AWS, Splunk and more launch cybersecurity analytics standard

AWS and other IT vendors will start building connectors based on a new standard schema meant to streamline data sharing between cybersecurity tools.

A consortium of IT vendors launched a new collaboration this week on an open source schema for cybersecurity analytics data, potentially eliminating some of what AWS calls "undifferentiated heavy lifting" for SecOps pros.

AWS and Splunk founded the project earlier this year, based on the ICD Schema developed at Symantec, now owned by Broadcom. This week they were joined by Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro and Zscaler in unveiling the Open Cybersecurity Schema Framework (OCSF) during the Black Hat conference in Las Vegas.

Although the project is only months old, the spec is ready for vendors to use to build connectors for their products. AWS plans to add OCSF connectors to several of its SecOps services, including GuardDuty, Security Hub and Inspector.

"Lots of customers that we talk to are using lots of different security tools, and no one expects that will ever stop -- there will never be the one tool to rule them all," said Mark Ryland, director of the office of the CISO at AWS. "But at the same time, that creates data management problems because the tools don't easily speak to one another ... and [customers] want to spend more time on security outcomes and less time on data wrangling."


OCSF specifies standard data management elements such as event classes, data types, categories and attributes that cybersecurity analytics vendors can use to normalize data as it's ingested. Normalization here means mapping the differently named and differently shaped fields of each product's events onto one common schema at ingest, so that a single query or detection rule can run across data from many tools; it is not the same thing as relational database normalization.
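As an added illustration of that ingest-time normalization (this is example code written for this article, not OCSF's own reference code or any vendor connector), the block below maps two constructed, differently shaped authentication logs, an sshd syslog line and a JSON identity-provider audit record, onto one Authentication event shape, validates the required attributes, and then runs a single failed-logon detection over both sources. The attribute names and the class, category, activity and status identifiers follow OCSF's Authentication class as the author understands it; confirm them against the schema version you target. The `metadata.version` string, the product names, the syslog year and the sample log lines are all assumptions.

```python
"""Normalize two log formats into one OCSF-style Authentication event and
run one detection over both. Added example; sample data is constructed."""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# OCSF identifiers for the Authentication event class, as understood by the
# author of this example; verify against the published schema you use.
SCHEMA_VERSION = "1.0.0"               # assumed value for metadata.version
CATEGORY_IAM = 3                       # Identity & Access Management
CLASS_AUTHENTICATION = 3002
ACTIVITY_LOGON = 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SEVERITY_INFORMATIONAL, SEVERITY_LOW = 1, 2
# Attributes every event must carry before a downstream consumer accepts it.
REQUIRED = ("category_uid", "class_uid", "activity_id", "type_uid", "severity_id",
            "status_id", "time", "metadata", "user", "src_endpoint")
SYSLOG_YEAR = 2022                     # syslog lines omit the year; assumed

# Constructed sample input (not real logs).
SSHD_LINES = [
    "Aug 10 14:02:11 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Aug 10 14:02:13 bastion sshd[2210]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Aug 10 14:05:40 bastion sshd[2290]: Accepted publickey for deploy from 198.51.100.4 port 40112 ssh2",
]
IDP_EVENTS = [  # shape loosely modeled on a SaaS identity provider's JSON audit log
    {"eventType": "user.session.start", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.7"}, "published": "2022-08-10T14:03:02.000Z"},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "192.0.2.9"}, "published": "2022-08-10T14:04:30.000Z"},
]

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")


def _event(time_ms, status_id, user, ip, port, product):
    """Build one OCSF-style Authentication (logon) event from normalized fields."""
    return {
        "category_uid": CATEGORY_IAM,
        "class_uid": CLASS_AUTHENTICATION,
        "activity_id": ACTIVITY_LOGON,
        "type_uid": CLASS_AUTHENTICATION * 100 + ACTIVITY_LOGON,  # class * 100 + activity
        "status_id": status_id,
        "severity_id": SEVERITY_LOW if status_id == STATUS_FAILURE else SEVERITY_INFORMATIONAL,
        "time": time_ms,                # epoch milliseconds, UTC
        "metadata": {"version": SCHEMA_VERSION, "product": {"name": product}},
        "user": {"name": user},
        "src_endpoint": {"ip": ip, **({"port": port} if port else {})},
    }


def normalize_sshd(line):
    """Map an sshd syslog line onto the common schema; None if it is not a logon event."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    dt = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR, tzinfo=timezone.utc)
    status = STATUS_SUCCESS if m["outcome"] == "Accepted" else STATUS_FAILURE
    return _event(int(dt.timestamp() * 1000), status, m["user"], m["ip"], int(m["port"]), "sshd")


def normalize_idp(record):
    """Map a JSON identity-provider audit record onto the common schema."""
    if record.get("eventType") != "user.session.start":
        return None
    dt = datetime.fromisoformat(record["published"].replace("Z", "+00:00"))
    status = STATUS_SUCCESS if record["outcome"]["result"] == "SUCCESS" else STATUS_FAILURE
    return _event(int(dt.timestamp() * 1000), status,
                  record["actor"]["alternateId"], record["client"]["ipAddress"], None, "idp")


def validate(event):
    """Reject events missing required attributes instead of passing gaps downstream."""
    missing = [k for k in REQUIRED if k not in event]
    if missing:
        raise ValueError(f"event missing required attributes: {missing}")
    return event


def normalize_all():
    """Ingest both sources into one time-ordered list of validated events."""
    events = [e for e in map(normalize_sshd, SSHD_LINES) if e]
    events += [e for e in map(normalize_idp, IDP_EVENTS) if e]
    return sorted(map(validate, events), key=lambda e: e["time"])


def failed_logons_by_source(events, threshold=3):
    """One detection over both sources: source IPs with >= threshold failed logons."""
    counts = Counter(e["src_endpoint"]["ip"] for e in events
                     if e["class_uid"] == CLASS_AUTHENTICATION and e["status_id"] == STATUS_FAILURE)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = normalize_all()
    print(json.dumps(evs[0], indent=2))
    print("suspicious sources:", failed_logons_by_source(evs))
```

The point of the example is the last function: because both the sshd line and the identity-provider record were mapped to the same class, status and source-endpoint attributes at ingest, the failure count for 203.0.113.7 combines both feeds without the detection knowing which product produced each event. Adding a third product means writing one more `normalize_*` mapper, not touching the detection.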

Enterprise IT teams are increasingly dealing with SecOps tool sprawl, particularly as companies grow through acquisition and subsidiaries bring in their own tools that may be redundant to what the parent company already uses, according to one analyst.

"Depending on the size of the organization, it can be more than 20 tools," said Michelle Abraham, an analyst at IDC. "You hear stories of as many as 100."


IT systems at companies such as Zoom are becoming larger and more complex, too, leading to an increased reliance on AI-driven automation. This also makes the flow of data into cybersecurity analytics systems a more critical aspect of security operations, Abraham said.

"If you want to automate, you need things to be flowing in, and it's also not just when you get things set up," she said. "Technology moves quickly -- if one of your systems changes something that changes the data flow, that can change everything connected to it. If there's a standard, then those changes ideally ... wouldn't have as much impact on downstream systems."

Next steps: adoption and overlap

OCSF is reminiscent of, if technically different from, OpenTelemetry, a similar effort within the Cloud Native Computing Foundation (CNCF) to standardize how traces, metrics and logs are collected and exported across observability tools. OpenTelemetry's success also inspired the CDEvents project within the Continuous Delivery Foundation this year.

Technically, OCSF doesn't have to be limited to cybersecurity events data, but that is its initial focus and there are no plans to branch into the broader telemetry space at this time, Ryland said.

However, other frameworks for cybersecurity analytics data sharing already have their own data normalization formats, along with multi-vendor interoperability alliances built on them. For example, ArcSight, the security subsidiary of Micro Focus, has an extensible event format called the Common Event Format (CEF), and many cybersecurity tools tag their events with MITRE ATT&CK tactic and technique identifiers, although ATT&CK is a knowledge base of adversary behavior rather than an event schema. Both can be extended by third parties, but neither is available under an open source license. OCSF is available under the Apache 2.0 license.

"There are not only lots of products, but a lot of homegrown tools out there for dealing with security data," Ryland said. "We think this can reduce friction and provide some common experiences and skills -- even a security engineer who is used to this format can use it broadly."

Still, while a seal of approval from several well-known IT vendors may drive more people to use OCSF, not every cybersecurity analytics vendor or user will be interested in replacing what they already use to normalize security event data.

"They do have a hefty list of contributors," said Carlos Casanova, an analyst at Forrester Research. "We'll have to see how it develops and where it lands in terms of becoming 'yet another' open standard, an actual standard, or no standard at all."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
