Terms & Definitions
AV (Antivirus): We’ll start with an easy one. Antivirus is a type of software that is designed to prevent, search for, detect and remove viruses and other malware from a computer. AV software is typically installed on the endpoint to block malicious software from infecting the machine, mobile device or network. It works by scanning a file, program or application and comparing a specific set of code with information stored in its database. If the software finds code that is identical or similar to a piece of known malware in the database, that code is deemed malicious and is quarantined or removed.
DLP (Data Loss Prevention): A set of policies, practices and tools used to ensure that sensitive data is not lost, misused or accessed by unauthorized users. DLP solutions perform both content inspection and contextual analysis of data sent from or across corporate networks to provide visibility into who is accessing data and systems (and from where) and filter data streams to restrict suspicious or unidentified activity. DLP solutions are usually deployed as a way to reduce the risk of sensitive data leaking outside an organization, and some solutions can also go beyond simple monitoring and detection to provide alerts, enforce encryption and isolate data as needed.
EDR (Endpoint Detection and Response): An integrated endpoint security solution designed to detect, investigate and respond to cyber threats. EDR solutions offer greater visibility into what’s happening on endpoints by recording granular endpoint activity and monitoring for signs of malicious behavior. If the EDR technology detects any of these malicious signs, it will provide security analysts with the necessary information to conduct both reactive and proactive threat investigations and minimize the impact of an attack.
Firewall: A type of network security system that monitors traffic to or from a network. A firewall acts as an outer barrier that either allows or blocks network traffic based on a predefined set of rules. It scans specific data packets—units of communication sent over networks—for malicious code or known threats. Should a data packet be flagged, the firewall prevents it from entering the network.
IDS (Intrusion Detection System): A form of network security that uses known intrusion signatures to detect and analyze both inbound and outbound network traffic for abnormal activities. An IDS focuses on monitoring for malicious intent or signs of compromise and, when it detects them, sends alerts to the system administrators or security personnel. Intrusion detection systems are designed to warn of suspicious activity taking place, but they don't prevent it.
IPS (Intrusion Prevention System): A form of network security that can identify malicious activity, collect information about said activity, report it and attempt to block or stop it. An IPS works by actively scanning and analyzing network traffic for malicious activities and known attack patterns. Similar to an IDS, intrusion prevention systems are designed to warn of suspicious activity, but the key difference is that they can also take automated action and respond to active threats based on a predetermined set of rules.
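The IDS/IPS distinction drawn in the two entries above, as an added Python illustration that is not part of the original page: both tools run the same signature matching over the same traffic, but the IDS only raises alerts while the IPS also drops the matching packets. The signature ids, patterns, addresses and packet records are constructed sample values.

```python
"""Signature-based IDS versus IPS on a constructed packet stream (added example)."""
from dataclasses import dataclass

# Constructed signature set: (signature id, traffic direction it applies to, pattern).
SIGNATURES = [
    ("SIG-1001", "inbound", "/etc/passwd"),          # path traversal attempt in a request
    ("SIG-2001", "outbound", "BEGIN_EXFIL_MARKER"),  # placeholder marker for data leaving the network
]

@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" or "outbound" relative to the protected network
    src: str
    dst: str
    payload: str

def match_signatures(pkt):
    """Return the ids of every signature whose pattern appears in this packet's payload."""
    return [sid for sid, direction, pattern in SIGNATURES
            if direction == pkt.direction and pattern in pkt.payload]

def ids_inspect(packets):
    """IDS behaviour: alert on matches, but forward every packet unchanged."""
    alerts = [(pkt.src, pkt.dst, sid) for pkt in packets for sid in match_signatures(pkt)]
    return alerts, list(packets)

def ips_inspect(packets):
    """IPS behaviour: identical detection, but matching packets are dropped (rule: block on match)."""
    alerts, forwarded = [], []
    for pkt in packets:
        hits = match_signatures(pkt)
        if hits:
            alerts.extend((pkt.src, pkt.dst, sid) for sid in hits)
        else:
            forwarded.append(pkt)
    return alerts, forwarded

# Constructed sample traffic: two benign packets, one inbound match and one outbound match.
SAMPLE_TRAFFIC = [
    Packet("inbound", "203.0.113.5", "192.0.2.10", "GET /index.html HTTP/1.1"),
    Packet("inbound", "203.0.113.7", "192.0.2.10", "GET /../../etc/passwd HTTP/1.1"),
    Packet("outbound", "192.0.2.22", "198.51.100.9", "POST /upload BEGIN_EXFIL_MARKER"),
    Packet("outbound", "192.0.2.22", "198.51.100.9", "GET /update.json HTTP/1.1"),
]

if __name__ == "__main__":
    ids_alerts, ids_forwarded = ids_inspect(SAMPLE_TRAFFIC)
    ips_alerts, ips_forwarded = ips_inspect(SAMPLE_TRAFFIC)
    print(f"IDS: {len(ids_alerts)} alerts, {len(ids_forwarded)}/{len(SAMPLE_TRAFFIC)} packets forwarded")
    print(f"IPS: {len(ips_alerts)} alerts, {len(ips_forwarded)}/{len(SAMPLE_TRAFFIC)} packets forwarded")
```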
MDR (Managed Detection and Response): A combination of technology and human expertise that tightly focuses on detecting, analyzing and responding to the threats that have snuck past preventive tools. MDR technology collects and analyzes information from logs, events, networks, endpoints and user behavior—which is then paired with a team of experts who can take over to validate incidents, escalate critical events and provide recommended response actions so threats can be quickly remediated. MDR services are managed or co-managed by an outside partner to provide value to organizations that either have limited resources or lack the expertise to keep eyes on all of their potential attack surfaces.
MFA (Multi-Factor Authentication): An authentication method that requires users to provide two or more verification factors before granting access or signing in. These factors can include something only the user would know (e.g., password/PIN), something only the user would have (e.g., token) or something only the user is (e.g., biometric). MFA then uses these factors to confirm the identity of someone who is requesting access to an application, website or another resource.
NDR (Network Detection and Response): An integrated network security solution designed to detect threats and suspicious behavior on an organization's networks using non-signature-based techniques (such as machine learning and other analytical techniques). NDR solutions track north/south network traffic that crosses the perimeter, as well as east/west lateral traffic to establish a baseline of normal behavior and raise alerts when anomalous behavior is detected. NDR solutions give security teams real-time visibility and awareness over network traffic and the ability to respond to perceived threats.
NGAV (Next-Generation Antivirus): An expanded version of antivirus that goes beyond performing signature-based detection—typically by incorporating some type of advanced technology—to prevent a wider range of attacks. Unlike traditional AV, next-generation AV focuses on events (files, processes, applications, network connections, etc.) to help identify malicious intent or activity. NGAV has emerged in recent years to address the proliferation of new types of malware and viruses that can easily bypass traditional AV.
Password Manager: A tool that allows users to store, generate and manage their passwords for local applications and online services. A password manager will house a user’s passwords, as well as other information, in one convenient location with one master password. Also, it can assist in generating and retrieving complex passwords.
SIEM (Security Information and Event Management): A software solution that aggregates and analyzes activity from many different sources across an entire IT infrastructure. A SIEM gathers immense amounts of data from an entire networked environment, then consolidates it and makes it human-accessible. With the data categorized and laid out, SIEM solutions are often used by security operations centers (SOCs) to streamline visibility across an environment, centralize data for security monitoring and investigate logs and events for incident response.
SOAR (Security Orchestration, Automation and Response): A collection of software solutions and tools that aggregate security intelligence and context from disparate systems and apply machine intelligence to streamline (or even completely automate) the threat detection and response process. SOAR combines three software capabilities: the management of threats and vulnerabilities (orchestration), automating security operations (automation) and responding to security incidents (response). Due to these aggregation and automation capabilities, SOAR solutions are often used by security operations centers (SOCs) to collect threat-related data from a range of sources and automate the responses to certain threats.
SOC (Security Operations Center): A centralized unit that deals with security issues on an organizational and technical level. SOCs are typically staffed with a team of domain experts (either in-house or outsourced) who focus on preventing, detecting, analyzing and responding to cybersecurity incidents. A SOC acts as a central command post that continuously monitors an organization’s environments and toolsets and improves its security posture.
Threat Hunting: The practice of searching through environments to detect and isolate advanced threats that evade existing security solutions. Threat hunting combines technology, threat intelligence and methodical humans to find and stop malicious activities. Generally, threat hunting is performed by security analysts, or threat hunters, who use their highly tuned skills to zero in on potential threats or attackers who have snuck into a protected environment.
XDR (Extended Detection and Response): A security technology that provides extended visibility, analysis, detection and response across an entire IT environment. XDR solutions access data from multiple sources to detect more advanced attackers and quickly respond to those threats. XDR solutions are usually composed of EDR, NDR, NGAV and cloud monitoring tools, and have some ability to aggregate logs and orchestrate actions across what they detect.
The information security and cybersecurity realm has countless terms and acronyms. Those listed here are among the predominant terminology questions we get regarding infosec and cybersecurity today.
We’ll continue to add more as we get questions regarding terminology; if you see a term or acronym that you don't understand, shoot us an email and ask what it means - we'll send a response directly to you, and we'll add it to the list.
And we'll also start diving deeper and exploring some of these terms in more detail. Watch our Resources section for more!