Leading technology and security companies are banding together to share tools and products to better guard against cyberattacks, saying their security teams are spending more time correlating a blitz of unintegrated data than detecting and responding to threats.
The Open Cybersecurity Schema Framework (OCSF) project, revealed Wednesday at the Black Hat USA cybersecurity conference in Las Vegas, will provide “an open specification for the normalization of security telemetry across a wide range of security products and services” and the open-source tools to support it, said Amazon Web Services (AWS), which co-founded the initiative with Splunk.
“Our customers have told us that interoperability and data normalization between security products is a challenge for them. Security teams have to correlate and unify data across multiple products from different vendors in a range of proprietary formats,” Amazon said.
“…Instead of focusing primarily on detecting and responding to events, security teams spend time normalizing this data as a prerequisite to understanding and response,” the company said. “We believe that use of the OCSF schema will make it easier for security teams to ingest and correlate security log data from different sources, allowing for greater detection accuracy and faster response to security events.”
In a blog post announcing its participation, Splunk said the project built on work done by Symantec and grew to 18 founding technology and security organizations through “an analysis of the needs of the security operations market.”
“With the Open Cybersecurity Schema Framework, the industry works together to unburden security teams of the work required to collect and normalize data and focus on analyzing it,” wrote Paul Agbabian of Splunk’s Security business unit. “Cybersecurity is ready to move on from silos and into an open, integrated era of inter-operability and cooperation.”
In addition to Amazon and Splunk, the initiative brings together these partners: Broadcom, Salesforce, Rapid7, Tanium, Cloudflare, Palo Alto Networks, DTEX, CrowdStrike, IBM Security, JupiterOne, Zscaler, Sumo Logic, IronNet, Securonix, and Trend Micro.
The widespread collaboration is unusual for an industry traditionally slow to cooperate on cybersecurity matters, with one participant, JupiterOne founder and CEO Erkang Zheng, calling it “truly unprecedented.”
Yet the joint endeavor reflects a recent move toward cooperation in the face of growing cyber threats, much of it through the Cybersecurity and Infrastructure Security Agency (CISA). Although CISA’s official stamp is not on the OCSF project, several participating companies – including AWS – have partnered with the agency on its new Cybersecurity Advisory Committee or Joint Cyber Defense Collaborative.
Both are efforts to better work with the private sector on cyber matters. Such public-private partnerships are considered vital to national cyber defense by the overwhelming majority of Federal and private sector security experts surveyed in recent MeriTalk research.
The research also found that only about one-third of respondents believe those kinds of partnerships are currently “very effective,” citing problems in identifying risk, coordinating incident response, and protecting critical infrastructure.
The leaders of OCSF vowed to get around such obstacles by working together to “improve our collective defenses by making it easier for security teams to do their jobs more efficiently,” Amazon said. “…In today’s fast-changing security environment, security professionals must continuously monitor, detect, respond to, and mitigate new and existing security issues. To do so, security teams must be able to analyze security-relevant telemetry and log data by using multiple tools, technologies, and vendors. The complex and heterogeneous nature of this task drives up costs and may slow down detection and response times.”
Participants described the project as open-source and “made up of a set of data types, an attribute dictionary, and the taxonomy.” It is expected to deliver “an extensible framework for developing schemas, along with a vendor-agnostic core security schema.”
The OCSF partners released a white paper with further technical details.
Although OCSF is not restricted to cybersecurity, the initial focus is on cybersecurity events, participants said.
In its announcement, Splunk emphasized the growing sentiment in the cybersecurity industry in favor of cooperation among companies to simplify data normalization. The Splunk post pointed to a report released in July by ESG Research on “Technology Perspectives from Cybersecurity Professionals.”
A key finding: “77% of respondents would like to see more industry and technology cooperation in the form of open standards support.”