Black Hat: AWS and Splunk are leading an initiative aimed at creating an open standard for ingesting and analyzing data, enabling enterprise security teams to more quickly respond to cyberthreats.
Seventeen security and tech companies at the Black Hat USA 2022 show this week unveiled the Open Cybersecurity Schema Framework (OCSF) project, which will use the ICD Schema developed by Symantec as the foundation for the vendor-agnostic standard.
The creation of the OCSF, licensed under the Apache License 2.0, comes as organizations are seeing their attack surfaces rapidly expand as their IT environments become increasingly decentralized, stretching from core datacenters out to the cloud and the edge. Parallel with this, the number and complexity of the cyberthreats they face is growing quickly.
“Today’s security leaders face an agile, determined and diverse set of threat actors,” officials with cybersecurity vendor Trend Micro, one of the initial members of OCSF, wrote in a blog post. “From emboldened nation state hackers to ransomware-as-a-service (RaaS) affiliates, adversaries are sharing tactics, techniques and procedures (TTPs) on an unprecedented scale – and it shows.”
Trend Micro blocked more than 94 billion threats in 2021, a 42 percent year-on-year increase, and 43 percent of organizations responding to a survey from the vendor said their digital attack surface is getting out of control.
Cybersecurity vendors have responded by creating platforms that combine attack surface management, threat prevention, and detection and response to make it easier and faster for enterprises to counter attacks. They streamline processes, close security gaps, and reduce costs, but they’re still based on vendor-specific products and point offerings.
Vendors may use different data formats in their products, which means moving datasets from one vendor’s product to that of another often requires the time-consuming task of changing the format of the data.
“Unfortunately, normalizing and unifying data from across these disparate tools takes time and money,” Trend Micro said. “It slows down threat response and ties up analysts who should be working on higher value tasks. Yet up until now it has simply become an accepted cost of cybersecurity. Imagine how much extra value could be created if we found an industry-wide way to release teams from this operational burden?”
Dan Schofield, program manager for technology partnerships at IBM Security, another OCSF member, wrote that the lack of open industry standards for logging and event purposes creates challenges when it comes to detection engineering, threat hunting, and analytics, and until now, there has been no critical mass of vendors willing to address the issue.
Mark Ryland, director of the Office of the CISO at AWS, wrote in a blog post that organizations have said that interoperability and data normalization between security products is difficult, forcing security teams to correlate and unify data across multiple products from different vendors, each in its own proprietary format.
The OCSF schema will “make it easier for security teams to ingest and correlate security log data from different sources, allowing for greater detection accuracy and faster response to security events,” Ryland wrote. “Although we as an industry can’t directly control the behavior of threat actors, we can improve our collective defenses by making it easier for security teams to do their jobs more efficiently.”
AWS has worked with other project members to create the specs and tools that are available to cybersecurity vendors and partners as well as enterprises and other organizations. The public cloud giant also is contributing engineering, training, and guideline support to the standardization effort.
The Integrated Cyber Defense Exchange (ICDx) from Symantec, a division of Broadcom, is used to normalize incoming event data for the company’s ICD Schema, which organizes attributes and objects into event types that are put into various categories.
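As an added illustration of the normalization problem the article describes, here is a small Python normalizer that takes two constructed vendor log formats and maps them into one common shape, layered the way the text describes: attributes and objects (user, source and destination endpoints) inside event classes, and event classes inside categories. This is example code, not code from the OCSF project, Symantec's ICDx, or any vendor named here; the class and category names, the numeric ids, the two vendor formats and the sample records are all assumptions made for the example.

```python
"""Normalize two constructed vendor log formats into one common event shape.
Field names, numeric ids and both vendor formats are assumptions for this example."""
import json
from datetime import datetime, timezone

# Assumed category/class table (attributes grouped into classes, classes into categories).
CLASSES = {
    "authentication":   {"category_uid": 3, "category_name": "Identity & Access Management",
                         "class_uid": 3002, "class_name": "Authentication"},
    "network_activity": {"category_uid": 4, "category_name": "Network Activity",
                         "class_uid": 4001, "class_name": "Network Activity"},
}
# Activity ids are assumptions; 99 stands for "Other" when a vendor value is unmapped.
ACTIVITIES = {"authentication": {"logon": 1, "logoff": 2},
              "network_activity": {"open": 1, "close": 2}}
OTHER_ACTIVITY = 99
REQUIRED = ("category_uid", "class_uid", "activity_id", "severity_id", "time", "metadata")


def _base_event(kind, vendor, product, when_utc, activity, severity_id):
    """Build the common envelope: class/category ids plus metadata attributes."""
    evt = dict(CLASSES[kind])
    evt["activity_id"] = ACTIVITIES[kind].get(activity, OTHER_ACTIVITY)
    evt["activity_name"] = activity if evt["activity_id"] != OTHER_ACTIVITY else "Other"
    evt["severity_id"] = severity_id
    evt["time"] = int(when_utc.timestamp() * 1000)  # epoch milliseconds, UTC
    evt["metadata"] = {"version": "example-0.1",
                       "product": {"vendor_name": vendor, "name": product}}
    return evt


def normalize_vendor_a(raw_json):
    """Vendor A (constructed): JSON auth events with ISO timestamps and a 'result' field."""
    r = json.loads(raw_json)
    when = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
    activity = {"LOGIN": "logon", "LOGOUT": "logoff"}.get(r["action"], r["action"].lower())
    evt = _base_event("authentication", "VendorA", "IdP", when, activity,
                      severity_id=3 if r["result"] == "FAIL" else 1)
    evt["status"] = "Failure" if r["result"] == "FAIL" else "Success"
    evt["user"] = {"name": r["user"]}              # object: the account involved
    evt["src_endpoint"] = {"ip": r["client_ip"]}   # object: where the attempt came from
    return evt


def normalize_vendor_b(raw_line):
    """Vendor B (constructed): space-separated key=value firewall lines, epoch seconds."""
    kv = dict(tok.split("=", 1) for tok in raw_line.split())
    when = datetime.fromtimestamp(int(kv["epoch"]), tz=timezone.utc)
    activity = {"NEW": "open", "END": "close"}.get(kv["state"], kv["state"].lower())
    evt = _base_event("network_activity", "VendorB", "NGFW", when, activity, severity_id=1)
    evt["src_endpoint"] = {"ip": kv["src"], "port": int(kv["sport"])}
    evt["dst_endpoint"] = {"ip": kv["dst"], "port": int(kv["dport"])}
    evt["disposition"] = "Blocked" if kv.get("verdict") == "DROP" else "Allowed"
    return evt


def validate(evt):
    """Return the missing envelope fields; an empty list means the event conforms."""
    return [f for f in REQUIRED if f not in evt]


def normalize_all(records):
    """Dispatch on vendor format and keep only events that pass validation."""
    out = []
    for fmt, raw in records:
        evt = normalize_vendor_a(raw) if fmt == "A" else normalize_vendor_b(raw)
        if not validate(evt):
            out.append(evt)
    return out


def failed_logons_by_user(events):
    """One detection query that works regardless of which vendor produced the data."""
    counts = {}
    for e in events:
        if e["class_uid"] == CLASSES["authentication"]["class_uid"] and e.get("status") == "Failure":
            counts[e["user"]["name"]] = counts.get(e["user"]["name"], 0) + 1
    return counts


# Constructed sample input: two formats from two fictional vendors.
SAMPLE = [
    ("A", '{"ts":"2022-08-10T14:02:11Z","user":"alice","action":"LOGIN","result":"FAIL","client_ip":"203.0.113.7"}'),
    ("A", '{"ts":"2022-08-10T14:02:19Z","user":"alice","action":"LOGIN","result":"FAIL","client_ip":"203.0.113.7"}'),
    ("A", '{"ts":"2022-08-10T14:03:40Z","user":"bob","action":"LOGIN","result":"OK","client_ip":"198.51.100.4"}'),
    ("B", "epoch=1660140150 state=NEW src=203.0.113.7 sport=51234 dst=192.0.2.10 dport=443 verdict=DROP"),
    ("B", "epoch=1660140190 state=WEIRD src=203.0.113.7 sport=51240 dst=192.0.2.10 dport=22 verdict=ALLOW"),
]

if __name__ == "__main__":
    events = normalize_all(SAMPLE)
    for e in events:
        print(e["class_name"], e["activity_name"], e.get("user", e["src_endpoint"]))
    print(failed_logons_by_user(events))
```

The point of the shape is the last function: once both feeds carry the same class id, status attribute and user object, a single rule counts failed logons without caring which vendor wrote the record. The unmapped vendor B state shows the other half of the job: rather than dropping a record the normalizer cannot fully classify, it keeps it under an explicit "Other" activity so the analyst can see that the mapping, not the data, is incomplete.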
Trend Micro compared the OCSF initiative to other security-based frameworks, like MITRE ATT&CK for tactic classification and STIX/TAXII for threat intelligence.
Vendors over the years have collaborated with each other, enterprises, and governments in areas including sharing intelligence to address cybersecurity threats; however, more needs to be done.
Analyst firm ESG said in a cybersecurity report published last month that 77 percent of survey respondents want to see more cooperation among vendors in developing open standards and 85 percent said the ability of a product to integrate with others was important.
“It’s well understood that data is the lifeblood of security operations centers, but oftentimes, that data needs to be manipulated and normalized to be in a form that can be used by the teams and tools the SOC relies upon,” wrote Paul Agbabian, distinguished engineer and vice president for technology strategy for Splunk’s security business unit. “There’s a lot of industry sentiment in support of simplifying data normalization.”
Other OCSF members are Cloudflare, CrowdStrike, DTEX, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, and Zscaler. ®