Unlocking the Power of the SOC through OCSF Standardization
- Jun 12, 2024
- By Ada Filipek
- 7 minutes to read
Hunters announced its full adoption of the Open Cybersecurity Schema Framework (OCSF) and introduced OCSF-Native Search as a step forward in the ongoing mission to innovate and automate cybersecurity analytics and operations.
Oliver Rochford (futurist and former Gartner analyst), Jake Berkowsky (Field CISO at Snowflake) and Yuval Itzchakov (Hunters CTO) came together to discuss the benefits of adopting OCSF and to outline the challenges and opportunities. Here’s what you should know about OCSF and its role in transforming the security operations center (SOC).
Evolution of Standardized Data Language
Early cybersecurity tooling relied on a single intrusion detection system, but as more tools were introduced, integrating the different systems through a standard data format became crucial. With no industry-wide standard, each vendor built its own parsers for security analysis and correlation. This led to high costs and inefficiencies, because every vendor needed custom code to interpret and analyze the same data.
Common Event Format (CEF) introduced by ArcSight marked a significant shift by standardizing data parsing, which facilitated easier data exchange across different systems and reduced the need for custom parsers.
More recently, the Open Cybersecurity Schema Framework (OCSF), driven by AWS, has emerged as an effort to further modernize cybersecurity data exchange. Its adoption by major competitors in the industry signals its significance and potential for broad industry impact.
AWS Security Engineering Manager and Co-Chair of the Open Cybersecurity Schema Framework, Keith Gilbert wrote, “We understood the need for a standardized approach that would enable security professionals to focus on what truly matters: identifying and responding to security issues. The OCSF project provides an open and extensible specification for the normalization of security telemetry across a wide range of security products and services, as well as open source tools that support and accelerate the use of the OCSF schema.”
What are the Benefits of Adopting OCSF?
OCSF provides a structured way to describe cybersecurity data, ensuring that all parties use and understand it consistently. This standardization is critical for effective data integration and usability across different platforms and tools.
But the benefits don't stop there:
Enhanced Data Compatibility: Organizations are not constrained by proprietary data formats from specific vendors. “If you understand OCSF, you're going to be able to do detection engineering, you're going to be able to search, you're going to have an understanding of how the data is structured,” says Itzchakov. SOC analysts no longer have to learn a different schema for each security product; they only need to understand one.
Scalability and Efficiency: Itzchakov shares, “If we reduce the amount of compute that we're using, we can also give better cost benefits to our customers who are using their SIEM products.” Organizations will achieve greater efficiency in data processing, which unlocks cost savings, particularly through reduced computational needs and simplified data ingestion.
Accelerating Gen-AI in Security: The integration of large language models (LLMs) to automate tasks like writing views and normalizing data based on well-documented standards like OCSF facilitates easier and more effective querying and data analysis.
Berkowsky explains, “Have the LLM write those views, have it write those tasks to normalize my data, and of course that's going to work the other way around as well, right? Once that data is normalized, an LLM is going to have a lot easier time querying it.”
Hidden Benefits of OCSF for MSSPs
Interoperability and Standardization
In MSSP operations, standardizing on a single schema with OCSF fosters interoperability and reduces the need to learn different schemas. This enables MSSPs to operate faster on their data and deliver consistent SLAs for their customers due to the reduced overhead. Additionally, by treating customers collectively, it enhances economies of scale and synergies.
Rochford adds, “You can't treat these customers in isolation. You have to look at them as an aggregate whole. You see something in one customer. You can then search for it in someone else's, right? OCSF makes that much, much easier.”
Reduced Development Effort and Increased Portability
By providing a standardized approach to data handling and analysis, OCSF reduces the development effort required for analytics and machine learning models. This standardization also enhances the portability of models across different environments. Developers can create models using OCSF-compliant data standards, making them easily transferable and usable across different platforms or by other MSSPs.
What are the Challenges Associated with OCSF Adoption?
Vendor Adoption Variability
The reality is that there is significant variability in vendor buy-in and the speed at which vendors adopt OCSF. Berkowsky comments, “If you're operating a security data lake, you're going to have a lot of different types of data. Some is going to be in OCSF format, some is going to be security data in another format, but that's going to be useful for your investigations and for your enrichments.”
Even minimal use of the standard, such as adopting its top-level categories for data sorting and table structuring, can significantly improve data organization and usability. OCSF is a community-driven initiative that unites security experts worldwide to create a robust cybersecurity schema.
However, for OCSF to fully realize its potential, vendors need to become active contributors by transitioning from proprietary schema models to OCSF. This shift will reduce the overhead for users by eliminating the need to recreate mappings and transformations.
As the community grows and vendors adopt OCSF, customers will have the luxury of bypassing vendor lock-in. Forrest points out that “as vendors start supporting it, more and more customers will ask for it, and it'll create this feedback loop.”
Ongoing Maintenance and Updates (Evolving schema and detections)
As more vendors get involved and contribute to the framework, there are challenges associated with keeping up with evolving schema versions and keeping your detections in sync with the latest versions.
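The two practical points above, using OCSF's top-level categories to lay out tables and keeping detections honest as schema versions change, as an added example that is not part of the original article or of any vendor's product. Events are constructed here and shaped like OCSF records; the numeric ids (category_uid 3 for IAM, class_uid 3002 for Authentication, activity_id 1 for Logon, status_id 2 for Failure), the version "2.0.0" used as a not-yet-supported release, and the product name are assumptions for illustration.

```python
from collections import Counter

# Constructed OCSF-shaped events (assumed ids: category_uid 3 = Identity & Access
# Management, class_uid 3002 = Authentication, activity_id 1 = Logon,
# status_id 2 = Failure; class_uid 4001 / category_uid 4 = Network Activity).
def ev(version, ip, status_id, class_uid=3002, category_uid=3, activity_id=1):
    return {"metadata": {"version": version, "product": {"name": "constructed-idp"}},
            "category_uid": category_uid, "class_uid": class_uid,
            "activity_id": activity_id, "status_id": status_id,
            "actor": {"user": {"name": "alice"}}, "src_endpoint": {"ip": ip}}

EVENTS = [
    ev("1.1.0", "203.0.113.7", 2), ev("1.1.0", "203.0.113.7", 2),
    ev("1.1.0", "203.0.113.7", 2), ev("1.1.0", "203.0.113.7", 1),   # 3 failures, 1 success
    ev("1.1.0", "198.51.100.9", 2),                                  # single failure elsewhere
    ev("1.1.0", "198.51.100.9", 2, class_uid=4001, category_uid=4),  # network event, not auth
    ev("2.0.0", "198.51.100.9", 2),                                  # version this rule was never tested on
]

# Schema versions this detection was written and tested against (assumed).
SUPPORTED_VERSIONS = {"1.0.0", "1.1.0"}

def route_by_category(events):
    """Minimal use of OCSF: bucket events by top-level category, one table per category."""
    tables = {}
    for e in events:
        tables.setdefault(e["category_uid"], []).append(e)
    return tables

def failed_logon_burst(events, threshold=3):
    """Flag source IPs with >= threshold failed logons.

    Events carrying a metadata.version the rule does not support are skipped and
    reported, so a schema upgrade surfaces as 'rule needs review' rather than as
    silently missed or mis-parsed events."""
    counts, skipped = Counter(), []
    for e in events:
        version = e.get("metadata", {}).get("version")
        if version not in SUPPORTED_VERSIONS:
            skipped.append(version)
            continue
        if e["class_uid"] != 3002 or e["activity_id"] != 1 or e["status_id"] != 2:
            continue
        counts[e["src_endpoint"]["ip"]] += 1
    hits = sorted(ip for ip, n in counts.items() if n >= threshold)
    return hits, skipped
```

In production the skipped list would feed a metric or alert so the detection team knows a new schema version has arrived before coverage quietly degrades.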
The Key to SOC Transformation Lies in OCSF Adoption
The adoption of the Open Cybersecurity Schema Framework represents a significant leap forward in the quest to innovate and streamline cybersecurity analytics and operations. OCSF not only addresses the historical challenges of disparate data formats and vendor-specific solutions but also unlocks numerous benefits for organizations and MSSPs alike. Despite challenges such as variability in vendor adoption and ongoing maintenance, the growing community support and industry momentum behind OCSF signal its potential for widespread adoption and long-term impact in transforming the SOC landscape.
To unlock the full potential of OCSF, the greater cybersecurity community needs to embrace the movement. Berkowsky, Snowflake Principal Cybersecurity Architect & Field CTO, advises, “The main thing that this scheme is going to need is adoption. We need more people asking for it. If the vendors do it, customers are going to get used to it and they're going to ask more vendors to implement it.”