IT teams soon won’t have to struggle as much to correlate telemetry from their security devices if a new industry initiative takes hold.
A coalition of cybersecurity and technology companies led by Amazon, security data analytics platform Splunk and Symantec has created an Open Cybersecurity Schema Framework (OCSF) so tools — including security information and event management (SIEM) systems — can share a wide array of data without vendors or IT departments having to write custom import bridges.
“Providing a standard schema — meaning kind of a database structure — and having different tools and products normalize their internal data structures to that … is going to make the things that are accomplished today in less efficient ways be done much more efficiently,” Mark Ryland, director of the CISO’s office at Amazon Web services, said in an interview.
“Today a security analyst might look at streams of three different tools trying to figure out what’s happening and whether there is some correlation in the data from the different tools. Whereas if the tools can send data to one another or to a common database, that correlation becomes easier and automation becomes easier.”
CISOs are telling him they were tired of “data wrangling — getting data into the right format and getting products to talk to each other,” he said. Sometimes they had to ask vendors to write custom adapters and code to get one system working with another, sometimes their staff had to do it. “The challenge is lots of time the processes are manual — cut and paste — just trying to understand the same event.”
For all the benefits, it will still be a few months before OCSF-compatible products will be on the market.
“The next phase of this launch will be product and services announcements over the next three to six months,” Ryland said, “where you’ll see vendors that agree this makes sense will be able to emit or consume security data in this format. So you’ll be able to export from their tool — for example, you could export your CloudFlare logs in OCSF format and it could go to natively a SIEM that aggregates data.”
In addition to the three main backers, the OCSF includes contributions from 15 other firms including Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler.
Rryland isn’t worried that other big names such as Microsoft, HP, and Cisco Systems are missing. Other vendors can either join later, he said, or just make their products OCSF compatible.
The Open Cybersecurity Schema Framework is an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion so data scientists and analysts can work with a common language for threat detection and investigation.
The framework is made up of a set of data types, an attribute dictionary and a taxonomy. While it isn’t restricted to the cybersecurity domain or to events, the initial focus of the framework is a schema for cybersecurity events.
OCSF is agnostic to storage format, data collection and extract/transform/load (ETL) processes. The core schema for cybersecurity events is also intended to be agnostic to implementations. The schema framework definition files and the resulting normative schema are written as JSON.
AWS has a number of data sources that will take advantage of the framework, Ryland said, including network flow logs, logs from its web application firewall service and the AWS Security Hub service.
Other partners in the effort explained their support.
“The OCSF community will streamline security operations for the many thousands of organizations that rely on telemetry from a wide range of sources to power their cybersecurity investigations,” said Rob Greer, general manager of, the Symantec Enterprise Division at Broadcom.
“We believe strongly in the concept of a shared data schema,” said Michael Sentonas, CrowdStrike’s chief technology officer, “which enables organizations to understand and digest all data, streamline their security operations and lower risk.”
“Modern cybersecurity operations is a team sport, and products must integrate with each other to provide value beyond what a single product can,” said Mohan Koo, co-founder and CTO with DTEX Systems. “Sure, it’s possible to make that happen with open APIs and mapping data structures, but development and processing resources are not infinite. The OCSF initiative is about eliminating the inefficiencies and making it possible to achieve frictionless integration through standardized data, meaning faster time to detection, response and resolution at a lower total cost.”