The Black Hat USA cybersecurity conference was on in Las Vegas this week, featuring exciting cybersecurity news and demonstrations. One of the most interesting tidbits to break is a new common data standard for sharing cybersecurity information called the Open Cybersecurity Schema Framework (OCSF). It was developed by 18 major tech and cybersecurity companies, including Amazon, Splunk, and IBM.
So why is something like this necessary? Monitoring the computers systems under their purview is a major challenge for cybersecurity departments. In order to stop hacks—or piece together what happened after one—these departments need to be able to see information about things like the number of recent login attempts, what files have been accessed, and when it’s all happened. To do this, they typically use a lot of different software—most of which uses its own proprietary data structures.
This lack of interoperability between the different security systems data is a big issue. In Amazon’s press release announcing the OCSF framework, Mark Ryland, director of AWS’s office of the CISO, says, “Security teams have to correlate and unify data across multiple products from different vendors in a range of proprietary formats… Instead of focusing primarily on detecting and responding to events, security teams spend time normalizing this data as a prerequisite to understanding and response.”
In other words, cybersecurity teams aren’t solving cybersecurity problems: they’re using spreadsheets to try and get the data they need from one product to line up with the data they need from another.
For example, one bit of software might track logins and login attempts, another tracks what logged-in users do with files on the server, and a third tracks admin access and other high-level requests. Then, assume a hacker breaks into a computer system, installs a bit of malware into a particular folder, and uses that piece of malware to get admin access—all so they can download a load of industry secrets or whatever their target might be.
To follow or recreate this complex (though incredibly simplified, in this example) sequence of events, the cybersecurity team will have to combine data from all three logging tools. The login-tracking app will report how the hacker got in, the file-tracking app will report the malware install and the download of all the important files, while the admin-tracking app will report how and when they did it. Unless all three apps use the same data format (which they presently don’t), that’s going to involve a lot of data manipulation.
What the OCSF does is create an open data format that any product vendor can use. This means that different security, hosting, and other relevant tech products can all work together much more easily. Instead of the login, file, and admin-tracking apps all having their own proprietary way of logging timestamps, they’d all be able to use the same standardized data structure. That way, the cybersecurity team could easily track—and ideally stop—the hacker.
The framework isn’t just wishful thinking. It’s been introduced at one of the most important cybersecurity conferences in the world by some of the biggest names in tech and cyber security. In addition to Amazon, Splunk, and IBM, Broadcom, Salesforce, Rapid7, Tanium, Cloudflare, Palo Alto Networks, DTEX, CrowdStrike, JupiterOne, Zscaler, Sumo Logic, IronNet, Securonix, and Trend Micro were all involved in developing OCSF—and all are working towards including it in their products.
As Ryland says in Amazon’s press release, “Although we as an industry can’t directly control the behavior of threat actors, we can improve our collective defenses by making it easier for security teams to do their jobs more efficiently.” And more efficient cybersecurity teams are better at doing what matters: keeping all of our data safe.