AWS and Splunk team up to respond faster to cyberattacks • The Register

Black Hat AWS and Splunk are leading an initiative to create an open standard for security data ingestion and analysis, intended to let enterprise security teams respond more quickly to cyber threats.

Seventeen security and technology companies attending Black Hat USA 2022 this week unveiled the Open Cybersecurity Schema Framework (OCSF) project, which will use the ICD schema developed by Symantec as the basis for the vendor-neutral standard.

The creation of the OCSF, licensed under the Apache License 2.0, comes as organizations see their attack surfaces rapidly expand: their computing environments are becoming increasingly decentralized, spanning central data centers, the cloud, and the edge. At the same time, the number and complexity of the cyber threats they face are growing rapidly.

“Today’s security leaders face an agile, determined, and diverse set of threat actors,” wrote officials from cybersecurity vendor Trend Micro, an early member of the OCSF, in a blog post. “From emboldened nation-state hackers to ransomware-as-a-service (RaaS) affiliates, adversaries are sharing tactics, techniques, and procedures (TTPs) on an unprecedented scale – and it shows.”

Trend Micro blocked more than 94 billion threats in 2021, a 42% year-over-year increase, and 43% of companies responding to a vendor survey said their digital attack surface was becoming uncontrollable.

Cybersecurity vendors have responded by creating platforms that combine attack surface management, threat prevention, detection and response to make it easier and faster for businesses to thwart attacks. They streamline processes, close security gaps, and reduce costs, but they’re still based on vendor-specific products and point offerings.

Vendors use different data formats in their products, so moving data sets from one vendor’s product to another’s often requires the tedious task of converting the data from one format to the other.

“Unfortunately, normalizing and unifying data from these disparate tools takes time and money,” Trend Micro said. “This slows threat response and ties up analysts who should be working on higher value tasks. Yet, so far, this has simply become an accepted cost of cybersecurity. Imagine the additional value that could be created if we found an industry-wide way to free teams from that operational burden.”

Dan Schofield, program manager for technology partnerships at IBM Security, another OCSF member, wrote that the lack of open industry standards for logging and event data creates challenges in detection engineering, threat hunting and analysis, and that so far there has been no critical mass of vendors ready to fix the problem.

Mark Ryland, Director of the CISO Office at AWS, wrote in a blog post that organizations find interoperability and data standardization between security products challenging, because security teams have to correlate and unify data across multiple products from different vendors, each in a proprietary format.

The OCSF schema “will allow security teams to more easily ingest and correlate security log data from different sources, enabling greater detection accuracy and faster response to security events,” Ryland wrote. “Although as an industry we cannot directly control the behavior of threat actors, we can improve our collective defenses by enabling security teams to do their jobs more effectively.”

AWS worked with the other project members to create the specifications and tools, which are available to cybersecurity vendors and partners as well as enterprises and other organizations. The public cloud giant is also contributing engineering, training and guidance support to the standards effort.

The Integrated Cyber Defense Exchange (ICDx) from Symantec, a division of Broadcom, is used to normalize incoming event data into the company’s ICD schema, which organizes attributes and objects into event types classified into different categories.
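To make the normalization problem the article describes concrete, here is an added example (not code from the OCSF project, Symantec, or any vendor named above) that maps two constructed vendor-specific login records onto a single OCSF-style event, so that one detection query runs over both. The numeric category, class, activity and status identifiers follow OCSF’s Authentication event class as best understood and are assumptions, not values taken from the article; the two vendor formats are invented for illustration.

```python
# Added example (not OCSF project code): map two constructed vendor log formats
# onto one OCSF-style event. Numeric ids follow OCSF's Authentication class as
# best understood (category 3, class 3002, activity 1 = Logon, status 1/2 =
# Success/Failure) and are assumptions, not values taken from the article.
import json
from datetime import datetime

CATEGORY_IAM = 3             # assumed OCSF category: Identity & Access Management
CLASS_AUTHENTICATION = 3002  # assumed OCSF class: Authentication
ACTIVITY_LOGON = 1
STATUS = {"success": 1, "failure": 2}


def _epoch_ms(iso_ts: str) -> int:
    """Convert an ISO-8601 UTC timestamp to epoch milliseconds (OCSF 'time')."""
    return int(datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).timestamp() * 1000)


def from_vendor_a(line: str) -> dict:
    """Vendor A (constructed): 'AUTH ts=<iso> user=<name> src=<ip> result=OK|FAIL'."""
    kv = dict(tok.split("=", 1) for tok in line.split()[1:])
    return normalize(kv["ts"], kv["user"], kv["src"], kv["result"] == "OK", "Vendor A")


def from_vendor_b(line: str) -> dict:
    """Vendor B (constructed): JSON with keys when, principal, client_addr, outcome."""
    rec = json.loads(line)
    return normalize(rec["when"], rec["principal"], rec["client_addr"],
                     rec["outcome"] == "allowed", "Vendor B")


def normalize(ts: str, user: str, src_ip: str, success: bool, vendor: str) -> dict:
    """Emit one common event shape so detection logic sees a single format."""
    return {
        "category_uid": CATEGORY_IAM,
        "class_uid": CLASS_AUTHENTICATION,
        "activity_id": ACTIVITY_LOGON,
        "status_id": STATUS["success" if success else "failure"],
        "time": _epoch_ms(ts),
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "metadata": {"product": {"vendor_name": vendor}},
    }


def failed_logons(events: list) -> list:
    """One query over normalized events replaces one query per vendor format."""
    return [e for e in events if e["status_id"] == STATUS["failure"]]
```

The point is the last function: once both feeds share the schema, a failed-logon hunt is written once instead of once per vendor parser.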

Trend Micro compared the OCSF initiative to other security frameworks, such as MITRE ATT&CK for classifying adversary tactics and techniques and STIX/TAXII for exchanging threat intelligence.

Over the years, vendors have collaborated with each other, businesses, and governments in areas such as intelligence sharing to address cybersecurity threats, but more needs to be done.

Analyst firm ESG said in a cybersecurity report released last month that 77% of respondents wanted to see more cooperation between vendors in developing open standards and 85% said the ability of a product to fit in with others was important.

“It is understood that data is the lifeblood of security operations centers, but oftentimes that data needs to be manipulated and normalized to be in a form that can be used by the teams and tools on which the SOC builds,” wrote Paul Agbabian, Distinguished Engineer and Vice President of Technology Strategy for Splunk’s Security Business Unit. “There is a lot of industry sentiment in favor of simplifying data standardization.”

Other OCSF members are Cloudflare, CrowdStrike, DTEX, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, and Zscaler. ®