AWS Security Lake and OCSF: A Cyber Risk Perspective | IT Risk & Cyber Risk | 4 Min Read | 31 January 2023 | by Anilkumar GK and Raghuram Srinivas
Amazon Security Lake is a significant development for cybersecurity and cyber risk management. Announced at AWS re:Invent 2022, it formalizes the concept of a security data lake: a single place where an organization consolidates security data from cloud and on-premises assets to get a complete picture of its security posture. Security Lake normalizes ingested data into the recently announced Open Cybersecurity Schema Framework (OCSF), so that data from different sources can be analyzed, monitored, and correlated with common tooling for ongoing security and risk insight.
The Open-Source OCSF Project
OCSF, launched in August 2022, is the outcome of a collaboration among leading vendors across the cybersecurity ecosystem, including IBM, AWS, Splunk, and CrowdStrike. It is intended to improve the productivity of analysts in security operations teams. That said, according to the framework document, the schema is not limited to the cybersecurity domain or to security events.
Historically, security teams have spent much of their time normalizing event data from diverse sources before an investigation could even begin, rather than on detecting and responding to events. By providing a simplified, vendor-agnostic taxonomy for security data, OCSF aims to make it easier to capture and analyze data from multiple sources, thereby accelerating threat detection and investigation.
OCSF aims to eliminate that time-consuming normalization effort and to accelerate incident triage across security products and services. Endpoint security tools and tools with network security capabilities record the security events; when those tools are aligned with the framework, they store the events in the OCSF schema structure, so a consumer (a SIEM, a data lake such as Security Lake, or a detection pipeline) receives records with the same event class, attribute names, and enumerated values regardless of which vendor produced them.
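As an added illustration of the normalization the paragraphs above describe (this is example code written for this page, not code from the article, from Amazon Security Lake, or from the OCSF project), the block below maps two differently shaped raw logon records, a constructed OpenSSH syslog line and a constructed Windows Security event, into the OCSF Authentication event class and then runs one vendor-agnostic detection over the normalized records. The numeric codes (category_uid 3, class_uid 3002, activity_id 1, status_id 1/2, type_uid = class_uid*100 + activity_id) are as the editor recalls them from OCSF v1.0.0, the field mapping is illustrative rather than Security Lake's own source integration, the sample log lines are constructed, and syslog lines, which carry no year, are assumed to be from 2023.

```python
"""
Added example: normalize two raw logon sources into OCSF Authentication events,
then run one detection over the common schema.
Assumptions (not taken from the article): OCSF v1.0.0 code values as recalled
by the editor; illustrative mapping; constructed sample logs; syslog year 2023.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# OCSF v1.0.0 enumerations as recalled (assumption, see lead-in)
CATEGORY_IAM = 3                 # Identity & Access Management
CLASS_AUTHENTICATION = 3002      # Authentication event class
ACTIVITY_LOGON = 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SEVERITY_INFORMATIONAL = 1

# Constructed sample input 1: OpenSSH syslog lines (not real data).
SSHD_LINES = [
    "Jan 31 10:00:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2",
    "Jan 31 10:00:02 bastion sshd[2231]: Failed password for root from 203.0.113.5 port 4322 ssh2",
    "Jan 31 10:00:03 bastion sshd[2231]: Failed password for root from 203.0.113.5 port 4323 ssh2",
    "Jan 31 10:00:09 bastion sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 50022 ssh2",
]

# Constructed sample input 2: Windows Security events already exported as dicts (not real data).
WINDOWS_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2023-01-31T10:00:04Z", "TargetUserName": "Administrator",
     "IpAddress": "203.0.113.5", "Computer": "dc01"},
    {"EventID": 4624, "TimeCreated": "2023-01-31T10:00:10Z", "TargetUserName": "svc-backup",
     "IpAddress": "198.51.100.9", "Computer": "dc01"},
]

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>[\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def _syslog_time_ms(mon, day, hms, year=2023):
    """Syslog carries no year; assume 2023 and UTC, return epoch milliseconds (OCSF 'time')."""
    dt = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def _event(time_ms, status_id, user, src_ip, host, product, raw):
    """Build a minimal OCSF Authentication (class 3002) Logon event."""
    return {
        "category_uid": CATEGORY_IAM,
        "class_uid": CLASS_AUTHENTICATION,
        "activity_id": ACTIVITY_LOGON,
        "type_uid": CLASS_AUTHENTICATION * 100 + ACTIVITY_LOGON,
        "severity_id": SEVERITY_INFORMATIONAL,
        "status_id": status_id,
        "time": time_ms,
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "dst_endpoint": {"hostname": host},
        "metadata": {"product": {"name": product}, "version": "1.0.0"},
        "raw_data": raw,
    }


def normalize_sshd(line):
    """Map an OpenSSH logon line to OCSF; return None for lines that are not logon records."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    status = STATUS_SUCCESS if m["outcome"] == "Accepted" else STATUS_FAILURE
    return _event(_syslog_time_ms(m["mon"], m["day"], m["time"]), status,
                  m["user"], m["ip"], m["host"], "OpenSSH", line)


def normalize_windows(ev):
    """Map Windows 4624 (success) / 4625 (failure) logon events to OCSF; skip other IDs."""
    if ev["EventID"] not in (4624, 4625):
        return None
    status = STATUS_SUCCESS if ev["EventID"] == 4624 else STATUS_FAILURE
    t = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return _event(int(t.timestamp() * 1000), status, ev["TargetUserName"],
                  ev["IpAddress"], ev["Computer"], "Microsoft Windows Security Auditing", str(ev))


def normalized_events():
    """Both sources, already in one schema; non-logon records are dropped."""
    events = [normalize_sshd(l) for l in SSHD_LINES] + [normalize_windows(e) for e in WINDOWS_EVENTS]
    return [e for e in events if e is not None]


def failed_logons_by_source(events, threshold=4):
    """Vendor-agnostic detection: source IPs with at least `threshold` failed logons (class 3002).
    The filter touches only OCSF fields, so it needs no knowledge of which product produced a record."""
    counts = Counter(
        e["src_endpoint"]["ip"] for e in events
        if e["class_uid"] == CLASS_AUTHENTICATION and e["status_id"] == STATUS_FAILURE
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = normalized_events()
    print(len(evs), "OCSF events")
    print(failed_logons_by_source(evs))  # {'203.0.113.5': 4}
```

With a threshold of four, neither source alone crosses it (three SSH failures, one Windows failure); the detection fires only because both feeds land in the same schema and the same `src_endpoint.ip` and `status_id` fields can be counted together. In a real deployment the mapping tables would be far larger and should be validated against the published OCSF schema rather than hand-written constants.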
How Can OCSF Accelerate Cyber Resilience?
Organizations across the globe have shifted from a reactive to a proactive approach to cyber risk management and are investing in greater cyber resilience. According to a December 2022 report by Cisco, 96% of surveyed executives said cybersecurity resilience is a high priority. OCSF is a useful initiative in support of that effort.
A holistic view of security-related data across tools is vital to effectively detect, investigate, and mitigate cyber risk. However, a major challenge for security professionals has been the need to normalize troves of data before any meaningful, actionable insight can be derived. The challenge stems primarily from data that is heterogeneous, inconsistent, and incomplete.
OCSF defines a consistent schema so that, when producers adhere to it, data flows into the data lakes and analytics tools the Security Operations Center (SOC) relies on without per-source normalization. The schema itself does not guarantee data quality: a consumer still depends on each producer's mapping being correct and complete. Where that holds, shortening the path from ingestion to analysis lets CISOs and security teams identify, assess, and mitigate cyber risks faster and more effectively.
Where Do We Go from Here?
Amazon Security Lake has adopted OCSF as its open standard, and while the framework is backed by a reputable group of cybersecurity vendors, industry adoption statistics are not yet available. Additionally, OCSF's initial focus has been largely on security events; it will be interesting to see which domains it covers next. The next logical step is cyber risk, compliance, and GRC.
Accelerating cyber resilience requires the cyber community to break down silos. Amazon Security Lake and OCSF are steps in the right direction toward data interoperability. Just as STIX/TAXII is used to exchange threat intelligence and MITRE ATT&CK to classify tactics and techniques, OCSF offers a vendor-agnostic taxonomy for faster data ingestion and analysis. Its eventual success, however, will depend on adoption across environments, applications, and solution providers.
How Does Cyber Risk Fit In?
Cyber risk solution providers, like MetricStream, that empower cyber leaders to proactively and meaningfully act on security findings have an outsized role to play in the mass adoption of technologies such as Security Lake. We at MetricStream are actively engaged with our technology partners at AWS to enhance these offerings and bring meaningful capabilities to market rapidly to effectively mitigate cyber risk. MetricStream CyberGRC enables CISOs to efficiently mitigate cyber risk while ensuring continuous compliance with regulations and industry standards. It acts as both the management and orchestration layer for continuous control monitoring: CISOs define the controls to be evaluated within MetricStream and configure the orchestration needed for evidence collection.
MetricStream CyberGRC then delegates automated evidence collection to the many disparate systems running both in the cloud and on-premises through mechanisms such as APIs and robotic process automation (RPA). The challenging aspect for our customers has always been consolidating data across those disparate sources, both on-premises and cloud assets. With the proposed Security Lake capability, cyber risk solution providers such as MetricStream will have a single source of truth in a common language to reference, eliminating the additional technical debt enterprises otherwise take on in their quest for continuous compliance monitoring, which improves compliance and visibility and reduces risk.
1. Understanding the Open Cybersecurity Schema Framework (OCSF), https://github.com/ocsf/ocsf-docs/blob/main/Understanding%20OCSF.pdf
2. Open Cybersecurity Schema Framework, https://ocsf.io