OCSF, an open source project in collaboration with AWS, Splunk and other companies to detect and deal with cyberattacks

The Open Cybersecurity Schema Framework, better known by its acronym «OCSF», is a new project born from the hands of AWS and Splunk. The new framework builds on existing open source technology known as the ICD Schema, which in turn was created by Broadcom's Symantec cybersecurity unit.

The OCSF Project was presented at Black Hat USA 2022 and its main objective is to help organizations detect, investigate and stop cyber attacks faster and more effectively.

OCSF includes contributions from 15 initial members including Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler. All members of the cybersecurity community are invited to use and contribute to the OCSF.

In today's ever-changing security environment, security professionals must continually monitor, detect, respond to, and mitigate existing and new security issues. To do so, security teams must be able to analyze security-relevant log and telemetry data using multiple tools, technologies, and vendors. The complex and heterogeneous nature of this task increases costs and can slow detection and response times. Our mission is to innovate on behalf of our customers so they can more quickly analyze and protect their environment when the need arises.

With that goal in mind, together with several partner organizations, we are pleased to announce the launch of the Open Cybersecurity Schema Framework (OCSF) project, which includes an open specification for the standardization of security telemetry across a wide range of security products and services, as well as open source tools that support and accelerate the use of the OCSF schema.

About OCSF

OCSF is an open standard that can be adopted in any environment, application or provider of solutions and conforms to existing security standards and processes. As cybersecurity solution providers embed OCSF standards into their products, standardizing security data will become simpler and less burdensome for security teams.

Adopting OCSF will enable security teams to increase focus on data analysis, threat identification, and defending their organizations from cyberattacks.

OCSF seeks to help organizations respond to cyber attacks more effectively by simplifying one of the most complicated aspects of the task: data management. In particular, the project is designed to streamline the processing of data about cyber attacks.

Organizations often use not one, but several cybersecurity tools to detect malicious activity on their networks. It is often beneficial to share data between those tools. For example, if a cybersecurity team uses two separate applications to investigate hacking attempts, they may want to share technical information about malicious network activity between those two applications.

Currently moving data from one cybersecurity tool to another often requires a significant amount of manual labor. The reason is that different tools frequently store data in different formats. As a result, when a dataset is moved between cybersecurity tools, administrators must manually change the format of the dataset.

OCSF aims to simplify this task. According to the project sponsors, it is designed to provide a common open source standard for organizing cybersecurity information. If two cybersecurity tools store data in the same format, administrators can move data between them without having to manually modify it first, saving time.

Changing the format of a data set often requires specialized software tools. Because the process can involve a significant amount of manual work, there is also a risk of human error.

OCSF provides a standardized way to describe a hack attempt, as it specifies what data points a cybersecurity tool should provide about a hack attempt, as well as how those data points should be formatted. Organizations can optionally customize OCSF if their requirements extend beyond the core feature set of the framework.
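To make the previous point concrete, here is an added example (not code from the OCSF project or from this article) that normalizes two constructed log records from hypothetical tools, one in key=value form and one in JSON, into a single common event shape, so a consumer written once against that shape works on either tool's data. The attribute names are modelled on OCSF's Network Activity class and the schema version string is assumed; both should be checked against the published schema.

```python
import json
from datetime import datetime, timezone

# Constructed sample records from two hypothetical tools, each in its own native format.
TOOL_A_KV = "ts=2022-08-10T14:03:21Z action=blocked src=10.0.0.5 dst=203.0.113.7 dport=445 proto=tcp"
TOOL_B_JSON = ('{"eventTime": 1660140201, "verdict": "deny", "source_ip": "10.0.0.5", '
               '"destination_ip": "203.0.113.7", "destination_port": 445, "protocol": "TCP"}')

def common_event(time_ms, denied, src_ip, dst_ip, dst_port, proto):
    """Build one event in the shared schema (attribute names assumed from OCSF Network Activity)."""
    return {
        "class_uid": 4001,                 # Network Activity class
        "category_uid": 4,                 # Network Activity category
        "action_id": 2 if denied else 1,   # 2 = Denied, 1 = Allowed
        "time": time_ms,                   # epoch milliseconds
        "src_endpoint": {"ip": src_ip},
        "dst_endpoint": {"ip": dst_ip, "port": dst_port},
        "connection_info": {"protocol_name": proto.lower()},
        "metadata": {"version": "1.0.0"},  # assumed schema version
    }

def normalize_tool_a(line):
    """key=value line -> common event."""
    kv = dict(pair.split("=", 1) for pair in line.split())
    ts = datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return common_event(int(ts.timestamp()) * 1000, kv["action"] == "blocked",
                        kv["src"], kv["dst"], int(kv["dport"]), kv["proto"])

def normalize_tool_b(raw):
    """JSON record -> common event."""
    rec = json.loads(raw)
    return common_event(rec["eventTime"] * 1000, rec["verdict"] == "deny",
                        rec["source_ip"], rec["destination_ip"],
                        rec["destination_port"], rec["protocol"])

def denied_smb_events(events):
    """A consumer written once against the common schema; works on either tool's data."""
    return [e for e in events
            if e["action_id"] == 2 and e["dst_endpoint"]["port"] == 445]

if __name__ == "__main__":
    a, b = normalize_tool_a(TOOL_A_KV), normalize_tool_b(TOOL_B_JSON)
    print("identical after normalization:", a == b)
    print("denied SMB events:", len(denied_smb_events([a, b])))
```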

Finally, if you are interested in learning more about it, you should know that the OCSF project sponsors have released the framework code on GitHub under an open source license.
