One of the pervasive challenges in the current cybersecurity landscape is an overabundance of tooling vendors, each producing telemetry or data, often in its own native or nuanced schema or format. As cybersecurity's visibility in organizations has risen, so has the number of cybersecurity vendors and tools that teams must integrate, implement and govern. Cybersecurity professionals have to spend time getting tools to work together as a cohesive portfolio, which detracts from their efforts to identify and address cybersecurity vulnerabilities and threats.
The problem isn't going unnoticed. Recently Amazon Web Services (AWS), together with other leaders such as Splunk, CrowdStrike, Palo Alto, Rapid7 and JupiterOne, announced the release of the Open Cybersecurity Schema Framework (OCSF) project. The announcement acknowledges the problem of security professionals having to wrestle with proprietary data formats and outputs rather than focusing on their actual role of managing risks and threats. By standardizing security product schemas and formats, security practitioners can spend more time addressing the threats that pose risks to their organizations.
Below is an explanation of the OCSF, including some of its core components such as data types, the attribute dictionary and the taxonomy, all of which are laid out in the detailed Understanding the Open Cybersecurity Framework guide.
What is the Open Cybersecurity Schema Framework?
The OCSF holds promise to support a vendor-agnostic approach that the industry and the security tool vendor community can rally around to help make security portfolios work together more seamlessly. It does this while offering a customizable and capable schema that organizations can adopt out of the box but can also still tailor to unique profiles, requirements and environments.
The schema aims to standardize and normalize the data generated by cybersecurity tooling. It isn't restricted to the cyber domain or its associated events, though this was the initial focus of the project. To explore the schema, you can use the OCSF schema browser, shown below.
OCSF taxonomy
OCSF's taxonomy rallies around six fundamental constructs:
- Data types
- Attributes and arrays
- Attribute dictionary
- Event classes
- Categories
- Profiles and extensions
Data types include common kinds such as strings and integers but also scalar data types such as timestamps and IP addresses. Attributes are unique identifier names for fields together with their corresponding data types. The OCSF attribute dictionary covers all of the available attributes with their associated types and forms the core of the framework. Event classes, for example, are a particular set of attributes. Event classes cover specific categories of activities or metrics, such as system and network activity or security findings.
Profiles, as mentioned, align with domains such as cloud and overlay additional attributes onto event classes and objects to facilitate better filtering. This is useful when adding new attributes and event classes, which makes the schema dynamic and flexible.
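To make the taxonomy concrete, the following added example (written for this article, not code from the OCSF project) normalizes two constructed vendor-native logs, a JSON firewall record and a key=value proxy line, into a single OCSF-style Network Activity event and then checks the attribute data types the schema cares about (integer epoch-millisecond timestamps, valid IP addresses, port ranges). The attribute names and uids it uses (`class_uid` 4001, `category_uid` 4, `time`, `metadata.product.vendor_name`, `src_endpoint`/`dst_endpoint`, `disposition`) are taken from the OCSF Network Activity class as I recall it and are assumptions here; verify them against the OCSF schema browser before relying on them. The sample log lines and vendor names are constructed.

```python
"""Added example: normalizing two constructed vendor logs into one
OCSF-style Network Activity event and checking attribute data types.
The uids and attribute names are assumed from the OCSF schema; check
them against the schema browser."""
import ipaddress
import json
from datetime import datetime

# Constructed sample inputs in two different native formats.
FIREWALL_JSON = ('{"ts": "2023-01-15T10:22:07Z", "srcip": "10.0.0.5", '
                 '"dstip": "203.0.113.9", "dport": 443, "action": "allow", '
                 '"vendor": "ExampleFW"}')
PROXY_KV = ('time=1673778127 client=10.0.0.7 server=198.51.100.4 '
            'port=80 result=blocked product=ExampleProxy')

OCSF_NETWORK_ACTIVITY = 4001  # class_uid, assumed from the OCSF schema
OCSF_CATEGORY_NETWORK = 4     # category_uid, assumed from the OCSF schema


def _epoch_ms_from_iso(ts: str) -> int:
    """OCSF timestamps are integers in milliseconds since the epoch."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)


def _parse_kv(line: str) -> dict:
    return dict(pair.split("=", 1) for pair in line.split())


def build_event(vendor, time_ms, src_ip, dst_ip, dst_port, allowed) -> dict:
    """Assemble the common (normalized) event shape from already-typed fields."""
    return {
        "class_uid": OCSF_NETWORK_ACTIVITY,
        "category_uid": OCSF_CATEGORY_NETWORK,
        "time": time_ms,
        "metadata": {"version": "1.0.0", "product": {"vendor_name": vendor}},
        "src_endpoint": {"ip": src_ip},
        "dst_endpoint": {"ip": dst_ip, "port": dst_port},
        "disposition": "Allowed" if allowed else "Blocked",
    }


def from_firewall_json(raw: str) -> dict:
    rec = json.loads(raw)
    return build_event(rec["vendor"], _epoch_ms_from_iso(rec["ts"]),
                       rec["srcip"], rec["dstip"], int(rec["dport"]),
                       rec["action"] == "allow")


def from_proxy_kv(raw: str) -> dict:
    rec = _parse_kv(raw)
    return build_event(rec["product"], int(rec["time"]) * 1000,
                       rec["client"], rec["server"], int(rec["port"]),
                       rec["result"] != "blocked")


# Attribute -> expected Python type, standing in for the attribute dictionary.
REQUIRED = {"class_uid": int, "category_uid": int, "time": int, "metadata": dict}


def validate(event: dict) -> list:
    """Return a list of data-type problems; an empty list means the event
    passes these checks."""
    problems = []
    for name, typ in REQUIRED.items():
        if not isinstance(event.get(name), typ):
            problems.append(f"{name}: expected {typ.__name__}")
    for side in ("src_endpoint", "dst_endpoint"):
        ip = event.get(side, {}).get("ip")
        try:
            ipaddress.ip_address(ip)  # accepts IPv4 and IPv6, rejects None/junk
        except ValueError:
            problems.append(f"{side}.ip: not a valid IP address ({ip!r})")
    port = event.get("dst_endpoint", {}).get("port")
    if port is not None and not (isinstance(port, int) and 0 <= port <= 65535):
        problems.append("dst_endpoint.port: out of range")
    return problems


if __name__ == "__main__":
    for event in (from_firewall_json(FIREWALL_JSON), from_proxy_kv(PROXY_KV)):
        print(json.dumps(event), "problems:", validate(event))
```

Both source formats land in the same shape, so a single downstream query over `dst_endpoint.ip` or `disposition` covers both vendors; the type checks are what stop a string timestamp or a hostname in an IP field from silently breaking that query later.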
OCSF enrichment and categorization support
OCSF supports enrichment, which helps correlate collected information such as IP and MAC addresses with specific indicators of compromise (IoCs) during processing, prior to storage.
The OCSF schema supports categorizing events for better organization and understanding. Specific categories may include system, network and audit activity as well as findings, or in the case of a profile, cloud activities.
There is a close relationship between the OCSF and the popular MITRE ATT&CK framework. Profiles such as malware add MITRE ATT&CK information onto system activity classes. There are other similarities with MITRE ATT&CK; for example, categories in OCSF correspond to tactics in ATT&CK, and event classes to ATT&CK techniques. Differences include ATT&CK's support for sub-techniques and the fact that ATT&CK is proprietary and managed by MITRE, whereas OCSF is open and extensible among the vendor and broader security community.
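The following added example (written for this article, not OCSF project code) shows the enrichment and categorization steps described above as one pre-storage pipeline stage: each event's IP and MAC fields are correlated against a constructed IoC list, matches are recorded in an `enrichments` array, and the events are then grouped by category. The events, IoC values and category names are constructed for the example; the `class_uid`/`category_uid` values (4001/4 for Network Activity, 1001/1 for File System Activity) and the `enrichments` object shape (`name`, `value`, `type`, `data`) are assumed from the OCSF schema as I recall it and should be checked against the schema browser.

```python
"""Added example: enriching OCSF-style events with IoC matches before storage,
then grouping them by category. Events, IoCs and category names are
constructed; uids and the enrichments shape are assumed from the OCSF schema."""

# Constructed IoC list keyed by indicator value (IP or MAC address).
IOC_LIST = {
    "203.0.113.9": "known C2 address (constructed)",
    "aa:bb:cc:dd:ee:ff": "rogue device MAC (constructed)",
}

# Category names for the category_uid values used below (assumed).
CATEGORY_NAMES = {1: "System Activity", 2: "Findings", 4: "Network Activity"}

# Constructed, already-normalized events from different classes.
EVENTS = [
    {"class_uid": 4001, "category_uid": 4, "time": 1673778127000,
     "src_endpoint": {"ip": "10.0.0.5"}, "dst_endpoint": {"ip": "203.0.113.9"}},
    {"class_uid": 4001, "category_uid": 4, "time": 1673778128000,
     "src_endpoint": {"ip": "10.0.0.7", "mac": "aa:bb:cc:dd:ee:ff"},
     "dst_endpoint": {"ip": "198.51.100.4"}},
    {"class_uid": 1001, "category_uid": 1, "time": 1673778129000,
     "device": {"ip": "10.0.0.9"}},
]


def _indicators(event: dict):
    """Yield (attribute path, value) for the IP and MAC fields inspected here."""
    for obj in ("src_endpoint", "dst_endpoint", "device"):
        for field in ("ip", "mac"):
            value = event.get(obj, {}).get(field)
            if value:
                yield f"{obj}.{field}", value


def enrich(event: dict) -> dict:
    """Return a copy of the event with an `enrichments` array for every
    indicator that matched the IoC list; events with no match are unchanged."""
    out = dict(event)
    matches = [
        {"name": path, "value": value, "type": "ioc",
         "data": {"description": IOC_LIST[value]}}
        for path, value in _indicators(event) if value in IOC_LIST
    ]
    if matches:
        out["enrichments"] = matches
    return out


def categorize(events: list) -> dict:
    """Group events by their category name, preserving arrival order."""
    groups = {}
    for event in events:
        name = CATEGORY_NAMES.get(event["category_uid"], "Uncategorized")
        groups.setdefault(name, []).append(event)
    return groups


def process(events: list) -> dict:
    """Enrich first, then categorize: the shape a pre-storage stage would take."""
    return categorize([enrich(e) for e in events])


if __name__ == "__main__":
    for category, items in process(EVENTS).items():
        flagged = sum(1 for e in items if "enrichments" in e)
        print(f"{category}: {len(items)} events, {flagged} with IoC matches")
```

Because the indicator fields have the same names in every event class, the same `_indicators` walk works for network events and device events alike; that reuse is the practical payoff of a shared attribute dictionary.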
OCSF participation open to all
While the initial group of project contributors includes some of the most notable names in the cybersecurity vendor space, the OCSF supports contributions from others and offers an associated OCSF Contribution Guide.
The dynamic threat landscape has led to tool sprawl for many organizations. Rallying around an industry-standard schema and data normalization can help make SIEMs and SOCs more effective and maximize the opportunity for practitioners to identify and respond to relevant threats.