The Rosetta Stone for Security Data: How the OCSF, Amazon Security Lake, and Tanium are Giving Security Teams a Unified View to Stop Threats Faster

You can’t stop what you can’t see.

Many cyberattacks now go undetected for days, weeks, or even months.

During that time, they spread through their target’s network, compromise as many of their systems and as much of their data as possible, and create a big enough foothold to demand a crippling ransom and cause substantial harm to their target.

The sooner you can spot these attacks, the sooner you can stop them, and the less harm you will suffer. Yet many organizations are struggling to build the holistic view of their environment they need to detect, investigate, and resolve attacks quickly.

In this article, we’ll explore why that is and what to do about it.

To do so, we’ll walk through:

• Why organizations are struggling with security visibility
• How the Open Cybersecurity Schema Framework (OCSF) is standardizing security datasets
• How Amazon Security Lake uses OCSF
• How Tanium brings endpoint visibility to the OCSF and Amazon Security Lake

Why organizations don’t see attacks fast enough

Now, every organization knows they need to spot attacks quickly.

They know they need to build a unified, accurate view of their environment in order to detect, investigate, and resolve attacks before they cause harm.

They have even invested in dozens of tools that collect security data from multiple sources in their environment and have built complete security teams who work around the clock to monitor their security data and look for potential incidents.

And yet many organizations still fail to detect attacks before they strike.

Here’s why.

Every security tool defines and organizes its security data under its own schema, and often uses different names and conventions for the same things. This means all of the security data that organizations collect cannot work together out-of-the-box, and won’t naturally add up to a holistic, unified view of their environment.

To combine all the data into a complete and actionable view — one where every dataset can be used together to detect, investigate, and resolve attacks quickly — security teams must manually normalize every scrap of data into one standard format.

The process is slow, challenging, and error-prone, and results in:

• Security teams spending more time wrangling security data than analyzing it
• Operators working from a fragmented, inaccurate view of their environment
• Criminals finding many blind spots to hide within as they progress their attacks
• Attacks going undetected, uninvestigated, and unresolved until it’s too late

All because organizations and vendors work from their own schemas for defining and organizing security data. Thankfully, a new project, a new platform, and many of the industry’s leading vendors are coming together to solve this problem.

How OCSF solves the standardization problem

The Open Cybersecurity Schema Framework (OCSF) solves the massive problem of the lack of standardized cybersecurity data across vendors and organizations.

OCSF was created to solve this problem. It is a common language for threat detection and investigation that can be used by any cybersecurity team, at any organization, for any incident. To do so, OCSF provides a standard set of names, definitions, and taxonomies for core cybersecurity data. This schema is simple, vendor-agnostic, and easy to extend with domain-specific cybersecurity data.

Simply put — every vendor and organization that adopts OCSF will use the same framework to describe and organize their cybersecurity data. By doing so, they can rapidly ingest, combine, and analyze each other’s data. This makes it easier to rapidly spot, scope, and ultimately resolve cybersecurity incidents.

By adopting OCSF — and using tools that conform to it — security teams will:

• Reduce the time and effort needed to combine security data
• Eliminate cybersecurity data silos and improves data accuracy
• Create a holistic view of cybersecurity data across tools and sources
• Streamline and accelerate Security Operations to resolve incidents faster

Anyone can adopt and contribute to OCSF. It’s an open-source project that offers an open standard that works with any environment, application, or solution, and fits into existing security standards and processes. As more organizations and vendors adopt the OCSF, the process of combining security data will get easier and easier.

And we’re already seeing a few big projects emerge that adopt OCSF, including AWS’ recent security data lake solution, Amazon Security Lake.

How Amazon Security Lake uses OCSF

OCSF was co-founded by Amazon Web Services (AWS) and Splunk, with just a handful of other companies contributing, including Tanium.

Recently launched Amazon Security Lake is a security data lake from integrated cloud and on-premises data sources as well as from their private applications that uses the OCSF schema in parquet format. Security Lake reduces the complexity and costs for customers to make their security solutions data accessible to address a variety of security use cases such as threat detection, investigation, and incident response. Security Lake helps organizations aggregate, manage, and derive value from log and event data in the cloud and on-premises to give security teams greater visibility across their organizations. With Security Lake, customers can use the security and analytics solutions of their choice to simply query that data in place or ingest the OCSF-compliant data to address further use cases. Security Lake helps customers optimize security log data retention by optimizing the partitioning of data to improve performance and reduce costs. Now, analysts and engineers can easily build and use a centralized security data lake to improve the protection of workloads, applications, and data.

In essence, Amazon Security Lake creates one home for all of your security data using an open-source schema, it ensures all your data plays well together, and it makes it easy to build a single, unified, and actionable view of any incident you suffer.

By using Amazon Security Lake, security teams will:

• Gather logs from multiple accounts, regions, networks, and tools in one lake
• Simplify the process of running correlations and analysis on diverse data sets
• More efficiently store and query massive security log sources

Amazon Security Lake collects a wide range of cybersecurity data from multiple sources that can be used during security incidents. And at Tanium, we are proud to have contributed our experience, and expertise with endpoint datasets to both OCSF and Amazon Security Lake.

How Tanium brings endpoint visibility to OCSF and Amazon Security Lake

Tanium is the only Converged Endpoint Management (XEM) platform and provides visibility, control, and remediation through a single, lightweight, distributed solution.

Tanium generates complete, accurate, real-time data for every endpoint — whether managed or unmanaged — across environments of every size and level of complexity.

With Tanium’s endpoint data, organizations can:

• Create a complete and accurate inventory of all endpoints in minutes
• Discover hidden and hard-to-find endpoints that CMDBs and other tools miss
• Identify vulnerabilities, compliance gaps, missing patches and updates, or misconfigurations across every endpoint in the environment in minutes
• Locate changes to sensitive data fields, configurations, access rights, or IoCs
• Monitor sensitive data, and set up alerts that trigger during potential incidents
• Enrich asset catalogs and make security workflows smarter and stronger
• Fill some of the most common gaps in many organizations’ security data pools
• Drive a more complete detection, investigation, and remediation of threats

In sum: Tanium collects all of the key endpoint data that security and operations teams need to detect, investigate, and resolve incidents. And now, due to new partnerships with OCSF and Amazon Security Lake, organizations can easily use Tanium’s experience, expertise, and data sets to create a holistic view of their security risks.

Here’s how Tanium has partnered to support OCSF and Amazon Security Lake.

• Tanium and OCSF: Tanium was one of the original contributors to OCSF. OCSF came to Tanium to add our experience and expertise with all things endpoints, and we played a significant role in setting down their complete and standardized taxonomy for endpoint security data. Naturally, our endpoint data conforms to the OCSF’s schema.
• Tanium and Amazon Security Lake: We’ve maintained a robust partnership with AWS for many years, and we offer a formal, technical integration with Amazon Security Lake. With this integration, it’s simple and easy to add our comprehensive visibility to your data lake, and combine our fresh, accurate endpoint data with other data sources to drive more complete and effective incident investigations.

By joining forces with the OCSF initiative and Amazon Security Lake, we’re helping to create a large cybersecurity ecosystem where many different players work together. By combining our datasets, we can give security teams the single, unified view of their environment they need to rapidly detect, investigate, and stop their incidents.

But we can’t do it alone.

Join the cause: Adopting OCSF, and working with Amazon Security Lake, and Tanium

OCSF is new, but it’s already generated a lot of support from some big players.

The two partners behind the project — AWS and Splunk — are two of the largest data vendors on the market. Many of OCSF’s initial contributors — like Salesforce and Palo Alto Networks — are some of the world’s biggest software vendors.

We are committed to working on an open-source schema that will help customers solve the challenges that they have with data interoperability and data normalization between security products.

The takeaway here is clear. Learn more about OCSF, and strongly consider adopting it within your organization. Doing so will help you simplify and streamline a huge point of complexity in Security Operations, it will help you work seamlessly with leading cybersecurity vendors, and it will likely future-proof your security function.

To do so, take the next step:

• Learn more about OCSF: Get the technical details here and here. You can also learn more in our Tanium community article.
• Learn more about Amazon Security Lake: Try out Amazon Security Lake here.
• Learn more about Tanium: Read details or schedule a chat and demo here.