
Cyber language – a high level guide to understanding common jargon in Defensive Services

Cyber security has become laden with jargon and terminology, often understood only by a handful of professionals and experts. With the intense interest in cyber security over the past few years, we have seen a corresponding increase in the introduction, and therefore the misinterpretation, of commonly used security terms.

One domain where this is particularly cumbersome is Security Operations, or Defensive Services. We recognise this challenge at Ionize, so we have set about helping build a common lexicon so that consumers and providers alike can speak the same language, improve clarity, and reduce ambiguity.

We have found people using terms such as MDR, SOC and SIEM interchangeably. This makes discussing, planning and aligning a cyber capability uplift difficult. The development and promulgation of a common cyber language helps alleviate this confusion.

Managed Detection and Response (MDR) describes the final service that is delivered. We say managed because it is a managed service, delivered by a skilled and experienced cyber security service provider. The references to detection and response align with the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) domains that the service covers.

This term is often used interchangeably with SOC, SIEM, SOC as a Service (SOCaaS) or SIEMaaS.

A Security Operations Centre (SOC) is the physical facility from which the service is delivered. But why are we talking about a physical facility in the age of work from home? Because some clients have strict security requirements for the management of their information and systems. These requirements do not preclude SOC analysts and engineers working from home; they just require a secure solution with which to access the MDR related infrastructure. Ionize maintains a PROTECTED SOC facility to meet Australian government security requirements. However, not all clients require this. The Ionize SOC operates 24x7x365 with a true “eyes-on-glass” service, where our analysts monitor activity for our clients on a continuous basis.

Endpoint Detection Response (EDR) software resides on the desktops, laptops and servers themselves and is designed to detect, facilitate the response to, and ultimately prevent a cyber security event—often referred to as a breach. EDR is great when you can identify and control the endpoints in your network. If that is not the case, then EDR may not help you achieve your cyber security objective.

Network Detection Response (NDR) is hardware/software that monitors network traffic and detects and prevents malicious activity passing through the network. NDR is great when you are unable to identify or control the endpoints in your network.

Extended Detection Response (XDR) software is the natural adaptation of EDR to a cloud-first world, with a focus on Response. Most modern networks are hollowed out of infrastructure, with most functionality residing in cloud services (e.g., M365, Google Workspace). This means that the endpoint has extended into the cloud, and interactions with these services are included in the detection and response. XDR tools also provide greater incident response capability through improved workflows, a response to the increase in network compromises and the effort required by security analysts to respond to them.

Security Incident and Event Management (SIEM) software is a log/event collection, search, and correlation capability. SIEM technology emerged in response to the growing size and complexity of networks, and the growing need to trace and compare results across system logs.

Contrary to popular belief, a SIEM is not required for an MDR service. MDR refers to the function performed, not the tools used. A SIEM will certainly help improve the quality and coverage of an MDR service, but ultimately it is not required.

Security Orchestration and Automated Response (SOAR) technology is, again, a natural and evolutionary response to the increase in cyber threats and compromises. A SOAR capability is configured to detect malicious activity and automatically respond, or orchestrate a response, to that activity. Increasingly, the line between SIEM and SOAR is blurred as SIEM technology incorporates SOAR capabilities.
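The SIEM and SOAR descriptions above amount to a three-step pipeline: collect and parse events, correlate them against a rule, and map any resulting alert to a response. The Python below is an added example, not code from the original article or from any Ionize tooling. It runs one correlation rule (several failed logins followed by a success from the same user and source inside a short window) over a handful of constructed SSH log lines, then emits a fixed list of response actions as data, the way a SOAR playbook would hand them to a connector or an analyst. The log format, the threshold and window, and the action names are all assumptions chosen for illustration.

```python
"""Toy SIEM correlation plus SOAR-style playbook over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real system). Assumed format:
# "<ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
SAMPLE_LOGS = """\
2024-03-01T09:00:01 web01 sshd: Failed password for alice from 203.0.113.9
2024-03-01T09:00:04 web01 sshd: Failed password for alice from 203.0.113.9
2024-03-01T09:00:07 web01 sshd: Failed password for alice from 203.0.113.9
2024-03-01T09:00:09 web01 sshd: Failed password for alice from 203.0.113.9
2024-03-01T09:00:12 web01 sshd: Accepted password for alice from 203.0.113.9
2024-03-01T09:05:00 db01 sshd: Failed password for bob from 198.51.100.4
2024-03-01T09:30:00 db01 sshd: Accepted password for bob from 198.51.100.4
2024-03-01T10:00:00 web01 sshd: Accepted password for carol from 192.0.2.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """Collection step: turn raw lines into structured events.
    Lines that do not match the assumed format are skipped, as a SIEM
    parser would drop (or dead-letter) unparseable input."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation step: raise an alert when a successful login is preceded by
    at least `threshold` failures from the same user and source within `window`.
    The threshold and window are illustrative assumptions."""
    failures = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        if ev["outcome"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        # Success: count only failures that fall inside the window.
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "user": ev["user"], "source_ip": ev["ip"], "host": ev["host"],
                "failures": len(recent), "ts": ev["ts"],
            })
        failures[key].clear()  # a success closes the attempt sequence
    return alerts


def playbook(alert):
    """Orchestration step: map an alert to an ordered list of response actions.
    Actions are returned as data so a human or a connector can carry them out;
    the action names are hypothetical."""
    return [
        {"action": "open_ticket", "severity": "high",
         "summary": f"{alert['rule']} for {alert['user']} on {alert['host']}"},
        {"action": "block_source_ip", "ip": alert["source_ip"]},
        {"action": "disable_account", "user": alert["user"]},
        {"action": "isolate_host", "host": alert["host"]},
    ]


def run(text=SAMPLE_LOGS):
    """Full pipeline: collect -> correlate -> orchestrate. Returns (alert, actions) pairs."""
    alerts = correlate_brute_force(parse_events(text))
    return [(alert, playbook(alert)) for alert in alerts]


if __name__ == "__main__":
    for alert, actions in run():
        print(alert)
        for action in actions:
            print("  ->", action)
```

On the constructed input only alice trips the rule: four failures in eleven seconds followed by a success. bob has a single failure twenty-five minutes before his success, so he is below the threshold and outside the window, and carol never fails. Keeping `playbook` separate from `correlate_brute_force` mirrors the SIEM/SOAR split the article describes: the correlation engine decides what is suspicious, the orchestration layer decides what to do about it, and swapping one out does not touch the other.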

Summary

This piece provides an initial high-level overview of common jargon and what the terms mean. A follow-up piece will address the name of each technology, what it does, common use cases, and leading vendors. Stay tuned.

For comments and questions, drop us an email at info@ionize.com.au.

Follow us on LinkedIn for weekly insights: https://www.linkedin.com/company/ionize
