IT security professionals rely heavily on telemetry and data logs to identify, tackle and prevent cyber attacks. But the challenge is that there isn’t a simple way for security teams to make sense of large datasets.
Typically, they would use a plethora of technologies and software to collect and analyse data. However, this approach is often inefficient and expensive, and makes it difficult for organisations to detect and respond to cyber attacks.
Amazon Web Services, Splunk and many other organisations believe that the only way to solve these challenges is by openly sharing security data and information – and that is exactly what they hope to achieve through the creation of the Open Cybersecurity Schema Framework (OCSF) project.
Launched in August 2022, the OCSF essentially sets out a range of open specifications for cyber security products, services and tools. The idea is that cyber security professionals and teams spend less time and money on implementing these tools, and more time on analysing data and mitigating cyber attacks.
The open source, collaborative nature of the OCSF will enable companies to form connections with lots of security experts and teams to shore up their cyber defences, according to ESET global security adviser Jake Moore.
“The aim is to speed up the detection of attacks and prevent them from evolving and therefore keeping data more secure,” he says. “Time is of the essence in an attack, and in the past, we have seen mistakes that could have been patched with faster detection and better mitigation techniques.”
Working in cyber security can be incredibly stressful because the need for organisations to monitor and mitigate cyber risks never stops. What is more, the attack surface is constantly expanding. But this framework should hopefully make life easier for cyber security professionals.
“Responding to threats can be a major headache for CISOs, but working together can be effective in other departments and cyber security needn’t be any different,” says Moore.
“We have spent years remaining quiet about so many sensitive areas of infosec, but a collaboration is a far stronger mix to withstand the same problems everyone is facing.”
Of course, the OCSF is a relatively new concept for the industry, and not everyone may be convinced by it. But Moore believes that, with a little bit of time and maturity, the framework will be highly beneficial for the cyber security suite. He says: “It may take time finding its feet, but I think that once established, OCSF may be an industry standard in a short space of time.”
A common language for cyber security pros
Allie Mellen, a senior security and risk analyst at Forrester, describes the OCSF as a common language for detecting and investigating cyber security risks. This has been challenging for cyber security companies and departments in the past, she says.
“Interoperability of security tools and data normalisation are a huge challenge for security teams, to the point where security pros will purchase products or services to handle it for them,” Mellen tells Computer Weekly. “The goal of OCSF is to standardise around a common taxonomy to simplify data ingestion and analysis.”
But encouraging security suppliers to adopt the OCSF and support it on a continuing basis is likely to be a challenge. In the light of this, Mellen says the industry must work hard to ensure adoption of the framework throughout the industry. “Without that, the framework will exist in its own corners and not become a true standard,” she adds.
Mellen recommends that organisations ask their cyber security suppliers if they are an OCSF member and how they plan to support the framework. Log management and detection engineering teams should also think about adopting the framework and making it a strategic priority. “If so, push your vendors to support the framework,” she says.
Breaking down barriers
Cyber security departments should avoid working in silos and instead adopt an open, collaborative approach that puts interoperability first, according to Paul Agbabian, vice-president of security technology leadership at Splunk.
But this can only be achieved if the entire industry comes together, and Agbabian believes the OCSF’s wide membership base will help in this regard. Besides Splunk, its founders include AWS, Broadcom, Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler.
“In technical terms, OCSF delivers an extensible framework for developing schemas, paired with a vendor-agnostic core security schema,” says Agbabian. “Vendors, data producers and engineers can then map existing schemas to help security teams simplify data ingestion and normalisation.
“By successfully adopting the new framework, organisations can not only strengthen their security systems, but drive unification of security event data to work in a common language for threat detection and investigation”
Paul Agbabian, Splunk
“This means better, faster data ingestion and analysis with less time-consuming normalisation tasks. By successfully adopting the new framework, organisations can not only strengthen their security systems, but drive unification of security event data to work in a common language for threat detection and investigation.”
For IT security leaders interested in adopting the OCSF at their organisation, the first step is to get the security operations team to familiarise itself with the current framework. In particular, Agbabian advises CISOs and their employees to learn OCSF’s definitions of different security events. This will allow them to “quickly operationalise OCSF data to support security investigations and threat-hunting activities”.
The OCSF could also be a useful resource for IT teams creating B2B applications because it offers “a well understood way of logging events and emitting telemetry”, says Agbabian. “Additionally, CISOs should have conversations with their trusted security partners and ask them about their roadmap to support OCSF,” he adds. “This will provide a timeline on when their teams can start to utilise OCSF data as part of their security operations processes.”
Following the lead of other industries
Carolyn Duby, field CTO and cyber security lead at Cloudera, is another big supporter of the OCSF. She says the cyber security industry has always needed such a framework because it depends on a large range of devices with differing schemas.
Duby points out that data-heavy industries like healthcare have their own frameworks, such as the Fast Healthcare Interoperability Resources (FHIR) standard, and that cyber security should be no different. She hopes the OCSF will provide similar benefits.
“Here, OCSF is very useful for cyber security as there are so many different devices being used on a day-to-day basis and each one looks at the schema a little bit differently,” says Duby. “This means that when you try to put all the data together, it can be hard to correlate because you don’t have that commonality. The standard resolves this issue and is helpful for data-processing tools.”
She says it is currently challenging for cyber security teams to analyse datasets because they come in many different formats and often produce error messages. But what is great about the OCSF is that it has been designed to improve the accessibility of data for the entire cyber security industry.
Duby adds: “The core components of the OCSF are that it is machine readable, provides commonality so all the same elements of the schema are called by the same names, and it is an interoperability standard that will provide consistency across the industry. At least, that’s the vision. Essentially, for any company running vast volumes of data, it will cut down data preparation time and eliminate having to complete repetitive tasks.”
Barriers to success
However, for the OCSF to achieve its goals, industry-wide adoption is paramount. That could be difficult because similar frameworks have failed in the past, says Duby. “The framework will be hugely beneficial for the whole industry,” she says. “However, its widespread adoption will rely on it being mandated as the appropriate standard by the industry’s legislative and regulatory bodies, such as the National Cyber Security Centre.
“We saw this happen with FHIR once the [US] Centre for Medicaid and Medicare Office adopted it as standard, it took it to the next level, and a whole industry group and community were built around it.”
Duby’s advice to CISOs is to take note of the standard, and monitor how it evolves and impacts different tools over time. They should then encourage their peers to adopt interoperability formats. “However, this will only happen if the standard is made to be a requirement, as it takes a lot of time, effort and resources to re-engineer products to support these formats, the interfaces and the way they collect data,” she says.
Organisations looking to adopt the OCSF will also need to educate their staff about the framework – particularly what it does, how it works and complying with it. Duby adds: “So, there’s a lot of work that vendors will have to do to make this happen. And it’s only going to happen if the industry requires it to happen.”
“SOC teams will be overwhelmed with the wider and deeper detection data they receive with no associated threat intelligence. Think whack-a-mole on steroids – more moles popping up, even faster, from more holes – but your hammer is still the same”
Steve Benton, Anomali
Steve Benton, vice-president of threat research at Anomali, agrees that the OCSF is a step in the right direction for the cyber security industry – but he is concerned that it could overwhelm the vast majority of security teams and become difficult to manage.
“SOC teams will be overwhelmed with the wider and deeper detection data they receive with no associated threat intelligence,” he says. “Think whack-a-mole on steroids – more moles popping up, even faster, from more holes – but your hammer is still the same. And now you’ll have more false positives to resolve and risk sliding down rabbit holes.”
Something else that could hinder the success of the framework is the lack of Mitre ATT&CK integration. Benton says security teams rely on Mitre ATT&CK to understand and prevent cyber security vulnerabilities and attacks.
“Any strong security team will have ATT&CK embedded into how they operate and will certainly raise more than an eyebrow at its current absence from the standard,” he says. “The standard, when adopted into products, will unify detection, but organisations will still have to rely on moving from screen to screen to view different data and information to determine and execute their response across their infrastructure – versus ‘one screen’, which is the ideal.”
Data collection and analysis form an integral part of successful cyber security teams. And to date, the secluded and distributed nature of data and telemetry security tools has held CISOs and their teams back in combating cyber crime. The OCSF will certainly make it easier for cyber security professionals and teams to understand security data – but adoption challenges remain.
