Amazon Security Lake Partners with Trend

In September 2022, there was a critical bug in Confluence, CVE-2022-26134, which was under active exploit. Due to the nature of the vulnerability, customers could find out if they were impacted, but they couldn’t necessarily determine the initial infection point. They could have been exploited 3 days, or 90 days, or even 3 years prior. And data older than 90 days isn’t stored by most EDR vendors. Even worse, if a customer had switched EDR vendors, they would no longer have access to even the last 90 days of their data.

This is but one of many real-world examples of why customers should have direct access to their EDR data.

You might be wondering, “This is my company’s data. Why can’t I use it?”

Well, there are a few reasons. For one, every vendor has their own taxonomy for how data is stored and indexed, so even if you had access to it, you might not be able to do anything with it.

Some large enterprises have their own tooling to enable teams to discover things about threats in their environment, like the initial attack vector for a specific CVE, but if they change vendors or don’t have direct access to the raw data, it’s hard for even those specialized teams to do their job. There are APIs, messaging frameworks and data formatting differences to navigate. It’s a lot of grunt work before getting any real value out of your data.

AWS sought to solve this problem, and Trend was on board from the start. We believe that this is your data, and it should be owned by you. We were thrilled AWS was creating a solution to this business problem.


Amazon Security Lake

With data contributors like Trend Micro sending customer EDR data to the customer’s owned data lake in AWS, you now have control of and access to your data.

The full life of data with full autonomy of data governance under the control of your teams.

This allows for a new and unique way for data analysts to have access to EDR telemetry in a way that makes sense for them while still allowing the SOC to have the XDR console and information they need.


But what about taxonomy?

Amazon Security Lake is a great central location for analysts to work with their data from across vendor types; Trend’s EDR data is just one data type available to customers. But having it in one place under your control doesn’t matter if the individual vendors are all using different naming conventions and indexing approaches.

AWS partnered with Splunk and a few others earlier in 2022 to solve this problem first. The Open Cybersecurity Schema Framework (OCSF) was launched at Black Hat US 2022 to help defenders spend less time on collecting and normalizing threat data and more time on analyzing and acting on it.

OCSF was the precursor to Amazon Security Lake, so the normalized data taxonomy was already in place. By using OCSF, ISVs are providing normalized data to customers that can be analyzed and used in one place.

We’ve really enjoyed supporting each step of this project as a launch partner for both OCSF and Amazon Security Lake.

Together, we’re putting the customer in control, making critical data available to them from third-party security and analytics solutions of their choice.

After all, it is your data; there shouldn’t be significant barriers to using it.
