Making Sense of Alphabet Soup
Let’s be honest, the cybersecurity marketplace is complex and confusing. Businesses are already struggling to make sense of security and defend themselves from modern attackers. It doesn’t help that they are also drowning in a sea of acronyms and jargon while doing it. MDR, EDR, NGAV, SIEM, the list goes on and it can feel like you’re staring at a bowl of alphabet soup.To help you make sense of today's complex security landscape, we've defined the key acronyms and capabilities that can be found in several of today's most crucial security categories.
Key Cybersecurity Terms and Definitions
AV (Antivirus): We'll start with an easy one. Antivirus is a type of software designed to prevent, search for, detect and remove viruses and other malware from a computer. AV software is typically installed on the endpoint to block malicious software from infecting the machine, mobile device, or network. It works by scanning a file, program, or application and comparing a specific code set with information stored in its database. If the software finds code identical or similar to known malware in the database, that code is deemed malicious and is quarantined or removed.
DLP (Data Loss Prevention): A set of policies, practices, and tools used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. DLP solutions perform content inspection and contextual analysis of data sent from or across corporate networks to provide visibility into who is accessing data and systems (and from where) and filter data streams to restrict suspicious or unidentified activity. DLP solutions are usually deployed to reduce the risk of sensitive data leaking outside an organization, and some solutions can also go beyond simple monitoring and detection to provide alerts, enforce encryption and isolate data as needed.
EDR (Endpoint Detection and Response): An integrated endpoint security solution designed to detect, investigate and respond to cyber threats. EDR solutions offer greater visibility into what's happening on endpoints by recording granular endpoint activity and monitoring for signs of malicious behavior. Suppose the EDR technology detects any of these malicious signs. In that case, it will provide security analysts with the necessary information to conduct reactive and proactive threat investigations and minimize the impact of an attack.
Firewall: A network security system that monitors traffic to or from a network. A firewall acts as an outer barrier that either allows or blocks network traffic based on a predefined set of rules. It scans specific data packets—units of communication sent over networks—for malicious code or known threats. Should a data packet be flagged, the firewall prevents it from entering the network.
IDS (Intrusion Detection System): A form of network security that uses known intrusion signatures to detect and analyze inbound and outbound network traffic for abnormal activities. An IDS focuses on monitoring for malicious intent or signs of compromise and, when detected, will send alerts to the system administrators or security personnel. Intrusion detection systems are designed to warn of suspicious activity, but they don't prevent it.
IPS (Intrusion Prevention System): A form of network security that can identify malicious activity, collect information about said activity, report it, and attempt to block or stop it. An IPS works by actively scanning and analyzing network traffic for malicious activities and known attack patterns. Similar to an IDS, intrusion prevention systems are designed to warn of suspicious activity. The critical difference is that they can also take automated action and respond to active threats based on predetermined rules.
MDR (Managed Detection and Response): A combination of technology and human expertise that focuses on detecting, analyzing, and responding to the threats that have snuck past preventive tools. MDR technology collects and analyzes information from logs, events, networks, endpoints, and user behavior. This information is then paired with a team of experts who can take over to validate incidents, escalate critical events and provide recommended response actions so threats can be quickly remediated. MDR services are managed or co-managed by an outside partner to provide value to organizations with limited resources or the expertise to keep eyes on all of their potential attack surfaces.
MFA (Multi-Factor Authentication): An authentication method that requires users to provide two or more verification factors before granting access or signing in. These factors can include something only the user would know (e.g., password/PIN), something only the user would have (e.g., token), or something only the user is (e.g., biometric). MFA then uses these factors to confirm the identity of someone who is requesting access to an application, website, or another resource.
NDR (Network Detection and Response): An integrated network security solution designed to detect threats and suspicious behavior on an organization's networks using non-signature-based techniques (such as machine learning and other analytical methods). NDR solutions track north/south network traffic that crosses the perimeter and east/west lateral traffic to establish a baseline of normal behavior and raise alerts when anomalous behavior is detected. NDR solutions give security teams real-time visibility and awareness over network traffic and the ability to respond to perceived threats.
NGAV (Next-Generation Antivirus): An expanded version of antivirus that goes beyond performing signature-based detection—typically by incorporating advanced technology—to prevent a broader range of attacks. Unlike traditional AV, next-generation AV focuses on events (files, processes, applications, network connections, etc.) to help identify malicious intent or activity. NGAV has emerged in recent years to address the proliferation of new malware and viruses that can easily bypass traditional AV.
Password Manager: A tool that allows users to store, generate and manage their passwords for local applications and online services. A password manager will house a user's passwords and other information in one convenient location with one master password. Also, it can assist in generating and retrieving complex passwords.
SIEM (Security Information and Event Management): A software solution aggregates and analyzes activity from many different sources across an entire IT infrastructure. A SIEM gathers immense amounts of data from an entire networked environment, then consolidates and makes that data human accessible. With the data categorized and laid out, SIEM solutions are often used by security operation centers (SOCs) to streamline visibility across an environment, centralize data for security monitoring and investigate logs and events for incident response.
SOAR (Security Orchestration, Automation, and Response): A collection of software solutions and tools that aggregate security intelligence and context from disparate systems and apply machine intelligence to streamline (or even completely automate) the threat detection and response process. SOAR combines three software capabilities:
- The management of threats and vulnerabilities (orchestration)
- Automating security operations (automation)
- Responding to security incidents (response)
Due to its aggregation and automation capabilities, SOAR solutions are often used by security operation centers (SOCs) to collect threat-related data from various sources and automate the responses to specific threats.
SOC (Security Operations Center): A centralized unit that deals with security issues on an organizational and technical level. SOCs are typically staffed with a team of domain experts (either in-house or outsourced) who focus on preventing, detecting, analyzing, and responding to cybersecurity incidents. A SOC acts as a central command post that continuously monitors an organization's environments and toolsets and improves its security posture.
Threat Hunting: The practice of searching through environments to detect and isolate advanced threats that evade existing security solutions. Threat hunting combines technology, threat intelligence, and methodical humans to find and stop malicious activities. Generally, threat hunting is performed by security analysts, or threat hunters, who use their highly tuned skills to zero in on potential threats or attackers who have snuck into a protected environment.
XDR (Extended Detection and Response): A security technology that provides extended visibility, analysis, detection, and response across an entire IT environment. XDR solutions access data from multiple sources to detect more advanced attackers and quickly respond to those threats. XDR is usually comprised of EDRs, NDRs, NGAVs, and cloud monitoring tools and has some ability of log aggregation and orchestration across what it detects.
• • •
There are endless acronyms to define, but these are the ones we feel are most important and relevant to cybersecurity today.
With all the options and jargon out there, it's become way too challenging to grasp what a product actually does, how it works, and whether it makes you more secure in the long run. We believe that security offerings should be straightforward—so we're starting by helping you better understand the capabilities you need to protect your business. To learn more about these terms or how to prepare your business better, reach out to your Pendello Solutions team today!