Some of the biggest names in security have banded together for a new industry initiative to make it easier for different security technologies to work together. While a laudable goal, without concerted effort to get everyone on board, this project will turn into yet another partnership program among select vendors.
Open standards consortium OASIS (the Organization for the Advancement of Structured Information Standards) announced the Open Cybersecurity Alliance (OCA), a new OASIS Open Project focused on improving data sharing and interoperability across security technologies. OCA's goal is to solve a very big problem: the security market is littered with products, but most of them aren't designed to work together. The OCA will encourage member companies to form an open ecosystem in which security products can share information, insights, orchestrated responses, and analytics.
"The purpose of the OCA project is to develop and promote sets of common code, tooling, patterns, and practices for sharing data among cybersecurity tools," OASIS said in its project announcement.
According to figures from the Enterprise Strategy Group, a typical organization uses 25 to 49 different security tools from up to 10 vendors. That is a lot of products to manage, and integrating them tends to be expensive and time-consuming. Security technologies frequently operate in silos because information collected by one cannot easily be consumed by another.
Past efforts to encourage data exchange have floundered because there was no standard format for tools to transmit and receive messages from each other, said Carol Geyer, chief development officer of OASIS. OCA will develop protocols and standards to make it possible to integrate these tools and share information across vendors.
“The aim of the OCA is to accelerate the open sharing concept making it easier for enterprises to manage and operate,” Geyer said.
OCA launched with two technologies from its two lead sponsors, McAfee and IBM Security. McAfee contributed its security messaging format, the OpenDXL Standard Ontology. The other, STIX Shifter, is a search layer for security products: it translates a STIX threat-intelligence pattern into a query the underlying data repository understands, runs it to find records related to a potential threat, and converts the results back into STIX so they can be shared in a format other tools can consume. STIX Shifter is based on an IBM open source library.
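To make the "shifter" idea concrete, the following Python sketch is an added example written for this article, not code from the stix-shifter library or its API. It assumes a hypothetical `flows` table with `src_ip`, `dst_port`, `url` and `ts` columns (the STIX-path-to-column mapping, the `tcp` protocol label and the sample rows are all constructed assumptions), translates a STIX observation expression into a query for that table, and normalises the rows that come back into STIX 2.1 observables plus an observed-data object that another tool could ingest.

```python
"""Added illustration of what a STIX 'shifter' does: translate a STIX pattern
into a query for one data repository, then normalise the raw rows that come
back into STIX 2.1 objects another tool can ingest.  Example code written for
this article; it is not the stix-shifter library's own code or API."""
import json
import re
import uuid
from datetime import datetime, timezone

# Assumed data source: a hypothetical "flows" table.  The mapping from STIX
# object paths to its columns is an assumption made for this example.
TABLE = "flows"
FIELD_MAP = {
    "ipv4-addr:value": "src_ip",
    "network-traffic:dst_port": "dst_port",
    "url:value": "url",
}

# One STIX comparison: <object-path> <op> '<string literal>' (\' escapes a quote).
_COMPARISON = re.compile(r"([\w\-]+:[\w\-.]+)\s*(=|!=|LIKE)\s*'((?:[^'\\]|\\.)*)'")


def translate_pattern(pattern: str) -> str:
    """Turn an observation expression such as
    [ipv4-addr:value = '203.0.113.5' AND network-traffic:dst_port = '445']
    into a SELECT against the assumed table.  Unknown paths are rejected rather
    than passed through, and string literals are re-quoted for the target, so a
    pattern taken from an untrusted feed cannot change the shape of the query."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a bracketed STIX observation expression")
    clauses = []
    for part in re.split(r"\s+(AND|OR)\s+", body[1:-1]):
        if part in ("AND", "OR"):
            clauses.append(part)
            continue
        m = _COMPARISON.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported comparison: {part!r}")
        path, op, raw = m.groups()
        if path not in FIELD_MAP:
            raise ValueError(f"no column mapping for {path}")
        value = re.sub(r"\\(.)", r"\1", raw)   # undo STIX backslash escaping
        safe = value.replace("'", "''")        # quote for the target query language
        clauses.append(f"{FIELD_MAP[path]} {op} '{safe}'")
    return f"SELECT * FROM {TABLE} WHERE " + " ".join(clauses)


# Namespace STIX 2.1 uses for deterministic cyber-observable ids.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")


def make_sco(stix_type: str, **props) -> dict:
    """Build a cyber-observable with the deterministic UUIDv5 id that STIX 2.1
    derives from the object's ID-contributing properties, so the same observable
    seen twice yields the same id and deduplicates cleanly."""
    key = json.dumps(props, sort_keys=True, separators=(",", ":"))
    return {"type": stix_type, "spec_version": "2.1",
            "id": f"{stix_type}--{uuid.uuid5(SCO_NAMESPACE, key)}", **props}


def rows_to_bundle(rows: list) -> dict:
    """Normalise raw rows from the assumed table into a STIX bundle: one SCO per
    distinct observable plus an observed-data object that references them."""
    scos = {}
    for row in rows:
        ip = make_sco("ipv4-addr", value=row["src_ip"])
        flow = make_sco("network-traffic", src_ref=ip["id"],
                        dst_port=int(row["dst_port"]), protocols=["tcp"])  # assumed tcp
        for obj in (ip, flow):
            scos.setdefault(obj["id"], obj)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    stamps = [row["ts"] for row in rows]
    observed = {
        "type": "observed-data", "spec_version": "2.1",
        "id": f"observed-data--{uuid.uuid4()}",
        "created": now, "modified": now,
        "first_observed": min(stamps), "last_observed": max(stamps),
        "number_observed": len(rows),
        "object_refs": list(scos),
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [*scos.values(), observed]}


# Constructed rows, as the hypothetical table might return them for the query.
SAMPLE_ROWS = [
    {"src_ip": "203.0.113.5", "dst_port": "445", "ts": "2019-10-08T12:00:00.000Z"},
    {"src_ip": "203.0.113.5", "dst_port": "445", "ts": "2019-10-08T12:05:00.000Z"},
]

if __name__ == "__main__":
    print(translate_pattern("[ipv4-addr:value = '203.0.113.5' AND network-traffic:dst_port = '445']"))
    print(json.dumps(rows_to_bundle(SAMPLE_ROWS), indent=2))
```

The two halves are the whole point of the "integrate once, reuse everywhere" pitch: the pattern side is written once per data source, the STIX side is the same for every consumer. The mapping table is also where an integration should reject anything it does not recognise, since a pattern received from a partner's tool is input, not trusted configuration.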
OCA's Project Governing Board will identify and select additional projects.
“Vendors who make use of these code, tooling, and patterns, will be able to seamlessly interoperate with any other vendors who are making use of OCA project deliverables,” OASIS said in its project announcement. “Integrate once, reuse everywhere.”
The OCA will address the entire threat management lifecycle, including threat hunting and detection, analytics, operations, and response. If the OCA delivers on its promises, enterprise defenders will be able to share data collected by one product with the other products in their infrastructure, which would reduce vendor lock-in. Connecting data across the portfolio would also improve security visibility, because correlating what each tool sees can surface threats that any single product would miss.
"Easy integration also mitigates the problem of having to be too selective and narrow in focus when it comes to choosing which vendor technologies to integrate with," wrote Jason Keirstead, IBM Security Threat Management chief architect and a member of the OASIS Board of Directors.
Other companies signing onto OCA include Advanced Cyber Security Corp, Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient, and Tufin. In some cases, OCA is reaffirming existing partnerships. For example, many of the participating organizations are Fortinet Fabric-Ready Technology Alliance partners, Fortinet said.
“OCA would improve our integration efforts and act as a catalyst for easing the move for our customers embarking on new digital transformation projects,” Fortinet said.
This isn't the first time a security company has tried to encourage interoperability through open systems. Symantec's Integrated Cyber Defense Exchange had similar goals, which means vendors now have to decide which initiative to support. For open information sharing to really work, all the vendors have to work together: an ecosystem where security tools work with only some vendors is not an open one. Instead of each security technology sitting in its own silo, the market winds up fragmented into silos of competing information exchange standards.
An ecosystem where IT and security vendors work together will make life easier for enterprise defenders, and a community-driven effort like OCA could potentially expedite risk identification and vulnerability remediation, said Thomas Hatch, CTO at SaltStack. However, he warned that just forming a consortium wasn’t enough; there would need to be concrete deliverables.
“Too often we've seen industry consortiums struggle to deliver any real value to the security and IT operators who are on the front lines of protecting the world’s digital infrastructure,” Hatch said. “The cybersecurity industry needs less talk and more action.”