What is the Open Cybersecurity Schema Framework (OCSF)?


The Open Cybersecurity Schema Framework is an open source project of currently 18 companies active in the IT security field. The project aims to improve cyber security by means of open standards and a simplified, vendor-independent taxonomy. Among other things, a uniform schema for security events is to be created that reduces the effort of normalizing data and breaks down data silos.

Open Cybersecurity Schema Framework (OCSF) is an open standard that aims at more cyber security and less normalization effort through a simplified, vendor-independent taxonomy.

OCSF is the acronym for Open Cybersecurity Schema Framework. It is still a fairly young open source project, publicly announced in August 2022 by currently 18 companies active in the IT security field. These companies include AWS, Splunk, Broadcom (Symantec), Cloudflare, IBM, Palo Alto Networks, Salesforce and Trend Micro, among others. The aim of the project is to improve cyber security through a simplified, vendor-independent taxonomy and open standards. Among other things, a uniform schema for security events is to be created that reduces the normalization effort when consolidating data from different security solutions and breaks down data silos. Cyber attacks and other threats to IT security can then be detected, analyzed and warded off more quickly and effectively. Vendors can implement the Open Cybersecurity Schema Framework in their solutions and products; it is compatible with existing security standards and processes. OCSF is licensed under the Apache License 2.0 and is freely available via GitHub.


Background to the creation of the Open Cybersecurity Schema Framework

Different vendors' cybersecurity solutions use different data models and schemas. There is no uniform format for log data and security events that is accepted by all companies. Detecting, analyzing and defending against cyberattacks usually requires coordinating multiple security tools and consolidating their data. Merging data from different sources requires a lot of time and resources to normalize the data before the actual analysis can begin. Security teams and security professionals spend time on normalization tasks that would be better spent investigating security events and defending against cyberattacks. With open standards and a simplified, vendor-independent taxonomy, the Open Cybersecurity Schema Framework is intended to reduce the normalization effort and give security teams more time for their actual tasks.

Contents of the Open Cybersecurity Schema Framework

The OCSF project deals with several topics and subtasks. The content of the Open Cybersecurity Schema Framework to be developed by the project includes:

  • open standards for the telemetry of security solutions and services
  • open source tools that support the framework and make the OCSF schema faster and easier to apply

The work of the open source project initially focuses on defining a uniform, vendor-independent schema for cybersecurity events. In principle, the framework is not limited to cyber security or to event schemas; it creates a general, vendor-independent taxonomy. The framework's definition files and normative schemas are based on JSON (JavaScript Object Notation). A schema browser enables easy navigation within a schema and browsing of its attributes, objects and event classes.
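As an added example (not part of the original article), the Python below normalizes two constructed vendor logon formats into OCSF-shaped Authentication events and then runs one detection across both, which is the normalization saving the article describes. The attribute names and integer ids (class_uid 3002, category_uid 3, activity_id, status_id, severity_id, type_uid) follow the public OCSF Authentication event class; both vendor formats and all sample values are constructed.

```python
from collections import Counter
from datetime import datetime

# Identifiers from the public OCSF Authentication event class (category IAM).
CLASS_UID_AUTHENTICATION = 3002
CATEGORY_UID_IAM = 3
ACTIVITY_LOGON = 1
STATUS = {"success": 1, "failure": 2}

def _base_event(ts_ms: int, activity_id: int, status_id: int, product: str) -> dict:
    """Fields every OCSF event carries; type_uid = class_uid * 100 + activity_id."""
    return {
        "class_uid": CLASS_UID_AUTHENTICATION,
        "category_uid": CATEGORY_UID_IAM,
        "activity_id": activity_id,
        "type_uid": CLASS_UID_AUTHENTICATION * 100 + activity_id,
        "status_id": status_id,
        "severity_id": 1 if status_id == STATUS["success"] else 3,  # Informational / Medium
        "time": ts_ms,  # OCSF time is epoch milliseconds
        "metadata": {"version": "1.1.0", "product": {"name": product}},
    }

def from_vendor_a(line: str) -> dict:
    """Vendor A (constructed format): key=value pairs, ISO-8601 time, result=ok|fail."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    ts_ms = int(datetime.fromisoformat(kv["ts"].replace("Z", "+00:00")).timestamp() * 1000)
    ev = _base_event(ts_ms, ACTIVITY_LOGON, STATUS["success" if kv["result"] == "ok" else "failure"], "VendorA")
    ev["actor"] = {"user": {"name": kv["user"]}}
    ev["src_endpoint"] = {"ip": kv["src"]}
    return ev

def from_vendor_b(record: dict) -> dict:
    """Vendor B (constructed format): JSON with epoch seconds and a boolean 'ok'."""
    ev = _base_event(record["epoch"] * 1000, ACTIVITY_LOGON, STATUS["success" if record["ok"] else "failure"], "VendorB")
    ev["actor"] = {"user": {"name": record["login"]}}
    ev["src_endpoint"] = {"ip": record["client"]}
    return ev

def failed_logons_per_user(events: list[dict]) -> Counter:
    """One detection written once against OCSF fields, independent of the source vendor."""
    return Counter(e["actor"]["user"]["name"] for e in events
                   if e["class_uid"] == CLASS_UID_AUTHENTICATION and e["status_id"] == STATUS["failure"])

VENDOR_A_LINES = ["ts=2024-03-01T10:00:00Z user=alice src=10.0.0.5 result=fail",  # constructed input
                  "ts=2024-03-01T10:00:05Z user=alice src=10.0.0.5 result=ok"]
VENDOR_B_RECORDS = [{"epoch": 1709287210, "login": "alice", "client": "203.0.113.9", "ok": False},  # constructed
                    {"epoch": 1709287220, "login": "bob", "client": "203.0.113.10", "ok": True}]

def normalize_all() -> list[dict]:
    return [from_vendor_a(line) for line in VENDOR_A_LINES] + [from_vendor_b(r) for r in VENDOR_B_RECORDS]
```

Once both feeds share the same class_uid, status_id and actor.user.name, the same query counts alice's two failures even though they were reported by different products.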


The OCSF Goals

The aim of the OCSF project is to facilitate data exchange between different security solutions and services through open standards. With less effort required to normalize data, security professionals and security teams have more time to detect, analyze and defend against cyberattacks. The simplified, vendor-independent taxonomy breaks up the data silos of individual security tools, so cyber attacks can be fought faster and more effectively.
