Modern applications today are developed and deployed on distributed hybrid infrastructures. That makes them hard to monitor. Specifically, businesses find they are swamped with vast amounts of security-relevant telemetry and log data gathered by using multiple tools and technologies from different vendors. A new industry effort, dubbed the Open Cybersecurity Schema Framework (OCSF) project, aims to address this problem.
The project includes an open specification for the normalization of security telemetry across a wide range of security products and services, as well as open-source tools that support and accelerate the use of the OCSF schema. AWS, as a co-founder of the OCSF effort, helped create the specifications and tools that are available to all industry vendors, partners, customers, and practitioners.
Splunk is also a co-founder of the effort. And there are many other project participants, including Broadcom, Salesforce, Rapid7, Tanium, Cloudflare, Palo Alto Networks, DTEX, CrowdStrike, IBM Security, JupiterOne, Zscaler, Sumo Logic, IronNet, Securonix, and Trend Micro. The project is an open industry initiative. Anyone can participate in the evolution of the specification and tooling at https://github.com/ocsf.
OCSF extends the ICD Schema specifications originally developed by Broadcom’s Symantec division. It covers numerous data types, an attribute dictionary, and a taxonomy written in JSON. An overview of the specification can be found on GitHub.
The project aims to provide an extensible framework for providing interoperable core security schema not tied to a specific provider. According to a GitHub white paper written by Splunk distinguished engineer Paul Agbabian, “OCSF features an agnostic storage format, data collection, and extract, transform, and load (ETL) processes. The schema browser represents categories, event classes, dictionaries, data types, profiles, and extensions.”
Why is the Open Cybersecurity Schema Framework needed?
Monitoring has become the Achilles’ heel of modern applications. Businesses are often overwhelmed with alerts, traces, and log data. Much of the data is hard to assimilate, making it hard to analyze the information and spot security problems in the making and underway.
Security teams have to correlate and unify data across multiple products from different vendors, many of which use proprietary formats. That work has a growing cost associated with it. And worse, instead of focusing primarily on detecting and responding to events, security teams spend time normalizing this data as a prerequisite to understanding and responding to threats and incidents.
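To make the normalization burden concrete, here is an added example (not code from the OCSF project or from this article) that maps two constructed vendor-specific records, an sshd syslog line and a made-up JSON login event, into one minimal OCSF-style Authentication event, so a single query can then run across both sources. The field names and integer codes (category_uid 3, class_uid 3002, activity_id 1, status_id 1/2) follow the public OCSF schema as I understand it and should be treated as assumptions here, as should the constructed vendor names.

```python
"""Normalize two constructed vendor log formats into a minimal OCSF-style
Authentication event. Schema field names and codes are assumptions taken from
the public OCSF schema, not from this article."""
import json
import re
from datetime import datetime, timezone

# Constructed sample records in two vendor-specific formats (not real telemetry).
SYSLOG_LINE = "Mar 10 08:15:02 bastion sshd[4121]: Accepted publickey for alice from 10.0.0.7 port 51234 ssh2"
VENDOR_JSON = '{"evt":"user_login","result":"FAIL","user":"bob","srcIp":"203.0.113.5","ts":1710058502}'

SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")

def ocsf_auth_event(user, src_ip, success, time_ms, vendor, product):
    """Build the shared event shape; every source funnels into this one structure."""
    return {
        "category_uid": 3,                 # Identity & Access Management (assumed code)
        "class_uid": 3002,                 # Authentication (assumed code)
        "activity_id": 1,                  # Logon
        "severity_id": 1,                  # Informational
        "status_id": 1 if success else 2,  # 1 = Success, 2 = Failure
        "time": time_ms,                   # epoch milliseconds
        "actor": {"user": {"name": user}},
        "src_endpoint": {"ip": src_ip},
        "metadata": {"version": "1.0.0", "product": {"vendor_name": vendor, "name": product}},
    }

def from_sshd(line, year=2024):
    """Syslog carries no year, so the caller supplies one (assumed 2024 here)."""
    m = SSHD_RE.search(line)
    if not m:
        raise ValueError("not an sshd authentication line")
    stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ocsf_auth_event(m["user"], m["ip"], m["outcome"] == "Accepted",
                           int(stamp.timestamp() * 1000), "OpenBSD", "sshd")

def from_vendor_json(text):
    """The hypothetical vendor reports seconds and a string result; map both."""
    rec = json.loads(text)
    return ocsf_auth_event(rec["user"], rec["srcIp"], rec["result"] == "OK",
                           rec["ts"] * 1000, "ExampleVendor", "ExampleIdP")

def failed_logons(events):
    """With one schema, a single filter covers every vendor's feed."""
    return [e["actor"]["user"]["name"] for e in events
            if e["class_uid"] == 3002 and e["status_id"] == 2]

if __name__ == "__main__":
    events = [from_sshd(SYSLOG_LINE), from_vendor_json(VENDOR_JSON)]
    print(json.dumps(events, indent=2))
    print("failed logons:", failed_logons(events))
```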
When the OCSF project was announced in an AWS blog, the blog authors noted: “We believe that use of the OCSF schema will make it easier for security teams to ingest and correlate security log data from different sources, allowing for greater detection accuracy and faster response to security events. We see value in contributing our engineering efforts and also projects, tools, training, and guidelines to help standardize security telemetry across the industry. These efforts benefit our customers and the broader cybersecurity community.”
Building on previous efforts
The industry has long recognized the monitoring problem and has undertaken other work with similar goals to that of the OCSF project. For example, earlier this year saw the birth of OpenTelemetry, a framework that merged OpenCensus and OpenTracing.
OpenCensus was operated by Google with contributions from Microsoft and others, while the Cloud Native Computing Foundation (CNCF) managed OpenTracing. The goal of bringing these two efforts together is to be an all-in-one solution for all telemetry needs. OpenTelemetry exists as an incubating project managed by the CNCF, which also manages the Kubernetes framework, alongside a few other open-source container technology frameworks.
One of OpenTelemetry’s key marketing points is the standardization of the collection and transmission of telemetry data to cloud-native platforms. Tracing, metrics, and logs, considered the “three pillars of observability,” are unified. This improves the portability of the data, especially as OpenTelemetry is supported by a wide range of cloud providers and vendors through its backward compatibility.
A final word
Putting the importance of the project into perspective, Agbabian was quoted as saying: “Cybersecurity is ready to move on from silos and into an open, integrated era of inter-operability and cooperation.”
Salvatore Salamone is a physicist by training who has been writing about science and information technology for more than 30 years. During that time, he has been a senior or executive editor at many industry-leading publications including High Technology, Network World, Byte Magazine, Data Communications, LAN Times, InternetWeek, Bio-IT World, and Lightwave, The Journal of Fiber Optics. He also is the author of three business technology books.