TalksAWS re:Invent 2025 - Build a Future-Ready SOC:Transform security logging with OCSF and generative AI

AWS re:Invent 2025 - Build a Future-Ready SOC:Transform security logging with OCSF and generative AI

Transforming Security Logging with OCSF and Generative AI

Challenges with Modern Security Logging

  • Security is a data problem, not a lack of data
  • Enterprises manage diverse environments (on-premises, multi-cloud, SaaS) with different log formats
  • Security teams spend time writing custom data parsers instead of focusing on threat detection
  • Exponential growth in log data volume and variety leads to "data tsunami" and lack of insights

Introducing OCSF (Open Cybersecurity Schema Framework)

  • OCSF is an open-source, purpose-built framework for security data
  • Provides a universal data format to normalize logs from diverse sources
  • Maintains consistent data structure, field names, and query paths
  • Source-agnostic - works with AWS platform logs and third-party tools
  • Enables cost savings through compressed storage and faster queries

Merc's OCSF Transformation Journey

  • Merc, a global healthcare company, had a central logging environment with visibility gaps
  • Aimed to accelerate incident response, enable AI/ML, and optimize costs
  • Implemented AWS Security Lake to automatically transform logs to OCSF format
  • Achieved 48% reduction in operational overhead and 47% infrastructure cost savings

Leveraging OCSF and Generative AI for Incident Response

  • OCSF's consistent data schema enables more effective AI/ML analysis
  • Agentic AI prototype can investigate security incidents in under 5 minutes
  • Agents correlate security context, threat intelligence, and infrastructure data
  • Reduces manual effort in log analysis and investigation

Extending OCSF Benefits to Operational Insights

  • OCSF's standardized schema allows quick root cause analysis for cost spikes
  • Identified a spike in KMS decrypt events due to S3 data events being enabled
  • Enables self-service access to data and accelerates operational troubleshooting

Key Takeaways

  • OCSF provides a future-ready solution to transform security logging and enable AI/ML
  • Merc achieved significant operational efficiency, cost savings, and accelerated incident response
  • Agentic AI leverages OCSF's consistent data model to automate security and operational analysis
  • OCSF is an open-source, customizable framework with a growing ecosystem of partners and contributors

Your Digital Journey deserves a great story.

Build one with us.

Cookies Icon

This website stores cookies on your computer.

These cookies are used to collect information about how you interact with this website and allow us to remember you. We use this information to improve and customize your browsing experience, as well as for analytics.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference.