Splunk Announces Participation in the Open Cybersecurity Schema Framework (OCSF) Project
There’s a myth from antiquity known as the Tower of Babel, where people were working together to build a tower to the heavens, only to lose the ability to communicate with one another via divine intervention. Essentially, the groups began speaking their own languages and were unable to complete the tower. So, why are we talking about myths in a cybersecurity blog? It happens to serve as an accurate analogy to a long-held challenge in security operations: data normalization across multiple security tools.
It’s well understood that data is the lifeblood of security operations centers, but oftentimes, that data needs to be manipulated and normalized to be in a form that can be used by the teams and tools the SOC relies upon. Depending on the number of tools, formats and support infrastructure, this task can get expensive in terms of people, budget and resources.
There’s a lot of industry sentiment in support of simplifying data normalization. As a matter of fact, ESG released a report in July 2022 titled “Technology Perspectives from Cybersecurity Professionals” that illuminates this desire. In the report, Jon Oltsik, Senior Principal Analyst and ESG Fellow calls out two key findings:
- “77% of respondents would like to see more industry and technology cooperation in the form of open standards support”
- “85% of respondents believe that a product’s integration capabilities are important”
Cybersecurity is ready to move on from silos and into an open, integrated era of interoperability and cooperation.
The OCSF project was conceived and initiated by AWS and Splunk, building upon the ICD Schema work done at Symantec, a division of Broadcom. Through collaboration with joint customers and an analysis of the needs of the security operations market, the core group grew to include a total of 18 initial technology and security organizations, all contributing to the public release.
The initial coalition of organizations consists of AWS, Broadcom, Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Splunk, Sumo Logic, Tanium, Trend Micro, and Zscaler.
The creation and adoption of an open source security data schema standard by both the producers and consumers of security-relevant data removes a long-standing obstacle faced by security teams worldwide. Today, teams spend significant time and resources unifying data from the different tools and vendors they rely upon before they can effectively use that data to detect and investigate security threats: each product names fields differently, encodes timestamps and outcomes differently, and ships in a different transport format, so every new source means another custom parser and another set of field mappings before a single shared detection can run across all of them.
With the Open Cybersecurity Schema Framework, the industry works together to relieve security teams of the work of collecting and normalizing data so they can focus on analyzing it. In the same way that STIX/TAXII gives threat intelligence a common exchange format and the MITRE ATT&CK framework gives tactics and techniques a common classification, OCSF gives security event data a common schema, simplifying threat detection and investigation for security teams everywhere. We believe now is the time and OCSF is the vehicle to drive unification of security event data for the benefit of all cybersecurity teams and organizations.
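To make the normalization burden concrete, here is an added example that is not part of the original post and not code from Splunk or the OCSF project. It takes two constructed logon records, one JSON record from a hypothetical vendor and one sshd-style syslog line, and maps both into a single OCSF-style Authentication event so that one detection (collect users with failed logons) works across both sources. The class, category, activity and status identifiers and the field names are assumptions drawn from the published OCSF schema as the author recalls it; check them against https://schema.ocsf.io before relying on them. Note the two classic normalization traps the parsers have to handle: the syslog line carries no year or time zone, and the two products encode success versus failure in completely different ways.

```python
"""Added example: normalize two constructed vendor logon records into an
OCSF-style Authentication event. Not Splunk or OCSF project code."""
import json
import re
from datetime import datetime, timezone

# OCSF identifiers for the Authentication class (assumed from the published
# schema; verify against https://schema.ocsf.io before use).
OCSF_CLASS_AUTHENTICATION = 3002   # class_uid: Authentication
OCSF_CATEGORY_IAM = 3              # category_uid: Identity & Access Management
ACTIVITY_LOGON = 1                 # activity_id: Logon
STATUS_SUCCESS, STATUS_FAILURE = 1, 2

# Constructed sample inputs; these are not real product output.
VENDOR_A_JSON = '{"ts":"2022-08-10T14:03:22Z","user":"alice","src":"203.0.113.7","result":"ok"}'
VENDOR_B_SYSLOG = "Aug 10 14:05:41 vpn01 sshd[2291]: Failed password for bob from 198.51.100.9 port 51022 ssh2"

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_vendor_a(line):
    """Vendor A: ISO-8601 UTC timestamp, outcome encoded as the string 'ok'."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return {
        "time": int(ts.timestamp() * 1000),   # OCSF time is epoch milliseconds
        "user": rec["user"],
        "src_ip": rec["src"],
        "success": rec["result"] == "ok",
    }


def parse_vendor_b(line, year=2022):
    """Vendor B: BSD syslog. No year and no zone on the line, so both must be
    supplied by the collector; here we assume UTC and the given year."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line: %r" % line)
    ts = datetime.strptime(
        "%d %s %s %s" % (year, m["mon"], m["day"].strip(), m["hms"]),
        "%Y %b %d %H:%M:%S",
    ).replace(tzinfo=timezone.utc)
    return {
        "time": int(ts.timestamp() * 1000),
        "user": m["user"],
        "src_ip": m["ip"],
        "success": m["outcome"] == "Accepted",
    }


def to_ocsf_authentication(parsed, product):
    """Build the common event. Field names follow the OCSF Authentication
    class as assumed above (user, src_endpoint, metadata.product)."""
    return {
        "class_uid": OCSF_CLASS_AUTHENTICATION,
        "category_uid": OCSF_CATEGORY_IAM,
        "activity_id": ACTIVITY_LOGON,
        "status_id": STATUS_SUCCESS if parsed["success"] else STATUS_FAILURE,
        "time": parsed["time"],
        "user": {"name": parsed["user"]},
        "src_endpoint": {"ip": parsed["src_ip"]},
        "metadata": {"product": {"name": product}, "version": "1.0.0"},
    }


def normalise(line, product):
    """Pick a parser by shape and emit one OCSF-style event."""
    parser = parse_vendor_a if line.lstrip().startswith("{") else parse_vendor_b
    return to_ocsf_authentication(parser(line), product)


def failed_logons(events):
    """A single detection that no longer cares which product produced the event."""
    return sorted(
        e["user"]["name"]
        for e in events
        if e["class_uid"] == OCSF_CLASS_AUTHENTICATION and e["status_id"] == STATUS_FAILURE
    )


if __name__ == "__main__":
    events = [normalise(VENDOR_A_JSON, "vendor-a"), normalise(VENDOR_B_SYSLOG, "vendor-b")]
    print(json.dumps(events, indent=2))
    print("failed logons:", failed_logons(events))
```

The point of the example is the ratio of code: two thirds of it is per-vendor parsing and timestamp repair, and only `failed_logons` is the analysis the SOC actually wanted. With producers emitting OCSF directly, the per-vendor parsers disappear and only the shared schema and the detection remain.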
To learn more about the public release of OCSF, check out the press release announcement at Black Hat 2022. For information on how to be a part of the OCSF project, head over to https://github.com/ocsf/.