AWS, Splunk Lead New Open Source Cybersecurity Schema Project

A group of tech companies led by AWS and Splunk have come together in an open source effort to combat cybersecurity attacks.

The Open Cybersecurity Schema Framework (OCSF) project is meant to help break down data silos in order to help organizations more quickly and effectively detect, investigate and stop cyberattacks.

"The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema," the project's GitHub site states. "Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that data scientists and analysts can work with a common language for threat detection and investigation. The goal is to provide an open standard, adopted in any environment, application, or solution, while complementing existing security standards and processes."

While the project was originated by Amazon Web Services (AWS) and Splunk, it builds upon the Integrated Cyber Defense (ICD) Schema work done at Symantec, a division of Broadcom. Those three companies and 15 others make up the initial project member list.

Open Cybersecurity Schema Framework
[Click on image for larger view.] Open Cybersecurity Schema Framework (source: Splunk).

In a blog post, Splunk said there's a lot of industry sentiment in support of simplifying data normalization, quoting two findings from a recent study as evidence:

  • "77 percent of respondents would like to see more industry and technology cooperation in the form of open standards support"
  • "85 percent of respondents believe that a product's integration capabilities are important"

"Cybersecurity is ready to move on from silos and into an open, integrated era of inter-operability and cooperation," Splunk said.

The framework itself comprises a set of data types, an attribute dictionary and a taxonomy. While not restricted to the cybersecurity domain nor to events, the initial focus of the framework is to develop a schema for cybersecurity events.

"Detecting and stopping today's cyberattacks requires coordination across cybersecurity tools, but unfortunately normalizing data from multiple sources requires significant time and resources," the group said in an Aug. 10 news release distributed by Splunk. "The OCSF is an open-source effort aimed at delivering a simplified and vendor-agnostic taxonomy to help all security teams realize better, faster data ingestion and analysis without the time-consuming, up-front normalization tasks."

The full list of members is AWS, Broadcom, Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Splunk, Sumo Logic, Tanium, Trend Micro and Zscaler.

About the Author

David Ramel is an editor and writer for Converge360.


  • What's New in VMware vSphere Foundation 5.2

  • What's New in vSAN 8 U3

  • Copilot in Azure

Subscribe on YouTube