As I have said repeatedly, the Cyber industry is one in
which there is plenty of technojargon.
So the next one to come of age is “Framework”. There is nothing really new about it, it’s
been around for quite some time, but it is being used quite a bit these
days.
Generally speaking, a framework can be thought of as a set
of guiding principles that help companies accomplish a certain
task they have set out to do. For example, the
National Institute of Standards and Technology, also known as NIST, has
compiled a large number of these frameworks to help business owners better
protect themselves.
They range from providing checklists as to how you should
conduct a risk assessment to how you should become compliant with the many data
privacy laws that are now coming about.
I know about some of them, but not in a lot of detail. Probably the one I am the most well versed in
is the NIST SP 800-171, which deals with the CMMC.
While the NIST documents do provide excellent guidance on how
to use the controls and checklists they contain, it is always wise to check with a
compliance expert first to see whether that particular framework is what you really need.
OK, so fast forward a little bit: just last week, a
major Cyber conference was held, known as Black Hat USA, very similar to
the RSA conference which is held in the Bay Area every year. At these venues, everybody is showing off
their latest gadgetry, but something unique came from this one.
AWS and Splunk sponsored the start of a new initiative,
called the “Open Cybersecurity Schema Framework”, or “OCSF” for short.
There are also 18 other vendors that have agreed to help
sponsor and contribute to this framework, and they are as follows:
Broadcom (Symantec);
Cloudflare;
CrowdStrike;
DTEX;
IBM Security;
IronNet;
JupiterOne;
Okta;
Palo Alto Networks;
Rapid7;
Salesforce;
Securonix;
Sumo Logic;
Tanium;
Trend Micro;
Zscaler.
So as you can see from this list, you have some big players
that want to help out this new framework.
So you may be asking at this point, what is this all about? Well, as you may realize, there are literally
hundreds of network security products out there, and they all record every last
detail of what transpires in your security environment.
These log files can be quite huge, so tooling has been
developed to consolidate all of these events, filter them down to the most relevant ones,
and present them in one central dashboard, which is known as a SIEM.
AI and ML play a big part in this filtering process, as they
comb through all of the false positives and discard them. Thus, only the real warnings and alarms are
presented to the IT Security team, so that they can triage them from just one
dashboard.
But the problem here is that all of these different devices
output their data in different formats, which can be quite time consuming to
decipher. So, the primary objective of
this new framework is to try to come up with a common, best-of-breed standard so that these
different formats can be normalized into a single one.
The benefits of this are twofold:
1) The IT Security team can make better decisions
in a shorter time period;
2) Any intel and information gathered can be shared
with other organizations as well.
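To make the normalization objective concrete, here is an added example (not code from the original post and not the OCSF project's own code) that takes two constructed vendor log formats, a key=value line and a JSON record, and maps both into one common event shape, so that a single detection query can run over both. The field names follow OCSF's Authentication event class; the specific numeric identifiers (class_uid 3002, category_uid 3, activity_id, status_id, and time in epoch milliseconds) are assumptions here and should be checked against the published schema before use.

```python
"""Normalize two constructed vendor log formats into one OCSF-style event."""
import json
import re
from datetime import datetime

# Constructed sample: a key=value line in a made-up "vendor A" format.
VENDOR_A_LINE = (
    "ts=2022-08-12T14:03:21Z event=login user=alice "
    "src=10.0.0.5 result=failure reason=bad_password"
)

# Constructed sample: a JSON record in a made-up "vendor B" format.
VENDOR_B_RECORD = json.dumps({
    "timestamp": 1660313050,      # epoch seconds
    "action": "LOGON_OK",
    "account": "bob",
    "client_ip": "192.0.2.10",
})

# Identifiers modelled on OCSF's Authentication class (assumptions, verify
# against the published schema).
CLASS_UID_AUTHENTICATION = 3002
CATEGORY_UID_IAM = 3
ACTIVITY_LOGON = 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2


def _event(product, time_ms, user, ip, success, unmapped):
    """Build the common event shape shared by every vendor mapping."""
    return {
        "class_uid": CLASS_UID_AUTHENTICATION,
        "category_uid": CATEGORY_UID_IAM,
        "activity_id": ACTIVITY_LOGON,
        "time": time_ms,                       # epoch milliseconds
        "status_id": STATUS_SUCCESS if success else STATUS_FAILURE,
        "user": {"name": user},
        "src_endpoint": {"ip": ip},
        "metadata": {"product": {"name": product}},
        "unmapped": unmapped,                  # keep vendor fields we do not map
    }


def parse_vendor_a(line):
    """Parse key=value pairs from the constructed vendor A format."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    ts = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    mapped = {"ts", "event", "user", "src", "result"}
    return _event(
        "VendorA",
        int(ts.timestamp() * 1000),
        fields["user"],
        fields["src"],
        fields["result"] == "success",
        {k: v for k, v in fields.items() if k not in mapped},
    )


def parse_vendor_b(record):
    """Parse the constructed vendor B JSON format."""
    data = json.loads(record)
    mapped = {"timestamp", "action", "account", "client_ip"}
    return _event(
        "VendorB",
        data["timestamp"] * 1000,
        data["account"],
        data["client_ip"],
        data["action"] == "LOGON_OK",
        {k: v for k, v in data.items() if k not in mapped},
    )


PARSERS = {"VendorA": parse_vendor_a, "VendorB": parse_vendor_b}


def normalize(raw, vendor):
    """Dispatch a raw record to the parser registered for its vendor."""
    return PARSERS[vendor](raw)


def failed_logons(events):
    """One query over the common shape, regardless of which vendor produced it."""
    return [
        e["user"]["name"]
        for e in events
        if e["class_uid"] == CLASS_UID_AUTHENTICATION
        and e["status_id"] == STATUS_FAILURE
    ]


if __name__ == "__main__":
    events = [normalize(VENDOR_A_LINE, "VendorA"),
              normalize(VENDOR_B_RECORD, "VendorB")]
    print(json.dumps(events, indent=2))
    print("failed logons:", failed_logons(events))
```

The point of the `unmapped` field is that normalization should not silently drop vendor-specific detail; analysts can still reach the original `reason` value when a single query over the common shape flags an event.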
One of the other key advantages of this framework is that it
is based on an open-source platform, meaning any individual or company can
contribute to it, thus expanding the knowledge base. It is important to note
that this is not something that just came out of thin air; rather, it has its
grounding in the ICD Schema specification that was developed by
Broadcom.
More information about this can be seen at this link:
https://icd-schema.symantec.com/
The technical details about the OCSF can be found on GitHub,
at this link below:
https://github.com/ocsf/ocsf-docs/blob/main/Understanding%20OCSF.pdf
In fact, recent studies have also found that the Cyber
industry wants some sort of set of best standards to follow. Here are some of the results:
*77% of the respondents want to see as many open frameworks
as possible;
*85% view integration and cooperation with other vendors as
almost being necessary these days.
More information about these findings can be seen at the
link below:
While many participants at Black Hat applauded this effort,
many also still wonder if this framework will have the legs to walk and
continue to grow. For example, at the
heart of any framework, is the Steering Committee.
These are made up of government officials, private industry
vendors, and even everyday American citizens. Their purpose is to make sure
that the framework is fulfilling its purpose and not veering off course from
it. At the present time, the steering
committee is still made up largely of vendors; very little input has yet
been provided by the American public.
My Thoughts On This:
From the outset, I think that this new framework is a great
step forward. But as was alluded to
before, many Cyber pundits still wonder how long this will last. For example, some wonder whether this is all talk
and hot air, or whether something will actually come of it. It is still too early to tell, primarily
because this is not a government-directed effort, as the NIST frameworks have
been.
But on this theme, many CISOs in Corporate America are now
starting to realize that they have what is known as “network security
sprawl”. This is where too many products have been
deployed to beef up the lines of defense. The thinking here is that the more you have,
the better off you will be. But this is
far from the truth. Having more tools out there
simply makes the attack surface that much larger.
Plus, many CISOs often purchase network security devices
from different vendors, which makes the differing output files even more
problematic to deal with. The reason for
this is that each vendor has its own set of rules for outputting events, and
this is the exact problem that the OCSF framework is trying to solve.
Perhaps one of the first mandates of this new framework
should be that before embarking on new products, a CISO must first conduct a
risk assessment to determine how any existing devices can be more strategically
placed. For example, instead of
purchasing more, would just 3 firewalls suffice instead of having 10 of them?
Not only will this make formatting the log output files
easier, but it will streamline the reporting process into a much more efficient
one.