Twenty major security providers announced the Open Cybersecurity Schema Framework (OCSF). The framework provides a common language for security data. The goal is to help security teams integrate multiple security tools.

The Open Cybersecurity Schema Framework (OCSF) was initiated by Splunk and AWS. The partners want to involve as many security providers as possible. Providers that support the framework in their software allow end users to more quickly integrate data into the software of other providers that support the framework.

Splunk and AWS announced OCSF at the Black Hat USA 2022 conference. The project currently has eighteen members. The framework is supported by Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro and Zscaler.

Open Cybersecurity Schema Framework (OCSF)

OCSF is beneficial for security teams that use the software of two or more providers. Security vendors typically use proprietary schemas and formats for storing threat intelligence. OCSF makes it possible to store threat intelligence in a common language.

As a result, the data of security provider A is more comprehensible for security provider B. Data engineers spend less work time on integrating security tools. OCSF breaks down so-called data silos. Aside from applications, data and security professionals benefit as well. Mastering a single framework is sufficient to understand the data of multiple tools.

“The OCSF is an open standard that can be adopted in any environment, application, or solution provider”, the initiators described. “As cybersecurity solution providers incorporate OCSF standards into their products, security data normalization will become simpler and less burdensome for security teams.”

The more, the better

The initiators invite every security provider to support OCSF. The more providers incorporate the framework, the greater the value to end users. “Security leaders are wrestling with integration gaps across an expanding set of application, service and infrastructure providers”, said Patrick Coughlin, Group Vice President, Security Market at Splunk. “This is a problem that the industry needed to come together to solve.”

Splunk and AWS envision OCSF as the definitive framework for threat intelligence data storage. The initiators published the documentation on GitHub.