Cybersecurity Vocabulary & Glossary
Term | Definition |
--- | --- |
What is a SOC | |
CERT | Computer Emergency Response Team |
CIRC | Computer Incident Response Center (or Capability) |
CIRT | Computer Incident Response Team |
CND | Computer Network Defense |
Constituency | A bounded set of users, sites, IT assets, networks, and organizations which are served by a SOC |
CSIRC | Computer Security Incident Response Center (or Capability) |
CSIRT | Computer Security Incident Response Team |
CSOC | Cybersecurity Operations Center |
Incident | an assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system; or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies. |
SIEM | Security Information and Event Management |
SOC | Security Operations Center. A SOC is a team primarily composed of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents. It must provide: 1. a means to report suspected incidents 2. incident handling assistance 3. sharing of incident information with constituents and external parties |
Tier 1 | real-time monitoring, fielding phone calls |
Tier 2 | in-depth analysis |
Mission and Operations | |
CIO | Chief Information Officer |
CISO | Chief Information Security Officer |
Event | Any observable occurrence in a system or network; may be simply benign or may spawn an incident |
Forensic analysis | Determining the nature of an attack from artifacts collected in support of an incident, such as hard drive images or full-session packet capture (PCAP), or by reverse engineering malware samples |
HIPS | Host intrusion prevention system |
IDS | Intrusion Detection System |
IPS | Intrusion Prevention System |
ISCM | Information Security Continuous Monitoring; responsible for incident detection and response |
ISSO | Information System Security Officer; usually involved with IT compliance and ensuring the security of specific systems |
NIPS | Network intrusion prevention system |
NOC | Network Operations Center |
PSM | Physical security monitoring (e.g., “gates, guards, and guns”) |
COTS | Commercial Off-The-Shelf |
FOSS | Free or Open Source Software |
Characteristics | |
Characteristics of the SOC | 1. Organizational relationship 2. Distribution of resources 3. Authority |
Coordinating SOC | The SOC mediates and facilitates CND activities between multiple subordinate, distinct SOCs. |
Internal centralized SOC | A dedicated team of IT and cybersecurity professionals reports to a SOC manager who is responsible for overseeing the CND program. |
Internal distributed SOC | One person or a small group is responsible for coordinating security operations, but the heavy lifting is carried out by individuals who are matrixed in from other organizations |
MSSP | Managed Security Service Provider (external SOC) |
Security team | No dedicated team, resources are gathered (usually from within the constituency) to deal with the problem, reconstitute systems, and then stand down. |
Organizational Model | |
Authority | |
No authority | The SOC can only suggest or influence; it cannot direct action |
Shared authority | Make recommendations, giving the SOC a vote but not the final say. |
Full authority | The SOC can direct action without seeking or waiting for approval or support (in practice, authority is never absolute) |
Reactive | An incident is either suspected or confirmed. Actions are usually more tactical in nature and temporary |
Proactive | Preemption of a perceived threat, before direct evidence of an incident is uncovered. These actions are more strategic |
Capabilities | |
Real-Time Analysis | Call Center, monitoring |
Intel and Trending | Trending, Analysis, Response |
Artifact Analysis | Artifact Handling, Malware Analysis, |
SOC Tool Life-Cycle Support | Border Protection Device, Sensor Tuning, Tool Research |
Audit and Insider Threat | Audit Data, Insider Threat Support and Investigation, Network Mapping, Vulnerability Scanning, Penetration Testing |
Outreach | Product Assessment, Security Consulting, Training and Awareness, Media Relations |
Situational Awareness | |
SA | Situational Awareness. The perception of the elements of the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future (a definition that originated in aviation). Built from: 1. Information: sensor data, cyber intel, news, product vulnerabilities 2. Interpreting and processing that information 3. Depicting the information visually |
Network | |
Network | Assets, topology, applications, and the vulnerabilities of hosts and applications as seen from the network |
Mission | |
Threat | |
Adversaries | 1. Capability, including skill level and resources 2. Intent and motivation 3. Probability of attack 4. Access (legitimate or otherwise) 5. Impact 6. Actions: past, present and projected |
Incident Tip-offs | |
Cyber attack life cycle | 1. Recon - the adversary identifies and investigates targets 2. Weaponize - attack tools are packaged for delivery and execution 3. Deliver - attack tools are delivered to the target 4. Exploit - the initial attack 5. Control - the adversary directs the victim system 6. Execute - the adversary fulfills the mission 7. Maintain - long-term access is preserved |
Tools and Data Quality | |
From Tip-offs to Ground Truth | |
False positives | A positive indicator that is incorrect: the detector fires on benign activity, costing analyst time and eroding trust in the alert source |
Detection | |
Intrusion detection approaches | 1. Signature-based detection – relies on a priori knowledge of how to characterize malicious behavior (known patterns), so it cannot see attacks it has no signature for 2. Anomaly detection – builds a model of what normal or benign behavior looks like and alerts whenever it observes something that falls outside that model |
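As an added example (not code from the original page), the following runs both approaches over a handful of constructed web-server log lines. The signature detector catches a SQL injection tautology and a path traversal attempt but also fires on a benign search query (a false positive); the anomaly detector learns a per-host request-volume baseline from a "known good" window and catches a scanning host that no signature matches, while missing the single-request injection. The log lines, the host labels used as ground truth, and the signatures are all constructed for illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote_plus

# Constructed log lines in the form "<src_ip> <method> <path>" (made up, not real traffic).
# A "known good" window used only to learn what normal per-host volume looks like.
BASELINE_LOGS = [
    "10.0.0.5 GET /index.html", "10.0.0.5 GET /about.html", "10.0.0.5 GET /contact.html",
    "10.0.0.7 GET /index.html", "10.0.0.7 GET /about.html",
    "10.0.0.9 GET /index.html", "10.0.0.9 GET /login", "10.0.0.9 POST /login", "10.0.0.9 GET /account",
    "10.0.0.12 GET /index.html", "10.0.0.12 GET /docs",
    "10.0.0.13 GET /index.html", "10.0.0.13 GET /about.html", "10.0.0.13 GET /contact.html",
]
# The window under observation.
OBSERVED_LOGS = [
    "10.0.0.5 GET /index.html",
    "10.0.0.5 GET /about.html",
    "10.0.0.7 GET /search?q=student+union+select+committee",  # benign, but trips a naive signature
    "10.0.0.9 GET /login",
    "10.0.0.9 POST /login?user=admin%27+OR+%271%27%3D%271",   # SQL injection tautology
    "10.0.0.11 GET /files?name=..%2F..%2Fetc%2Fpasswd",       # path traversal
    "10.0.0.13 GET /contact.html",
] + [f"10.0.0.66 GET /page{i}" for i in range(40)]             # one host sweeping 40 pages
# Constructed ground-truth labels: which hosts in the observed window are actually hostile.
MALICIOUS_HOSTS = {"10.0.0.9", "10.0.0.11", "10.0.0.66"}

# Signature-based detection: a priori patterns of known-bad input, applied to the decoded path.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)),
    ("sqli-union", re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)),  # too loose: see the search query
    ("path-traversal", re.compile(r"\.\./")),
]


def parse(line):
    """Split a log line into (ip, method, url-decoded path)."""
    ip, method, path = line.split(" ", 2)
    return ip, method, unquote_plus(path)


def signature_detect(logs):
    """Return (ip, signature_name, decoded_path) for every line matching a known-bad pattern."""
    hits = []
    for line in logs:
        ip, _, path = parse(line)
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                hits.append((ip, name, path))
    return hits


def learn_baseline(logs):
    """Anomaly detection step 1: model 'normal' as mean and spread of requests per host."""
    per_host = list(Counter(parse(line)[0] for line in logs).values())
    return mean(per_host), pstdev(per_host)


def anomaly_detect(logs, baseline, z=3.0):
    """Anomaly detection step 2: flag hosts whose request count is more than z std devs above normal."""
    mu, sigma = baseline
    sigma = sigma or 1.0  # degenerate (zero-variance) baseline: fall back to a spread of one request
    counts = Counter(parse(line)[0] for line in logs)
    return [(ip, n, round((n - mu) / sigma, 1)) for ip, n in counts.items() if n > mu + z * sigma]


def evaluate(alerted_hosts, malicious_hosts):
    """Compare alerted hosts against ground truth to expose false positives and false negatives."""
    alerted, malicious = set(alerted_hosts), set(malicious_hosts)
    return {
        "true_positives": alerted & malicious,
        "false_positives": alerted - malicious,   # alerts on benign hosts (analyst time wasted)
        "false_negatives": malicious - alerted,   # hostile hosts the approach never saw
    }


if __name__ == "__main__":
    sig_hits = signature_detect(OBSERVED_LOGS)
    anomalies = anomaly_detect(OBSERVED_LOGS, learn_baseline(BASELINE_LOGS))
    print("signature:", evaluate([h[0] for h in sig_hits], MALICIOUS_HOSTS))
    print("anomaly:  ", evaluate([a[0] for a in anomalies], MALICIOUS_HOSTS))
    print("combined: ", evaluate([h[0] for h in sig_hits] + [a[0] for a in anomalies], MALICIOUS_HOSTS))
```

Run stand-alone, the signature pass reports one false positive (10.0.0.7) and misses the scanner; the anomaly pass catches the scanner and misses the two single-request attacks; only the union of the two covers every hostile host, which is why a SOC typically runs both and then tunes the signatures that generate the most false positives.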
Data Quantity | |
Too much data | 1. Signal is lost in the noise 2. Systems cannot handle the data load |
Agility | |
Lack of Agility of SOC | A SOC that lacks speed and freedom of action may be unable to spot and repel attacks in time. |
APT | Advanced Persistent Threat |
TTP | Tactics, Techniques, and Procedures |
OODA Loop | Observe–Orient–Decide–Act. A party that can run this cycle quickly, observing and reacting to unfolding events more rapidly than its opponent, can "get inside" the opponent's decision cycle and gain the advantage. |
Microsoft Security Video