How to Make Sense of the Alphabet Soup of Cybersecurity Terms

Written by Huntress Labs Guest Blogger
May 2, 2022

Here's what you need to know about today's most relevant and important cybersecurity terms and categories.

Let’s be honest, the cybersecurity marketplace is complex and confusing. Businesses are already struggling to make sense of security and defend themselves from modern attackers, so it doesn’t help that they’re also drowning in a sea of cybersecurity terms, acronyms and jargon. MDR, EDR, NGAV, SIEM … The list goes on, to the point that it feels like you are staring at a bowl of alphabet soup.

So, how do you navigate it all?

To help you make sense of today’s complex cybersecurity landscape, we’ve defined the key acronyms and capabilities that can be found in several of today’s most important security categories.

Key Cybersecurity Terms and Definitions

AV (antivirus): Antivirus is a type of software that is designed to prevent, search for, detect and remove viruses and other malware from a computer. AV software is typically installed on the endpoint to block malicious software from infecting the machine, mobile device or network. It works by scanning a file, program or application and comparing a specific set of code with information stored in its database. If the software finds code that is identical or similar to a piece of known malware in the database, that code is deemed malicious and is quarantined or removed.

DLP (data loss prevention): Data loss prevention is a set of policies, practices and tools used to ensure that sensitive data is not lost, misused or accessed by unauthorized users. DLP solutions perform both content inspection and contextual analysis of data sent from or across corporate networks. This enables DLP systems to provide visibility into who is accessing data and systems (and from where) and filter data streams to restrict suspicious or unidentified activity. DLP solutions are usually deployed as a way to reduce the risk of sensitive data leaking outside an organization. Some solutions go beyond simple monitoring and detection to provide alerts, enforce encryption and isolate data as needed.

EDR (endpoint detection and response): EDR is an integrated endpoint security solution designed to detect, investigate and respond to cyber threats. EDR solutions offer greater visibility into what’s happening on endpoints by recording granular endpoint activity and monitoring for signs of malicious behavior. If the EDR technology detects any of these malicious signs, it will provide security analysts with the necessary information to conduct both reactive and proactive threat investigations and minimize the impact of an attack.

Firewall: A firewall is a type of network security system that monitors traffic to or from a network. A firewall acts as an outer barrier that either allows or blocks network traffic based on a predefined set of rules. Firewalls scan specific data packets—units of communication sent over networks—for malicious code or known threats. Should a data packet be flagged, the firewall prevents it from entering the network.

IDS (intrusion detection system): IDS is a form of network security that uses known intrusion signatures to detect and analyze both inbound and outbound network traffic for abnormal activities. An IDS focuses on monitoring for malicious intent or signs of compromise. When such activity is detected, the IDS sends alerts to system administrators or security personnel. Intrusion detection systems are designed to warn of suspicious activity taking place, but they don’t prevent it.

IPS (intrusion prevention system): IPS is a form of network security that can identify malicious activity, collect information about said activity, report it, and attempt to block or stop it. An IPS works by actively scanning and analyzing network traffic for malicious activities and known attack patterns. Like an IDS, intrusion prevention systems are designed to warn of suspicious activity, but the key difference is that an IPS can also take automated action and respond to active threats based on a predetermined set of rules.

MDR (managed detection and response): MDR is a combination of technology and human expertise that tightly focuses on detecting, analyzing and responding to the threats that have snuck past preventive tools. MDR technology collects and analyzes information from logs, events, networks, endpoints and user behavior. This information is then paired with a team of experts who can take over to validate incidents, escalate critical events and provide recommended response actions so threats can be quickly remediated. MDR services are managed or co-managed by an outside partner to provide value to organizations that either have limited resources or lack the expertise to keep eyes on all potential attack surfaces.

MFA (multi-factor authentication): MFA is an authentication method that requires users to provide two or more verification factors before granting access or signing in. These factors can include something only the user would know (such as a password/PIN), something only the user would have (such as a token) or something only the user is (such as biometrics). MFA then uses these factors to confirm the identity of someone who is requesting access to an application, website or another resource.

NDR (network detection and response): NDR is an integrated network security solution designed to detect threats and suspicious behavior on an organization’s networks using non-signature-based techniques (such as machine learning and other analytical techniques). NDR solutions track north/south network traffic that crosses the perimeter, as well as east/west lateral traffic to establish a baseline of normal behavior and raise alerts when anomalous behavior is detected. NDR solutions give security teams real-time visibility and awareness over network traffic and the ability to respond to perceived threats.

NGAV (next-generation antivirus): NGAV is an expanded version of antivirus that goes beyond performing signature-based detection—typically, by incorporating some type of advanced technology—to prevent a wider range of attacks. Unlike traditional AV, next-generation AV focuses on events (files, processes, applications, network connections, and so on) to help identify malicious intent or activity. NGAV has emerged in recent years to address the proliferation of new types of malware and viruses that can easily bypass traditional AV.

Password manager: Password managers allow users to store, generate and manage their passwords for local applications and online services. A password manager will house a user’s passwords, as well as other information, in one convenient location with one master password. Password manager also can assist in generating and retrieving complex passwords.

SIEM (security information and event management): SIEM is a software solution that aggregates and analyzes activity from many different sources across an entire IT infrastructure. A SIEM gathers immense amounts of data from an entire networked environment, then consolidates and makes that data accessible by humans. With the data categorized and laid out, SIEM solutions are often used by security operation centers (SOCs) to streamline visibility across an environment, centralize data for security monitoring, and investigate logs and events for incident response.

SOAR (security orchestration, automation and response): SOAR is a collection of software solutions and tools that aggregate security intelligence and context from disparate systems. SOAR applies machine intelligence to streamline (or even completely automate) the threat detection and response process. SOAR combines three software capabilities: the management of threats and vulnerabilities (orchestration), automating security operations (automation) and responding to security incidents (response). Due to its aggregation and automation capabilities, SOAR solutions are often used by SOCs to collect threat-related data from a range of sources and automate the responses to certain threats.

SOC (security operations center): A SOC is a centralized unit that deals with security issues on an organizational and technical level. SOCs are typically staffed with a team of domain experts (either in-house or outsourced) that focus on preventing, detecting, analyzing and responding to cybersecurity incidents. A SOC acts as a central command post that continuously monitors an organization’s environments and toolsets and improves its security posture.

Threat hunting: Threat hunting is the practice of searching through environments to detect and isolate advanced threats that evade existing security solutions. Threat hunting combines technology, threat intelligence and methodical humans to find and stop malicious activities. Generally, threat hunting is performed by security analysts, or threat hunters, who use their highly tuned skills to zero in on potential threats or attackers who have snuck into a protected environment.

XDR (extended detection and response): XDR is security technology that provides extended visibility, analysis, detection and response across an entire IT environment. XDR solutions access data from multiple sources to detect more advanced attackers and quickly respond to those threats. XDRs are usually comprised of EDRs, NDRs, NGAVs and cloud monitoring tools, and have some ability of log aggregation and orchestration across what it detects.

Conclusion

There are endless cybersecurity terms and acronyms to define, but these are the ones we feel are most important and relevant to cybersecurity today.

With all the options and jargon out there, it’s become way too difficult to grasp what a product actually does, how it works and whether it makes you more secure in the long run. We believe that security offerings should be straightforward—so we’re starting by helping you better understand the capabilities you actually need to protect your business.

This guest blog is part of a Channel Futures sponsorship.