October is National Cybersecurity Awareness Month and in its honor, we’ve developed a four-part series designed to help uplevel your security confidence.
Are you lost in a sea of cybersecurity acronyms? Have you been asked if your company utilizes EDR, SOC or SIEM but had no clue what that actually meant? If you find yourself nodding your head at the last two sentences, this blog post is for you. Navigating the IT landscape is difficult, especially if you don’t know the language.
In part 1 of our Cyber series, we’ll cover some of the most commonly used, and often misunderstood, acronyms in the IT security space. The goal is to help you understand not only the meaning of these acronyms but the practical application as well.
Starting off, we’ll discuss some of the acronyms related to security tools in the IT space.
SOC: Security Operations Center
Starting off with a confusing topic, a SOC. We say it’s confusing because the acronym is used for several different things in the information security world, and they are not interchangeable. A SOC (or SOC as a Service) is short for Security Operations Center. A good SOC will utilize tools like a SIEM, which we will discuss next, plus trained cybersecurity professionals who analyze the data to identify potential threats and isolate or protect information systems against their impacts.
This differs from the AICPA SOC, which is a compliance attestation standard of multiple levels. You may have heard of SOC 2 & SOC 3 reports and attestation. While a SOC can help in your pursuit of a SOC 2 certification, they are completely different.
Why would a business need to know about SOC?
You may need a SOC if you are concerned about who is watching your security software or infrastructure and responding to threats and incidents. An important distinction is that an IT help desk IS NOT a SOC, so if the automated tools don’t catch a threat, you may leave your business and employees vulnerable.
SIEM: Security Information and Event Management
SIEM, pronounced SIM, is short for Security Information and Event Management. A SIEM tool at its core aggregates, logs, and – to varying degrees – processes event information from your information and IT systems. Simply put: a SIEM allows organizations to efficiently collect and analyze log data from all of their digital assets in one place. A SIEM can be especially useful in situations where you have a production environment such as cloud-hosted servers or web apps, as these are often incredibly complex infrastructures requiring an aggregator such as a SIEM to get useful information.
The ultimate goal of a SIEM is to provide an information source for Cybersecurity Analysts or AI-powered tools to identify security threats so that action can be taken. It is also especially useful in cases where cyber forensics or threat hunting are required.
A good SIEM collects all information and then uses algorithms to “drown out the noise” to make the job of the analyst easier, while still retaining that information in the case where more advanced information gathering is necessary.
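To make the aggregation and “drown out the noise” idea concrete, here is an added Python example written for this post; it is not code from any SIEM product. It takes constructed SSH and web-application log lines in their native formats, normalizes them into one event schema, rolls the raw lines up into per-source counts an analyst can scan, and runs a single correlation rule (five or more failed logins from one address inside five minutes, followed by a success) across both sources at once. The log lines, addresses and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) from two sources that each use
# their own native format: an SSH daemon and a web application's login endpoint.
SSH_LOGS = [
    "2024-10-01T10:00:01 sshd[812]: Failed password for admin from 203.0.113.7 port 5011",
    "2024-10-01T10:00:03 sshd[812]: Failed password for admin from 203.0.113.7 port 5012",
    "2024-10-01T10:00:05 sshd[812]: Failed password for admin from 203.0.113.7 port 5013",
    "2024-10-01T10:00:07 sshd[812]: Failed password for admin from 203.0.113.7 port 5014",
    "2024-10-01T10:00:09 sshd[812]: Failed password for admin from 203.0.113.7 port 5015",
    "2024-10-01T10:00:12 sshd[812]: Accepted password for admin from 203.0.113.7 port 5016",
    "2024-10-01T10:05:00 sshd[812]: Failed password for bob from 198.51.100.3 port 6001",
    "2024-10-01T10:05:04 sshd[812]: Accepted password for bob from 198.51.100.3 port 6002",
]
WEB_LOGS = [
    '198.51.100.9 - alice [01/Oct/2024:10:01:%02d +0000] "POST /login HTTP/1.1" 401 512' % (10 * i)
    for i in range(6)
] + [
    '198.51.100.9 - alice [01/Oct/2024:10:02:00 +0000] "POST /login HTTP/1.1" 200 128',
    '192.0.2.44 - carol [01/Oct/2024:10:03:00 +0000] "POST /login HTTP/1.1" 200 128',
]

SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "POST /login[^"]*" (?P<status>\d{3})'
)


def parse_ssh(line):
    """Turn one sshd line into the common event schema (or None if it is not a login event)."""
    m = SSH_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "source": "sshd",
        "ip": m["ip"],
        "user": m["user"],
        "outcome": "success" if m["outcome"] == "Accepted" else "failure",
    }


def parse_web(line):
    """Turn one web-server access line into the same schema; HTTP 200 on /login counts as success."""
    m = WEB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {
        "ts": ts,
        "source": "webapp",
        "ip": m["ip"],
        "user": m["user"],
        "outcome": "success" if m["status"] == "200" else "failure",
    }


def normalize(ssh_lines, web_lines):
    """Aggregate both sources into one time-ordered stream: the core SIEM job."""
    events = [e for e in map(parse_ssh, ssh_lines) if e]
    events += [e for e in map(parse_web, web_lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def summarize_noise(events):
    """Roll every raw line up into (source, outcome) counts so the analyst sees totals, not lines."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["source"], e["outcome"])] += 1
    return dict(counts)


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: `threshold` failures from one IP inside `window`, then a success.
    Because events were normalized first, the same rule covers SSH and the web app."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    for e in events:
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        if e["outcome"] == "failure":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({"ip": e["ip"], "user": e["user"], "source": e["source"],
                           "failures": len(recent), "at": e["ts"]})
        failures[e["ip"]] = recent
    return alerts


if __name__ == "__main__":
    stream = normalize(SSH_LOGS, WEB_LOGS)
    print("summary:", summarize_noise(stream))
    for alert in detect_brute_force(stream):
        print("ALERT:", alert)
```

Sixteen raw lines collapse into four summary counts, and the two alerts (the SSH burst against `admin` and the web burst against `alice`) are the only items that reach a human; bob’s single typo and carol’s clean login stay in the retained stream for later forensics without generating noise.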
When might you need a SIEM?
You may need a SIEM if you are providing a platform or SaaS product, or housing customer data in either on-prem or cloud solutions. It’s especially important when going through something like SOC 2, where you need to prove the ability to recall logs, or when you’ve determined you need a SOC (security operations center) and want to give them a platform to review.
EDR, XDR, NGAV: Endpoint Detection & Response, Extended Detection & Response, and Next Generation Antivirus
EDR, XDR and NGAV are typically terms related to endpoint tools that use behavioral analysis to identify malware and other threats and prevent them from executing. EDR stands for Endpoint Detection and Response. XDR stands for Extended Detection and Response. NGAV is short for Next Generation Antivirus. It’s important to note that these are not individual products or mutually exclusive. XDRs, EDRs, and NGAVs have significant overlap, almost like a square and rectangle relationship.
NGAV is the evolution of antivirus. Historical antivirus solutions used signatures; think of it like checking an ID against a no-fly list: it only works if the name has already been added to that list. This differs from an EDR (which we’ll cover in more detail next), which uses software to identify malicious behaviors before they have a chance to cause damage. The “Next Generation” component uses behaviors (instead of looking for virus.exe, look for an application that is mass-deleting files) to identify and block threats, then propagates that information.
EDR, or Endpoint Detection and Response, expands on the functionality of NGAV. Instead of identifying the behavior of one endpoint, it looks at the whole network and how endpoints interact, and it provides extensive centralized logging into a tool like a SIEM. Most EDRs classify as NGAV, but not all NGAVs have full EDR functionality.
XDR, or Extended Detection and Response, combines endpoint (laptop, desktop) EDR with cloud systems, email, etc., to provide holistic protections, again increasing the number of data points and therefore the visibility of threats.
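Here is an added Python example, written for this post rather than taken from any antivirus or EDR product, that puts the no-fly-list analogy and the “mass-deleting files” behavior rule side by side. The signature check hashes file contents against a blocklist, so a rebuilt copy of the same malware slips past it; the behavioral rule watches process telemetry and convicts whatever process deletes too many files too quickly, whatever its name or hash. The final step shares the convicted file’s hash with the blocklist, which is the “propagate that information” piece. All samples, process names and telemetry are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed "known bad" samples (fake byte strings, not real malware). The legacy
# signature approach hashes file contents and compares against a blocklist.
KNOWN_BAD_SAMPLES = [b"fake-malware-build-1"]
SIGNATURE_BLOCKLIST = {hashlib.sha256(s).hexdigest() for s in KNOWN_BAD_SAMPLES}


def signature_verdict(file_bytes):
    """Legacy AV: blocks only if this exact file is already on the list."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_BLOCKLIST


# Constructed endpoint telemetry as (timestamp_seconds, process, action, target).
# "updater.exe" deletes 30 documents in under three seconds; "explorer.exe" deletes
# three cache files a minute apart; "winword.exe" just writes a document.
EVENTS = (
    [(i * 0.1, "updater.exe", "delete", f"docs/report_{i}.docx") for i in range(30)]
    + [(5 + i * 60, "explorer.exe", "delete", f"tmp/cache_{i}.bin") for i in range(3)]
    + [(7, "winword.exe", "write", "docs/letter.docx")]
)


def behavior_verdict(events, max_deletes=20, window_s=10):
    """Behavioral rule: flag any process that deletes more than `max_deletes`
    files inside a `window_s`-second window, regardless of what the binary is called."""
    flagged = {}
    recent = defaultdict(list)  # process -> timestamps of its recent deletes
    for ts, proc, action, _target in sorted(events):
        if action != "delete":
            continue
        window = [t for t in recent[proc] if ts - t <= window_s]
        window.append(ts)
        recent[proc] = window
        if len(window) > max_deletes and proc not in flagged:
            flagged[proc] = {"first_delete": window[0], "deletes": len(window)}
    return flagged


def propagate(file_bytes):
    """Once behavior convicts a file, publish its hash so every other endpoint
    can block the same file on sight without having to observe the behavior itself."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    SIGNATURE_BLOCKLIST.add(digest)
    return digest


if __name__ == "__main__":
    rebuilt = b"fake-malware-build-2"  # same malware, recompiled: new hash
    print("signature catches rebuilt sample:", signature_verdict(rebuilt))
    print("behavior flags:", behavior_verdict(EVENTS))
    propagate(rebuilt)
    print("signature catches it after propagation:", signature_verdict(rebuilt))
```

Running it shows the rebuilt sample passing the signature check, `updater.exe` being flagged on its 21st delete while `explorer.exe`’s slow, ordinary deletes are ignored, and the rebuilt sample being blocked once its hash has been propagated.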
So do businesses need all three solutions?
It’s safe to say that if you are running a legacy antivirus solution – think tools like Norton, McAfee, or the ones built into macOS – you need to upgrade to NGAV, EDR, or XDR solutions. Simply put, legacy antivirus solutions do not protect against modern threats. What to switch to depends on your internal risk management program and information security posture.
DLP: Data Loss Prevention
DLP stands for Data Loss Prevention. It isn’t a tool as much as it is an approach to preventing data breaches or compliance failures. DLP comprises policy, training, and technology. However, for this post, we want to touch on what a DLP tool may do.
A DLP tool uses rules and intelligence to identify sensitive information categories and restrict the sharing of information. This can be as broad or as narrow as you’d like. For example, a DLP tool could identify something complex such as a patient’s name, social security number, or home address in a Word document and prevent it from being shared outside of an organization.
DLP tools can also be used to segregate data within information systems and help enforce which employees have access to certain pieces of information. When you think of a DLP tool, think of it as having an assistant that watches your team’s back to ensure that simple mistakes or oversights don’t result in liability nightmares.
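To show what the rules inside a DLP tool look like, here is an added Python example written for this post; it is not code from any DLP product. It classifies a piece of text for two sensitive categories (US Social Security numbers and payment card numbers), uses the Luhn check digit to avoid flagging every 16-digit number as a card, and then applies a simple sharing policy: content with findings may go to the organization’s own domain but is blocked from any external destination. The domain name, patterns and sample messages are constructed for the example.

```python
import re

# Constructed policy value: the organization's own mail/sharing domain.
INTERNAL_DOMAIN = "example.com"

# US SSN: three groups, excluding the area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn check digit test; real card numbers pass, random digit runs usually do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return a list of (category, matched_text) findings for the sensitive categories we know."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", m.group()))
    for m in CARD_RE.finditer(text):
        candidate = m.group().strip()
        if luhn_ok(re.sub(r"[ -]", "", candidate)):
            findings.append(("CARD", candidate))
    return findings


def is_internal(destination_domain):
    """Exact match or a subdomain of the internal domain; 'notexample.com' must not count."""
    return destination_domain == INTERNAL_DOMAIN or destination_domain.endswith("." + INTERNAL_DOMAIN)


def policy_decision(text, destination_domain):
    """Allow internal sharing; block anything with findings that is headed outside the organization."""
    findings = classify(text)
    if findings and not is_internal(destination_domain):
        return {"action": "block", "findings": findings}
    return {"action": "allow", "findings": findings}


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("Patient Jane Doe, SSN 123-45-6789, follow-up Monday", "gmail.example.net"),
        ("Patient Jane Doe, SSN 123-45-6789, follow-up Monday", "hr.example.com"),
        ("Charge card 4111 1111 1111 1111 for the invoice", "partner.example.org"),
        ("Order reference 1234 5678 9012 3456 shipped", "partner.example.org"),
    ]
    for text, dest in samples:
        print(dest, "->", policy_decision(text, dest))
```

The fourth sample is the point of the Luhn check: a 16-digit order reference looks like a card number to a naive pattern, but it fails the check digit and is allowed through, which is the kind of false positive that otherwise makes staff switch the tool off.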
You may need a DLP tool if your business or organization is subject to legal compliance requirements. Some examples would be HIPAA for healthcare, CMMC for government contractors, or SOX in the financial world. The important thing to note is that just having a DLP tool alone is useless. Educating your employees about what and how data loss prevention
That’s a Wrap on Part 1
We hope this content helped give you a little more insight into the world of cybersecurity, especially since October is Cybersecurity Awareness Month. This post is part 1 of a four-part series that we’ll be rolling out each week in October, so make sure to check back next week for our next installment.
Interlaced doesn’t just break down complex jargon (as much as we enjoy doing that); our goal is to remove the burden of IT from businesses so they can focus on what matters most. To learn more about how Interlaced can help your business with IT support, contact us today.