OCSF Celebrates First Anniversary with the Launch of a New Open Data Schema
August 2023 by Marc Jacob
The Open Cybersecurity Schema Framework (OCSF), an open-source project established to remove security data silos and standardize event formats across vendors and applications, announced today the general availability of its vendor-agnostic security schema. OCSF delivers an open and extensible framework that organizations can integrate into any environment, application or solution to complement existing security standards and processes. Security solutions that utilize the OCSF schema produce data in the same consistent format, so security teams can save time and effort on normalizing the data and get to analyzing it sooner, accelerating time-to-detection.
A year ago, Splunk, Amazon Web Services (AWS), IBM and 15 other cybersecurity firms launched the OCSF at Black Hat USA 2022. The open source project has expanded to include more than 145 organizations and 435 individual contributors — a more than eight-fold increase. Additionally, a growing number of Fortune 500 enterprises and public sector agencies have adopted the OCSF schema for internal use.
"The OCSF open framework removes a long-standing obstacle to data exchange that has plagued the security industry for years," said Paul Agbabian, vice-president of security technology leadership at Splunk. "OCSF enables security teams to readily and holistically analyze data coming from multiple security tools without having to pay the data normalization ‘tax’ — assigning a team to devote significant time and energy to create and maintain ambiguous and disparate ‘translators.’ OCSF relieves security teams and analytics vendors of that burden and captures the full semantics of security information, so teams can focus on threat detection and investigation to prevent cyber-caused disruptions and help make their organizations more resilient."
“Organizations are participating in OCSF to address an immediate need among their customers across all industries for greater visibility into potential security threats,” said Jon Ramsey, VP, Security Services, AWS. “Without a common language, organizations have to analyze security-relevant telemetry and log data using multiple tools, technologies, and vendors. The OCSF schema makes it easier for security teams to more quickly analyze and protect their environment when the need arises, offering full visibility, greater detection accuracy, and making it easier for security teams to do their jobs more efficiently.”
The OCSF schema benefits from the hundreds of contributors who are continually refining and expanding it to fit various security and IT use cases, embodying the principles of open-source software: transparency, participation and collaboration.
“We need speed and agility to keep pace with the evolving threat landscape and growing IT complexity. Cross-industry collaboration on open security technologies and standards is essential to this equation," said Sridhar Muppidi, Chief Technology Officer, IBM Security. "Using a standard security data schema like OCSF will help defenders to respond faster through the sharing of detection data across tools, bringing broader visibility, and quickly adapting to evolving threats with community-led innovation."
“The OCSF is the first vendor-agnostic, open-source initiative of its kind,” said Bala Sathiamurthy, Chief Information Security Officer, Atlassian. “At Atlassian, we know that detecting and stopping cyberattacks is impossible alone, but with more companies adopting the OCSF we’re confident that we’ll grow stronger together. We’re proud to contribute to the OCSF and collaborate with members to exchange solutions so that we can all begin speaking the same data language.”
"We saw a lot of cybersecurity data chaos and we wanted to organize it. We went looking for a schema that we could use for GRC data, organization data and incidents so that we could easily answer questions from our data lake,” said Matthew Tharp, Head of DataBee Field Architecture, Comcast Technology Solutions. “OCSF really helped us get there faster with a great community."
"To detect and respond to advanced threats, security teams must analyze security data holistically, which requires normalizing it first. OCSF has created an open and extensible data framework to rid security teams of the time, effort and cost required to normalize disparate data across numerous security tools,” said Michelle Abraham, Research Director, Security and Trust, IDC. “Coming up on its first anniversary, the open-source project has not only experienced an exponential growth in the number of contributors, but also delivered a production version of the schema that vendors can standardize on to help customers readily and efficiently leverage security data to protect themselves from cyber threats.”
“Today, data is the running power of every high-performing security team but it also poses serious challenges as data sources, tools, and sprawling attack surfaces contribute to never-seen-before volume and complexity,” said Ian McShane, VP, Product Strategy, Arctic Wolf. “Arctic Wolf specializes in alleviating the burden of complexity and data overload for our customers so security teams can focus on the most important tasks ahead. The common framework created by OCSF enables the security community to standardize and collaborate effectively, ultimately benefiting the end user.”
“We are excited and proud of the OCSF’s expansion and adoption over the past year. As one of the key creators and early adopters of the OCSF schema, we believe in making it easy for security practitioners to integrate and analyze telemetry,” said Adam Bromwich, CTO and Head of Engineering, Symantec Enterprise Division, Broadcom . “The more consistent the industry is, the more attacks we will discover and stop together. Broadcom’s Symantec products support OCSF, and we look forward to continuing to contribute to the OCSF."
“Today’s security landscape often comprises dozens of tools, each with its own unique format. This not only creates headaches for already overworked security professionals, but these disparate and incompatible datasets handcuff their ability to effectively do their jobs and secure their businesses,” said Ledion Bitincka, Co-Founder and CTO of Cribl. “We believe interoperability is good for customers, period. The OCSF schema advances that mission in a material way, and we’re proud to be part of it to help ensure customers are able to focus on threat hunting and incident response, as opposed to fighting with data."
"These days, successful cyber security operations require products that integrate with each other to provide additional value beyond a single feature or technology. While this is possible with open APIs and mapping data structures, development and processing resources are not infinite," said Mohan Koo, President and Co-Founder, DTEX Systems. "We’re excited about the launch of the OCSF initiative to eliminate inefficiencies and achieve frictionless integration through standardized data—for faster time to detection, response, and resolution at a lower total cost."
“At SentinelOne, we are dedicated to fostering a collaborative environment to strengthen the collective shield of cybersecurity and as such, have embraced the Open Cybersecurity Schema Framework (OCSF) to empower a unified defense against attacks,” said Jane Wong, SVP of Products and Strategy, SentinelOne. “Traditional threat hunting and investigations can be challenging and time consuming for organizations because the data they need to consider is from different sources, in different formats and siloed in different tools. In natively using the OCSF as our XDR schema, we make it easy to ingest, query, and analyze normalized telemetry directly in SentinelOne’s Security Data Lake, allowing for more efficient investigations across a single data source.”
“Digital transformation has resulted in an explosion of endpoints and the subsequent growth of organizations’ attack surfaces, regardless of sector or size. Open standards provide organizations with shared security data that is critical when every moment of response time counts in reducing risk and mitigating today’s increasingly sophisticated cyber attacks,” said Rob Jenks, SVP, Strategy and Business Development, Tanium. “We look forward to our continued work with the OCSF to provide security teams the necessary tools to more quickly and efficiently identify, detect, and defend mission critical data through effective industry collaboration with cybersecurity and technology leaders.”
"Through our partnership with Amazon Web Services, SOC Prime is driving the global adoption of OCSF to provide centralized accessibility of log and event data within the cloud and on-premises," said Andrii Bezverkhyi, inventor of Uncoder.IO, CEO and Founder, SOC Prime. "By fusing the benefits of open-source Sigma rules standard and OCSF, we empower organizations with bi-directional query translations for multiple SIEM, EDR, XDR, and Data Lake formats. SOC Prime’s innovative tools backed by AWS expertise further enhance threat detection coverage, visibility, and operational efficiency, ultimately maximizing the value of security investments and freeing up valuable time for SecOps teams."
The OCSF framework is impressive in how it delivers a unified format for security alerts and events, fostering the interoperability and integration across myriad security solutions to drive increased efficiency,” said Leonid Belkind, Chief Technology Officer and Co-Founder, Torq. “We’re particularly excited by how the ability for organizations to adopt security hyperautomation is enhanced by this unification and the standardization it provides. OCSF is an innovative example of how companies can come together to advance technology and establish forward momentum for evolving standards that better protect everyone against the perpetually-increasing sophistication and cunning of threat actors.”
“Trellix is proud to be a contributing member of the open source OCSF community that has built a framework promoting interoperability and data normalization between security products,” said Harold Rivas, Chief Information Security Officer, Trellix. “Joining OCSF supports collaboration with other industry organizations, further benefiting customers and the broader cybersecurity community.”
“Cybercriminals are our true competition, and the OCSF has made strong steps to unify the security community to be stronger together,” said Mike Gibson, SVP, Global Services, Trend Micro. “In just one year since the launch, many of our customers around the world have requested OCSF support for their product evaluations. Our hope is that this will become standard practice for adoption of all security products. We’re proud of our involvement in this effort and plan to continue enabling security teams to focus more on intelligence and spend less time worrying about formats."
“At Wiz, we believe in a ‘together’ approach towards security,” said Ami Luttwak, Chief Technology Officer and Co-Founder, Wiz. “Nothing is more powerful than vendors joining forces to tackle industry-wide challenges for the ultimate benefit of practitioners. OCSF is a prime example of that credo in action: it is driving towards more openness and collaboration in the world of cybersecurity, and we are proud to be a contributor.”
Additional OCSF members include Akamai, CrowdStrike, Kyndryl, Netskope (a full list of members can be found here). For more information on joining the OCSF project or contributing, visit https://github.com/ocsf/.