It’s Time to Normalize Cyberattack Data
Here an attack, there an attack, everywhere an attack. Just tracking security issues today is misery. Making matters worse, there’s little rhyme or reason to coordinating attack data. A coalition of cybersecurity and technology groups wants to fix that with an open source effort to break down data security silos: The Open Cybersecurity Schema Framework (OCSF).
Today, security groups don’t have a common lingua franca to discuss the threats they face. We’ve known this has been a problem for ages. There have been efforts to fix it before, such as the MITRE Att&ck Framework, but more needs to be done.
Launched at Black Hat
So at Black Hat USA 2022, Amazon Web Services (AWS) and Splunk, building on Broadcom/Symantec’s ICD Schema work, created a schema to help organizations detect, investigate and stop cyberattacks faster and more effectively. They’re not the only ones behind OCSF. Fifteen other companies — Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler — are also backing the project.
Why does it have so much support? Simple. As Sam Adams, Rapid7’s Vice President of Detection and Response, explained in a blog post, “The key to efficiently detecting and rapidly responding to today’s threats and attacks is data and how you use that data.”
But, that’s easier said than done. That’s because Mark Ryland, AWS’s Director of the Office of the CISO, wrote, “Interoperability and data normalization between security products is a challenge. Security teams have to correlate and unify data across multiple products from different vendors in a range of proprietary formats; that work has a growing cost associated with it. Instead of focusing primarily on detecting and responding to events, security teams spend time normalizing this data as a prerequisite to understanding and response.”
So, Ryland continued, “We believe that use of the OCSF schema will make it easier for security teams to ingest and correlate security log data from different sources, allowing for greater detection accuracy and faster response to security events.”
The Framework
To make this happen, the OCSF is an open source effort to create an open standard. Its purpose is to deliver a simplified and vendor-agnostic taxonomy to help all security teams realize better, faster data ingestion and analysis without the time-consuming, up-front normalization tasks.
To do this, OCSF is made up of a set of data types, an attribute dictionary, and a taxonomy. While not restricted to cybersecurity, its initial focus has been to establish a schema for cybersecurity events. The framework is agnostic to storage format, data collection, and Extract, Transform, Load (ETL) processes. The core schema for cybersecurity events will be implementation agnostic The schema framework definition files, and its normative schema is written as JSON. For more on OCSF’s technical details, see Understanding the OCSF.
Incorporating the Standard
The hope is that as an open standard, it will be adopted and used with existing security standards and processes. Then, as developers and users incorporate OCSF into their products and processes, security data normalization will become simpler and less burdensome. This, in turn, will enable security teams to do better at analyzing attack data, identifying threats, and defending their organizations from cyberattacks.
Ultimately, John Graham-Cumming, Cloudflare’s CTO, said in a statement, “Every business deserves a simple, straightforward way to analyze and understand the security landscape — and that starts with their data. By participating in the OCSF, we hope to help the entire security industry focus on doing the work that matters instead of wasting countless hours and resources on formatting data.”
I hope this is true. I hate wasting time. And time is one thing we never have enough of when we’re dealing with a security problem. If OSCF can succeed in its aims, it will be a major step forward in dealing with large-scale security problems.
