The best cybersecurity strategy requires building a good defense. Much of the attention in cybersecurity focuses on what the bad guys are doing — we see depictions of hackers and cyber defenders doing vague things like “cracking encryption” or “bypassing the firewall.” But what exactly do the good guys do to keep an organization safe? Here are some key terms you should be familiar with when it comes to building and running a cybersecurity program capable of defending your business against the bad guys.
Endpoint Detection & Response (EDR) and Managed Detection & Response (MDR)
- What is it: Anti-virus (AV) is where it started, but malicious software (malware) has gotten smarter, which means we need smarter tools to detect and respond. That’s where Endpoint Detection and Response (EDR) comes into play. Traditional AV software uses signatures of known malware, which requires researchers to first analyze the malware, create a signature, and then push out updated signatures to all users of the AV software. Malware spreads much faster than this process, rendering traditional AV ineffective.
- How is it used: EDR uses advanced techniques like artificial intelligence (AI) and machine learning (ML), and shares data across devices running the EDR software. By monitoring a specific endpoint — typically a computer system like a server or a laptop, although endpoints can also include smart devices and network infrastructure — the EDR software agent is able to identify what normal activity looks like. Anything that deviates from this baseline can be flagged, quarantined, or eradicated immediately, and the resulting data is shared across all endpoints to help their EDR agents defend against emerging malware faster than the old AV approach. MDR adds a managed service on top of EDR to provide human-powered services like digital forensics or ransomware recovery and is typically offered by the EDR provider.
- Learn more: Coalition advocates for EDR anywhere you can possibly deploy it! Check out our EDR partners Malwarebytes and SentinelOne, and remember, Coalition policyholders get a discount! You can learn more about these solutions and access your discount in Coalition Control.
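To make the "baseline and deviation" idea above concrete, here is a small added example (written for this article, not code from any EDR vendor or from Coalition) that mimics the core loop of an EDR agent: it learns which parent/child process pairs are normal for each host during a learning window, quarantines anything outside that baseline, and pushes the offending file hash to a blocklist shared by every agent so a second endpoint blocks it on first sight. Hosts, process names and hashes are constructed placeholders, and the "quarantine" and "block" are just verdict strings.

```python
"""Toy EDR-style behavioural baseline with cross-endpoint sharing (constructed example)."""
from collections import defaultdict

# Constructed telemetry: (host, parent_process, child_process, file_hash_placeholder).
# In a real agent this would come from process-creation events on the endpoint.
BASELINE_WINDOW = [
    ("laptop-01", "explorer.exe", "outlook.exe", "hash-aaaa"),
    ("laptop-01", "outlook.exe", "winword.exe", "hash-bbbb"),
    ("laptop-01", "explorer.exe", "chrome.exe", "hash-cccc"),
    ("server-01", "services.exe", "sqlservr.exe", "hash-dddd"),
    ("server-01", "services.exe", "w3wp.exe", "hash-eeee"),
]

# Constructed events observed after the baseline was learned.
NEW_EVENTS = [
    ("laptop-01", "explorer.exe", "chrome.exe", "hash-cccc"),       # seen before: normal
    ("laptop-01", "winword.exe", "powershell.exe", "hash-ffff"),    # never seen on this host: deviation
    ("server-01", "services.exe", "w3wp.exe", "hash-eeee"),         # seen before: normal
    ("server-02", "explorer.exe", "powershell.exe", "hash-ffff"),   # same file hash on another endpoint
]


def build_baseline(events):
    """Learn the set of (parent, child) process pairs that are normal on each host."""
    baseline = defaultdict(set)
    for host, parent, child, _digest in events:
        baseline[host].add((parent, child))
    return baseline


def evaluate(events, baseline, shared_blocklist):
    """Return one (host, child, verdict) per event.

    Verdicts:
      allowed        - the parent/child pair is in this host's baseline
      quarantined    - first deviation from baseline; its hash is added to the shared blocklist
      blocked-shared - hash already flagged by another endpoint, blocked without re-analysis
    """
    verdicts = []
    for host, parent, child, digest in events:
        if digest in shared_blocklist:
            verdicts.append((host, child, "blocked-shared"))
            continue
        if (parent, child) in baseline[host]:
            verdicts.append((host, child, "allowed"))
            continue
        # Deviation from the learned baseline: act locally, then share the indicator.
        shared_blocklist.add(digest)
        verdicts.append((host, child, "quarantined"))
    return verdicts


def run_demo():
    """Run the learning window, then the new events, and return verdicts plus the shared list."""
    baseline = build_baseline(BASELINE_WINDOW)
    shared_blocklist = set()
    verdicts = evaluate(NEW_EVENTS, baseline, shared_blocklist)
    return verdicts, shared_blocklist


if __name__ == "__main__":
    for verdict in run_demo()[0]:
        print(verdict)
```

Note the last event: server-02 has no baseline at all, yet the agent there never has to analyze the file, because the hash was shared the moment laptop-01 quarantined it. That is the speed advantage over the signature-push cycle described above. A real agent would of course score far more than parent/child pairs (command lines, network connections, file writes), but the baseline-then-deviate shape is the same.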
Managed (Security) Service Provider (MSP/MSSP)
- What is it: MSPs are service providers that handle key functions like IT management, and because cybersecurity is such a vital part of modern business, the Managed Security Service Provider (MSSP) market is growing quickly. MSPs and MSSPs can be generalist firms that offer a broad range of services or may be highly specialized — an MDR provider is a good example of a targeted MSSP focused on malware detection and incident response services.
- How is it used: MSPs and MSSPs provide businesses with IT services and support resources that would otherwise be cost-prohibitive. Cloud providers like AWS and Microsoft Azure are great examples: the amount of money required to build, run, and maintain your own network of global data centers and communications infrastructure is enormous. These shared services give even the smallest companies access to more robust tools and capabilities, and MSSPs can be useful in building out security functions like 24x7 security monitoring or vulnerability and patch management. Many cybersecurity hardware and software vendors offer service packages that allow businesses to integrate their products without the need for full-time staff, reducing the cost of owning and operating a more robust cybersecurity program.
- Learn more: Coalition Control provides automated scanning & monitoring as a free service to our policyholders, as well as discounts for other managed service offerings.
Governance, Risk, & Compliance (GRC)
- What is it: GRC can be tricky to pin down because it is both a set of business processes as well as a specific type of software. Governance is the process of defining and managing business operations, like putting up guard rails to help employees achieve the business goals within defined parameters. Risk refers to the process of risk management and typically involves identifying, analyzing, and mitigating both cyber and operational risks. Compliance deals with external mandates like privacy laws and information security regulations, which require the business to implement certain processes and procedures.
- How is it used: GRC software is used to perform the vital functions across each of the three practice areas, like writing policies or inventorying information system assets (G), managing a risk register and documenting risk mitigations (R), and documenting the implementation of controls to meet compliance frameworks (C). A business's GRC professionals may be responsible for coordinating and executing these activities (all of which center around understanding and managing risk), and one or more GRC software tools may be implemented to support their operations.
- Learn more: The OCEG is a great resource for learning about GRC and how it can enable your business to achieve key objectives. You can also check out Coalition’s GRC partner, Reciprocity, from your Coalition Control dashboard.
For 10 simple steps you can take today to protect your business, download the Coalition Cybersecurity Checklist.
Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR)
- What is it: Cybersecurity is ultimately a data game. We are trying to protect valuable data and the systems that process it, but monitoring what’s happening with the data and systems is a monumental task. SIEM tools allow us to achieve near real-time monitoring of even very complex IT environments where thousands or even millions of events happen every day — things like users logging in or accessing data. SOAR takes this a step further by correlating vast amounts of that data to detect suspicious activity, then taking appropriate steps to remediate issues automatically.
- How is it used: SIEM tools primarily focus on computer logs, which are the record of all events that happen on a system. The SIEM centralizes logs from disparate systems and performs analysis to identify anomalous or suspicious activity. This analysis can then be used by security personnel to investigate; given the volume of data that we generate every day when using computers, this is an impossible task without the speed a computer brings to the analysis task! SOAR takes the security game to the next level by orchestrating the data gathered via logs (where SIEM is focused) and incorporating data from security tools like EDR and external threat intelligence feeds. This information can be used to perform automated responses, helping computer systems respond to and defend themselves against attacks much faster than a human incident response team.
- Learn more: SIEM platforms are a relatively mature set of tools, while SOAR is an emerging category that will require a few years to reach maturity. The Infosec Institute has good primer guides for both SIEM and SOAR.
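The "How is it used" paragraph above describes three stages: the SIEM centralizes logs from disparate systems, analyzes them for suspicious activity, and SOAR then enriches the result with outside data (EDR, threat intelligence) and drives an automated response. The example below, added here and not taken from any SIEM or SOAR product, walks through all three on constructed input: a Linux sshd syslog line and a Windows-style JSON logon event are normalized into one schema, a sliding-window rule flags a source address with repeated failed logins across both hosts, and a playbook decides actions based on a constructed threat-intelligence list. Host names, IP addresses (from the documentation ranges), usernames and the feed are all made up for the example; the "actions" are returned as tuples rather than actually executed.

```python
"""Toy SIEM + SOAR pipeline: normalize, detect, enrich, respond (constructed example)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines from two disparate sources (syslog text and JSON events).
SYSLOG_LINES = [
    "2024-05-01T10:00:01Z server-01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2",
    "2024-05-01T10:00:03Z server-01 sshd[1203]: Failed password for root from 203.0.113.9 port 50124 ssh2",
    "2024-05-01T10:00:05Z server-01 sshd[1205]: Accepted password for alice from 198.51.100.4 port 41000 ssh2",
]
WINDOWS_JSON_EVENTS = [
    '{"time": "2024-05-01T10:00:04Z", "host": "dc-01", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.9"}',
    '{"time": "2024-05-01T10:00:06Z", "host": "dc-01", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.9"}',
    '{"time": "2024-05-01T10:00:07Z", "host": "dc-01", "EventID": 4624, "TargetUserName": "bob", "IpAddress": "198.51.100.7"}',
]
THREAT_INTEL_IPS = {"203.0.113.9"}  # constructed external feed of known-bad addresses

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize_syslog(line):
    """Map an sshd syslog line onto the common schema; None if it is not a logon event."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": _parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
            "src_ip": m["ip"], "outcome": "failure" if m["result"] == "Failed" else "success"}


def normalize_windows(line):
    """Map a Windows-style JSON logon event (4624 success / 4625 failure) onto the common schema."""
    e = json.loads(line)
    if e["EventID"] not in (4624, 4625):
        return None
    return {"ts": _parse_ts(e["time"]), "host": e["host"], "user": e["TargetUserName"],
            "src_ip": e["IpAddress"], "outcome": "failure" if e["EventID"] == 4625 else "success"}


def detect_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Alert on any source IP with >= threshold failed logons inside a sliding time window."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            failures[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hit = evs[start:end + 1]
                alerts.append({"src_ip": ip, "count": len(hit),
                               "users": sorted({x["user"] for x in hit}),
                               "hosts": sorted({x["host"] for x in hit})})
                break  # one alert per source is enough for this example
    return alerts


def soar_playbook(alert, threat_intel):
    """Enrich the alert with the feed and return the response actions (not executed here)."""
    severity = "high" if alert["src_ip"] in threat_intel else "medium"
    actions = [("block_ip", alert["src_ip"])]
    if severity == "high":
        # Known-bad source: also protect the targeted accounts without waiting for an analyst.
        actions += [("force_password_reset", user) for user in alert["users"]]
    actions.append(("open_ticket", f"{severity} brute force from {alert['src_ip']} on {','.join(alert['hosts'])}"))
    return {"severity": severity, "actions": actions}


def run_pipeline():
    """SIEM stage (normalize + detect) followed by SOAR stage (enrich + respond)."""
    events = [n for n in map(normalize_syslog, SYSLOG_LINES) if n]
    events += [n for n in map(normalize_windows, WINDOWS_JSON_EVENTS) if n]
    alerts = detect_bruteforce(events)
    responses = [soar_playbook(a, THREAT_INTEL_IPS) for a in alerts]
    return alerts, responses


if __name__ == "__main__":
    for alert, response in zip(*run_pipeline()):
        print(alert, response)
```

The point the example makes is in `detect_bruteforce`: neither host on its own sees three failures from 203.0.113.9 within the first few seconds, but the centralized, normalized stream does, which is exactly what the SIEM brings. The SOAR stage then changes what happens next based on data the logs never contained (the threat feed), and the playbook's output is a list of actions a human can review or an orchestration tool can execute.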
Making sense of it all
Security is fast-paced, and the terminology is a challenge. The acronyms and concepts in this guide are far from exhaustive but explain some of the most common issues we see at Coalition in terms of questions, incidents, and insurance claims.
If you’d like to learn more, we encourage you to check out the Coalition Learning Center, where you’ll find explainer articles on common security and insurance topics, as well as links to help you implement many of these recommendations.
Coalition Control offers access to free cybersecurity tools and services, and for Coalition policyholders, it also contains links to discounted security services from our partner network. For specific questions or additional details, you can always reach us at firstname.lastname@example.org, and we’ll be happy to set up a time to discuss how to improve your security and reduce your cyber risk.