Five Open Data Formats Every Cybersecurity Operations Team Should Know


GUEST NOTE: Accelerating cybersecurity operations relies on interoperability.

Security teams are often measured on their ability to act quickly, with effectiveness metrics expressed as mean time to detect and contain a threat, mean time to recover compromised systems, and attacker dwell time.

All of these demand diligence and repeatable process, but they also demand a certain level of speed.

Teams can move faster when all parts of security operations are in sync. Tooling plays a key role in helping operational security teams do their jobs more efficiently, but security stacks are historically complex. Case in point: Gartner recently found that 75% of organizations are pursuing security vendor consolidation to reduce complexity and improve their risk posture, up from 29% in 2020.

Best-of-breed environments will persist even with fewer vendors, and there are good reasons to want them: a best-of-breed approach gives teams the strongest tool in each category at the best price. No single vendor handles every part of cybersecurity operations well on its own, and consolidation brings the risk of vendor lock-in.

The number of tools and vendors in a best-of-breed environment is seen as a problem because of the difficulty of connecting all of these systems together. That task has traditionally fallen to the security operations team itself, which has to establish a common ontology or structure for the data collected across all of these systems. This means a lot of hard integration work and software development.

The problem has multiplied in recent years with the realization that security is a team sport. Entire industries are now joining together – for example through Information Sharing and Analysis Center (ISAC) community structures – to exchange intelligence and collectively impose costs on attackers by exposing their infrastructure and methods. Shareable intelligence is increasingly critical in security contexts, but sharing is made much harder when data is collected in fragmentary, proprietary formats.

Security teams need easier ways to understand the vast IT estates they protect. They need standard methods to collect and ingest data into a central log management store to improve their visibility and response time. They need systems that automatically recognize what data has been collected and what to do with it: how to index it and make it searchable, how to understand vulnerabilities and their organization’s security control posture, and how to share information on threats and response processes with other security teams.

If this happens “magically”, without analysts having to switch between screens and without an engineer spending months and thousands of dollars in consulting fees wiring everything up, it is a win for security teams around the world.

What victory looks like

Vendors have a role to play in relieving security teams of this extra effort, and they are increasingly doing so by adopting common data formats as standards.

Several data standardization efforts are paving the way to simplifying the work of operational security teams. The five standards that all security teams should be aware of are STIX, OCSF, OSCAL, SPDX, and CACAO.

Structured Threat Information eXpression (STIX), which falls under the Organization for the Advancement of Structured Information Standards – better known as OASIS Open – is one such data format and a success story in interoperability. STIX 2.x objects are JSON documents that share a common set of properties (type, id, created, modified) and are linked to each other by relationship objects. Because it is designed for exchanging cyber threat intelligence, STIX is especially useful for teams and organizations that take part in sharing communities and forums.
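A small illustration of what receiving STIX looks like in practice. This is an added example, not code from the original article or from OASIS: it parses a constructed STIX 2.1 bundle (made-up UUIDs and values), checks that each object carries the common properties and a well-formed id, resolves the `indicates` relationship so the indicator can be labelled with the malware it points at, and pulls the observable out of the simplest pattern shape. Compound patterns (AND/OR/FOLLOWEDBY) are deliberately skipped; a real deployment would use a proper STIX pattern parser.

```python
"""Parse a STIX 2.1 bundle and pull the shareable indicators out of it."""
import json
import re

# Constructed STIX 2.1 bundle (made-up UUIDs and values): one Indicator,
# one Malware, and the Relationship that ties them together.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--1b0c2a4e-4b5e-4f8d-9a2c-3e0d6f7a8b90",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
            "created": "2024-03-01T12:00:00.000Z",
            "modified": "2024-03-01T12:00:00.000Z",
            "name": "Example C2 domain",
            "indicator_types": ["malicious-activity"],
            "pattern": "[domain-name:value = 'c2.example.invalid']",
            "pattern_type": "stix",
            "valid_from": "2024-03-01T00:00:00Z",
        },
        {
            "type": "malware",
            "spec_version": "2.1",
            "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
            "created": "2024-03-01T12:00:00.000Z",
            "modified": "2024-03-01T12:00:00.000Z",
            "name": "ExampleRAT",
            "is_family": True,
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--df0d7b3a-7a2c-4a55-8f8a-6b1e0a2b3c4d",
            "created": "2024-03-01T12:00:00.000Z",
            "modified": "2024-03-01T12:00:00.000Z",
            "relationship_type": "indicates",
            "source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
            "target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
        },
    ],
})

# Common properties every STIX 2.1 domain/relationship object must carry.
REQUIRED_COMMON = ("type", "spec_version", "id", "created", "modified")
ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Only the simplest STIX pattern shape: [object-type:path = 'value']
SIMPLE_PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([a-z0-9_.\[\]]+)\s*=\s*'([^']*)'\]$")


def load_bundle(text):
    """Parse a bundle into {id: object}, rejecting objects that lack the common properties."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    by_id = {}
    for obj in bundle.get("objects", []):
        missing = [k for k in REQUIRED_COMMON if k not in obj]
        if missing:
            raise ValueError(f"{obj.get('id', '<no id>')} is missing {missing}")
        if not ID_RE.match(obj["id"]) or not obj["id"].startswith(obj["type"] + "--"):
            raise ValueError(f"malformed id {obj['id']}")
        by_id[obj["id"]] = obj
    return by_id


def extract_iocs(by_id):
    """Return (observable type, value, malware name or None) for each simple indicator pattern."""
    # Resolve 'indicates' relationships so each indicator is labelled with what it points at.
    malware_for = {}
    for obj in by_id.values():
        if obj["type"] == "relationship" and obj.get("relationship_type") == "indicates":
            target = by_id.get(obj["target_ref"], {})
            malware_for[obj["source_ref"]] = target.get("name", obj["target_ref"])
    iocs = []
    for obj in by_id.values():
        if obj["type"] != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = SIMPLE_PATTERN_RE.match(obj["pattern"])
        if not m:
            continue  # compound patterns (AND/OR/FOLLOWEDBY) need a real STIX pattern parser
        iocs.append((m.group(1), m.group(3), malware_for.get(obj["id"])))
    return iocs


if __name__ == "__main__":
    for ioc in extract_iocs(load_bundle(STIX_BUNDLE)):
        print(ioc)
```

The point of the id and common-property checks is that a feed from a sharing partner is untrusted input: an object with a malformed id cannot be referenced safely from other objects, so it is better to reject the bundle up front than to discover the gap when a relationship fails to resolve later.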

Another OASIS Open specification that is gaining traction is Collaborative Automated Course of Action Operations (CACAO). CACAO makes it possible to share incident response playbooks between security operations teams using a machine-readable JSON format. CACAO playbooks can include sequential and parallel actions, decisions, loops, and error handling. Steps in a CACAO workflow can be manual or automated, with variables passed between steps, and additional variables in the playbook metadata allow a playbook to be customized to a particular environment.
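To make the workflow features concrete, here is a deliberately small interpreter for a constructed CACAO-style playbook. This is an added example, not code from the original article or from the CACAO specification; the field names it relies on (`workflow_start`, `workflow`, `on_completion`, `on_true`/`on_false`, `next_steps`, `playbook_variables`, `step_variables`, `commands`) follow the CACAO v2.0 layout as I read it, the host names, URLs and playbook id are made up, and the executor is a stand-in that fakes an EDR response rather than calling any real tool. It is a simulation of the control flow, not a conforming CACAO engine.

```python
"""Walk a CACAO-style playbook: sequential actions, an if-condition, a parallel
fan-out, and variables passed from one step to the next."""
import json
import re

# Constructed playbook (made-up id, hosts and URLs): check an EDR score for a
# host, then either isolate it and page the on-call in parallel, or watchlist it.
PLAYBOOK_JSON = json.dumps({
    "type": "playbook",
    "spec_version": "cacao-2.0",
    "id": "playbook--2c3e5f6a-1111-4222-8333-444455556666",
    "name": "Contain suspected C2 beacon",
    "playbook_variables": {
        "__host__": {"type": "string", "value": "ws-042.corp.example", "constant": False},
        "__edr_api__": {"type": "string", "value": "https://edr.example/api", "constant": True},
    },
    "workflow_start": "start--a1",
    "workflow": {
        "start--a1": {"type": "start", "on_completion": "action--b1"},
        "action--b1": {
            "type": "action", "name": "Query EDR for beacon score",
            "step_variables": {"__score__": {"type": "integer", "value": 0}},
            "commands": [{"type": "http-api", "command": "GET __edr_api__/hosts/__host__/score"}],
            "on_completion": "if-condition--c1",
        },
        "if-condition--c1": {
            "type": "if-condition", "condition": "__score__ > 70",
            "on_true": "parallel--d1", "on_false": "action--e2",
        },
        "parallel--d1": {"type": "parallel", "next_steps": ["action--e1", "action--e3"], "on_completion": "end--z1"},
        "action--e1": {
            "type": "action", "name": "Isolate host",
            "commands": [{"type": "http-api", "command": "POST __edr_api__/hosts/__host__/isolate"}],
        },
        "action--e3": {
            "type": "action", "name": "Notify on-call",
            "commands": [{"type": "manual", "command": "Page SOC on-call: __host__ scored __score__"}],
        },
        "action--e2": {
            "type": "action", "name": "Add to watchlist",
            "commands": [{"type": "http-api", "command": "POST __edr_api__/watchlist/__host__"}],
            "on_completion": "end--z1",
        },
        "end--z1": {"type": "end"},
    },
})

COND_RE = re.compile(r"^(__\w+__)\s*(==|!=|>=|<=|>|<)\s*(\S+)$")
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def load_playbook():
    return json.loads(PLAYBOOK_JSON)


def substitute(text, variables):
    """Replace __name__ references with the variable's current value."""
    for name, var in variables.items():
        text = text.replace(name, str(var["value"]))
    return text


def evaluate(condition, variables):
    """Evaluate a single '__var__ OP literal' condition (the only shape this toy supports)."""
    m = COND_RE.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition}")
    name, op, literal = m.groups()
    var = variables[name]
    rhs = int(literal) if var["type"] == "integer" else literal.strip("'")
    return OPS[op](var["value"], rhs)


def run_playbook(playbook, executor):
    """Return ([(step name, rendered command), ...], final variables).

    executor(rendered_command) stands in for real tool integrations and returns a
    dict of variable updates. Simplifications: parallel branches run one after
    another, a branch ends at a step with no on_completion, and failure handling
    (on_failure) is not modelled.
    """
    variables = {k: dict(v) for k, v in playbook.get("playbook_variables", {}).items()}
    trace = []

    def run_from(step_id):
        while step_id:
            step = playbook["workflow"][step_id]
            kind = step["type"]
            if kind == "end":
                return
            if kind == "start":
                step_id = step.get("on_completion")
            elif kind == "action":
                for name, var in step.get("step_variables", {}).items():
                    variables.setdefault(name, dict(var))
                for cmd in step["commands"]:
                    rendered = substitute(cmd["command"], variables)
                    trace.append((step["name"], rendered))
                    for name, value in (executor(rendered) or {}).items():
                        variables.setdefault(name, {"type": "string"})["value"] = value
                step_id = step.get("on_completion")
            elif kind == "if-condition":
                step_id = step["on_true"] if evaluate(step["condition"], variables) else step.get("on_false")
            elif kind == "parallel":
                for branch in step["next_steps"]:
                    run_from(branch)
                step_id = step.get("on_completion")
            else:
                raise ValueError(f"unsupported step type: {kind}")

    run_from(playbook["workflow_start"])
    return trace, variables


def fake_edr(command):
    """Stand-in executor: pretend the EDR reports a high beacon score."""
    return {"__score__": 92} if command.endswith("/score") else {}


if __name__ == "__main__":
    for name, rendered in run_playbook(load_playbook(), fake_edr)[0]:
        print(f"{name}: {rendered}")
```

Swapping `fake_edr` for an executor that returns a low score sends the same playbook down the `on_false` branch, which is the property that makes a shared playbook portable: the decision logic travels with the document, and only the executor is site-specific.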

More recently, the Open Cybersecurity Schema Framework (OCSF), announced at Black Hat USA 2022 and backed by some of the world’s largest technology vendors, has also shown great promise. OCSF is notable because some of its backers are organizations that in the past would not have produced easily interoperable tools. By standardizing how security event data is defined and stored, OCSF lets teams using compliant tools be confident that field names and timestamp formats, for example, are the same and aligned across all of their tools.
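What that alignment buys you is easiest to see by normalizing two differently shaped login records into one schema. This is an added example, not code from the original article or from the OCSF project. The Windows record and the sshd syslog line are constructed; the target fields (`class_uid` 3002 for Authentication, `category_uid` 3, `activity_id` 1 for Logon, `status_id`, `time` as integer epoch milliseconds, `user`, `src_endpoint`, `dst_endpoint`, `metadata.product`) follow the OCSF 1.x schema as I read it, and output from anything like this should still be checked against the published schema.

```python
"""Normalize two vendor-specific login records into one OCSF-shaped
Authentication event so field names and timestamps line up across tools."""
import calendar
import re
from datetime import datetime, timezone

# Constructed inputs: a Windows Security log record (already key/value) and a syslog line.
WINDOWS_EVENT = {
    "EventID": 4624,
    "TimeCreated": "2024-03-01T08:15:30.1234567Z",   # Windows gives 100 ns precision
    "TargetUserName": "alice",
    "IpAddress": "10.1.2.3",
    "Computer": "DC01.corp.example",
    "LogonType": 10,
}
SYSLOG_LINE = "Mar  1 08:16:02 bastion sshd[2210]: Accepted publickey for bob from 10.9.8.7 port 51022 ssh2"

# OCSF identifiers as I read the 1.x schema (assumption: validate against the live schema).
CLASS_AUTHENTICATION = 3002
CATEGORY_IAM = 3
ACTIVITY_LOGON = 1
STATUS_SUCCESS = 1
OCSF_VERSION = "1.1.0"


def to_epoch_ms(dt):
    """OCSF 'time' is an integer: milliseconds since the Unix epoch, UTC."""
    return calendar.timegm(dt.utctimetuple()) * 1000 + dt.microsecond // 1000


def parse_windows_time(text):
    # Keep the first 6 fractional digits (microseconds); Python datetimes hold no more.
    m = re.match(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z$", text)
    if not m:
        raise ValueError(f"unexpected timestamp: {text}")
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.replace(microsecond=int((m.group(2) or "0")[:6].ljust(6, "0")))


def build_event(dt, user, src_ip, dst_host, vendor, product, raw):
    """The single shape every source is mapped to; only this shape is indexed downstream."""
    return {
        "class_uid": CLASS_AUTHENTICATION,
        "category_uid": CATEGORY_IAM,
        "activity_id": ACTIVITY_LOGON,
        "status_id": STATUS_SUCCESS,
        "time": to_epoch_ms(dt),
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "dst_endpoint": {"hostname": dst_host},
        "metadata": {"version": OCSF_VERSION, "product": {"vendor_name": vendor, "name": product}},
        "raw_data": raw,
    }


def normalize_windows(ev):
    if ev.get("EventID") != 4624:      # 4624 = an account was successfully logged on
        return None
    dt = parse_windows_time(ev["TimeCreated"])
    return build_event(dt, ev["TargetUserName"], ev["IpAddress"], ev["Computer"],
                       "Microsoft", "Windows Security Auditing", str(ev))


SSHD_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+"
)


def normalize_sshd(line, year=2024):
    """Classic syslog carries no year or zone: the caller supplies the year and UTC is assumed."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    stamp, host, _method, user, ip = m.groups()
    stamp = " ".join(stamp.split())             # collapse 'Mar  1' to 'Mar 1'
    dt = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return build_event(dt, user, ip, host, "OpenBSD", "OpenSSH", line)


def normalize_all():
    return [e for e in (normalize_windows(WINDOWS_EVENT), normalize_sshd(SYSLOG_LINE)) if e]


if __name__ == "__main__":
    for event in normalize_all():
        print(event["time"], event["user"]["name"], event["src_endpoint"]["ip"], "->", event["dst_endpoint"]["hostname"])
```

Once both sources land in this shape, a single detection (say, one user authenticating from two source IPs within a minute) can be written once against `user.name`, `src_endpoint.ip` and `time`, instead of once per vendor; the timestamp conversion is where most cross-tool correlation errors hide, which is why both parsers pin the zone explicitly.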

For security posture management, the Open Security Controls Assessment Language (OSCAL), published by NIST, is a convenient format for representing formal catalogs of security controls, together with the profiles, implementation statements and assessment results that refer back to them. The format has been used to publish the NIST Security and Privacy Controls for Information Systems and Organizations (SP 800-53r5), the US Federal Risk and Authorization Management Program (FedRAMP) baselines, and more recently the Australian Information Security Manual (ISM). OSCAL has schemas in JSON, YAML and XML, and allows catalogs of security controls to be both human- and machine-readable.
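A catalog is only useful to a security team once it can be queried, so here is the basic operation: flatten an OSCAL catalog into control ids and diff it against the controls a team claims to implement. This is an added example, not code from the original article or from NIST's OSCAL tooling. The catalog is a constructed miniature in the OSCAL 1.x JSON catalog layout (`catalog` with `metadata` and `groups`, each group holding `controls`, each control holding `parts` and, for enhancements, nested `controls`); the control ids and prose are made up rather than copied from SP 800-53.

```python
"""Flatten an OSCAL catalog into control ids and compare it with a list of
controls a team says it implements."""
import json

# Constructed miniature catalog in OSCAL 1.x JSON layout (ids and prose made up).
CATALOG_JSON = json.dumps({
    "catalog": {
        "uuid": "c0ffee00-0000-4000-8000-000000000001",
        "metadata": {"title": "Constructed mini catalog", "version": "0.1", "oscal-version": "1.1.2"},
        "groups": [
            {"id": "ac", "title": "Access Control", "controls": [
                {"id": "ac-1", "title": "Policy and Procedures",
                 "parts": [{"name": "statement", "prose": "Develop and maintain an access control policy."}]},
                {"id": "ac-2", "title": "Account Management",
                 "parts": [{"name": "statement", "prose": "Manage system accounts."}],
                 "controls": [                      # enhancements are nested controls
                     {"id": "ac-2.1", "title": "Automated System Account Management",
                      "parts": [{"name": "statement", "prose": "Support account management with automated mechanisms."}]},
                 ]},
            ]},
            {"id": "au", "title": "Audit and Accountability", "controls": [
                {"id": "au-2", "title": "Event Logging",
                 "parts": [{"name": "statement", "prose": "Identify the events to be logged."}]},
            ]},
        ],
    },
})


def iter_controls(container, family=None):
    """Yield (family title, control) depth-first, descending into groups and nested enhancements."""
    for group in container.get("groups", []):
        yield from iter_controls(group, group.get("title", family))
    for control in container.get("controls", []):
        yield family, control
        yield from iter_controls(control, family)


def load_catalog(text):
    """Return (metadata, {control id: {title, family, statement}}) for a catalog document."""
    doc = json.loads(text)
    catalog = doc["catalog"]
    index = {}
    for family, control in iter_controls(catalog):
        statement = next((p.get("prose", "") for p in control.get("parts", []) if p.get("name") == "statement"), "")
        index[control["id"]] = {"title": control["title"], "family": family, "statement": statement}
    return catalog["metadata"], index


def coverage(index, implemented):
    """Split a claimed-implemented list into implemented, missing, and ids the catalog does not know."""
    claimed, known = set(implemented), set(index)
    return {
        "implemented": sorted(claimed & known),
        "missing": sorted(known - claimed),
        "unknown": sorted(claimed - known),
    }


def by_family(index, ids):
    """Group control ids by family so gaps can be reported per control family."""
    out = {}
    for cid in ids:
        out.setdefault(index[cid]["family"], []).append(cid)
    return out


if __name__ == "__main__":
    meta, controls = load_catalog(CATALOG_JSON)
    report = coverage(controls, ["ac-1", "ac-2", "xx-9"])
    print(meta["title"], meta["oscal-version"])
    for family, missing in by_family(controls, report["missing"]).items():
        print(f"{family}: missing {missing}")
    print("unknown ids:", report["unknown"])
```

The `unknown` bucket is worth keeping: a control id that the catalog does not recognise usually means a team is tracking against a stale or different baseline, which is exactly the kind of drift a machine-readable catalog exists to catch.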

For posture management at a more tactical level, the Software Package Data Exchange (SPDX) is an open standard for transmitting a software bill of materials (SBOM). SBOMs were mandated for software sold to U.S. federal agencies by Executive Order 14028 in May 2021, so that agencies can track the provenance of the software components included in federal information systems. SPDX was adopted as an international standard, ISO/IEC 5962:2021, in August 2021. The ability to receive, store, and query SPDX documents lets a security team quickly find vulnerable dependencies across their organization’s IT environment.
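The query that matters most during an incident is "do we ship the affected component, and through what?". This is an added example, not code from the original article or from the SPDX project. The SBOM is a constructed SPDX 2.3 JSON document (fictional package names, versions and namespace) with packages carrying purls in `externalRefs` and `DESCRIBES`/`DEPENDS_ON` relationships; the advisory it is matched against is likewise made up and is not a real CVE. Version comparison is deliberately naive (dotted integers only) and should be replaced by the ecosystem's own rules in real tooling.

```python
"""Query an SPDX 2.3 SBOM for a dependency matched by a (constructed) advisory
and show how it is reached from the application the document describes."""
import json

# Constructed SBOM (fictional packages, versions and namespace) in SPDX 2.3 JSON form.
SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "ticket-portal-1.4.0",
    "documentNamespace": "https://sbom.example/ticket-portal/1.4.0",
    "creationInfo": {"created": "2024-03-01T09:00:00Z", "creators": ["Tool: constructed-example"]},
    "packages": [
        {"SPDXID": "SPDXRef-App", "name": "ticket-portal", "versionInfo": "1.4.0", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Pkg-webfw", "name": "webfw", "versionInfo": "3.2.1", "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/webfw@3.2.1"}]},
        {"SPDXID": "SPDXRef-Pkg-tmpl", "name": "tmpl", "versionInfo": "0.9.4", "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/tmpl@0.9.4"}]},
        {"SPDXID": "SPDXRef-Pkg-yamlkit", "name": "yamlkit", "versionInfo": "5.1.0", "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/yamlkit@5.1.0"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-App"},
        {"spdxElementId": "SPDXRef-App", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Pkg-webfw"},
        {"spdxElementId": "SPDXRef-App", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Pkg-yamlkit"},
        {"spdxElementId": "SPDXRef-Pkg-webfw", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Pkg-tmpl"},
    ],
})

# Constructed advisory, not a real CVE: every tmpl release before 0.9.6 is affected.
ADVISORY = {"purl": "pkg:pypi/tmpl", "fixed_in": "0.9.6"}


def version_key(version):
    """Dotted-numeric versions only; real tooling should use the ecosystem's own ordering."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """'pkg:pypi/tmpl@0.9.4?q=1#sub' -> ('pkg:pypi/tmpl', '0.9.4'); qualifiers and subpath dropped."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, _, version = base.partition("@")
    return name, version


def purl_of(pkg):
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def load_sbom(text):
    """Return ({SPDXID: package}, {parent: [children]}, [root SPDXIDs the document DESCRIBES])."""
    doc = json.loads(text)
    if not doc.get("spdxVersion", "").startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document")
    packages = {p["SPDXID"]: p for p in doc["packages"]}
    deps, roots = {}, []
    for rel in doc.get("relationships", []):
        kind = rel["relationshipType"]
        if kind == "DEPENDS_ON":
            deps.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
        elif kind == "DEPENDENCY_OF":        # the inverse spelling is equally valid SPDX
            deps.setdefault(rel["relatedSpdxElement"], []).append(rel["spdxElementId"])
        elif kind == "DESCRIBES" and rel["spdxElementId"] == doc["SPDXID"]:
            roots.append(rel["relatedSpdxElement"])
    return packages, deps, roots


def find_affected(packages, advisory):
    """SPDXIDs whose purl matches the advisory and whose version is below the fix."""
    hits = []
    for spdxid, pkg in packages.items():
        purl = purl_of(pkg)
        if not purl:
            continue
        name, version = split_purl(purl)
        if name == advisory["purl"] and version and version_key(version) < version_key(advisory["fixed_in"]):
            hits.append(spdxid)
    return hits


def dependency_paths(deps, roots, target):
    """Every root -> ... -> target path through DEPENDS_ON edges (cycle-safe)."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in deps.get(node, []):
            if child not in path:
                walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return paths


if __name__ == "__main__":
    packages, deps, roots = load_sbom(SBOM_JSON)
    for spdxid in find_affected(packages, ADVISORY):
        pkg = packages[spdxid]
        for path in dependency_paths(deps, roots, spdxid):
            print(f"{pkg['name']}@{pkg['versionInfo']} via " + " -> ".join(packages[p]["name"] for p in path))
```

Matching on the purl rather than on the free-text `name` field is the important design choice: the same library can be named differently by different SBOM generators, whereas a purl pins the ecosystem and package unambiguously, which is what makes SBOMs from several vendors queryable together.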

Seamless integration through the adoption of standardized data formats removes a lot of friction for security teams and helps them respond faster, minimizing the time needed to triage, analyze, and contain threats. That has knock-on effects: it shrinks the window an attacker has to perform internal reconnaissance and lateral movement within a network. Ultimately, if a faster response narrows that window enough, the attacker never gets to carry out their actions on objectives.

