This week marks the first anniversary of the Open Cybersecurity Schema Framework (OCSF), an essential open-source initiative dedicated to the standardization of event formats across security data. This landmark achievement in cybersecurity establishes a common foundation that will reshape how organizations combat ever-evolving cyber threats. Let’s look at the traction and momentum of OCSF so far, and what its future holds.
Changing the Cybersecurity Game
Launched at Black Hat USA 2022 by Splunk, Amazon Web Services (AWS), IBM, and 15 other leading cybersecurity firms, OCSF aims to eliminate security data silos and unify the way data is handled across different vendors and applications.
The open-source project has since grown to more than 145 organizations and 435 individual contributors, roughly an eight-fold increase in participating companies since launch. Fortune 500 enterprises and public sector agencies have also begun adopting the OCSF schema, a sign that it is proving useful in production and not only among the vendors that wrote it.
“It’s a huge step in the right direction because, undoubtedly the lion’s share of investigation time is spent on trying to normalize, clean, and align contexts from across these different data sources throughout the ecosystem,” explained Patrick Coughlin, VP of Technical GTM for Splunk. “Everybody’s got a different structure, a different format, a different ontology. I think the adoption that we’ve had in the last 12 months—going from a dozen or so companies and a handful of participants to 145 official companies, and hundreds of participants in the project—demonstrates not only the demand for this but also the willingness of the community to put aside competitive differences that often get in the way of making real progress on these kinds of standards in the end.”
The Core Principles of OCSF
OCSF defines a vendor-agnostic schema for security events: a consistent set of event classes, field names and value semantics that any product can emit and any analytics tool can consume. Because the data arrives in one shape, security teams can skip the time-consuming normalization step that otherwise precedes every detection or investigation. That shortens time-to-detection and lets teams spend their effort on what matters, identifying and investigating threats.
OCSF is instrumental in removing obstacles to data exchange. By relieving teams of the burden of translating between disparate formats, OCSF lets them work with the security-relevant content of an event rather than its packaging, which streamlines the threat detection process.
A common language for analyzing and protecting environments also improves detection accuracy. When the same user, source address and timestamp fields carry the same names and meaning regardless of which product produced them, it is easier to connect the dots across sources and recognize patterns that would otherwise slip through the cracks unnoticed.
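To make the normalization and cross-source correlation described above concrete, here is an added example that is not part of the original article or of the OCSF project's own code. It maps two constructed vendor log formats (a syslog-style sshd line and a JSON record in a hypothetical vendor's own shape, with Windows-style event IDs) into events shaped like the OCSF Authentication class, then runs one detection over the merged stream. The class, activity and status identifiers are the ones published for that class (3002, logon = 1, success = 1, failure = 2); the sample log lines, the product names and the detection threshold are assumptions made for the example.

```python
"""Normalize two constructed vendor log formats into OCSF-shaped
Authentication events and run one detection over the merged stream.
Added example, not code from the original article or the OCSF project."""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# OCSF Authentication event class identifiers (IAM category).
CLASS_UID_AUTHENTICATION = 3002
CATEGORY_UID_IAM = 3
ACTIVITY_LOGON = 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SEVERITY_INFORMATIONAL = 1

# Constructed sample input: Linux sshd lines in syslog style (assumption).
SSHD_LINES = [
    "2023-08-07T14:02:11Z bastion sshd[2101]: Failed password for alice from 203.0.113.9 port 52110 ssh2",
    "2023-08-07T14:02:15Z bastion sshd[2101]: Failed password for alice from 203.0.113.9 port 52112 ssh2",
    "2023-08-07T14:03:40Z bastion sshd[2107]: Accepted publickey for bob from 198.51.100.4 port 40022 ssh2",
]

# Constructed sample input: JSON records in a hypothetical vendor's own shape,
# reusing the Windows Security log numbering 4624 = success, 4625 = failure.
VENDOR_JSON_RECORDS = [
    '{"ts": "2023-08-07 14:02:20", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.9", "Computer": "fs01"}',
    '{"ts": "2023-08-07 14:02:25", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.9", "Computer": "fs01"}',
    '{"ts": "2023-08-07 14:05:00", "EventID": 4624, "TargetUserName": "carol", "IpAddress": "192.0.2.77", "Computer": "fs01"}',
]

# Matches the two sshd outcomes used above; "invalid user" lines are not handled.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def ocsf_auth_event(ts_ms, user, src_ip, host, success, product, vendor):
    """Build one OCSF Authentication (class_uid 3002) logon event."""
    return {
        "class_uid": CLASS_UID_AUTHENTICATION,
        "category_uid": CATEGORY_UID_IAM,
        "activity_id": ACTIVITY_LOGON,
        "type_uid": CLASS_UID_AUTHENTICATION * 100 + ACTIVITY_LOGON,
        "time": ts_ms,  # epoch milliseconds
        "severity_id": SEVERITY_INFORMATIONAL,
        "status_id": STATUS_SUCCESS if success else STATUS_FAILURE,
        "actor": {"user": {"name": user}},
        "src_endpoint": {"ip": src_ip},
        "dst_endpoint": {"hostname": host},
        "metadata": {"version": "1.0.0", "product": {"name": product, "vendor_name": vendor}},
    }


def from_sshd(line):
    """Map one sshd line to an OCSF event; returns None for lines we do not parse."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ocsf_auth_event(int(ts.timestamp() * 1000), m["user"], m["ip"], m["host"],
                           m["result"] == "Accepted", "sshd", "OpenSSH")


def from_vendor_json(record):
    """Map one hypothetical vendor JSON record to an OCSF event."""
    r = json.loads(record)
    ts = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ocsf_auth_event(int(ts.timestamp() * 1000), r["TargetUserName"], r["IpAddress"],
                           r["Computer"], r["EventID"] == 4624, "Security", "Example Corp")


def normalize_all():
    """One time-ordered stream of OCSF events from both sources."""
    events = [e for e in map(from_sshd, SSHD_LINES) if e]
    events += [from_vendor_json(r) for r in VENDOR_JSON_RECORDS]
    return sorted(events, key=lambda e: e["time"])


def failed_logons_by_source(events, threshold=3):
    """Detection: failed logons per (user, source ip) counted across every product.
    The rule is written once against OCSF fields, not once per vendor format."""
    counts = Counter(
        (e["actor"]["user"]["name"], e["src_endpoint"]["ip"])
        for e in events
        if e["class_uid"] == CLASS_UID_AUTHENTICATION and e["status_id"] == STATUS_FAILURE
    )
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    evts = normalize_all()
    print(json.dumps(evts[0], indent=2))
    print(failed_logons_by_source(evts))
```

Neither source alone crosses the threshold of three failures for alice from 203.0.113.9, but the merged OCSF stream does, which is the cross-source correlation the text is describing. In a real pipeline the parsers would be replaced by the producer's own OCSF output or a mapping layer, and the detection would stay unchanged.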
The schema continually evolves, thanks to hundreds of contributors refining and adapting it to fit various security and IT use cases. This epitomizes the core principles of open-source software: transparency, participation, and collaboration.
Endorsements and Real-World Impact
Several industry leaders have expressed strong support for OCSF. Sridhar Muppidi, CTO of IBM Security, highlighted the importance of cross-industry collaboration in adapting to the evolving threat landscape. “This helps us at least get the journey started. I’m hoping that in the future we will see the maturity for sharing data like IOCs and IOBs and other things as well.”
Real-world applications of OCSF were also shared. Comcast Technology Solutions’ Head of DataBee Field Architecture, Matthew Tharp, credited OCSF with organizing cybersecurity data chaos, while Michelle Abraham, Research Director at IDC, praised the framework’s exponential growth and delivery of a production version of the schema.
OCSF’s First Anniversary: Reflecting on Achievements
As OCSF celebrates its first year, it’s crucial to acknowledge the transformative impact it has had on the cybersecurity industry. By providing an open and extensible framework, OCSF has empowered organizations to integrate a unified schema into various environments and applications, enhancing their ability to fend off cyber threats.
The collaborative spirit of OCSF, combined with its practical benefits, marks a shift in how the industry handles one of its oldest problems: getting security data from many products into a form that can be analyzed together. The framework's growth and the endorsement from industry giants demonstrate its role in shaping a more resilient and agile cybersecurity landscape.
Collaborating for a More Secure Future
The Open Cybersecurity Schema Framework is an example of open collaboration in an industry where agility and efficiency are paramount. By fostering a community-driven approach and providing a standardized, vendor-agnostic schema, OCSF marks a significant milestone in the ongoing battle against cyber threats.
I asked Mark Ryland, Director for the Office of the CISO at AWS, if he believes the momentum of OCSF will make it a differentiator among vendors, or something that customers will seek out when choosing products and services. “It should, but I also think that it won’t end up being that differentiating just because of the breadth of adoption—it’s more like an exclusion factor rather than a bonus factor. I think the same thing will happen in procurements or RFPs—whether government or private sector. They’ll just write that into the procurement and say, ‘You’ve got to support this.’”
Ryland summed up, “The value of the standard will continue to create additional momentum and so it will just become very commonplace.”
The first anniversary of OCSF reflects a successful first year and points to continued growth, adaptation and innovation in cybersecurity.