3-Minute Breakdown of Cybersecurity’s Biggest Buzzwords

January 26, 2018

Cybersecurity, as a technology industry, is particularly loaded with misconstrued buzzwords and competing acronyms that obscure genuinely useful infosecurity capabilities. If your BS-o-meter has been throwing alerts as you browse the web, there's good reason. Let's cut to the chase and separate fact from fiction regarding cybersecurity's biggest buzzwords.

Artificial Intelligence, Machine learning, and User and Entity Behavior Analytics

That’s right. These big three really all belong in one group. Artificial intelligence (AI) and machine learning (ML) are two very significant concepts right now, and often seem to be used interchangeably. However, while related, they are not quite the same thing. Artificial intelligence is the wider concept of machines being able to carry out tasks in a way that we would consider "smart" while ML is the application of AI based on the idea that machines should be able to learn on their own from the data provided to them.

An actionable security intelligence platform uses machine learning to understand and predict normal system activities and event occurrences within an enterprise. In the context of cybersecurity, machine learning is leveraged for User and Entity Behavior Analytics (UEBA).

UEBA capabilities use machine learning to gain an understanding of how users (humans) and entities (machines) typically behave within an environment. UEBA then looks for risky, anomalous activity that deviates from that normal behavior and alerts on what may indicate a threat. Common examples include a user accessing a system at an unusual time or from an unusual location, or simply accessing a system that is not part of their routine. In terms of entity behavior, an example would be a compromised computer being used as an entry point to attempt logins to various other servers and assets.
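As an added illustration (not EventTracker's code and not part of the original post), here is a toy version of the two UEBA checks described above, run over constructed login events: a per-user baseline of login hours and locations, and a per-host count of distinct login targets. All event data, names and thresholds are made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not from any real system).
# Fields: ISO timestamp, user, source host, destination host, location.
EVENTS = [
    ("2018-01-22T09:05:00", "alice", "ws-01", "fileserver", "NYC"),
    ("2018-01-23T09:12:00", "alice", "ws-01", "fileserver", "NYC"),
    ("2018-01-24T08:58:00", "alice", "ws-01", "mail", "NYC"),
    ("2018-01-25T09:20:00", "alice", "ws-01", "fileserver", "NYC"),
    ("2018-01-26T03:14:00", "alice", "ws-01", "fileserver", "Kiev"),  # odd hour, new location
    ("2018-01-26T10:01:00", "bob", "ws-07", "db-01", "NYC"),
    ("2018-01-26T10:01:05", "bob", "ws-07", "db-02", "NYC"),
    ("2018-01-26T10:01:09", "bob", "ws-07", "hr-app", "NYC"),
    ("2018-01-26T10:01:12", "bob", "ws-07", "fileserver", "NYC"),
]
# Events before this timestamp form the "normal" baseline (arbitrary choice).
BASELINE_END = "2018-01-26T00:00:00"

def build_user_baseline(events, baseline_end):
    """Per user: the set of login hours and locations seen during the baseline window."""
    baseline = defaultdict(lambda: {"hours": set(), "locations": set()})
    for ts, user, _src, _dst, loc in events:
        if ts < baseline_end:  # ISO timestamps sort correctly as strings
            baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
            baseline[user]["locations"].add(loc)
    return baseline

def user_anomalies(events, baseline, baseline_end, hour_slack=1):
    """Flag post-baseline logins from an unseen location or at an hour more than
    hour_slack away from every hour in the user's baseline. Users with no
    baseline are skipped here; a real UEBA would treat them separately."""
    findings = []
    for ts, user, _src, dst, loc in events:
        if ts < baseline_end or user not in baseline:
            continue
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if loc not in baseline[user]["locations"]:
            reasons.append(f"new location {loc}")
        if all(abs(hour - h) > hour_slack for h in baseline[user]["hours"]):
            reasons.append(f"unusual hour {hour:02d}:00")
        if reasons:
            findings.append((user, dst, ts, reasons))
    return findings

def entity_anomalies(events, max_targets=3):
    """Flag a source host that authenticates to more distinct destinations than
    the threshold, the entity-side pattern of one machine probing many servers."""
    targets = defaultdict(set)
    for _ts, _user, src, dst, _loc in events:
        targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) > max_targets}
```

Running the two checks over the sample flags alice's 03:14 login from a new location and the ws-07 host fanning out to four different servers within seconds.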

All of this analysis, correlation, and reporting is done by first collecting and storing event and log data within the SIEM (Security Information and Event Management) technology – an actionable security intelligence platform.

Security Orchestration and Automated Response (SOAR)

Machine learning capabilities allow a platform to more effectively find the proverbial "needle in a haystack" by detecting and alerting on real threats while minimizing false positives. But security analysts still need to respond to those incidents. EventTracker incorporates SOAR functionality to reduce response times, improve remediation consistency, and increase SOC productivity. For instance, unknown processes can be immediately terminated, monitored for propagation of suspected malware, and logged in an incident report in the enterprise's IT management platform (Security Orchestration). In such a case, when EventTracker detects a threat, it does not just "say something", it "does something" (Automated Response).

Intelligence-Driven Security Operations Center (iSOC)

Technology is only part of the equation. Many organizations lack the staff and resources to realize the full potential of their investment in threat lifecycle management. A comprehensive managed solution includes a team of security analysts armed with global and local threat intelligence, layered on top of a SIEM platform to perform 24/7 monitoring, analysis, and incident response. This is essentially SOC-as-a-Service. The "i" in iSOC means that this group includes a threat research lab, which in some cases is an entity in and of itself.

An iSOC typically consists of:
  • SOC Analysts: Tier 1 and 2 security analysts monitoring events, delivering critical observations reports (COR), and responding to early warning health alarms
  • CSIRT: Tier 3 incident response analysts reviewing the COR and managing priority 1 incidents
  • Threat Research Lab: Analysts focused on collating indicators of compromise (IOC) from multiple sources
  • Platform Specialists: SIEM administrators who collaborate with engineering on product enhancements and fixes, and perform routine tuning to optimize the installation

With SIEMphonic, the iSOC learns the unique needs of an organization and manages systems administration and tuning, builds out response playbooks, and delivers regular executive summaries and critical observation reports (CORs). This co-managed SIEM solution is, for many organizations, a much more cost-effective way to achieve security and compliance results.

So, there you have it. Artificial intelligence (AI), machine learning (ML), User and Entity Behavior Analytics (UEBA), Security Orchestration and Automated Response (SOAR), and Intelligence-Driven Security Operations Center (iSOC) are terms that are often misconstrued or misused, but when properly understood, they do describe beneficial cybersecurity concepts and capabilities. The best way to apply them to your organization depends on your unique situation. Talk to a Netsurion expert to find out what cybersecurity solution is right for you.