AWS Open Source Blog

Celebrating One Year of OCSF: Simplifying Security Telemetry for a Stronger Defense

One year ago, AWS embarked on a mission to revolutionize the way security professionals monitor, detect, respond to, and mitigate security issues. Today, as we celebrate the one-year anniversary of the Open Cybersecurity Schema Framework (OCSF) project, we’re thrilled to announce the release of OCSF v1.0.0 and reflect on the milestones we’ve achieved and the positive impact OCSF has had on the security industry.

When we launched the OCSF project alongside 17 other visionary companies, our goal was clear: to simplify the complex and heterogeneous nature of analyzing security-related telemetry at scale. Customer security teams told us that they were struggling to analyze data from multiple tools, technologies, and vendors, which drove up costs and hindered their ability to respond swiftly. We understood the need for a standardized approach that would enable security professionals to focus on what truly matters: identifying and responding to security issues. The OCSF project provides an open and extensible specification for the normalization of security telemetry across a wide range of security products and services, as well as open source tools that support and accelerate the use of the OCSF schema.

Since its launch, the OCSF project has grown exponentially. What started with 18 founding companies has now grown into a vibrant community of over 145 participating organizations across security-focused independent software vendors (ISVs), government agencies, educational institutions, and enterprises. This incredible collaboration and support have been instrumental in shaping the evolution of OCSF into the industry standard it is today.

OCSF v1.0.0 is the culmination of expertise from its team, partners, and contributors. With OCSF v1.0.0, we’ve taken a big leap forward in simplifying the normalization of security telemetry across a wide range of products and services.

OCSF has also gained recognition as the standard for seamless tool communication, enabling interoperability across the security ecosystem. The IDC report Worldwide Cloud Workload Security Forecast, 2023–2027: Complexity and Resiliency Fuel Growth (doc #US50197723, June 2023), emphasized the significance of OCSF in the security landscape: “Normalization of hybrid multicloud security telemetry is needed before any converged data is useful. Institutional learning suggests that if all cloud security protections speak OCSF, there would be no need to normalize or translate data for each connector, enabling faster threat detection and response.”

“Organizations face significant challenges in analyzing data from various tools and vendors due to the complexities of querying different data types, which ultimately consumes security teams’ valuable time and hinders their abilities to respond promptly to cybersecurity risks,” said Ian McShane, VP of Product Strategy at Arctic Wolf. “Through our integration with the OCSF framework, we aim to alleviate the burden of dealing with multiple query languages, enabling teams to prioritize and address security issues more efficiently. By fostering a common framework, we empower the entire cybersecurity community to collaborate effectively, ultimately creating a more secure environment for the industry and our joint customers.”

Throughout the year, many Amazon services have embraced the OCSF schema. In April 2023, we launched AWS Verified Access, which allows customers to establish secure access to their corporate applications without a VPN. Verified Access supports the OCSF format, making it easier to do log analysis using security information and event management (SIEM) and observability providers. In May 2023, we launched Amazon Security Lake, which automatically normalizes and combines security data from AWS and a broad range of enterprise security data sources to OCSF. By doing so, it empowers security teams to effortlessly collect, combine, and analyze security data, streamlining their operations and bolstering their overall security posture. In June 2023, we launched AWS AppFabric, which enhances the connectivity of SaaS applications across organizations—no coding required. AppFabric automatically normalizes SaaS application audit logs into the OCSF format and actively collaborates with the OCSF community to develop new event categories and classes.

AWS actively participates in open source foundations such as OCSF, the Open Source Security Foundation (OpenSSF), and the Internet Security Research Group (ISRG) with a goal of improving open source software supply chain security to benefit our customers and end-user security across the industry. Sustainable open source is important to us, our customers, and the world, and this is why we invest so heavily in it.

As we look ahead, we’re excited to witness and contribute to the continued growth and adoption of OCSF. We envision a future where all security protections use OCSF, eliminating the need for data normalization or translation for each telemetry source. This unified approach will enable security professionals to swiftly detect and respond to threats, enhancing their ability to protect their environments effectively.

On this significant occasion, we extend our gratitude to the dedicated members of the Steering Committee, whose unwavering guidance and expertise have been instrumental in shaping OCSF’s success. Additionally, we extend our thanks to the entire OCSF community—the companies, organizations, and individuals who have contributed their time, expertise, and enthusiasm to make this project a resounding success. Together, we’re reshaping the security landscape and empowering security professionals to focus on what truly matters—identifying and responding to events that enhance their security posture.

Looking ahead, we remain committed to the evolution of the OCSF project. By investing in open source initiatives, we’re helping to ensure that the projects and technologies that we, our customers, and the world depend on remain secure and reliable for the long term. We invite all industry stakeholders to join us on this journey by contributing their expertise and perspective to shape the future of OCSF. To learn more about the OCSF project, visit the OCSF homepage.

Jon Ramsey

Jon has been at Amazon for just under two years. He is responsible for Security Services at AWS, including Amazon GuardDuty, Amazon Inspector, AWS Security Hub, Amazon Security Lake, and other security products. Prior to Amazon, Jon spent 20+ years in leadership as a recognized cybersecurity industry pioneer. Jon earned a B.S. in Computer Science from the University of Pittsburgh and an M.S. in Software Engineering and Computer Science from Carnegie Mellon University.

Keith Gilbert

Keith is a Security Engineering Manager across Amazon Detective and Amazon Security Lake and is Co-Chair of the Open Cybersecurity Schema Framework (OCSF). Prior to Amazon, his background focused on incident response and threat intelligence. Outside of Amazon, you’ll probably find Keith participating in any seasonally appropriate motorized sport, working in his garage, or spending time at the lake with his family.