AWS Security Lake and OCSF: A Cyber Risk Perspective



Amazon Security Lake is an exciting development for cybersecurity and cyber risk management. Announced at the AWS re:Invent 2022 conference, it formalizes the concept of a security data lake where organizations can consolidate security data across cloud and on-prem assets to get a complete picture of their security posture. Amazon Security Lake proposes normalizing security data under the recently announced Open Cybersecurity Schema Framework (OCSF) project, so that data can be easily analyzed, monitored, and connected for ongoing cybersecurity and risk protection and insights.

The Open-Source OCSF Project

OCSF, launched in August 2022, is the outcome of collaboration among leading vendors across the cybersecurity ecosystem, including IBM, AWS, Splunk, and CrowdStrike. It is intended to improve the productivity of security analysts in security operations teams. That said, according to the framework document, the framework is not limited to the cybersecurity domain or to cybersecurity events.

Historically, instead of focusing on detecting and responding to events, security teams have spent a lot of time normalizing security event data from diverse sources to further their investigations. By providing a simplified and vendor-agnostic taxonomy for security data, OCSF aims to simplify the process of capturing and analyzing security data from multiple sources, thereby improving and accelerating threat detection and investigation.

OCSF aims to eliminate the time-consuming normalization effort and to accelerate the incident triage process across various security products and services. Endpoint security solutions and solutions with network security capabilities record security events; when aligned with the framework, they store those events in the OCSF schema structure.
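As an added illustration (not code from the original post or from the OCSF project), the sketch below normalizes two constructed sources, an sshd log and a hypothetical identity-provider JSON feed, into a minimal subset of the OCSF Authentication class so that one query covers both. The `example-idp` record format and all sample values are assumptions; a production mapping would populate the full set of attributes the schema requires.

```python
import json
import re
from collections import Counter
from datetime import datetime

SSHD = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
                  r"(?:invalid user )?(\S+) from (\S+) port")

def auth_event(time_ms, ok, user, ip, product):
    """Minimal subset of an OCSF Authentication event (Logon activity)."""
    return {
        "category_uid": 3, "class_uid": 3002,   # IAM / Authentication
        "activity_id": 1, "type_uid": 300201,   # Logon; class_uid*100 + activity_id
        "time": time_ms,                        # ms since the Unix epoch
        "status_id": 1 if ok else 2,            # 1 = Success, 2 = Failure
        "user": {"name": user},
        "src_endpoint": {"ip": ip},
        "metadata": {"product": {"name": product}},
    }

def from_sshd(line):
    m = SSHD.match(line)
    if not m:
        return None  # not a password-auth line: skip it rather than guess
    ts, verdict, user, ip = m.groups()
    ms = int(datetime.fromisoformat(ts).timestamp() * 1000)
    return auth_event(ms, verdict == "Accepted", user, ip, "sshd")

def from_idp(raw):  # hypothetical identity-provider JSON, epoch seconds
    r = json.loads(raw)
    return auth_event(r["ts"] * 1000, r["result"] == "ALLOW",
                      r["actor"], r["client_ip"], "example-idp")

def failed_logons_by_ip(events):
    """One query over normalized events, whatever their original source."""
    return Counter(e["src_endpoint"]["ip"] for e in events if e["status_id"] == 2)

# Constructed sample input (documentation IP ranges, invented users).
SSHD_LINES = [
    "2023-01-10T03:14:07+00:00 host1 sshd[2211]: Failed password for alice from 203.0.113.5 port 50122 ssh2",
    "2023-01-10T03:14:09+00:00 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2",
    "2023-01-10T03:15:31+00:00 host1 sshd[2290]: pam_unix(sshd:session): session opened for user bob",
]
IDP_RECORDS = [
    '{"ts": 1673320450, "actor": "alice", "client_ip": "203.0.113.5", "result": "DENY"}',
    '{"ts": 1673320500, "actor": "carol", "client_ip": "192.0.2.44", "result": "ALLOW"}',
]
def normalize_all():
    return [e for e in map(from_sshd, SSHD_LINES) if e] + [from_idp(r) for r in IDP_RECORDS]
```

Calling `failed_logons_by_ip(normalize_all())` counts failures from both sources under one source address, which is the cross-tool view the normalization effort is meant to make cheap.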

How Can OCSF Accelerate Cyber Resilience?

Organizations across the globe have shifted their focus from a reactive to a proactive approach to cyber risk management and are investing in building greater cyber resilience. According to a December 2022 report by Cisco, 96% of surveyed executives said cybersecurity resilience is a high priority. OCSF is a great initiative to support the acceleration of cyber resilience efforts.

A holistic view of security-related data across tools is vital to effectively detect, investigate, and mitigate cyber risk. However, a major challenge for cyber professionals has been to deal with the process of normalizing troves of data before they can derive meaningful and actionable insights. The challenges primarily result from data heterogeneity and inconsistencies and the lack of complete data.

OCSF ensures that the schema is consistent and that the data flows seamlessly into the data lakes and analytics tools that the Security Operations Center (SOC) relies on. By accelerating the process of analyzing security data, it enables CISOs and security teams to identify, assess, and mitigate cyber risks quickly and more effectively.

Where Do We Go from Here?

AWS Security Lake has adopted OCSF as an open standard, and while the framework is proposed by a reputable group of cybersecurity vendors, industry adoption statistics are yet to be made available. Additionally, the initial focus of OCSF has been largely on cybersecurity. It will be interesting to see which domains the project focuses on next. The next logical step is to include cyber risk, compliance, and GRC.

Accelerating cyber resilience requires the cyber community to break down silos. AWS Security Lake and OCSF are steps in the right direction to enable data interoperability. Similar to how STIX/TAXII is being used for threat intelligence and the MITRE ATT&CK framework for tactic classification, OCSF will streamline and simplify a vendor-agnostic taxonomy for accelerated data ingestion and analysis. The eventual success, however, will depend on adoption levels across environments, applications, and solution providers.

How Does Cyber Risk Fit In?

Cyber risk solution providers, like MetricStream, that empower cyber leaders to proactively and meaningfully act on security findings have an outsized role to play in the mass adoption of technologies such as Security Lake. We at MetricStream are actively engaged with our technology partners at AWS to enhance these offerings and bring meaningful capabilities to the market at rapid speed to effectively mitigate cyber risk. MetricStream CyberGRC enables CISOs to efficiently mitigate cyber risk while ensuring continuous compliance with regulations and industry standards. It acts as both the management and orchestration layer for continuous control monitoring. CISOs can define the controls to be evaluated within MetricStream and configure the necessary orchestration for evidence collection.

MetricStream CyberGRC then delegates the automated evidence collection to the multiple disparate systems running both on-cloud and on-prem via a host of delegation protocols such as APIs, Robotic Process Automation, etc. The challenging aspect for our customers has always been to consolidate data across disparate sources, both on-prem and cloud assets. With the proposed Security Lake capability, cyber risk solution providers, like MetricStream, will have a single source of truth in a common language to reference, thereby eliminating the additional technical debt enterprises have to undertake in their quest for continuous compliance monitoring, improving compliance and visibility and reducing risk.


1: Understanding the Open Cybersecurity (https://github.com/ocsf/ocsf-docs/blob/main/Understanding%20OCSF.pdf)

2: Open Cybersecurity Schema Framework (ocsf.io)

3: https://solutionsreview.com/endpoint-security/open-cybersecurity-schema-framework-and-the-long-road-ahead/


Anilkumar GK Senior Director & Head of CyberGRC Product Management, MetricStream

Anilkumar GK leads cyber risk product management for MetricStream, the leader in Governance, Risk and Compliance (GRC) software. As Senior Director, Anil is responsible for product strategy, requirements, product planning and delivery to meet the needs of clients. Anilkumar has been at MetricStream for more than a decade and has nearly 20 years of experience in GRC implementation, product management, supply chain and business consulting, spanning product development, planning, design, delivery and quality assurance. His areas of expertise include Internal Audit, Risk Management, Compliance (including SOX and IT Compliance), Issue Management and Cyber/IT Risk.

Anilkumar is currently leading MetricStream’s cyber risk and compliance product efforts, including user experience optimization, quantification, use of security frameworks and more. He lives in Plano, TX and holds a Bachelor of Engineering in Mechanical Engineering.


Raghuram Srinivas

Raghuram Srinivas is the Senior Vice President, Product Management at MetricStream. In his role, Raghuram is responsible for the product vision and roadmap across the Business, Cyber and ESGRC product lines along with the automation and augmentation capabilities powered by MetricStream intelligence. Raghuram is an accomplished software executive with more than 22 years of progressive leadership experience, successfully creating software products and delivering advanced technology solutions. Raghuram has a mix of academic and industry experience working across Research, Product Development, Consulting and Sales functions for reputed organizations.

Prior to MetricStream, Raghuram was at JPM Chase, where he led the corporate technology machine learning practice focused on the North America Anti Money Laundering and Audit lines of business. In his role, Raghuram was responsible for product roadmaps, design, and delivery of a portfolio of algorithms to introduce intelligent automation and augmentation to mitigate risk postures and improve operational processes. Raghuram also worked at the Cognitive Computing Lab at KPMG, building state-of-the-art intelligent Credit Risk Monitoring systems to drive efficiencies in audit engagements. Earlier in his career, Raghuram worked with the Watson Group at IBM, where he was responsible for building high-performing ML teams and delivering value by identifying and introducing machine learning capabilities to positively impact the top and bottom lines for his customers.

Raghuram earned his Master's and PhD from Southern Methodist University, Dallas. Raghuram has filed several patents and authored academic journal articles, and continues to serve as an adjunct professor teaching graduate-level courses in the Data Sciences program at Southern Methodist University.