Introduction to Amazon Security Lake

In May 2023, AWS announced the general availability of a new service aimed at enhancing the security data management capabilities of AWS users: Amazon Security Lake. Designed to facilitate the effortless establishment of a data lake specifically for security-related data, Amazon Security Lake stands out by offering a distinctive OCSF Event class for storing and managing Cloud Native Logs. From the perspective of Organization, it enables the collection of logs from multiple accounts and regions at once, allowing for centralized monitoring of which accounts’ logs in which regions are not configured. Additionally, even if a new account is added, it can be set up in less than a minute. These features highlight the advantages of enabling Amazon Security Lake.

One of the key strengths of Amazon Security Lake lies in its ability to aggregate security logs not only from AWS Native services but also from a variety of third-party security solutions. These logs are stored in the Amazon S3 service using the Parquet file format, known for its efficient data compression and storage capabilities. The collection and storage process adheres to the standards of the Open Cybersecurity Schema Framework (OCSF), significantly reducing the time and resources required for the normalization of security data.

Moreover, the separation of logs into a distinct OCSF Event class paves the way for addressing one of the most critical challenges in security compliance and governance: the establishment of robust incident prevention and monitoring systems. Amazon Security Lake leverages OCSF to normalize data from all security resources within a workload, storing this unified data in Amazon S3. This approach facilitates the creation of a comprehensive system for responding to security threats through the use of various Subscriber Tools.

To further enhance its utility, Amazon Security Lake supports configuration with a range of AWS services, including Amazon Athena, Amazon Redshift, and Amazon QuickSight, as well as third-party Subscriber Tools like Imply and Splunk. This versatility allows businesses to conduct thorough log data analysis and visualization, while also offering the flexibility to tailor the system to meet specific security needs. Through the strategic use of Subscriber Tools that align with a company’s unique environment, Amazon Security Lake enables more efficient and customized security data management solutions.

What is OCSF?

OCSF stands for ‘Open Cybersecurity Schema Framework’, a framework developed as an open-source project by prominent security and technology companies such as Splunk, AWS, and IBM. The primary goal of this initiative is to dismantle the existing security data silos and to standardize the data formats utilized across different security tools. This standardization is aimed at enhancing the efficiency of detecting and analyzing security threats.

Numerous organizations rely on a variety of security solutions and services. However, a significant challenge arises due to the disparate data formats employed by the different security solutions. This diversity necessitates a considerable expenditure of time and resources on data normalization processes before any meaningful analysis and investigation can be conducted to identify and respond to cyber attacks. The introduction of OCSF addresses this issue by enabling the management and sharing of security-related data and logs in a uniform structure and format. Consequently, security teams can allocate more of their time and efforts towards data analysis, threat identification, and cyber defense, rather than being bogged down by data normalization tasks. This simplification of processes is a key benefit of adopting OCSF.

Furthermore, OCSF has been designed with the flexibility to accommodate various event types and cases within the cybersecurity domain. With ongoing updates and improvements, its applicability and utility are expected to broaden even further, making it a valuable asset for enhancing cybersecurity efforts across industries.

OCSF v.1.1.0

In the previous year, version 1.0.0 of OCSF was initially released, featuring six categories:
System Activity, Findings, Identity & Access Management, Network Activity, Discovery, and Application Activity.

OCSF is fundamentally categorized into ① Data Types/Attributes and Arrays, ② Event Class, ③ Category, ④ Profile, ⑤ Extension. (For more detailed descriptions, refer to the OCSF GitHub)
① Data Types, Attributes and Arrays:
● The types of Data Type include data types such as strings, integers, floating-point numbers, and booleans.
● Attribute is a unique identifier name for a specific valid data type among scalar or complex data types (defined as an object).
② Event Class: Constitutes a set of properties that elaborately describe the meaning of an event.
③ Category: Groups Event Classes by category (System Activity, Findings, Identity & Access Management, Network Activity, Discovery, Application Activity).
④ Profile: Additional related characteristics of Event Class and Object.
⑤ Extension: Allows for the extension of the schema using the framework without modifying the core schema (Linux, Windows, macOS).

Since its release, an update to v1.1.0 was implemented in January of this year. Significant enhancements involve the expansion and updating of new Event Classes, Profiles, and Objects. Further details are outlined below.

OCSF v1.1.0 Added

Added Class Type to OCSF v1.1.0

Compared to OCSF v1.0.0, where vulnerabilities, compliance, detections, and threats were all classified under the Security Finding class, the introduction of v1.1.0 has brought significant enhancements. Detailed Event Classes such as Vulnerability Finding, Compliance Finding, Detection Finding, and Incident Finding (Linux) have been added. These additions enable the effective utilization of the results from security investigations, including those from services like AWS Security Hub.

Network Activity category has been expanded with the introduction of a new NTP Activity class. In the Discovery category, several new classes have been introduced, including User Inventory Info, Operating System Patch State, Device Config State Change, Registry Key/Value Info, and Prefetch Info. Additionally, in the Application Activity category, new classes such as Datastore Activity, File Hosting Activity, and Scan Activity have been added. These updates enhance the succinct representation of data and improve usability by mapping various security logs and events to more specific and appropriate event classes.

OCSF v1.1.0 Improved

Not only were new Event Classes, Profiles, and Objects introduced in v1.1.0, but significant enhancements were also made to the details of these elements. For example, within the ‘Account Change’ event class, specific values such as ‘MFA Factor Enable’ and ‘MFA Factor Disable’ have been incorporated into the ‘activity_id.’ This addition provides a more detailed means to verify whether MFA authentication for an account is activated or deactivated. Moreover, the ‘Web Resources Activity’ event class now includes ‘http_request’ and ‘http_response,’ enabling a thorough examination of HTTP request and response details. Additionally, the introduction of a ‘tls’ attribute enhances the ability to inspect TLS properties, among others, facilitating a more precise and detailed mapping of logs.

Building upon these enhancements, v1.1.0 introduced further updates, including the removal of obsolete or unused attributes and objects, the integration of the SentinelOne Extension, and adjustments to ensure the validity of data types, among other modifications. These changes collectively contribute to the ongoing refinement and utility of the system, underscoring a commitment to highlighting the precision and relevancy of log mapping.

Update of OCSF v1.2.0

Following v1.1.0, the most recent version, v1.2.0, has been freshly updated in April 2024. v1.2.0 is not yet supported as a source version in Security Lake, but it seems likely that it will be available soon. The updates in v1.2.0 are as follows.

OCSF v1.2.0 Added

v1.2.0 has brought about a significant expansion in the Discovery category of the Open Cybersecurity Schema Framework (OCSF), particularly with the addition of event classes related to queries such as Kernel, Folder, File, Module, and Networks. This enhancement facilitates the categorization of event classes based on each system and type, thus enabling the transformation of information about kernel resources, system files and folders, and loaded modules into schemas that are more suitable for logs and events. Moreover, the inclusion of profiles, objects, and observables has been highlighted, building upon the introduction of more detailed event classes and objects in v1.1.0, which also provided various options for different use cases.

Continuous research and updates are being conducted on OCSF with the aim of becoming widely adopted across numerous sectors and establishing itself as a formal cybersecurity standard in the future

By leveraging Amazon Security Lake in conjunction with OCSF for standardization and centralization, organizations can efficiently integrate and analyze security logs and events not only from AWS Native Services but also from third-party solutions. This approach enables consistent security data management and significantly reduces the time and effort required during the data preparation process, offering a streamlined and effective strategy for managing security threats and vulnerabilities.

Amazon Security Lake and MegazoneCloud

Dealing with a new service for the first time can often involve a significant learning curve or require prior experience. However, MegazoneCloud offers a variety of offerings that utilize Amazon Security Lake.

Last year, MegazoneCloud was selected as the first Security Lake SDP (Service Delivery Partner) in Korea.
AWS evaluates and verifies the experience and expertise of partners in specific services to select them as SDPs. MegazoneCloud has been supporting cloud journeys ranging from cloud adoption to optimization for over 2,000 customers as an AWS Premier Consulting Partner. Now, as an AWS Security Lake SDP, MegazoneCloud provides consulting and construction services to help customers adopt Security Lake.

● Consulting: MegazoneCloud conducts assessments and designs architectures tailored to the customer’s security objectives.
● Implementation: Following the assessments and architecture design aligned with the customer’s security goals, MegazoneCloud carries out the actual implementation and verification.

In the security industry, there are numerous security categories, and third-party MSPs (Managed Service Providers) offer solutions for security threat response, compliance review, and assessment (CSPM, CWPP, CNAPP, SOAR, etc.). MegazoneCloud is also actively driving the 3rd Party CSPM, CWPP, and CNAPP lineup. Additionally, through the construction of Security Lake and consulting, MegazoneCloud provides an experience that allows customers to enhance their own security level. The distinguishing feature of MegazoneCloud’s security consulting and implementation services is that they provide tools and experiences that enable customers to define their security goals and assemble data from numerous services and security solutions into a single outcome.

If you have any questions or need further information about Amazon Security Lake, please don’t hesitate to contact us at the email address provided below or leave your comments. Thank you for reading!

✉️Email us: megazonecloud-asl@megazone.com

Written by Danny Woo, Office of CTO, MegazoneCloud
SeungHyun Yoo / Sojeong Baek / Yeeun Lee, Cloud Technology Center, MegazoneCloud