I read the title, went to the link, then started to read the "understanding" document and still don't know what this actually is and its application.
It must assume that all of the jargon words are already well known by its readers but it should definitely start with what problem a "schema framework" solves, which might then allow me to understand how this fixes it.
My concern with many high-level constructs is that they quickly become a bureaucratic exercise divorced from how people actually do their work so only corporates will use it even if it is super useful.
What does this framework offer over established open source security frameworks, like the OWASP SAMM? Why not contribute your efforts back to those projects instead of proliferating an additional standard?
I always worry when I see a project like this debut with very little meat on the bones, but a HUGE fleshed out "Code of Conduct" for contributors. What's driving this?
it is cool to see someone mention SAMM. I have been obsessed with this framework since it’s inception and am hoping more and more companies adopt it over time (and let it grow with their company). Often times these frameworks are only feasible to use once you have a pretty large security team at your company that can spend their entire job to parse schemas like the one posted. I wrote a post recently talking about how to make SAMM more obtainable to smaller companies starting out thinking about security https://www.lunasec.io/docs/blog/security-guide-for-startups...
This appears to be more literally a schema for information sharing based on https://schema.ocsf.io/ which is probably a better link for the original submission.
Looks like a schema for data in a SIEM+ but without the actual SIEM software. I like how the categories are broken down in this and the depth of the fields. Very data first, but there really could be more breadth to the categorizations.
Right. CNN just runs a story about this with some background:
https://edition.cnn.com/2022/08/10/tech/companies-data-shari...
Edit:
„was announced Tuesday at the Black Hat cybersecurity conference in Las Vegas. The project is being led by AWS, the cybersecurity firm Symantec and Splunk, a data analysis company.“
Joining us in this announcement is an array of key security vendors, beginning with Splunk, the co-founder with AWS of the OCSF project, and also including Broadcom, Salesforce, Rapid7, Tanium, Cloudflare, Palo Alto Networks, DTEX, CrowdStrike, IBM Security, JupiterOne, Zscaler, Sumo Logic, IronNet, Securonix, and Trend Micro
Trying to implement security at scale and cover all the different aspects of it more or less requires a bunch of different applications all of which are trying to make sense of the same data.
This OCSF framework is trying to set out some standards on how that interop should happen. Put another way they're trying move from having plain text logs in Apache format to something more structured and formal that is (hopefully) easier to work with.
You might be thinking: "Well what could be easier and more open than plain text logs? Some grepping, some regex and we're golden."
The issue comes in that every single app that consumes those logs does so in a slightly different way and there's no standard (yadda yadda XKCD n+1 standards) enforceable format for handling those.
Judging by https://schema.ocsf.io/ which is a link with more detail but less explanation, it's a schema for sharing information about events, incidents etc relating to infosec.
In a nutshell (I have been in Cybersecurity for 18 years...) one key aspect of cybersecurity is to centralize all logs of security (and a few other tools) in a central repository and use that data to identify threats through rules, correlation, ML, analytics or any other means (SIEM space). Also compliance requirements...
Basically every vendor has its own formats, fields and the way to centralize this data (syslog still rules...) and parse it in a common way (a source IP is a source IP in all tech) has been a pain point since forever. There is basically a whole industry around it, and a whole bunch of logstash parsers have been scarificed. Even better is that vendors have a tendency to change format once in a while, so even some you have will break way more often then they should. Many vendors dont see that as an issue as it locks their clients in.
This is another attempt at solving this. It does seem to have traction for once, and nobody wants to piss off Amazon, if they make this a prerequesite to be on their marketplace then it will actually work.
Back in 1999 I worked at a company as IT manager, and the CIO had me parsing logs every morning. On paper. On a line-type printer. We fed the logs directly to the printer in real-time because he was concerned if a system had been hacked that they would fuss with the logs and he wanted a physical print out in real time to thwart any efforts to munge the logs post hack. Highlight any potential threats with an actual highlighter.
This sucked.
However, it really taught me how to skim logs for threats in the physical form super fast...
Yeah? Don't like this from what I have seen so far. The malware.json looks like a joke. They should take a gander at MISP galaxies and taxonomy stuff. The xkcd about inventing a new thing to replace others and that being yet another thing comes to mind.
20 comments
[ 6.2 ms ] story [ 55.3 ms ] threadIt must assume that all of the jargon words are already well known by its readers but it should definitely start with what problem a "schema framework" solves, which might then allow me to understand how this fixes it.
My concern with many high-level constructs is that they quickly become a bureaucratic exercise divorced from how people actually do their work so only corporates will use it even if it is super useful.
I always worry when I see a project like this debut with very little meat on the bones, but a HUGE fleshed out "Code of Conduct" for contributors. What's driving this?
> OWASP SAMM
"Software Assurance Maturity Model"
https://owaspsamm.org/
Without some institutional sponsors I have a hard time seeing this getting adopted--presumably you need cybersecurity companies to adopt the standard.
Edit: it looks like maybe AWS, based on the contributors!
Edit 2: Here we go: https://github.com/ocsf/governance/blob/main/Maintainers.md
* AWS
* Sumo Logic
* Rapid7
* Splunk
* Trend Micro
* IBM
* Tanium
* IronNet
Edit: Quote from the announcement...
Joining us in this announcement is an array of key security vendors, beginning with Splunk, the co-founder with AWS of the OCSF project, and also including Broadcom, Salesforce, Rapid7, Tanium, Cloudflare, Palo Alto Networks, DTEX, CrowdStrike, IBM Security, JupiterOne, Zscaler, Sumo Logic, IronNet, Securonix, and Trend Micro
Seriously though. I'm all for any attempts to standardize schemas. Most SEIMS end up being a sprawling/proprietary/incompatible mess.
Can I ask why? What's wrong with the word "cyber"? The field is called "cybersecurity".
This OCSF framework is trying to set out some standards on how that interop should happen. Put another way they're trying move from having plain text logs in Apache format to something more structured and formal that is (hopefully) easier to work with.
You might be thinking: "Well what could be easier and more open than plain text logs? Some grepping, some regex and we're golden."
The issue comes in that every single app that consumes those logs does so in a slightly different way and there's no standard (yadda yadda XKCD n+1 standards) enforceable format for handling those.
Basically every vendor has its own formats, fields and the way to centralize this data (syslog still rules...) and parse it in a common way (a source IP is a source IP in all tech) has been a pain point since forever. There is basically a whole industry around it, and a whole bunch of logstash parsers have been scarificed. Even better is that vendors have a tendency to change format once in a while, so even some you have will break way more often then they should. Many vendors dont see that as an issue as it locks their clients in.
This is another attempt at solving this. It does seem to have traction for once, and nobody wants to piss off Amazon, if they make this a prerequesite to be on their marketplace then it will actually work.
This sucked.
However, it really taught me how to skim logs for threats in the physical form super fast...
https://xkcd.com/927/