The cybersecurity industry has been abuzz with discussions around models, copilots, and agents in the past year. However, beneath all of this, a significant shift is taking place: Vendors are coming together around a unified way to describe security data. The Open Cybersecurity Schema Framework (OCSF) has emerged as a leading contender for this role.
OCSF gives vendors, enterprises, and practitioners a standardized way to represent security events, findings, objects, and context. A common schema removes much of the work of renaming fields and maintaining custom parsers for each product, leaving more time for correlating detections, running analytics, and building workflows that operate across tools. Security teams now ingest telemetry from endpoints, identity providers, cloud platforms, SaaS applications, and AI systems, and a shared data model for all of it has long been missing. OCSF is the most credible attempt so far to supply one.
In simple terms, OCSF is an open-source framework for cybersecurity schemas. It is vendor-neutral and agnostic to storage format, collection method, and ETL (extract, transform, load) pipeline. The schema defines event classes (for example authentication, process activity, network activity) grouped into categories, each with a defined set of attributes and nested objects, so that producers and consumers agree on both field names and meaning. Application teams and data engineers get a fixed target structure for events, and analysts get a consistent vocabulary for detection and investigation.
Within a security operations center (SOC), a large share of daily effort goes into normalizing data from different tools so that events can be correlated at all. A classic example is impossible travel: an account authenticates from one country and, minutes later, from another. Detecting it requires comparing a login recorded by one product with a login recorded by a second, yet each product describes the user, the source address, and the timestamp in its own way. OCSF simplifies this by giving vendors a common model to map their native schemas onto, so data can flow through collection, storage, and analytics layers without being re-translated at every hop. The mapping work does not disappear, but it is done once, at the producer, against a published schema rather than repeatedly by every consumer.
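The following is an added example, not code from the article or from the OCSF project, showing the normalization-then-correlate pattern described above. It maps two constructed vendor login records (a made-up VPN syslog line and a made-up SaaS JSON event; neither is real product output) into OCSF Authentication events, using the real OCSF field names for that class (`class_uid` 3002, `category_uid` 3, `activity_id` 1 for Logon, `type_uid` = `class_uid * 100 + activity_id`, `time` in epoch milliseconds, `user.name`, `src_endpoint.ip`, `src_endpoint.location.country`, `status_id`, `metadata.version`). The product names and the sixty-minute window in the impossible-travel check are illustrative assumptions.

```python
"""Normalize two constructed vendor login formats into OCSF Authentication
events, then run an impossible-travel check over the normalized stream."""
from datetime import datetime

# OCSF constants for the Authentication class (Identity & Access Management category).
CLASS_UID_AUTHENTICATION = 3002
CATEGORY_UID_IAM = 3
ACTIVITY_LOGON = 1
STATUS_SUCCESS = 1
STATUS_FAILURE = 2
SEVERITY_INFORMATIONAL = 1
OCSF_VERSION = "1.3.0"

# Constructed sample input in two made-up vendor formats (not real product logs).
VPN_LOG_LINES = [
    "2024-05-01T09:00:00Z vpn01 user=alice src=203.0.113.10 geo=DE result=ok",
    "2024-05-01T09:05:00Z vpn01 user=bob src=198.51.100.7 geo=US result=ok",
]
SAAS_EVENTS = [
    {"ts": 1714554600000,  # 2024-05-01T09:10:00Z, epoch milliseconds
     "principal": "alice@example.com", "clientIp": "192.0.2.44",
     "country": "BR", "outcome": "SUCCESS"},
]


def _iso_to_epoch_ms(ts: str) -> int:
    """Convert an RFC 3339 UTC timestamp to OCSF 'time' (epoch milliseconds)."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)


def _ocsf_logon(time_ms, user, ip, country, status_id, product_name):
    """Build an OCSF Authentication (Logon) event from already-extracted values."""
    return {
        "metadata": {"version": OCSF_VERSION, "product": {"name": product_name}},
        "category_uid": CATEGORY_UID_IAM,
        "class_uid": CLASS_UID_AUTHENTICATION,
        "activity_id": ACTIVITY_LOGON,
        # type_uid is derived, not free-form: class_uid * 100 + activity_id.
        "type_uid": CLASS_UID_AUTHENTICATION * 100 + ACTIVITY_LOGON,
        "severity_id": SEVERITY_INFORMATIONAL,
        "status_id": status_id,
        "time": time_ms,
        "user": user,
        "src_endpoint": {"ip": ip, "location": {"country": country}},
    }


def normalize_vpn_line(line: str) -> dict:
    """Map one constructed 'key=value' VPN syslog line onto OCSF Authentication."""
    ts, _host, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    status = STATUS_SUCCESS if fields["result"] == "ok" else STATUS_FAILURE
    return _ocsf_logon(_iso_to_epoch_ms(ts), {"name": fields["user"]},
                       fields["src"], fields["geo"], status, "Example VPN")


def normalize_saas_event(ev: dict) -> dict:
    """Map one constructed SaaS audit JSON record onto OCSF Authentication.
    The principal is an email address; user.name keeps the local part so it
    correlates with the VPN's bare username, and user.email_addr keeps the full value."""
    status = STATUS_SUCCESS if ev["outcome"] == "SUCCESS" else STATUS_FAILURE
    user = {"name": ev["principal"].split("@", 1)[0], "email_addr": ev["principal"]}
    return _ocsf_logon(ev["ts"], user, ev["clientIp"], ev["country"], status, "Example SaaS")


def impossible_travel(events, window_ms=60 * 60 * 1000):
    """Flag successful logons by the same user from two countries within window_ms.
    Works on OCSF fields only, so it is indifferent to which product emitted the event."""
    logons = sorted(
        (e for e in events
         if e["class_uid"] == CLASS_UID_AUTHENTICATION
         and e["activity_id"] == ACTIVITY_LOGON
         and e["status_id"] == STATUS_SUCCESS),
        key=lambda e: e["time"])
    last_seen, findings = {}, []
    for e in logons:
        user = e["user"]["name"]
        country = e["src_endpoint"]["location"]["country"]
        prev = last_seen.get(user)
        if prev and prev["country"] != country and e["time"] - prev["time"] <= window_ms:
            findings.append({"user": user, "from": prev["country"], "to": country,
                             "minutes_apart": (e["time"] - prev["time"]) // 60000})
        last_seen[user] = {"country": country, "time": e["time"]}
    return findings


def run_demo():
    """Normalize both constructed sources and correlate across them."""
    events = [normalize_vpn_line(l) for l in VPN_LOG_LINES]
    events += [normalize_saas_event(e) for e in SAAS_EVENTS]
    return events, impossible_travel(events)


if __name__ == "__main__":
    _, hits = run_demo()
    for h in hits:
        print(f"{h['user']}: {h['from']} -> {h['to']} in {h['minutes_apart']} min")
```

The point of the structure is that `impossible_travel` never touches a vendor field: once both sources are expressed as OCSF Authentication events, the detection reads `user.name`, `src_endpoint.location.country`, and `time`, and a third product can be added by writing one more normalizer without changing the rule.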
OCSF has progressed rapidly over the last two years. Announced in August 2022 by Amazon Web Services (AWS) and Splunk, the project has drawn contributions from Symantec (Broadcom), Cloudflare, CrowdStrike, IBM, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler, among others. The community now counts over 200 participating organizations and 800 contributors, and in November 2024 the project moved under the Linux Foundation.
OCSF is now widely adopted across the observability and security sectors. AWS, Splunk, Palo Alto Networks, and CrowdStrike, among others, emit or consume OCSF-formatted data in their products, so events can move between them without per-product translation. The framework has moved from a proposed standard to a working format that security pipelines depend on in production.
As enterprises deploy more AI infrastructure, the case for a shared security schema grows stronger. AI systems generate large volumes of telemetry that spans many products, and investigating a security event involving them means joining that telemetry with identity, network, and endpoint data. OCSF provides the common structure that makes such correlation practical.
Looking ahead, OCSF continues to evolve with the industry. Newer versions of the schema add classes and attributes aimed at AI systems, so that the actions of models and the agents built on them can be recorded and investigated in the same format as the rest of an organization's security data.
In conclusion, OCSF has grown from a community initiative into a foundational standard for security data. With established governance, regular releases, and broad vendor adoption, it connects data across systems that previously could not be correlated without custom work. As the threat landscape changes with the proliferation of AI, a common schema remains a prerequisite for detecting and investigating incidents across the whole environment.
Nikhil Mungel, a seasoned professional with expertise in building distributed systems and AI teams, has been at the forefront of driving innovation in the SaaS industry for over 15 years.
