IBM TechXchange Security Technology Alliance Program User Group

Introducing OCSF or “Open Cybersecurity Schema Framework By Jason Keirstead

What Problems does OCSF solve for? 

One of the primary challenges of cybersecurity analytics is that there is no common and agreed-upon format and data model for logs and alerts As a result, pretty much everyone in the space creates and uses their own format and data model (IE sets of fields).  There are *many* such models that exist, including some open ones like STIX, OSSEM, and the Sigma taxonomy. The challenge to date is that none of these have become widely adopted by products for logging and event purposes, and thus they require a lot of manual work to get value from. I have written and spoken about this problem set extensively in the past, and it causes many issues when it comes to detection engineering, threat hunting, and analytics development, not to mention AI – as Rob Thomas said, “There is no AI without IA”. Despite the issues this causes in the industry, there has been no significant progress on the problem space, because until now there has been lack of a “critical mass” of major players willing to tackle the problem head-on, and with efforts like this, timing is everything. With OCSF, we are now at a moment where we have that critical mass as well as a real willingness to tackle these challenges.

A Truly Open Approach

IBM Security has been passionate supporters of open security for a long time, as illustrated in our strong participation as well as financial sponsorship of efforts in OASIS, the FIDO alliance, the Open Cybersecurity Alliance, the Cloud Security Alliance, the MITRE Center for Threat Informed Defense, and more. As such, we do consider ourselves “subject matter experts” in open security, and we understand what makes such efforts successful. What makes me optimistic about OCSF and its potential for success, is the momentum and level of support we have seen from the participants involved, where an honest, open, and collaborative effort that is really trying to “move the needle” on this problem area. OCSF has decided from the outset to tackle the question of open governance – a critical success factor for any open-source project – by being purposeful about the question, and launching with Github’s Minimal Viable Governance model as the adopted approach. While I have raised some minor concerns with MVG in the past, it is still a very viable approach to true open governance, and is therefore definitely something that a community can be built around – as such I am very excited about the possibilities for this project.

The future & how to be involved

OCSF is just getting started. While there has been a lot of work put into the effort already, there is still ample opportunity for other vendors, users, and thought leaders to jump in and help make it more robust. The community has purposefully decided against tagging of any notion of a release number, because we very much want that feedback to happen now that this effort is public. As I mentioned previously, OCSF is under Minimal Viable Governance, which means that there is a truly open and well-defined way for anyone to get involved in this community. You can read more about how you can contribute and participate at https://github.com/ocsf/ and I encourage you to do so and come help us shift the balance of power back toward the defender.