AWS Open Source Blog

From Data Chaos to Cohesion: How OCSF is Optimizing Cyber Threat Detection

With the release of version 1.3.0, the Open Cybersecurity Schema Framework (OCSF) introduces several enhancements designed to further standardize and help streamline cybersecurity data management. OCSF is a collaborative, open source effort by AWS and leading partners in the cybersecurity industry, which provides a standard schema for common security events, defines versioning criteria to facilitate schema evolution, and includes a self-governance process for security log producers and consumers. The latest update includes a new category for remediation events, new event classes, a new profile for threat intelligence datasets, and other enhancements. These changes aim to bolster an organization’s proficiency in threat detection, security analytics, and incident response.

OCSF addresses a core challenge in threat detection and security analytics: the absence of consistent formats and data models for logs and alerts across different vendors. This diversity complicates cybersecurity operations, requiring manual effort to normalize data and integrate insights from disparate sources. Without OCSF, security teams need to invest considerable time and effort in aggregating and harmonizing information from each of those sources. As a result, organizations struggle to efficiently analyze and respond to security threats, hindering their ability to protect against evolving cyber risks.

For an in-depth understanding of the problem OCSF aims to address, along with its fundamental concepts and taxonomy, review the project documentation. In this post, we’ll go into more depth on the new version’s features, provide an overview of the OCSF’s progress since its inception in 2022, and share insights from organizations participating in the project and adopting OCSF.

Customer Benefits

The advancements in OCSF Version 1.3.0 provide many benefits for organizations leveraging the framework:

  • Greater Data Normalization: The latest iteration broadens OCSF’s scope further, allowing the standardization of more diverse datasets from more security tools and platforms. This helps eliminate inconsistencies, redundancies, and structural differences in the collected datasets.
  • Improved Security Analytics: Data normalization leads to more streamlined processing and analysis of the collected security data. This empowers security analysts to gain a more comprehensive understanding of potential threats, and the indicators of compromise (IOCs) in their environment.
  • Enhanced Threat Detection: Improved security analytics capabilities enable better correlation and pattern recognition across different data sources, allowing organizations to uncover trends and anomalies that basic data models may miss. This, in turn, leads to more effective threat detection.

By integrating these enhancements, OCSF continues to support organizations in achieving robust and agile cybersecurity defenses.

Developments in OCSF Version 1.3.0

With version 1.3.0, seven new Event Classes were incorporated into the framework. These event classes span three Categories in OCSF: System Activity, Discovery, and the newly introduced Remediation category. The introduction of these new event classes stems from the proactive identification of unmet needs by community members and the subsequent collaboration among the community to bridge those gaps. These additions help improve the scope and applicability of the framework, allowing more diverse datasets to be normalized, and simplifying data management and subsequent analysis.

A few notable additions in 1.3.0 include:

  • A Software Inventory Info event class that allows normalization of events that report collection of software assets on a device in your environment.
  • The Network Remediation Activity, Process Remediation Activity, and File Remediation Activity event classes that enable normalization of events that report domain-specific remediation attempts across your environment.
  • A new Profile – OSINT (Open Source Intelligence) – that helps facilitate enrichment of OCSF events via cyber threat intelligence, open source intelligence, and associated information. This profile is available across all event classes within OCSF, reflecting its cross-domain applicability.
  • Version 1.3.0 also expands the framework with new Observable types and Attributes, further improving the existing event classes and their ability to represent and convey relevant cybersecurity information. Notable examples of new attributes added to the framework include ja4_fingerprint (to represent JA4+ network fingerprinting information), d3fend (to represent the Tactics and Techniques associated with countermeasures in the MITRE D3FEND Matrix), and whois (to represent WHOIS record information for a given domain).

Note: OCSF adheres to the semver (Semantic Versioning) standard, ensuring backwards compatibility while introducing new features and improvements. For a complete overview of the changes introduced in version 1.3.0, review the schema’s changelog, which provides detailed insights for both users and contributors.
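As an added example (not code from the OCSF project or this post), the following Python normalizer maps a constructed vendor quarantine log into an OCSF 1.3.0 File Remediation Activity event, one of the new Remediation classes described above, and checks the base attributes every OCSF event must carry. The class_uid, category_uid, activity_id and file type_id values are assumed from the 1.3.0 schema and should be verified against the OCSF schema browser; the vendor record and product name are constructed.

```python
"""Build and validate an OCSF 1.3.0 File Remediation Activity event.

Added example, not from the OCSF project or the blog post. The numeric
identifiers below are assumed from the OCSF 1.3.0 schema; verify them.
"""
from datetime import datetime

OCSF_VERSION = "1.3.0"
CATEGORY_REMEDIATION = 7        # assumed: Remediation category_uid (new in 1.3.0)
CLASS_FILE_REMEDIATION = 7002   # assumed: File Remediation Activity class_uid
ACTIVITY_ISOLATE = 1            # assumed: activity_id for "Isolate" (quarantine)
FILE_TYPE_REGULAR = 1           # assumed: file.type_id for a regular file
# Base-event attributes the schema marks as required on every event class.
REQUIRED = ("category_uid", "class_uid", "activity_id", "type_uid",
            "severity_id", "time", "metadata")

# Constructed sample record from a hypothetical EDR product, not a real format.
RAW_EDR_LOG = {"ts": "2024-08-01T12:00:00Z", "action": "quarantine",
               "path": "/tmp/suspect.bin", "host": "ws-01"}


def normalize(raw: dict) -> dict:
    """Map the constructed vendor record onto an OCSF-shaped event dict."""
    ts = datetime.fromisoformat(raw["ts"].replace("Z", "+00:00"))
    return {
        "category_uid": CATEGORY_REMEDIATION,
        "class_uid": CLASS_FILE_REMEDIATION,
        "activity_id": ACTIVITY_ISOLATE,
        # OCSF convention: type_uid = class_uid * 100 + activity_id
        "type_uid": CLASS_FILE_REMEDIATION * 100 + ACTIVITY_ISOLATE,
        "severity_id": 3,                       # Medium
        "time": int(ts.timestamp() * 1000),     # OCSF time is epoch milliseconds
        "metadata": {"version": OCSF_VERSION,
                     "product": {"name": "ExampleEDR", "vendor_name": "Example"}},
        "device": {"hostname": raw["host"]},
        "file": {"name": raw["path"].rsplit("/", 1)[-1], "path": raw["path"],
                 "type_id": FILE_TYPE_REGULAR},
    }


def validate(event: dict) -> list:
    """Return a list of problems; an empty list means the checks passed."""
    problems = ["missing " + k for k in REQUIRED if k not in event]
    if not problems:
        if event["type_uid"] != event["class_uid"] * 100 + event["activity_id"]:
            problems.append("type_uid does not match class_uid/activity_id")
        if event["metadata"].get("version") != OCSF_VERSION:
            problems.append("metadata.version is not " + OCSF_VERSION)
    return problems
```

Because 1.3.0 is a minor (backwards-compatible) release, a consumer that validated 1.2.0 events this way keeps working; only metadata.version and the new class identifiers change.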

Advancing Cybersecurity Data Standardization

OCSF has seen significant progress since its debut. Officially launched in September 2023, OCSF version 1.0.0 marked the beginning of standardized security data management. Building on that foundation, OCSF version 1.1.0 was released in January 2024, incorporating valuable community feedback and planned improvements. The subsequent version 1.2.0, released in April 2024, further expanded the framework’s capabilities. The latest iteration, version 1.3.0 released on August 1st 2024, reflects the framework’s rapid evolution and the ongoing contributions from its community.

The OCSF community, too, has grown rapidly from a collaborative initiative involving 17 companies into a thriving ecosystem with over 200 participating organizations and 800 contributors since its inception in August 2022. This growth underscores the framework’s importance and its role in shaping industry standards. As OCSF continues to evolve, it remains dedicated to improving how security telemetry data is normalized across diverse tools and platforms, ultimately helping organizations in mitigating cyber risks.

Industry Recognition and Impact

OCSF has gained recognition and support from industry analysts, further underscoring its importance in the cybersecurity landscape. The IDC report “Impact of OCSF on the Choice of Cybersecurity Tooling” (doc # US52002524, April 2024) highlights the increasing awareness of OCSF and its important role in guiding customer decisions towards cybersecurity products capable of seamless data ingestion and output using the OCSF schema. The Omdia report “Fundamentals of Open XDR 2.0: Enabling the Integrated TDIR Ecosystem” highlights OCSF’s significant contributions to standardizing data normalization. This not only enhances the efficiency and effectiveness of threat detection, investigation, and response (TDIR) frameworks, but also unlocks new opportunities for distributed data utilization and sharing that were previously unattainable.

What We Want You To Take Away

Leaders from AWS, Interpublic Group, and Comcast Technology Solutions have praised OCSF for its role in fostering innovation and collaboration within the cybersecurity industry. OCSF simplifies data normalization, improves operational efficiency, and allows security teams to focus more on proactive measures for data management. Organizations also gain efficiency and effectiveness from standardizing data using OCSF, which enhances threat detection and response capabilities. Finally, OCSF addresses the challenge of disparate data formats, enabling a more comprehensive and actionable view of security data.

Collectively, the quotes below reflect a consensus on the transformative impact of OCSF. They demonstrate that OCSF not only streamlines cybersecurity operations but also significantly helps strengthen an organization’s security posture, making it an invaluable tool in the fight against evolving cyber threats.

“Over the past two years, we have seen tremendous growth and collaboration within the OCSF community,” said Gee Rittenhouse, Vice President for Security Services at AWS. “OCSF’s success is a testament to the power of open source innovation and the shared vision and dedication of the community in creating a unified framework that enhances threat detection and response across diverse environments.”

“Managing disparate data formats across security solutions often demands extensive resources and time from security teams, hindering the ability to quickly detect and respond to cyber threats,” said Troy Wilkinson, Global CISO at Interpublic Group. “By leveraging the OCSF schema, we streamline data normalization, ensuring consistent and comprehensive security telemetry. This not only optimizes our operational efficiency but also enhances our capability to safeguard against evolving cybersecurity challenges, fostering a more secure environment for our organization.”

“Big data presents a significant challenge due to its sheer volume and the siloed nature of data across different formats. Security teams are using dozens, if not hundreds, of tools in disparate formats, making it difficult to aggregate security data effectively,” said Paul Kivikink, Vice President of Product Management and Technology Partnerships at DataBee, from Comcast Technology Solutions. “OCSF is a schema that DataBee has standardized on to enhance the usability of data across multiple personas and use cases. Adopting OCSF helps our customers not only bolster their ability to detect and respond to threats, but also strengthens their security posture by ensuring comprehensive capture and utilization of all relevant security data.”

Looking Forward with OCSF

OCSF continues to evolve, demonstrating the potential to significantly improve cyber threat detection, response, and analysis. With its increasing adoption, OCSF is set to become integral to the future of cybersecurity. OCSF stands at the forefront of innovation in cybersecurity data normalization. By fostering collaboration and standardizing data practices, OCSF empowers organizations to effectively strengthen their defenses against evolving cyber threats. Embrace the future of cybersecurity with OCSF and unlock new possibilities for unified, efficient threat detection and response.

Join our community today to stay updated on future developments by sending an email request to info@ocsf.io, collaborate on GitHub, or attend our upcoming OCSF Reception at Black Hat on August 6, 2024. Don’t miss out—register now as space is limited!

Mark Terenzoni

Mark is a Director at AWS, leading customer-facing security services. He joined AWS through the 2018 acquisition of Sqrrl. Previously, he was President and CEO of Sqrrl, growing it into a cyber threat hunting leader. Earlier, Mark was SVP and GM at F5 Networks, overseeing global service provider operations.

Rajas Panat

Rajas is a Security Engineer at Amazon, primarily working on Amazon Security Lake and Open Cybersecurity Schema Framework (OCSF) initiatives. He is a key contributor and maintainer of OCSF. Previously, he focused on incident response and threat detection for AWS Security. Away from work, you'll find him on adventurous trips, spending time with family and friends, or indulging his passions for video games, movies, and music.