Paving the Way for Unified Cybersecurity: OCSF Joins the Linux Foundation with Splunk’s Support

I am super excited to discuss two big announcements in this edition of my blog. The first is that OCSF is joining the Linux Foundation, and the second is Splunk’s built-in platform support for OCSF schema acceleration and federated search for data stored in Amazon Security Lake.

As most of you already know, for the past few years, a number of security engineers and practitioners have been working on the OCSF framework and core schema for modeling security data, a longstanding problem in our industry that eats up a lot of time and money preparing data for security analytics.

A little over two years ago, a select number of companies publicly announced the launch of OCSF at Black Hat 2022. At the same event in 2023, we launched the 1.0 release of the framework and schema, and this year, we’ve hosted two other events at the RSA Conference and Black Hat 2024. Today, we’re excited to share a milestone in the journey toward standardized cybersecurity data: the Open Cybersecurity Schema Framework (OCSF) is now under the Linux Foundation’s stewardship. As a founding contributor to OCSF, Splunk has been at the forefront of this initiative, working with partners such as AWS and IBM to make seamless security data management a reality. Splunk is now a Cisco company, and I’m thrilled to say that the Cisco product teams are adopting OCSF for their own products. Cisco was one of our launch partners in 2022 and a Gold member of the Linux Foundation.

OCSF began in 2022 with a bold vision: to create a common language for security data across platforms, unifying fragmented data and enabling organizations to focus on threat detection and response rather than data formatting. The initial framework laid the foundation for data normalization across security platforms, addressing one of the industry’s most pressing challenges.

Since its inception, OCSF has continuously expanded its capabilities to meet evolving industry needs. Early improvements broadened the schema to cover diverse security events, allowing organizations to handle a wider variety of incidents with standardized data. Subsequent updates added flexibility, introducing more complex data structures and classifications, supporting more granular analysis, and enabling a deeper understanding of security events.

In recent releases, OCSF has taken a significant step forward by incorporating support for software inventory tracking, remediation activities, and OSINT profiles to enrich threat intelligence. These additions enable organizations to capture a holistic view of their cybersecurity environment, including data types beyond traditional security events. Enhanced observable types and attributes further improved the schema’s adaptability, making it comprehensive enough to handle a broad spectrum of cybersecurity information. Currently we are hard at work on the 1.4 release. Take a look at what is in work at schema.ocsf.io/1.4.0-dev/ or browse the repositories in GitHub.

Looking ahead, OCSF is set to introduce new work in encodings and mappings, along with supporting tools to help map raw, non-OCSF events and share mapping definitions across data sources.  These advancements will improve support for artificial intelligence (AI) Large Language Models (LLMs) and machine learning (ML) analytics for predictive threat detection, along with expanded functionality for cloud-native environments. These future developments aim to make OCSF even more adaptable to the demands of a dynamic digital landscape, empowering security teams to respond proactively to emerging threats and to gain deeper insights across multi-cloud and hybrid infrastructures.

Transforming Federated Cybersecurity with OCSF and Data Lakes

At Splunk, we’ve seen firsthand the challenges that fragmented data schemas create for organizations. After all, Splunk’s “schema-on-read” technology was one of the things that afforded the storage and search of unstructured data. That approach works well when the raw data is native to Splunk storage, but it is still expensive to transform raw data into some type of unified form at read time. We also know that there are many places where security-relevant data is stored. Every security platform often speaks its own “language,” making it difficult to search, correlate, and analyze data effectively. OCSF addresses this by offering a standardized schema, making it easier for security professionals to work with data stored in multiple repositories. The benefits are immediate: reduced overhead due to data translation, efficient stream processing and indexing, quicker threat response, and better synergy among security tools.

A great example of this is the AWS Security Lake support for the Splunk platform. We just released native integration for Security Lake, which was made possible because data in the lake is schematized as OCSF and encoded as Parquet files in Amazon S3. Splunk can now easily index customer-selected OCSF event categories and classes using Splunk’s accelerated index formats, giving analysts the full power of Splunk Processing Language (SPL) against the stream of data flowing into Security Lake.  This would not have been possible unless the schema was well known. Splunk’s Data Lake Indexing feature eliminates costly read-transform-write loads on Splunk Indexers and Search Heads, giving customers better performance at lower cost without losing fidelity. And in our implementation, indexing scales horizontally with the Splunk Indexer nodes without any Search Head impact.

With OCSF, we can finally break down the barriers between disparate data sources, enabling streamlined integration and deeper insights. For Splunk customers, this means enhanced visibility and efficiency as they investigate security incidents or look for patterns across diverse datasets. Our support for OCSF is a testament to our belief that data unification is critical to transforming cybersecurity practices industry-wide.

Splunk’s Vision and Ongoing Commitment to OCSF

Splunk has long been committed to helping organizations harness their data to create stronger, more resilient security strategies. Our active role in developing and supporting OCSF underscores our dedication to data standardization and community-driven innovation. We’re not just integrating OCSF within Splunk’s solutions; we’re actively helping shape the framework to remain relevant to real-world security challenges.

A Shared Vision for Cybersecurity’s Future

Cyber threats continue to evolve, and the cybersecurity community must adapt to keep pace. At Splunk, we believe that OCSF’s journey with the Linux Foundation will amplify the framework’s reach and potential, helping to build a more unified and secure digital ecosystem. By working together on initiatives like OCSF, we can create a future where data standards reduce complexity, improve collaboration, and empower security teams to do more with their data.

Splunk is honored to be part of this effort, and we’re excited to see the next chapter of OCSF unfold under the Linux Foundation’s stewardship. Together, we can create a stronger, more resilient cybersecurity community that’s united by a shared commitment to data-driven security and open standards. Let’s make a difference together.