The OCSF: Open Cybersecurity Schema Framework

Cybersecurity professionals are always striving to find ways to better understand and combat threats to their organizations — one such way is the Open Cybersecurity Schema Framework (OCSF).

The OCSF is an innovative approach to organizing and sharing cybersecurity data aims to streamline threat intelligence, enhance collaboration, and improve defenses against sophisticated cybersecurity threats.

What is The Open Cybersecurity Schema Framework (OCSF)?

As the name indicates, the Open Cybersecurity Schema Framework (OCSF) is an open-source project that was created by Splunk, AWS, IBM, and 15 other security and technology companies. (Splunk continues to be actively engaged in new feature development and releases, too.)

The OCSF provides a common language for expressing:

• Threat intelligence
• Incident reports
• Indicators of compromise (IOCs)
• Other pertinent cybersecurity information

The OCSF approach enables seamless communication and interoperability among cybersecurity tools, platforms, and organizations. It also allows organizations to exchange threat intelligence more efficiently, paving the way for faster detection, response, and mitigation of cyber threats.

If you are interested in following OCSF, you can join the Slack workgroup (email info@ocsf.io) and explore the PRs in the GitHub ocsf-schema repository.

(Related reading: Explore the latest features in OCSF release 1.2.)

The problems OCSF aims to solve

In today's complex cybersecurity landscape, organizations face numerous challenges in effectively sharing and leveraging threat intelligence:

• Data silos: Fragmented data hinders the ability to correlate and contextualize threat intelligence across different sources.
• Interoperability issues: Lack of standardized data formats and schemas makes it difficult for organizations to integrate and interoperate with external threat intelligence feeds and platforms.
• Information overload: The volume of cybersecurity data that analysts deal with daily makes it challenging to identify and prioritize threats.
• Inconsistent data quality: Variations in data formats, semantics, and quality standards undermine the reliability and trustworthiness of threat intelligence, leading to false positives and missed detections.

To address these challenges, The OCSF is designed to standardize how security analysts exchange and analyze cybersecurity-related data across different tools, systems, and organizations.

Components of the OCSF

There are three primary components of the OCSF:

• Taxonomy
• Data types
• Attribute dictionary

Let's look briefly at each.

OCSF taxonomy constructs

The foundation of the Open Cybersecurity Schema Framework is its taxonomy. This defines the structure and semantics of cybersecurity data.

The taxonomy consists of a set of standardized constructs. They include:

• Observables: Observable elements of a cyber threat include IP addresses, domain names, file hashes, and URLs. 
• Indicators: Indicators are derived from observables and signify potential indicators of compromise (IOCs).
• Incidents: Incidents provide a standardized framework for documenting and sharing details about security breaches, data breaches, and other cybersecurity incidents.
• Bad actors: Bad actors, or threat actors, are the responsible parties for cyberattacks. They include cybercriminal organizations, hacktivists, and insider threats. 
• TTPs (Tactics, Techniques, and Procedures): TTPs describe the methods used by bad actors in cyberattacks.

In addition to the taxonomy, the data types and attribute dictionary provide a structured way to represent cybersecurity data. Let’s break those down: 

Data types

OCSF defines several standard data types to represent different aspects of cybersecurity information. These data types include:

• String: Used to represent textual data, such as domain names, URLs, file paths, or descriptive text.
• Numeric: Represents numerical values, such as counts, scores, or timestamps. Examples include integer values for counts and floating-point values for scores.
• Boolean: Represents true/false or binary values, indicating the presence or absence of certain characteristics or attributes.
• Enumeration: Represents a predefined set of values, allowing for categorical data representation. For example, enumeration data types might include threat levels (e.g., low, medium, high) or attack types (e.g., malware, phishing, DDoS).
• Array: Represents a collection of values of the same data type. Arrays are used to represent lists or sets of related elements, such as multiple IP addresses, file hashes, or timestamps.
• Dictionary: Represents a collection of key-value pairs, allowing for more complex data structures. Data dictionaries are commonly used to represent structured data with named attributes and their corresponding values.

Attribute dictionary

The attribute dictionary in OCSF provides a standardized set of attributes that can be used to describe cybersecurity data. Each attribute is defined with a specific data type and semantics, enabling consistent representation and interpretation of information across different datasets.

Some common attributes found in the OCSF attribute dictionary include:

• ID: A unique identifier for the cybersecurity data object.
• Type: Indicates the type or category of the cybersecurity data object (e.g., observable, indicator, incident).
• Value: Represents the primary value or content of the cybersecurity data object.
• Description: Provides additional descriptive information or context about the cybersecurity data object.
• Timestamp: Specifies the time or date associated with the cybersecurity data object, indicating when it was observed or recorded.
• Source: Indicates the source or origin of the cybersecurity data object, such as the organization, tool, or platform that generated or reported it.
• Confidence: Represents the level of confidence or certainty associated with the cybersecurity data object, indicating the reliability or trustworthiness of the information.
• Tags: Provides additional metadata or labels to categorize or classify the cybersecurity data object (e.g., threat category, industry sector, geographic region).

Personas in OCSF

There are four personas for OCSF:

1. The author creates or extends the schema, using the OCSF Github. 
2. The producer generates events natively into the schema, or via a translation from another schema. 
3. The mapper translates or creates events from another source to the schema. 
4. The analyst or consumer is the end user who searches the data, writes rules or analytics against the schema, or creates reports from the schema. 

If you are interested in following OCSF, you can join the Slack workgroup (email info@ocsf.io) and explore the PRs in the GitHub ocsf-schema repository.

Getting ahead of threats

Developing the Open Cybersecurity Schema Framework is a huge step forward in pursuing more effective cybersecurity. By standardizing the way cybersecurity professionals collect, exchange, and analyze threat intelligence, OCSF empowers organizations to stay one step ahead of bad actors.