Open Cybersecurity Schema Framework (OCSF) Takes Flight with v1.0 Schema Release

It is not very often that we see cybersecurity vendors put aside competitive differences and ambitions to work towards a common goal that benefits the entire cybersecurity community. The Open Cybersecurity Schema Framework (OCSF) has shown to be an example of a productive industry-wide collaboration to facilitate a more secure environment for businesses, governments and individuals all over the globe. 

In just a year since its founding, OCSF has experienced more than an eightfold increase in the number of contributing organizations, released the production version of its core security schema and witnessed the rise of OCSF-native products, such as Amazon Security Lake and AWS AppFabric. 

An open-source project created by Splunk, AWS, IBM and 15 other security and technology companies, OCSF helps remove security data silos and standardize data formats across security tools to help defenders eliminate the data normalization “tax” and more rapidly and holistically detect and neutralize cyber threats. OCSF achieves this goal by delivering an extensible framework for developing data schemas, along with a vendor-agnostic core security schema. 

Security vendors and other data producers adopt and extend the OCSF schema for their specific domains and map their existing schemas to OCSF in order to help security teams simplify the ingestion and exchange of data between security tools for faster and more accurate threat detection and investigation. Organizations that leverage OCSF for their internal data lake projects have a well understood, standardized target for their own analytics use cases.

OCSF benefits from hundreds of participants — that now include not only vendors, but also enterprises, educational institutions and individual contributors — who are continually refining and expanding the schema to fit various security and IT use cases. OCSF embodies the principles of open-source software: transparency, participation and collaboration. 

The Value of OCSF

A large enterprise can have more than a hundred security solutions in its arsenal. To be able to accurately pinpoint advanced threats, security teams must analyze data from their security toolstack holistically. 

Since different security solutions use disparate data formats, security and detection engineering teams end up spending time and resources on normalizing the data prior to being able to perform the analyses and investigations necessary to identify and respond to cyber attacks. Even if the organization has the capacity to build and maintain automatic "translators" that help security tools exchange data, a schema is required, and if it isn’t comprehensive and extensible, lots of security-relevant information gets lost or distorted in translation.

OCSF helps organizations solve the security data disparity problem. Security solutions that utilize the OCSF schema produce data in the same consistent format, while unambiguously capturing the full semantics of security information. Consequently, defenders can save time, effort and cost on normalizing disparate security data and start analyzing it sooner.

The OCSF Schema

As I have discussed in previous blogs, OCSF schema is built on the OCSF framework. The schema is developed as a set of categories, event classes, profiles, dictionary and validatable data types. Since the RC2 schema release candidate, a few improvements have been made to the framework, most notably platform extensions introduced with the RC3 release candidate. The first platform extension was developed for Linux, soon followed by the refactoring of Windows specific schema into a Windows platform extension.

These extensions are identical in structure to any other schema extensions, for example, vendor or organization extensions, however, the platform extensions to the core are considered part of the standardized OCSF 1.0 schema.

There are quite a number of additions, changes, and improvements between RC2 and RC3 core schemas, too many to discuss here. The intention of RC3 announced last May was for it to be the final candidate for the 1.0 GA, announced today. Only the most important change requests, agreed upon by a plurality of contributors, were considered and accepted for 1.0. The majority of these changes turned out to be improved descriptions and usage examples, but there were a very few things that upon attempted implementation stood out as required changes. If you have implemented against RC3, you are most likely good to go for 1.0.

If your implementation was based on RC2, I encourage you to explore the OCSF schema browser and compare the RC2 and 1.0 schemata to fully investigate the changes, as 1.0 contains many improvements over RC2.

Onward, Upward

As an OCSF co-founder and Steering Committee member alongside AWS and IBM, Splunk is excited to see how the involvement of over 145 organizations and 435 individual participants has propelled OCSF into an industry-wide initiative that solves a critical customer problem. Today, security teams that use solutions based on the OSCF schema can extract greater value from data faster, helping make their organizations better protected and more resilient. 

The 1.0 release is clearly an important milestone, but there is much more to come. We invite you to participate in the upcoming 1.1 work that is currently in flight.

Any member of the cybersecurity community can benefit from and contribute to OCSF. We encourage defenders to learn more about the OCSF project and how to join on the OCSF GitHub site.

Onward and upward for the common good!

Paul Agbabian
Posted by

Paul Agbabian

Paul is responsible for technology strategy and architecture for the Security business unit at Splunk. Prior to joining Splunk, Paul was a Broadcom Fellow and the Global CTO and Chief Architect of the Symantec Enterprise Security Business Unit.