Braintrust
Protocol's experts on the biggest questions in tech.

What would success for the OCSF look like one year from now?


Further growth of group membership, more ease of use around querying and a commitment to transparency would be good measures of success, experts say.

Good afternoon! In today's Braintrust, we asked cybersecurity experts from companies both involved in and outside of the Open Cybersecurity Schema Framework what kinds of information will show that the effort is successful in a year's time. Questions or comments? Send us a note at braintrust@protocol.com

Mark Ryland

Director, office of the CISO, AWS Security at AWS

Over the next 12 months we look forward to having a broad cross-section of security companies and practitioners joining OCSF and contributing at all levels of the organization. We’d like to get into a way of working and a cadence which results in regular releases of the schema, especially as it’s still early in its lifespan. Membership should increase steadily through the year.

In addition, beginning in late 2022 and into 2023, we’ll expect to see announcements of product support across the security industry, ranging from sources of security logs, to analytics platforms which consume and enrich them. It may become a core part of some XDR initiatives as the core data interchange will become much simpler between platforms. Adoption will increase across the industry as products and services gain support.

As CISO teams evolve their security architectures, we’ll see some leading practitioners adopt OCSF as the core schema for it. They will look for all sources of security signal, whether from internal apps or SaaS applications, to speak OCSF to further broaden the analytics-ready data they need to consume to protect their enterprises, as well as decreasing the manual work in related systems such as ticketing, HCM, etc. We’ll probably see non-security companies that produce or consume security-relevant data begin to join and use OCSF, such as HCM, CRM, ERP, Procurement etc. software platforms.

Towards the end of the first year, security practitioners who have enabled the OCSF portions of the products they use should begin to see that there is no longer a need for additional data manipulation and that their analytics become better trusted and simpler, leading to more rapid outcomes.

Ian McShane

Vice president of strategy at Arctic Wolf

One indicator of success would be that each of those participating vendors adopts this framework and shows that their participation is led by example. The second indicator would be the framework actually working — i.e., will 12 months be enough to implement and allow an end user to query all these vendors’ data at scale, over API, and get results from multiple vendors that do not require normalization or translation? Conceptually, I’d like to see this alliance move toward making data querying easier by eliminating the need for different types of query languages for each product with different queries, and instead push a security-driven method to query large data sets, something that Endgame/Elastic EQL (event query language) was hoping to do.

James Robinson

Deputy CISO at Netskope

First off, I think this is great for the industry and I applaud the effort. We have seen initiatives like this succeed in the past. The most notable that comes to mind is STIX/TAXII, and standardization done by the Oasis group. While the formation of the group is a major milestone, the workings and execution of this effort over the next year will be telling if it will succeed. Success, in my opinion, has to be driven along with or attached to an executive order or other regulation. The reason is simple: While OCSF might be great for the industry, most will start by ingesting the schema but not sending information using the schema, and to do so for most will require investment in the modification of their core data models, which is not easy. To support the effort and update the data models, they need to have revenue behind it. A year from now, I would expect to see an executive order or other work being proposed. I would like to see ingest by some major players and also see export by some major players. It would be great if there could be some converters and other SDKs that would be available to help companies support the schema while not having to overhaul their solutions just yet. And last but not least is the adoption of this schema by an open standards committee or body like Oasis to ensure the goal, mission and interoperability is governed and maintained.

Paul Agbabian

VP, distinguished engineer, security at Splunk

The OCSF project team is looking at success along two axes: implementation of OCSF-compliant schemas in security products and increased engagement within the cybersecurity community. Within the next year, the OCSF steering committee members are encouraging all initial member organizations to implement OCSF standards within their solutions while working together to provide the improvements to integration that cybersecurity teams are asking for. Additionally, the steering committee would like to see OCSF contributions across an additional five new security categories so that OCSF can contain the breadth of coverage needed by today's modern security operations teams. By both expanding the coverage of security technology categories and delivering real-world implementations, the OCSF project can establish itself as the open-source standard for cybersecurity collaboration.

Carey O'Connor Kolaja

CEO at AU10TIX

The way cybercriminals behave is not siloed; it's networked, and we must take a unified approach to addressing the threat. Businesses must be adaptive and collaborative to compete. Fraud is not a problem that any one organization, industry or government can tackle independently. The formation of the OCSF is a steppingstone in delivering an extensible framework for developing a vendor-agnostic core security schema. Data vendors can adopt and extend the schema for specific domains while still allowing a common language for threat detection and investigation. As consumers become more careful about sharing data, and regulators step up privacy requirements, businesses need to consolidate and normalize data signals that can be combined to defend against fraudsters, requiring an attribution framework which OCSF provides. Data is clearly transforming business, and for the OCSF to be successful companies will need to take effective actions to consolidate and normalize the data they collect.

Mike Gibson

VP of customer success and security research at Trend Micro

The OCSF represents a great direction for the security industry. We are coming together to fight our shared competitor: cybercriminals. Success for OCSF is threefold: growth for the project, growth for Trend Micro and, most importantly, growth for business users. Adding three new maintainers and 10 active contributors from non-vendor organizations would reflect healthy partnership and collaboration between industry and customers in driving the OCSF Project. At Trend Micro, we’d like to see half of RFPs reference support for OCSF as a requirement to demonstrate adoption. However, while these areas do reflect success, true efficacy of OCSF is reflected in the benefit to business security teams. This could look like enabling customers to consolidate data lakes or SIEMs into a single data lake, a customer with the majority of their security data stored using OCSF or, most impactfully, a customer whose resources are better spent lowering risk and adding security protection for their business since data normalization is no longer consuming their time.

Corey Thomas

Chairman and CEO at Rapid7

The OCSF is addressing one of the biggest challenges faced by security professionals today - the complexity of actually leveraging all the data teams are receiving from an increasing number of disparate tools. By providing an open source framework that can be adopted in any environment, OCSF is normalizing data across the industry, alleviating a heavy burden placed upon security teams and allowing them to focus on defending their organizations from increased threats.

But in order for security teams of all sizes to benefit from broader data normalization, we need more of the cybersecurity industry to embrace OCSF. Success in this industry, and for OCSF, depends on broader sharing, alignment, and adoption in support of the greater good. A year from now, if we saw more widespread adoption and incorporation of the Framework into tools across the industry we’d be well on our way to success.

Dr. Robert Blumofe

EVP and chief technology officer at Akamai

Cybersecurity begins with visibility, and that means data — lots of it. Not surprising, then, that distribution and scale yield more data, and therefore more visibility and better security outcomes. It’s also no surprise that the interexchange of data enables better security outcomes. We are hopeful that OCSF will facilitate this interexchange, and we applaud the embrace of open source for this effort.

Of course, it’s easy to measure the adoption of this schema, but that alone is not a measure of success. We need key performance indicators (KPIs) on visibility and security outcomes. They’re hard to measure, but such KPIs are essential. If this initiative allows us to see and stop threats that we otherwise would not see or stop, then I’d call that a success.

Chris Niggel

Regional CSO of the Americas at Okta

The cybersecurity landscape is broad and fairly fragmented when it comes to data standards today. Short-term success will be significant progress on establishing how data should be structured. While the long-term goal is around standards adoption, it’s important to begin with getting data organized the right way on all of our platforms. That's a first major step toward interoperability.

Rob Greer

GM, Symantec Enterprise Division at Broadcom Software

Symantec and Broadcom Software are proud to have contributed our ICD schema as the foundation for the OCSF project. Success for OCSF in the near term is to see security vendors broadly adopt this standard and build simple integrations between event generators and the analytics and forensic tools that consume those events. Longer term, we hope that the security industry builds on OCSF and continues to embrace common data models so that every organization can utilize their tools of choice to achieve better security outcomes with minimal integration effort. OCSF will help more and more security tools “speak the same language” so they become force multipliers in our shared mission to make the world a safer place.

Shishir Singh

Chief technology officer and EVP at Blackberry

One of XDR’s promises is its ability to address an increase in complex attack surfaces while simultaneously ingesting different alerts and events that cause data fatigue and burnout, making it almost impossible for customers to focus on the threats that actually matter. The lack of standard formats adds tremendous complexity for those looking to accurately analyze data in a timely fashion: a perilous predicament that is compounded by the dearth of security talent out there and the quite often scarce resources they have to hunt, understand and respond, and something that will not go away any time soon.

Am I resilient to an attack? Am I ready, should the unthinkable — nay, inevitable — occur? These are the questions that keep CISOs up at night. Adding to the challenge, the demands of privacy and regulations can become barriers to success. If I cannot collect or analyze certain data, then threat actors will look to take advantage of that knowledge gap.

Having multiple solutions and products in any organization adds more complexity, and we need a vendor-agnostic approach where the entire industry can collectively adopt and express any threat telemetry in a common language for quicker and more accurate interpretation, making SOC analysts and data scientists' lives a whole lot easier when it comes to threat detection, investigation and response. The adoption of the Open Cybersecurity Schema Framework is key to success in getting ahead of the curve and understanding the attack life cycle, which is getting more and more complex and sophisticated every day.

Peter McKay

CEO at Snyk

Much like the premise behind the OCSF project, Snyk’s mission is to bridge organizational gaps and cut down security barriers within the organization to give them a holistic “single pane of glass” view of their vulnerabilities and enable more collaboration across different teams. The backbone of open-source software is transparency, participation and collaboration, which we believe is the center of any security solution. Today, securing software from the ground up is our only saving grace in the new digital world — which is why our security industry is coming together now more than ever to form new standards and integrations and evolve our best practices to combat the accelerating threat landscape. One year from now, success of the OCSF would include widespread adoption by both developers and security teams to utilize data proactively to improve an organization’s security posture, while at the same time driving innovation.

See who's who in the Protocol Braintrust and browse every previous edition by category here (Updated Aug. 16, 2022).
