Exploring the OCSF Framework in AWS: Design, Implementation and Performance Analysis of a Security Lake Platform

In the cybersecurity world, identifying and contrasting cyber attacks necessitates the synergistic deployment of diverse tools. These tools generate streams of alerts and isolated data, with different log formats and data schema, often demanding manual correlation for comprehensive analysis and response. The Splunk State of Security 2023 report [1] underscores that 64% of Security Operations Center (SOC) teams face challenges transitioning between security tools due to limited integration. The collected data cannot be seamlessly combined, hindering the ability to obtain a holistic view of the security environment. Cybersecurity teams find themselves dedicating significant time and effort to manually normalize data across diverse tools. This manual effort detracts from their primary focus on detecting, investigating, and responding to security events. In essence, the data manipulation and normalization process becomes a bottleneck, impeding the efficiency of security operations. The Open Cybersecurity Schema Framework (OCSF), unveiled during the BlackHat conference in August 2022, represents a groundbreaking initiative in the realm of cybersecurity. It is designed as an open schema standard with the key objective of offering a straightforward taxonomy that transcends supplier-specific constraints. This framework is deliberately vendor-agnostic, allowing it to be seamlessly integrated into any environment, embraced by any application, and adopted by diverse solution providers. This solution allows security teams to accelerate and streamline the data entry and analysis process, along with correlating data, without requiring time-intensive upfront standardization efforts. In November 2022, Amazon Web Service (AWS) introduced Amazon Security Lake, a service that leverages OCSF as its foundational data schema. It is a security data lake and helps to consolidate security-related information from various sources, including AWS environments, SaaS providers, on-premises infrastructure, cloud platforms, and third-party providers. The primary function of Security Lake is to facilitate in-depth analysis of security data, empowering organizations to gain a holistic view of their security landscape across the entire enterprise. By leveraging Security Lake, users can enhance the safeguarding of their workloads, applications, and data, thereby fortifying the overall security posture of their organization. The objective of the project is to leverage the OCSF standard and to design the architecture of a platform that is able to ingest and normalize security logs in OCSF format, integrate logs and events from external sources in the Security Lake, and develop an implementation to automate the creation and configuration of such a platform. The thesis also analyzes the scalability of the created application and measures the ability of the system to ingest data, highlighting any constraints encountered and potential alternative solutions to improve scalability. [1] https://www.splunk.com/en_us/blog/security/overcome-cybersecurity-challenges-to-improve-digital-resilience.html