The Announcement of OCSF: Open Cybersecurity Schema Framework
Symantec Enterprise helping lead the way into the future
For years, customers have asked the industry to come up with a way to make data more interoperable and to make it easier for tools to communicate with each other. Now we’ve finally done it.
At BlackHat 2022 several leading technology companies came together to announce a new open data standard for sharing cybersecurity information, called the Open Cybersecurity Schema Framework (OCSF). Essentially, OCSF gives customers a common way to share data from different security tools, and it is quite a big deal. The OCSF project was initiated by a partnership between Splunk and AWS, which built on the ICD Schema developed at Symantec—now part of Broadcom Software.
Adoption of OCSF
Until now, enterprise SOCs have had to invest great effort trying to make things work together, time that would be far better spent looking for threats. Think about this: the average SOC has been found to use around 45 different security tools. That leads to ongoing management headaches, considering how differently those tools store their telemetry.
When SOCs were first coming into their own, all of the large security software vendors touted their platforms as the solution. This “single vendor” solution did not work. Enterprises continued to rely on multiple vendors, and the result was incompatible data sets of security telemetry. Large enterprises ended up having to integrate all of their security tools on their own in order to have any ability to query the data. At most large companies, I see SOC teams that employ a full team of engineers who do nothing but convert data and update programs to handle new types of data.
It's not just the burden of having to do a lot of busywork on integration. Accuracy is another big problem. Since products store their data in many different ways, during conversion there’s a higher chance of error and exposure for the business.
This integration and conversion work gets tiring – fast – especially as enterprises add or upgrade their security infrastructure. No surprise that in more recent years, SOCs have become more outspoken and more demanding, telling vendors that they want products that are easier to integrate rather than standalone castles.
The Power of OCSF
OCSF is removing that hassle by facilitating a common way to store telemetry, making it far easier to integrate tools. Information can be passed from one tool to the next. The schema is consistent, and data flows seamlessly into the data lakes and analytics tools that the SOC relies on.
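To make “a common way to store telemetry” concrete, here is an added example (not code from the OCSF project or from Symantec/Broadcom) that normalizes two constructed vendor logon records, a syslog-style line and a JSON record, into a single OCSF-shaped Authentication event, then runs one detection query over the unified stream. The vendor formats, product names and timestamps are invented for the example; the OCSF identifiers used (Authentication class_uid 3002, category_uid 3, activity_id 1 for Logon, status_id 1/2 for Success/Failure, and the type_uid = class_uid * 100 + activity_id convention) are taken from the published OCSF schema, and the "1.0.0" schema version string is an assumption.

```python
"""Added example: normalize two vendor-specific logon records into one
OCSF-style Authentication event and query the unified stream."""
import json
import re
from datetime import datetime, timezone

# OCSF Authentication class identifiers (per the published OCSF schema).
OCSF_CLASS_AUTHENTICATION = 3002
OCSF_CATEGORY_IAM = 3
ACTIVITY_LOGON = 1
STATUS_SUCCESS = 1
STATUS_FAILURE = 2
SEVERITY_INFORMATIONAL = 1
OCSF_SCHEMA_VERSION = "1.0.0"  # assumption for this example

# Constructed sample input A: syslog-style line from a hypothetical "Vendor A" agent.
VENDOR_A_LINE = (
    "2022-08-10T14:03:21Z vendorA auth user=alice src=10.0.0.5 host=web01 result=FAIL"
)
# Constructed sample input B: JSON record from a hypothetical "Vendor B" appliance.
VENDOR_B_RECORD = {
    "ts": 1660140201000,          # epoch milliseconds, same instant as the line above
    "username": "alice",
    "client_ip": "10.0.0.5",
    "target": "web01",
    "outcome": "failure",
}


def _epoch_ms(iso_utc: str) -> int:
    """Convert an ISO-8601 UTC timestamp ('...Z') to epoch milliseconds (OCSF 'time')."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def _ocsf_auth_event(time_ms, user, src_ip, dst_host, success, product, raw) -> dict:
    """Build the common OCSF Authentication (Logon) event that every source maps into."""
    return {
        "category_uid": OCSF_CATEGORY_IAM,
        "class_uid": OCSF_CLASS_AUTHENTICATION,
        "activity_id": ACTIVITY_LOGON,
        "type_uid": OCSF_CLASS_AUTHENTICATION * 100 + ACTIVITY_LOGON,  # 300201
        "time": time_ms,
        "severity_id": SEVERITY_INFORMATIONAL,
        "status_id": STATUS_SUCCESS if success else STATUS_FAILURE,
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "dst_endpoint": {"hostname": dst_host},
        "metadata": {"product": {"name": product}, "version": OCSF_SCHEMA_VERSION},
        "raw_data": raw,  # keep the original record for forensics / re-parsing
    }


_VENDOR_A_RE = re.compile(
    r"^(?P<ts>\S+) vendorA auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+) result=(?P<res>\S+)$"
)


def normalize_vendor_a(line: str) -> dict:
    """Map a Vendor A syslog line to OCSF; refuse rather than guess on unknown input."""
    m = _VENDOR_A_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized Vendor A line: {line!r}")
    return _ocsf_auth_event(_epoch_ms(m["ts"]), m["user"], m["src"], m["host"],
                            m["res"] == "OK", "Vendor A Agent", line)


def normalize_vendor_b(rec: dict) -> dict:
    """Map a Vendor B JSON record to the same OCSF event shape."""
    return _ocsf_auth_event(rec["ts"], rec["username"], rec["client_ip"], rec["target"],
                            rec["outcome"] == "success", "Vendor B Appliance", json.dumps(rec))


def count_failed_logons(events, user: str) -> int:
    """One query, written once, that works across every source feeding the stream."""
    return sum(
        1 for e in events
        if e["class_uid"] == OCSF_CLASS_AUTHENTICATION
        and e["status_id"] == STATUS_FAILURE
        and e["user"]["name"] == user
    )


if __name__ == "__main__":
    events = [normalize_vendor_a(VENDOR_A_LINE), normalize_vendor_b(VENDOR_B_RECORD)]
    print(json.dumps(events, indent=2))
    print("failed logons for alice:", count_failed_logons(events, "alice"))
```

The point of the example is the last function: once both sources emit the same `class_uid`, `status_id` and `user.name` fields, the detection logic is written once and never has to know which vendor produced the record. The normalizers also raise on input they do not recognize instead of emitting a half-filled event, which is the kind of silent conversion error a per-tool integration tends to introduce.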
This project is particularly near and dear to my heart, as OCSF’s roots can be traced back to a Symantec Enterprise initiative to enable all of our products to correlate data. That initiative quickly uncovered the key challenges. It may seem simple, but getting multiple products to store data and treat machines, files, and events the same way is not easy. This standardization effort within Symantec grew into our Integrated Cyber Defense (ICD) platform. Fast forward to today, and the same schema and approach are now the foundation of the open-source project that resulted in OCSF.
The Future of OCSF
OCSF was designed by security engineers. It is meant to make things easier for the people who are involved in cybersecurity every day, and who face an increasingly complex landscape. We need more vendors to adopt the OCSF format to make it universal. Oftentimes, standards proposals get put forward that work to the benefit of particular companies. That’s not the case here. There’s no proprietary advantage for anyone who adopts OCSF. As an industry, we all benefit by doing the right thing for customers. Rallying behind a common standard just makes good sense.