IBM TechXchange Security Technology Alliance Program User Group


OCSF the Open Cybersecurity Schema Framework By Jason Keirstead

By Dan Schofield posted Wed August 10, 2022 05:47 AM


Introducing OCSF, or “Open Cybersecurity Schema Framework”, by Jason Keirstead

IBM Security is participating in a new open security project, and I’m very excited to share the news. OCSF, or Open Cybersecurity Schema Framework, is an open-source effort to create a common schema for security events across the cybersecurity ecosystem. IBM Security has been working with 18 vendors, including AWS, Splunk, Crowdstrike and SumoLogic, on OCSF for the past few months toward a community release, and today that release is public. You can read the press release here, but I wanted to take the opportunity to go into further detail on why this effort is important and how you can get involved.

What problems does OCSF solve?

One of the primary challenges of cybersecurity analytics is that there is no common, agreed-upon format and data model for logs and alerts. As a result, pretty much everyone in the space creates and uses their own format and data model (i.e. their own set of fields). There are *many* such models, including some open ones like STIX, OSSEM, and the Sigma taxonomy. The challenge to date is that none of these has been widely adopted by products for logging and event purposes, so a lot of manual work is needed to get value from them. I have written and spoken about this problem extensively in the past: it causes many issues for detection engineering, threat hunting, and analytics development, not to mention AI, since, as Rob Thomas said, “There is no AI without IA”. Despite the issues this causes in the industry, there has been no significant progress on the problem, because until now there has been no “critical mass” of major players willing to tackle it head-on, and with efforts like this, timing is everything. With OCSF, we are now at a moment where we have that critical mass as well as a real willingness to tackle these challenges.

A Truly Open Approach

IBM Security has been a passionate supporter of open security for a long time, as illustrated by our strong participation in, and financial sponsorship of, efforts in OASIS, the FIDO Alliance, the Open Cybersecurity Alliance, the Cloud Security Alliance, the MITRE Center for Threat-Informed Defense, and more. As such, we consider ourselves “subject matter experts” in open security, and we understand what makes such efforts successful. What makes me optimistic about OCSF and its potential for success is the momentum and level of support we have seen from the participants involved: this is an honest, open, and collaborative effort that is really trying to “move the needle” on this problem area. OCSF decided from the outset to tackle the question of open governance, a critical success factor for any open-source project, by being purposeful about it and launching with GitHub’s Minimum Viable Governance (MVG) model as the adopted approach. While I have raised some minor concerns with MVG in the past, it is still a very viable approach to true open governance, and therefore definitely something a community can be built around; as such, I am very excited about the possibilities for this project.

The future & how to be involved

OCSF is just getting started. While a lot of work has already been put into the effort, there is still ample opportunity for other vendors, users, and thought leaders to jump in and help make it more robust. The community has purposefully decided against tagging any release number yet, because we very much want that feedback to happen now that the effort is public. As I mentioned previously, OCSF is under Minimum Viable Governance, which means there is a truly open and well-defined way for anyone to get involved in this community. You can read more about how you can contribute and participate at and I encourage you to do so and come help us shift the balance of power back toward the defender.

About the author:
Jason Keirstead is an IBM Distinguished Engineer and CTO of Threat Management in IBM Security. His role spans the complete threat life cycle, from Threat Insight through Prevention, Detection, Response and Recovery, and he is a frequent speaker on cybersecurity issues. Jason works extensively in the “Open Security” space, sitting on the OASIS Board of Directors and serving as a co-chair of the Open Cybersecurity Alliance project governing board.