The Open Cybersecurity Schema Framework (OCSF) is a standardized data model for cybersecurity information sharing.

It is composed of categories, event classes, data types, attributes, and objects. It provides a detailed overview of the framework, its key concepts, and its role in standardizing cybersecurity data sharing.

OCSF has also evolved significantly since its initial release.

The following analysis provides a detailed overview of the key updates and changes introduced in each major version. By understanding the key changes and enhancements introduced in each version, you can:

• Make informed decisions: Choose the most suitable OCSF version for your organization's specific needs.
• Stay up-to-date: Keep abreast of the latest developments in cybersecurity data standardization.
• Improve data sharing: Leverage OCSF to enhance data sharing and collaboration within your organization and with external partners.

OCSF 1.0.0

• Initial Release: OCSF 1.0.0 laid the groundwork for a standardized cybersecurity data model.
• Core Concepts: Introduced fundamental entities like assets, threats, vulnerabilities, and incidents.
• Basic Relationships: Defined relationships between these entities to represent cybersecurity events and incidents.
• Limited Flexibility: While providing a foundation, OCSF 1.0.0 had limitations in terms of granularity and flexibility for certain use cases.

OCSF 1.0.0 introduced fundamental entities like assets, threats, vulnerabilities, and incidents, along with relationships between them to represent cybersecurity events and incidents. While providing a foundation, OCSF 1.0.0 had limitations in terms of granularity and flexibility for certain use cases.

Release candidates (RCs) played a crucial role in the development and refinement of OCSF. These pre-release versions were made available to the community for testing and feedback, helping to identify and address potential issues before the official release. The RCs ensured that OCSF 1.0.0 was stable, reliable, and met the needs of its intended users.

OCSF 1.1.0

• New Event Classes: Introduced new event classes for user inventory, vulnerability findings, network traffic, and data access.
• New Objects: Added new objects like cwe, kb_article, and epss for vulnerability and knowledge base information.
• Improved Profiles: Enhanced the security_control profile to include access control semantics and firewall properties.
• Metaschema Improvements: Introduced JSON-schema based metaschema validation for improved data correctness and consistency.

OCSF 1.2.0

• New Event Classes: Added event classes for data security findings, file queries, folder queries, and other query types.
• New Objects: Introduced new objects like auth_factor, data_security, and autonomous_system.
• Improved Event Classes: Enhanced existing event classes with new attributes and functionalities.
• Improved Objects: Expanded existing objects with new attributes and improved data types.
• Metaschema Improvements: Continued to refine the metaschema for better validation and error reporting.

OCSF 1.3.0

• New Event Classes: Introduced event classes for remediation activities, software inventory, and device config state changes.
• New Profiles: Added the osint profile for OSINT data.
• New Objects: Introduced new objects like d3fend, d3f_tactic, d3f_technique, and ja4_fingerprint.
• Improved Event Classes: Enhanced existing event classes with new attributes and functionalities, such as file_result in File Hosting Activity and risk_details in Detection Finding.
• Improved Objects: Expanded existing objects with new attributes, such as ext in File, auth_factors in Authentication, and data_classification in multiple objects.
• Bug Fixes: Implemented various bug fixes to improve the schema's accuracy and reliability.
• Deprecated Features: Marked some attributes and objects as deprecated in favor of newer or more standardized alternatives.

Future of OCSF - OCSF 1.4.0-dev

As OCSF continues to evolve, the upcoming version 1.4.0-dev is set to bring a wide range of new advancements that will further elevate its role in the cybersecurity ecosystem. Here are some of the key areas where the framework is expected to innovate:

• Enhanced Integration with AI and ML: It aims to seamlessly integrate with artificial intelligence and machine learning technologies for improved threat detection, incident response, and risk assessment.
• Expanded Support for Emerging Technologies: It will incorporate data models and schemas to address the challenges and opportunities presented by emerging technologies, such as quantum computing and blockchain.
• Improved Data Governance and Privacy: It will focus on enhancing data governance features to address increasing concerns around data privacy and compliance, including compliance with regulations like GDPR and CCPA.
• Enhanced Interoperability: It aims to further improve its interoperability with other cybersecurity standards and frameworks, such as Open Threat Intelligence (OTI) and Common Vulnerability and Exposure (CVE).
• Support for Cybersecurity Automation: It will include features to support automation workflows and integration with automation platforms, enabling organizations to streamline their security operations.

Key Changes Between Versions

Detailed Analysis of Specific Changes

OCSF 1.1.0 introduced significant enhancements in terms of coverage and flexibility. It introduced new event classes for user inventory, vulnerability findings, and network traffic, as well as new objects like cwe, kb_article, and epss. The security_control profile was also improved to include access control semantics and firewall properties.

OCSF 1.2.0 further expanded the scope of OCSF by adding event classes for data security findings, file queries, folder queries, and other query types. It also introduced new objects like auth_factor, data_security, and autonomous_system. The framework's flexibility and integration capabilities were also enhanced during this version.

OCSF 1.3.0 introduced new event classes for remediation activities, software inventory, and device config state changes. It also added the osint profile for OSINT data and several new objects like d3fend, d3f_tactic, and d3f_technique. The framework's capabilities for capturing detailed information about cybersecurity events were further enhanced during this version.

OCSF 1.4.0-dev is currently under development and is expected to introduce significant enhancements in terms of integration with AI and ML, support for emerging technologies, data governance and privacy, interoperability, and cybersecurity automation.

Final Thoughts

By understanding the key changes and enhancements introduced in each OCSF version, organizations can make informed decisions about which version best suits their specific needs and goals.

To gain a deeper understanding of how OCSF structures and organizes its data, including the key elements and relationships within the data model, you can refer to our detailed blog on the OCSF Data Hierarchy. This will provide additional insights into how the framework standardizes security telemetry.

Also Read: Improved Data Integration with OCSF

Metron Security provides on-demand and effective approaches to managing third-party integrations for security ecosystems. Since 2014, Metron has delivered automation solutions for over 250 security applications along with several hundred custom automation solutions.

If you are looking to set up any integrations with the OCSF Schema and are facing challenges, you can reach out to us at connect@metronlabs.com.