The Open CyberSecurity Schema Framework (OCSF) is an open-source project that provides a framework for developing security schemas.
In order to detect and stop cyberattacks, there must be coordination across several different tools, but that currently requires a lot of time and resources because there is no standard, vendor-agnostic schema these tools follow, OCSF explained.
The goal of OCSF is to provide that schema and enable security teams to ingest data faster without needing to normalize it first.
The OCSF project includes a set of data types, an attribute dictionary, and taxonomy. It can be adopted by vendors for any domain. It is also agnostic to storage format, data collection, and ETL processes, and the core schema is intended to be agnostic to the implementations too.
The project builds on the work of the ICD Schema developed by Symantec, which is a division of Broadcom. It was initiated by AWS and Splunk, though it now includes contributions from 15 more members, including Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler.
“Security leaders are wrestling with integration gaps across an expanding set of application, service and infrastructure providers, and they need clean, normalized and prioritized data to detect and respond to threats at scale,” said Patrick Coughlin, group vice president of the security market at Splunk. “This is a problem that the industry needed to come together to solve. That’s why Splunk is a proud member of the OCSF community — security is a data problem and we want to help create open standard solutions for all producers and consumers of security data.”