The “Cloud Security Notification Framework” (CSNF) is an open-source initiative launched by the ONUG Collaborative in 2021 to address a vexing challenge in cloud computing today: how to respond effectively to the disparate and growing array of security-related alarms and notifications generated in multi-cloud operational contexts encompassing public cloud services and private cloud infrastructure. Large-scale enterprise hybrid multi-cloud environments typically feature workloads deployed across a multitude of cloud services and on-premises systems, each generating its own set of alarm and event notifications that are collected, processed and analyzed in the NOC and/or the SOC.
Security analysts in the SOC rely on systems that ingest and store a steady stream of security-related notifications so that they can detect and respond to a non-stop barrage of security threats. Experienced analysts are adept at performing a series of database queries and interpreting the results to deduce the root cause of security incidents. The critical time-to-resolution is a direct function of how quickly analysts are able to work through this process.
The trouble is, cloud services and on-premises systems emit security notifications in a Tower of Babel of different languages and varying message formats. The leading cloud providers emit notifications that are too often “semantically equivalent but syntactically different” from each other. A seasoned analyst might be able to mentally translate between notifications generated by a handful of systems on the fly, but as the number of services and systems increases, this becomes untenable for all but true savants, resulting in unacceptably long response times for resolving security incidents in complex hybrid multi-cloud scenarios.
One approach for overcoming this challenge is to throw people at the problem by employing multiple analysts, with each responsible for analyzing notifications originating from a partitioned subset of services or systems. While this approach may prove effective, it is more costly and still requires intensive, real-time communication between analysts when the SOC team is responding to threats spanning multiple services and systems, which is increasingly common in large-scale multi-cloud environments targeted by sophisticated threat actors.
In addition, as cloud computing environments grow increasingly complex and the volume of security notification messages increases, human analysts will be challenged to keep pace with the flow of information, regardless of their expertise. Ultimately, security operations will require automated, AI-based systems to rapidly respond to security threats. However, due to the security notification Babel problem, constructing and keeping these systems up to date will be tedious and costly.
When the ONUG Collaborative CSNF team began looking at these challenges in 2021, the members believed that there had to be a better way: develop a canonical data model for cloud security notifications that solves the Babel problem by defining a universal log message format. Notifications normalized into that format can be interpreted directly by security analysts, without having to decode the syntax of messages generated by a myriad of cloud services and systems.
CSNF’s common format enables analysts to perform a wide range of queries with no need to understand the peculiarities of each message source, simplifying threat analytics and reducing the time-to-resolution for security incidents. Analysts are also more productive and can easily share information across multiple operational domains. In addition, CSNF’s canonical data model is also well-suited for feeding normalized security notifications to AI-based security analytics tools that will augment the abilities of human analysts.
To be clear, sifting through log messages to identify security threats is a painstaking process, even after applying CSNF’s canonical data model to log messages. However, CSNF allows security analysts to concentrate on the detective work of threat surveillance and not squander precious time decoding proprietary message formats – a problem that is only getting worse as the number of services and systems supporting cloud-based workloads increases.
A simple example helps to illustrate the power of CSNF. Here are the field paths that three different cloud services use to carry the same piece of information, the identity of the actor behind an event:
Oracle Cloud Guard: `data.additionalDetails.resourceName`
Azure Defender: `properties.extendedProperties.client`
AWS GuardDuty: `Resource.AccessKeyDetails.GeneratedFindingUserName`
CSNF’s canonical data model maps each of these to a common normalized representation which is syntactically concise and semantically clear:
CSNF: `event.actor`
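To make the mapping concrete, here is a small normalizer written for this post; it is an added illustration, not code from the CSNF project or the CSNF Splunk TA. Only the four field paths quoted above come from CSNF. The provider names used as keys, the `normalize_finding` helper, the `provider` bookkeeping field and the sample findings are all constructed for the example, and the fourth sample deliberately omits the actor field to show that a missing source value yields a record of the same shape with `event.actor` set to `None` rather than a crash.

```python
"""Added example: normalizing provider-specific findings into a CSNF-style record.

Illustrative code written for this post, not the CSNF project's own implementation.
Only the four dotted field paths come from the post; everything else (provider
keys, sample findings, the 'provider' field) is an assumption made here.
"""
import json
from typing import Any

# Provider field path -> canonical CSNF field, as quoted in the post.
# Other fields of the CSNF data model are not covered by this example.
ACTOR_SOURCE_PATHS = {
    "oracle_cloud_guard": "data.additionalDetails.resourceName",
    "azure_defender": "properties.extendedProperties.client",
    "aws_guardduty": "Resource.AccessKeyDetails.GeneratedFindingUserName",
}
CANONICAL_ACTOR_FIELD = "event.actor"


def get_path(obj: Any, dotted: str) -> Any:
    """Walk a dotted path through nested dicts; return None if any hop is missing."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def set_path(obj: dict, dotted: str, value: Any) -> None:
    """Create nested dicts along a dotted path as needed and set the leaf value."""
    keys = dotted.split(".")
    cur = obj
    for key in keys[:-1]:
        cur = cur.setdefault(key, {})
    cur[keys[-1]] = value


def normalize_finding(provider: str, finding: dict) -> dict:
    """Return a CSNF-style record with event.actor filled from the provider's field.

    Raises KeyError for a provider with no mapping. When the provider field is
    absent, event.actor is present but None, so downstream searches always see
    the same shape regardless of source.
    """
    source_path = ACTOR_SOURCE_PATHS[provider]
    actor = get_path(finding, source_path)
    record = {"provider": provider}  # assumed bookkeeping field, not part of CSNF
    set_path(record, CANONICAL_ACTOR_FIELD, actor)
    return record


# Constructed sample findings, reduced to the path relevant for this example.
SAMPLE_FINDINGS = [
    ("oracle_cloud_guard",
     {"data": {"additionalDetails": {"resourceName": "ocid1.user.oc1..alice"}}}),
    ("azure_defender",
     {"properties": {"extendedProperties": {"client": "bob@example.com"}}}),
    ("aws_guardduty",
     {"Resource": {"AccessKeyDetails": {"GeneratedFindingUserName": "carol"}}}),
    # Same provider, but the actor field is absent: actor must come out as None.
    ("aws_guardduty",
     {"Resource": {"InstanceDetails": {"InstanceId": "i-0123"}}}),
]


def actors_for(findings=SAMPLE_FINDINGS) -> list:
    """One query over the normalized records, independent of each source's syntax."""
    return [normalize_finding(p, f)["event"]["actor"] for p, f in findings]


if __name__ == "__main__":
    for provider, finding in SAMPLE_FINDINGS:
        print(json.dumps(normalize_finding(provider, finding)))
    print(actors_for())
```

The point of `actors_for` is that the analyst's query touches only `event.actor`; adding a fourth provider means adding one row to `ACTOR_SOURCE_PATHS`, not rewriting the search.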
CSNF can serve as the lingua franca for passing information between security analysts so that teams collaborating on threat surveillance and incident response are working with a common taxonomy for interpreting log messages. CSNF also helps streamline the process of integrating new services and systems into security operations, reducing complexity and cost by defining – up front – normalized security notification mappings that SOC analysts already understand.
In 2023, the two-year effort of the CSNF team culminated in the integration of CSNF’s normalized, canonical data model message mappings into Splunk’s industry-leading SIEM platform as a CSNF Splunk TA (technology add-on) that “offers support for multiple cloud providers and integrates with your existing Splunk security landing zone to deliver powerful security searches, dashboards and analytics, allowing you to secure your multi-cloud security practice in minutes.” This major milestone provides the foundation for what the CSNF team has planned for 2024, which will be the subject of my next CSNF post.
In the meantime, to learn more about the CSNF project and the ONUG Collaborative, check out these links:
ONUG Collaborative CSNF Project
https://onug.net/project-teams/csnf/
CSNF Technical Information
If you would like to get involved in the CSNF project, then join the ONUG Collaborative. The team will appreciate any assistance you can provide.
SOC analysts who are interested in gaining hands-on experience with CSNF and the opportunity to test their threat surveillance skills are encouraged to join us at ONUG Spring 2024 in Dallas for the CSNF Capture the Flag event, sponsored by World Wide Technology, Oracle and Splunk:
https://onug.net/capture-the-flag-spring-2024/
We hope to see you there, but if you can’t make it to Dallas, ONUG Spring is also a virtual event, so players also have the option to register for the virtual conference and compete remotely in the Capture the Flag.