AWS, Splunk and other tech firms launch open-source cybersecurity data framework

Amazon Web Services Inc., Splunk Inc. and more than a dozen other tech firms have launched an open-source project designed to help companies respond to cyberattacks more effectively.

The project, known as the Open Cybersecurity Schema Framework, or OCSF, made its debut today. The development of the framework was initiated by AWS and Splunk. They based OCSF on an existing open-source technology known as the ICD Schema, which was in turn created by Broadcom Inc.’s Symantec cybersecurity unit.

Salesforce.com Inc., IBM Corp. and Cloudflare Inc. are backing the OCSF project as well. They are joined by more than 10 other tech companies, including publicly traded cybersecurity providers CrowdStrike Holdings Inc. and Palo Alto Networks Inc., as well as multiple startups.

OCSF seeks to help organizations respond to cyberattacks more effectively by simplifying one of the most complicated aspects of the task: data management. In particular, the project is designed to streamline the process of processing data about cyberattacks.

Organizations typically use not one but multiple cybersecurity tools to detect malicious activity in their networks. It’s often beneficial to share data between those tools. For example, if a cybersecurity team uses two separate applications to investigate hacking attempts, it may wish to share technical information about malicious network activity between those two applications.

Currently, moving data from one cybersecurity tool to another often requires a significant amount of manual work. The reason is that different tools frequently store data in different formats. As a result, when a dataset is moved between cybersecurity tools, administrators must manually change the format of the dataset.

OCSF aims to simplify the task. According to the project’s backers, it’s designed to provide a common open-source standard for organizing cybersecurity information. If two cybersecurity tools store data in the same format, then administrators can move data between them without having to manually modify it first, which saves time.

Changing the format of a dataset often requires specialized software tools. Because the process can involve a significant amount of manual work, there’s also a risk of human error.

“Security leaders are wrestling with integration gaps across an expanding set of application, service and infrastructure providers, and they need clean, normalized and prioritized data to detect and respond to threats at scale,” said Patrick Coughlin, Splunk’s group vice president of the security market. “This is a problem that the industry needed to come together to solve.”

OCSF provides a standardized way of describing a hacking attempt. It specifies what data points a cybersecurity tool should provide about a hacking attempt, as well as how those data points should be formatted. Organizations can optionally customize OCSF if their requirements extend beyond the framework’s core feature set.

“The OCSF community will streamline Security Operations for the many thousands of organizations that rely on telemetry from a wide range of sources to power their cybersecurity investigations,” said Rob Greer, the general manager of Broadcom’s Symantec Enterprise Division.

The OCSF project’s backers have released the code for the framework on GitHub under an open-source license.

Image: Pixabay