it’s that much worse. OCSF brings it all together in a way that makes it far easier to understand, but also to automate.”
Ryan Kovar, distinguished security strategist at Splunk and director of the firm’s SURGe threat intelligence and analysis unit, said that if, for example, a ransomware attacker encrypts a file system, the way this ransomware encryption event is recognized in an event log by one vendor may be very different from how it is recognized by another.
“If there are several proprietary taxonomies for alerts — one for each of your security vendors — you can no longer tell if they are alerting for the same event or not. By contrast, the security solutions that utilize the OCSF schema produce data in the same consistent format, so security teams can save time and effort on normalizing the data and get to analyzing it sooner, accelerating time-to-detection.”
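The following is an added example, not code from the OCSF project or from the vendors quoted above. It illustrates the two problems described by Ryland and Kovar: the same GMT instant and the same encryption event encoded differently by two hypothetical vendors, then mapped onto one common record so that a time comparison and an activity comparison actually work. The target field names (`class_uid`, `time` as epoch milliseconds, `metadata.version`) follow OCSF conventions, but the mapping, the sample records and the vendor names are constructed for illustration.

```python
"""Normalize two constructed vendor events onto one common, OCSF-style shape."""
import json
from datetime import datetime, timezone

# Constructed sample records from two hypothetical vendors describing the same
# file-encryption event. Both timestamps denote the same instant in GMT, but a
# naive string comparison of the raw values would say they differ.
VENDOR_A_RAW = ('{"timestamp": "2023-08-10T14:32:05Z", "host": "fs01", '
                '"action": "file_encrypted", "path": "/srv/data/q3.xlsx"}')
VENDOR_B_RAW = ('{"eventTime": "08/10/2023 14:32:05 GMT", "endpoint": "fs01", '
                '"evt": "ENCRYPT", "file": "/srv/data/q3.xlsx"}')

# Per-vendor mapping of source keys onto common names, plus a small taxonomy
# table that aligns each vendor's activity label with a shared vocabulary.
VENDOR_MAPS = {
    "vendor_a": {"time": "timestamp", "device": "host", "activity": "action",
                 "file": "path", "taxonomy": {"file_encrypted": "encrypt"}},
    "vendor_b": {"time": "eventTime", "device": "endpoint", "activity": "evt",
                 "file": "file", "taxonomy": {"ENCRYPT": "encrypt"}},
}

def to_epoch_ms(value: str) -> int:
    """Parse the known vendor timestamp layouts into UTC epoch milliseconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%m/%d/%Y %H:%M:%S GMT"):
        try:
            dt = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
            return int(dt.timestamp() * 1000)
        except ValueError:
            continue
    raise ValueError(f"unrecognized timestamp layout: {value!r}")

def normalize(raw: str, vendor: str) -> dict:
    """Map one raw vendor record onto the common event shape."""
    src = json.loads(raw)
    m = VENDOR_MAPS[vendor]
    return {
        "metadata": {"version": "1.0.0", "product": {"vendor_name": vendor}},
        "class_uid": 1001,  # OCSF "File System Activity"; assumed fixed here
        "time": to_epoch_ms(src[m["time"]]),
        "device": {"hostname": src[m["device"]]},
        "file": {"path": src[m["file"]]},
        "activity_name": m["taxonomy"][src[m["activity"]]],
    }

def same_event(a: dict, b: dict) -> bool:
    """Two normalized records describe the same event if time, host, path and activity agree."""
    keys = ("time", "device", "file", "activity_name")
    return all(a[k] == b[k] for k in keys)
```

Once both records share one timestamp representation and one activity vocabulary, the comparison that failed on the raw strings succeeds on the normalized records.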
How OCSF builds on prior schemas
Building upon the ICD Schema work done at Symantec, OCSF includes contributions from 15 additional initial members, including Cloudflare, CrowdStrike, DTEX, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro and Zscaler.
Coughlin explained that, while there have been several standards and initiatives around data and cyber over the course of the past decade, including STIX (Structured Threat Information eXpression, a standardized XML-based language for describing cyber threats) and TAXII (Trusted Automated eXchange of Indicator Information, a transport protocol for sharing threat information across organizations), he is surprised by the uptake rate for OCSF.
“We have seen a significant acceleration of adoption of OCSF,” he said. “If you had asked me 12 months ago when we were here, I would have said it is going to be a slow, long road to traction because standards are tough and companies are territorial. I just learned that Barracuda, for example, has already launched its first product that natively integrates with OCSF, so it has grown by orders of magnitude in the past year. The big fundamental difference over the past 12 months is we can now point to products and capabilities in the market that are OCSF compliant, which we did not have last year.”
Breaking through the babble to find the right cyber solution
The proliferation of security solutions can leave buyers stymied. To learn more about criteria for choosing a cybersecurity solution that can block cyberattacks and protect allowed traffic from threats, download this definitive guide. It will show you how to effectively evaluate cybersecurity solutions through the request for proposal process.