Data is the lifeblood of any organization’s security strategy. Data from dozens of IT and security tools spread across a company’s vast multicloud infrastructure provides organizations with critical visibility into today’s threat landscape. However, the inability to piece together this expanse of data and place it in the appropriate context has created inefficiencies that make it difficult to identify potential threats in a timely manner.
Security data streams that use incompatible formats force security teams to invest time and resources to bring disparate data to a common denominator. This makes it difficult to analyze cyber incidents in a broader context, potentially masking complex attack patterns that span multiple attack vectors.
To solve this problem, industry leaders have joined forces to create a new vendor-neutral networking and cybersecurity standard, now backed by more than 660 individual collaborators from 197 corporate organizations, to help institutions normalize their security data so they can better detect and investigate threats. Launched in August 2022, the Open Cybersecurity Schema Framework (OCSF) has gained traction across the industry as customers, researchers and vendors now find themselves working with their counterparts to solve this data normalization problem.
However, there is still much to be done to ensure that the standard is adopted industry-wide so that it can contribute to a more robust security strategy for today’s businesses.
Address security gaps in corporate networks
In the past, the responsibility for solving the problem of data interoperability in the security space fell on Security Information and Event Management (SIEM) vendors and end users who use application programming interfaces (APIs) and other connectors to collect data across various tools. However, as attack surfaces expand, the time and effort to normalize, cleanse, and align data structures across a diverse set of tools has become unsustainable. Standardizing data collection across different systems can make threat identification and analysis faster and easier.
An opportunity for cross-sector collaboration
The OCSF schema eliminates security data silos and standardizes how security data is collected and managed across different cybersecurity tools. This effectively creates a common language for security telemetry, published as an open standard available to any vendor. OCSF can be adopted in any environment, application or solution, and it integrates with existing security standards and processes.
OCSF provides an extensible framework on which vendors can build their own schema. Vendors and other data producers can adopt and extend the schema for their specific domains, allowing engineers to map different vendor schemas onto one model, which simplifies data capture and management across security tools and makes threat detection and investigation faster and more accurate.
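What the mapping described above looks like in practice, as an added example that is not part of the article or of the OCSF project's own code: two hypothetical sources (a cloud identity provider emitting JSON, a VPN appliance emitting key=value lines; both formats and all sample lines are constructed) are mapped onto one OCSF-shaped Authentication event, and a single detection is then run over both. The field names and numeric IDs follow OCSF 1.x as the author of this example understands them (class_uid 3002 = Authentication, category_uid 3 = Identity & Access Management, activity_id 1 = Logon, status_id 1/2 = Success/Failure, type_uid = class_uid * 100 + activity_id); treat them as assumptions and check them against the published schema before relying on them.

```python
"""Normalize two constructed vendor log formats into OCSF-shaped
Authentication events, then run one detection across both sources.

Added example, not code from the article or the OCSF project.  The
vendor formats and sample lines are constructed; the OCSF IDs and
field names are assumptions based on OCSF 1.x and should be verified
against the published schema.
"""
import json
import re
from collections import Counter
from datetime import datetime

# --- constructed sample input: two sources, two incompatible formats ---
VENDOR_A_JSON = [  # hypothetical cloud IdP: JSON, ISO-8601 timestamps
    '{"ts":"2024-05-01T10:00:00Z","event":"login","result":"ok","user":"alice","ip":"203.0.113.5"}',
    '{"ts":"2024-05-01T10:00:07Z","event":"login","result":"fail","user":"bob","ip":"198.51.100.9"}',
    '{"ts":"2024-05-01T10:00:09Z","event":"login","result":"fail","user":"bob","ip":"198.51.100.9"}',
]
VENDOR_B_KV = [  # hypothetical VPN appliance: key=value, epoch seconds
    "time=1714557612 action=auth outcome=failure username=bob srcip=198.51.100.9",
    "time=1714557615 action=auth outcome=failure username=bob srcip=198.51.100.9",
    "time=1714557620 action=auth outcome=success username=carol srcip=192.0.2.44",
]


def _ocsf_auth_event(*, time_ms, user, src_ip, success, vendor, product, raw):
    """Build one OCSF-shaped Authentication event (IDs assumed per OCSF 1.x)."""
    status_id = 1 if success else 2           # 1 = Success, 2 = Failure
    return {
        "category_uid": 3,                    # Identity & Access Management
        "class_uid": 3002,                    # Authentication
        "activity_id": 1,                     # Logon
        "type_uid": 3002 * 100 + 1,           # class_uid * 100 + activity_id
        "status_id": status_id,
        "severity_id": 1,                     # Informational
        "time": time_ms,                      # epoch milliseconds
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "metadata": {
            "version": "1.1.0",
            "product": {"vendor_name": vendor, "name": product},
        },
        "raw_data": raw,                      # keep the original line for forensics
    }


def parse_vendor_a(line: str) -> dict:
    """Map the hypothetical JSON IdP format onto the common schema."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))  # aware UTC
    return _ocsf_auth_event(
        time_ms=int(ts.timestamp() * 1000),
        user=rec["user"], src_ip=rec["ip"],
        success=(rec["result"] == "ok"),
        vendor="VendorA", product="Cloud IdP (hypothetical)", raw=line,
    )


_KV = re.compile(r"(\w+)=(\S+)")


def parse_vendor_b(line: str) -> dict:
    """Map the hypothetical key=value VPN format onto the common schema."""
    rec = dict(_KV.findall(line))
    return _ocsf_auth_event(
        time_ms=int(rec["time"]) * 1000,
        user=rec["username"], src_ip=rec["srcip"],
        success=(rec["outcome"] == "success"),
        vendor="VendorB", product="VPN appliance (hypothetical)", raw=line,
    )


def normalize_all(a_lines, b_lines):
    """One time-ordered stream: after mapping, source format no longer matters."""
    events = [parse_vendor_a(l) for l in a_lines] + [parse_vendor_b(l) for l in b_lines]
    return sorted(events, key=lambda e: e["time"])


def failed_logons_by_user(events, threshold=3):
    """Users with >= threshold failed logons, counted across every source.

    This only works because every event exposes the same class_uid,
    status_id and user.name fields regardless of which vendor produced it.
    """
    counts = Counter(
        e["user"]["name"]
        for e in events
        if e["class_uid"] == 3002 and e["status_id"] == 2
    )
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = normalize_all(VENDOR_A_JSON, VENDOR_B_KV)
    print(json.dumps(evs[0], indent=2))
    print("flagged:", failed_logons_by_user(evs))
```

The detection fires on `bob` only when both sources are read through the common schema: each vendor alone shows two failures, below the threshold, so a per-tool query would have missed the pattern the article calls an attack spanning multiple vectors.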
However, for standardization to be effective, the entire industry needs to come together. This requires collaborators in the networking and security industries to put aside their differences and adopt a common language, framework and standards. This is in the best interests of customers, but improved customer experience through cooperation with suppliers will also promote industry-wide growth and prosperity.
Here are five things that need to happen to increase OCSF adoption and help organizations respond to threats faster and reduce data normalization costs:
1. Engage with customers.
Ultimately, customers will drive adoption, and vendors will need to highlight the technical and business benefits of moving to an open and extensible security schema. The first step is to recognize the pain points that data engineers, security operations teams and other stakeholders face every day when managing and securing modern networks spread across various cloud infrastructures and data centers.
Eliminating the need to normalize data from distributed sources would allow security teams to focus on what really matters: threat detection and investigation.
2. Get more suppliers to collaborate.
Success also depends on the adoption of industry-wide standards, and collaboration between competitors is key. Many vendors still believe that standards make it easier for their customers to migrate away from their platform, but this is a dangerous line of thinking. Vendor lock-in ultimately hinders the entire industry and makes it more difficult for the market to grow.
In fact, standards like OCSF can improve adoption of vendor solutions by simplifying the integration of their products into the entire security and networking stack: working as a single integrated ecosystem rather than a standalone, isolated product simplifies security operations for the customer.
3. Ask the feds for help.
The federal government has long supported innovation through funding, research and development, and standardization. Requiring OCSF compliance, alongside existing regulatory frameworks, in all requests for comments (RFCs) from the Cybersecurity and Infrastructure Security Agency (CISA) would significantly favor the adoption of this new schema. Additionally, the federal government could make OCSF proficiency or compliance a requirement for vendors and contractors who wish to work with federal agencies.
4. Promote open communication.
Getting any project off the ground, much less an industry-wide standardization effort, requires constant communication from all stakeholders. OCSF encourages vendors, researchers and customers to participate in the process by contributing to the core schema. The group's Slack channel has more than 660 members, up from just over 100 several months ago.
5. Encourage business use cases.
Several large companies have already adopted the OCSF standard in their internal networks, developing a system that brings together diverse threat detection and investigation data into a single, internally developed management dashboard.
Moving at a brisk pace toward a safer tomorrow
Security teams are forced to spend an inordinate amount of time normalizing and cleansing telemetry data from dozens of sources across an increasingly complex security stack. The new OCSF schema aims to standardize security data across tools, allowing security teams to spend more time proactively addressing and preventing threats.
Others in the industry must rally in support of the vendor-agnostic initiative through consensus and improved collaboration among customers, suppliers and the federal government. This entails promoting participation and showcasing specific business use cases.
We now have the opportunity to take a giant leap forward in turning the tide against today’s increasingly sophisticated threats. Coming together will bring much-needed confidence to the sector, helping us to continue to safeguard people, organizations and government, today and into the future.