So why is something like this necessary? Monitoring the computers systems under their purview is a major challenge for cybersecurity departments. In order to stop hacks—or piece together what happened after one—these departments need to be able to see information about things like the number of recent login attempts, what files have been accessed, and when it’s all happened.
In other words, cybersecurity teams aren’t solving cybersecurity problems: they’re using spreadsheets to try and get the data they need from one product to line up with the data they need from another. For example, one bit of software might track logins and login attempts, another tracks what logged-in users do with files on the server, and a third tracks admin access and other high-level requests. Then, assume a hacker breaks into a computer system, installs a bit of malware into a particular folder, and uses that piece of malware to get admin access—all so they can download a load of industry secrets or whatever their target might be.
To follow or recreate this complex sequence of events, the cybersecurity team will have to combine data from all three logging tools. The login-tracking app will report how the hacker got in, the file-tracking app will report the malware install and the download of all the important files, while the admin-tracking app will report how and when they did it. Unless all three apps use the same data format , that’s going to involve a lot of data manipulation.
What the OCSF does is create an open data format that any product vendor can use. This means that different security, hosting, and other relevant tech products can all work together much more easily. Instead of the login, file, and admin-tracking apps all having their own proprietary way of logging timestamps, they’d all be able to use the same standardized data structure. That way, the cybersecurity team could easily track—and ideally stop—the hacker.