Fostering Collaboration for Standardized Threat Investigation & Response

Working together can bring much-needed trust to the industry and help safeguard people, organizations, and government — now and in the future.

+1
Paul Agbabian, Mark Terenzoniand 1 more

February 23, 2024

5 Min Read
Person touching multicolored gearsSource: ronstick via Alamy Stock Photo

Data is the lifeblood of any organization's security strategy. Data from dozens of security and IT tools spread out across an enterprise's expansive multicloud infrastructure provides organizations with critical visibility into today's threat landscape. However, the inability to stitch this sprawl of data together and put it in the proper context has created inefficiencies that make it difficult to identify potential threats promptly.

Security data streams using incompatible formats force security teams to invest time and resources into bringing disparate data to a common denominator. This makes it challenging to analyze cyber incidents in a greater context, potentially shielding complex attack patterns that cover multiple attack vectors.

To solve this problem, industry leaders have joined forces to build a new vendor-agnostic networking and cybersecurity standard, which has more than 660 individual contributors across 197 enterprise organizations to help institutions get a grip on their security data to better detect and investigate threats. Launched in August 2022, the Open Cybersecurity Schema Framework (OCSF) has been gaining traction across the industry from customers, researchers, and vendors, who are now finding themselves collaborating with their counterparts to solve this data normalization issue.

However, work still needs to be done to ensure the standard is adopted industrywide so it can contribute to a more robust security strategy for today's enterprises.

Addressing the Security Gaps in Enterprise Networks

In the past, the responsibility for resolving the data interoperability issue in the security space has fallen on security information and event management (SIEM) vendors and end users who use application programming interfaces (APIs) and other connectors to collect data across various tools. However, as attack surfaces expand, the time and effort to normalize, clean, and align data structures across a diverse set of tools has become unsustainable. Standardizing data collection across disparate systems can make it easier and faster to identify and investigate threats.

An Opportunity for Cross-Industry Collaboration

The OCSF schema eliminates data security silos and standardizes the way security data is collected and managed across different cybersecurity tools. This effectively creates a common language for security telemetry, making it an open standard available to any vendor. OCSF can be adopted in any environment, application, or solution, complementing existing security standards and processes.

OCSF delivers an extensible framework for vendors to develop their own schema. Vendors and other data producers can adopt and extend the schema for their specific domains, allowing engineers to map different schemas that help simplify the ingestion and management of data between security tools for faster and more accurate threat detection and investigation.

However, for standardization to be effective, the entire industry needs to come together. This requires collaborators across networking and security industries to set aside their differences and adopt a common language, schema, and standards. This is in the best interest of customers, but improved customer experiences through vendor cooperation will also promote industrywide growth and prosperity.

Here are five things that need to happen to grow the adoption of OCSF and help organizations respond to threats quicker and reduce data normalization costs:

1. Engage with customers.

Ultimately, customers will drive adoption, and vendors must highlight the technical and business benefits of moving to an open and extensible security schema. The first step is to recognize the pain points that data engineers, security operations teams, and other stakeholders deal with daily when managing and securing modern networks spread across various cloud and data center infrastructures.

Eliminating the need to normalize data coming in from distributed sources would allow security teams to focus on what really matters — threat detection and investigation.

2. Convince more vendors to collaborate.

Success also depends on industrywide standard adoption, but collaboration among counterparts is critical. Many still believe that standards make it easier for their customers to migrate off their platform, but this is a dangerous line of thinking. Vendor lock-in ultimately hampers the entire industry and makes it harder to grow the market.

In reality, standards such as OCSF can enhance the adoption of vendors' solutions by making it easier to integrate their products into the full security and networking stack — working as a single, integrated ecosystem rather than a siloed, stand-alone product simplifies security operations for the customer.

3. Enlist help from the feds.

The federal government has always supported innovation through funding, research and development, and standardization. Mandating compliance with OCSF and other frameworks in all Requests for Comments (RFCs) by the Cybersecurity and Infrastructure Security Agency (CISA) would significantly advance the adoption of this new schema. In addition, the federal government could make expertise or compliance with OCSF a requirement for vendors and contractors who want to work with federal agencies.

4. Promote open communication.

Getting any project off the ground — much less an industrywide standardization effort — takes constant communication from all stakeholders. OCSF is encouraging vendors, researchers, and customers to participate in the process by contributing to the core schema. The group's Slack channel has more than 660 members — up from just over 100 several months ago.

5. Encourage enterprise use cases.

Several large enterprises have already adopted the OCSF standard in their internal networks — developing a system that pools diverse threat detection and investigation data in a single management dashboard that they have developed internally.

Walking in Lockstep Toward a Safer Tomorrow

Security teams are forced to spend an inordinate amount of time normalizing and cleaning up telemetry data from dozens of sources across an increasingly complex security stack. The new OCSF schema aims to standardize security data across tools — allowing security teams to spend more time proactively addressing and preventing threats.

Others in the industry need to rally behind the vendor-agnostic initiative through buy-in and better collaboration from customers, vendors, and the federal government. This entails promoting participation and showcasing specific enterprise use cases.

We now have an opportunity to take a giant step forward in turning the tide against today's increasingly sophisticated threats. Banding together will bring much-needed trust to the industry — helping us continue to safeguard people, organizations, and government — today and in the future.

About the Authors

Paul Agbabian

Vice President & Distinguished Engineer, Splunk

Paul Agbabian is responsible for technology strategy and architecture for the Security business unit at Splunk. Prior to joining Splunk, Paul was a Broadcom Fellow and the Global CTO and Chief Architect of the Symantec Enterprise Security Business Unit.

Mark Terenzoni

Director of Risk Management, AWS

Mark Terenzoni is a Director/General Manager of several customer-facing security services at AWS. Mark is also part of the AWS security leadership team that sets strategic direction and prioritization for customer-facing security services. Mark joined AWS through the acquisition of Sqrrl in 2018. Prior to AWS, Mark was President and CEO of Sqrrl, where he led the company from a small team of engineers to the recognized market leader in cyber threat hunting. Earlier in his career, Mark was an SVP and General Manager at F5 Networks, where he ran worldwide operations for a service provider business unit.

Sridhar Muppidi

Vice President & Chief Technology Officer, IBM Security

Dr. Sridhar Muppidi is an IBM Fellow and CTO for IBM Security. He is responsible for driving the technical strategy, architecture & research for IBM Security's portfolio of products & services to help clients manage defenses against threats and protect digital assets. He is a results-oriented technical thought leader with 25 years of experience in building security products, delivering solution architecture for clients, driving open standards, and leading technical teams. In the last ten years, he has been instrumental in building the IBM Security business unit into one of the largest security companies in the world. He is an IBM Master Inventor with 50+ patents, several technical articles, and passionate about open security initiatives.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights