Enterprise cybersecurity teams use on average 25 to 49 different security tools, each of which generates an explosion of data and insights. The necessity and value of integrating security tools is undeniable. Integration lets companies streamline their security management, consolidate vendors and policies, improve data exchange, and automate workflows.
Although many tools already integrate with one another, there is a lack of industry-wide vendor cooperation on protocols and standards surrounding sharing cybersecurity insights and findings. It’s led to one-off, vendor-specific integrations that are expensive to maintain and often limited in their ability to share full data on findings, insights, or incidents. Enterprises are often unable to break down their data silos and extract peak value from their investments. Vendors find themselves torn on where to invest their finite resources when it comes to choosing integration partners. The only ones who benefit are the bad guys.
The OCA works to change that. We develop and promote sets of common code, patterns, and practices so that cybersecurity tools can share data. Products that support the OCA ecosystem will be able to seamlessly interoperate with one another.
Our focus is on data interchange over a common, standardized messaging bus within the threat management lifecycle. That includes threat hunting and detection, analytics, operations, and response.
OCA supports current standards such as STIX and OpenC2, as well as other standards that may be chosen by the community (no matter where they’re developed). OCA deliverables themselves have the potential to evolve into OASIS Standards, depending on the wishes of the community.
Companies want the ability to integrate ‘best-of-breed’ products and solutions into their operational environments with minimal effort and time. It’s only the lack of real interoperability at the communications and data levels that’s been standing in the way. For end users, the inability to properly optimize and extract value from existing toolchains, often leads to attempts to re-solve problems that have been already solved in other cyber domains – simply because clients do not realize a solution already exists due to failure to interoperate and extract that value.
This can lead to the unnecessary procurement of new tools to replace functions that already exist in current tools but are being under-utilized – exponentially exasperating the problem of too many non-integrated tools in their environments. Further, poor integration can also lead to missing critical insights and findings that would have otherwise been detected if the tools were more well-integrated. A second benefit to end users is reduction of vendor lock-in, as more tools in the cybersecurity operations ecosystem implement their integrations using OCA tooling and standards. The choice of which tools to integrate can now be placed in the hands of the end user rather than waiting for vendors to strike agreements with one another.
For vendors, the ability to integrate cybersecurity products with multiple vendors using one common set of communication capabilities and tooling will greatly reduce the expense of engineering resources spent on integration. Easy integration also mitigates the problem of having to be too selective and narrow in focus when it comes to choosing which vendor technologies to integrate with. Resources previously spent on integrations can then be re-deployed to other parts of the product pipeline, enabling higher value functionality to be developed in the products.