Cybersecurity jargon and acronyms may be daunting to newcomers. Below is an alphabetical list that may help explain these security terms.
DDoS
Distributed denial-of-service (DDoS) attacks disrupt normal traffic to websites or servers by overwhelming them with messages, connections or data from many sources at once, making the service unavailable or unusable.
SOC
A Security Operations Center (SOC) is the focal point for continuous, 24/7 monitoring, detection and response to cybersecurity threats. Staffed by security personnel who use tools such as SIEM (security information and event management), this critical center monitors everything from system software and servers to connected Internet of Things devices such as kitchen microwaves or warehouse scanners.
SOC teams also conduct regular assessments, such as vulnerability assessments, penetration tests and risk evaluations, to gauge cybersecurity risk and update applications, security policies and best practices accordingly.
SOC team members act as first responders during an incident: they disable or isolate affected endpoints, wipe data, terminate malicious processes and take other steps to limit disruption to business operations. They follow procedures designed to minimize the incident's impact, and afterwards review and update incident response plans to better protect the organization against future attacks.
EDR
EDR (Endpoint Detection and Response) is a cybersecurity solution that uses software agents to collect data from endpoints such as desktops, laptops, servers, mobile phones and IoT devices in order to detect threats and respond to them. When suspicious activity is identified, it alerts the relevant stakeholders so that appropriate steps can be taken immediately.
EDR technology helps security teams combat advanced threats that are too well hidden for traditional antivirus and antimalware solutions to detect, and lets them track an adversary's attack path in real time, effectively “shoulder surfing” the attacker.
An effective EDR solution should offer multiple response options, including removing or quarantining files, so analysts can choose the best response strategy. It should also reduce the alert fatigue and burnout caused by security tools that produce too many alerts.
SIEM
SIEM stands for Security Information and Event Management. A SIEM collects data from different security tools to present a consolidated view of threats across an organization. Correlation rules and models let it quickly surface vulnerabilities and threats that need prompt attention, which makes it invaluable for mitigating cyberattacks, meeting industry regulations, supporting risk mitigation efforts, or simply managing cyberattacks more efficiently. For a SIEM deployment to succeed, however, business objectives and key success metrics need to be defined before deployment.
Firewalls and antivirus software generate so much monitoring data that understaffed IT security teams can become overwhelmed and miss important events such as DDoS attacks that damage systems or intellectual property. A SIEM solution monitors logging data to detect suspicious activity, such as unauthorized file changes or transfers, and combines this data with threat intelligence feeds for proactive security analysis and incident response.
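The two SIEM ideas above, correlation rules across events and enrichment with a threat intelligence feed, as an added example that is not from the original page or any SIEM product. The log lines, the field names and the threat-intel set are all constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format (not real data).
SAMPLE_LOGS = """\
2024-05-01T10:00:01 sshd auth=failure user=alice src=203.0.113.7
2024-05-01T10:00:03 sshd auth=failure user=alice src=203.0.113.7
2024-05-01T10:00:05 sshd auth=failure user=alice src=203.0.113.7
2024-05-01T10:00:06 sshd auth=failure user=alice src=203.0.113.7
2024-05-01T10:00:09 sshd auth=success user=alice src=203.0.113.7
2024-05-01T10:05:00 sshd auth=failure user=bob src=198.51.100.4
2024-05-01T10:30:00 sshd auth=success user=bob src=198.51.100.4
2024-05-01T11:00:00 vpn  auth=success user=carol src=192.0.2.55
"""

# Constructed threat-intelligence feed: indicators a SIEM would ingest.
THREAT_INTEL_IPS = {"192.0.2.55"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<app>\S+)\s+auth=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
)

def parse(log_text):
    """Normalise raw lines into event dicts; lines that do not match are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def correlate(events, threshold=3, window=timedelta(minutes=2)):
    """Rule 1: >= threshold failures from one source followed by a success within
    `window` (likely brute force). Rule 2: any success from a threat-intel IP."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of failed logins
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "failure":
            failures[e["src"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append(("brute_force_success", e["user"], e["src"]))
        if e["src"] in THREAT_INTEL_IPS:
            alerts.append(("threat_intel_match", e["user"], e["src"]))
    return alerts
```

Bob's single failure followed by a success 25 minutes later falls outside the window and raises nothing, which is the point of correlating on count and time rather than alerting on every failed login.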
IPS
An intrusion prevention system (IPS) is an intrusion detection and protection solution that works to stop attackers from exploiting vulnerabilities within a network. Most IPS solutions use signature- and policy-based detection: they check traffic for known threats or attack vectors against a library of signature patterns, and they enforce configured policies where those apply.
An IPS can also monitor network traffic for deviations from normal behavior, such as processes using unusual amounts of bandwidth or devices opening ports that should normally stay closed. Furthermore, an IPS can identify zero-day exploits, which target vulnerabilities for which no patch is yet available.
Once a threat is identified, an IPS can take immediate action, such as closing sessions and blocking traffic, to stop the attack. This helps minimize damage and frees security staff from having to respond manually to IDS alerts.
DLP
DLP (Data Loss Prevention) refers to a collection of tools and inspection techniques used to detect sensitive content that is at rest (in storage), in use (being processed by applications), or in motion (moving between applications or across the network). DLP technologies also enforce policies that log, report, classify, relocate, tag and encrypt this content.
DLP helps prevent data exfiltration, the unauthorized transfer of valuable information such as login credentials, intellectual property or proprietary details from an organization's devices or networks to an attacker, often without the organization's knowledge. Attackers can include current or former employees, contractors and business associates with access to privileged accounts.
DLP solutions should be regularly reconfigured and tested to ensure they remain effective against evolving threats. Training must also account for staff turnover and for new types of sensitive information as they arise; continuous monitoring and adversary emulation are key here, to ensure your DLP solution does not suffer from false positives or other limitations.
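A small content-inspection rule of the kind a DLP engine applies to data at rest, added here as an illustration and not taken from the page or any DLP product. It pairs a pattern match for payment-card numbers with a Luhn checksum so that arbitrary digit runs (order ids, reference numbers) do not become false positives, and returns only a masked value so the finding itself does not leak the data. The sample document is constructed; the first card number is a widely published test number.

```python
import re

# Candidate payment-card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits):
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return a masked form (last four digits kept) of each Luhn-valid candidate."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append("*" * (len(digits) - 4) + digits[-4:])
    return findings

def dlp_policy(text):
    """Minimal policy decision: classify the content and report what was found."""
    hits = find_card_numbers(text)
    return {"classification": "restricted" if hits else "public", "findings": hits}

# Constructed sample document. "1234567890123456" is a 16-digit run that fails the
# Luhn check, so a regex-only rule would flag it while this one does not.
SAMPLE_TEXT = """Invoice 2024-117
Card on file: 4111 1111 1111 1111
Order reference: 1234567890123456
Support line: 555-0100
"""
```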
AV
AV stands for audio-visual: technology that transmits and displays visual data, from televisions to projectors, and usually includes both audio and video components. In technical forums you may encounter people discussing AV equipment specifically or using the term to describe multimedia presentations.
AV over IP (AV/IP or AVoIP) is a form of network transmission that carries audio-visual signals over standard network infrastructure. This may be done on a separate network that runs alongside, but does not share packets with, the organization's IT network, or by using existing infrastructure such as cabling and switches to carry the audio-visual signals. Many organizations are adopting AV over IP as part of their AV management and deployment practices.
UEBA
User and Entity Behavior Analytics (UEBA) detects threats by monitoring the activity of users, devices and other entities within a company network. After an initial period of baseline data collection and evaluation, UEBA uses analytics software to learn what “normal” looks like for each user or device and flags deviations from that baseline.
UEBA can detect suspicious activity such as unauthorized access to sensitive data, unusual logins or malware attacks. It can also assist security teams by analyzing behavior across multiple logs and alerting them to potential risks.
UEBA differs from signature-based detection in that it uses modeling and machine learning techniques to detect unknown threats and anomalies. It can also be used to monitor Internet of Things devices, such as medical and manufacturing equipment, that could be vulnerable to DDoS attacks and exfiltration attempts.
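The two-phase UEBA idea described above, a baseline period followed by deviation detection against each entity's own profile, as an added example that is not from the original page or any UEBA product. The baseline events (user, login hour, megabytes downloaded) are constructed, and the per-user profile (observed hours plus a volume z-score) is a deliberately simple stand-in for the statistical and machine-learning models real products use.

```python
import statistics
from collections import defaultdict

# Constructed baseline period: (user, hour_of_day, megabytes_downloaded). Not real data.
BASELINE = [
    ("alice", 9, 120), ("alice", 10, 95), ("alice", 11, 130), ("alice", 14, 110),
    ("alice", 16, 100), ("alice", 9, 125), ("alice", 15, 90),
    ("bob", 8, 40), ("bob", 9, 55), ("bob", 10, 50), ("bob", 13, 45),
    ("bob", 17, 60), ("bob", 8, 42), ("bob", 12, 48),
]

def build_profiles(events):
    """Baseline phase: per entity, the set of hours seen and mean/stdev of volume."""
    hours, volumes = defaultdict(set), defaultdict(list)
    for user, hour, mb in events:
        hours[user].add(hour)
        volumes[user].append(mb)
    return {
        u: {"hours": hours[u],
            "mean": statistics.mean(volumes[u]),
            "stdev": statistics.pstdev(volumes[u])}
        for u in volumes
    }

def score_event(profiles, user, hour, mb, z_limit=3.0):
    """Detection phase: list the ways a new event deviates from the entity's own baseline."""
    p = profiles.get(user)
    if p is None:
        return ["unknown_entity"]      # never observed during the baseline period
    findings = []
    if hour not in p["hours"]:
        findings.append("unusual_hour")
    # z-score against this user's history, not a global threshold shared by everyone
    z = (mb - p["mean"]) / p["stdev"] if p["stdev"] else 0.0
    if z > z_limit:
        findings.append("unusual_volume")
    return findings

PROFILES = build_profiles(BASELINE)
```

The same 600 MB download would be scored differently for a user whose baseline already includes large transfers, which is what distinguishes behavioral baselining from a fixed rule.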
ATT&CK
The ATT&CK framework offers a modern way of looking at cyberattacks. It contains a comprehensive catalogue of adversary techniques that cybersecurity teams can use to detect threats and defend against them. The first “T” in ATT&CK stands for tactics, which describe the attacker's objectives during an attack, for instance privilege escalation; techniques (and sub-techniques) describe how attackers achieve those objectives.
The framework also lists tools and malware that attackers use to gain entry to systems, giving threat hunters, red teamers and SOCs valuable insight into the tools and methods attackers may use. Updated frequently by MITRE researchers and the wider security community, the ATT&CK matrix gives these teams a consistent way to understand risk from known adversary behavior, and they can use this information to build more robust defense strategies. ATT&CK includes three primary matrices: the Enterprise Matrix, the Mobile Matrix and the ICS Matrix.
CSIRT
A Computer Security Incident Response Team (CSIRT) is a team of IT professionals charged with responding to cyber incidents. Its purpose is to limit the damage from incidents while recommending changes that can prevent future attacks. Organizations that commonly operate CSIRTs include governments, nation states or economies, educational institutions and commercial enterprises, and their structure may be centralized or distributed depending on the organization's size and requirements.
CSIRTs often lack sufficient funding and resources, which makes multidisciplinary teams whose members bring different skill sets essential. Geographic dispersion of team members also ensures that someone will always be available when an information security incident arises. A good CSIRT should have communication channels and points of contact that ensure fast responses when an incident strikes, while also maintaining reliable channels of communication with its constituents.
ICS
Industrial Control Systems (ICSs), often described as monitoring and operating systems, are designed to monitor and operate infrastructure-supporting functions such as water, power, transportation and manufacturing. Once connected only through traditional control panels, or entirely analog, modern industrial control systems increasingly rely on networks and digitalization in their operation.
Cybercriminals often target industrial control system (ICS) devices, as shown by attacks such as the one on the Oldsmar water treatment plant and ransomware threats against vaccine production. Furthermore, many proprietary protocols used by ICS devices lack security features.
To learn more about Industrial Control Systems (ICS), attending cybersecurity conferences such as ICS-CERT, GridSecCon and ISC2 may be helpful. You can also get an overview by reading articles or books on the topic, or by attending presentations by speakers with relevant experience (at minimum a technical degree should serve as proof) before trusting their claims.