This is a living document that will be updated from time to time with information security terminology that is both specific to our business and, more generally, the information security industry as a whole.
Content*: Content is the defensive data that we create to arm, detect, and defend a customer network against attacks. Content can include (but is not limited to) hashes, IP addresses, security information and event management (SIEM) correlations rules, and more. This content is aligned with scenarios (defined below) and organized into use-cases (also defined below). All content is tagged, and if certain content relates to certain vulnerabilities, then we can improve hygiene as we curate content (see content curation).
Content Curation*: Content curation is the process of analyzing threat intelligence and mining network sensors and other IT equipment to create content. This content is ultimately added to security and IT devices to defend customer networks against known malicious activity.
Hygiene: Hygiene is a measure of system integrity within a given network. System-level vulnerabilities are a major hygiene factor, and patching vulnerabilities by installing security updates might be the most important driver of hygiene improvement. However, the age of systems and the level of technical wear they have endured are additional contributors to an organization’s overall hygiene. So too is the architecture of the network and the nature of an organization’s development operations process.
Maturity Model Assessment*: A company’s maturity model is a measure of its ability to detect and defend against threats. As such, MKACyber performs an audit near the beginning of our customer engagements and quarterly throughout our period of performance, an audit in which we attempt to collect data from, and determine the customer’s ability to access, various IT gear and sensors on a their network. In essence, we are trying to figure out the customer’s level of visibility (defined below). We are basically looking to see how reliably a security department can access information like active directory and intrusion detection system (IDS) logs to name a couple common data sources. Ultimately, access to these sources of data determines an organization’s capacity to detect and block attacks and how effectively it will be able to deploy the content that defends the it from attacks.
Maturity Model Matrix*: The Maturity Model Matrix is the output produced from our Maturity Model Assessment. We determine the customer’s ability detect attacks by use-case (defined below), and give them grades accordingly. The matrix is, for all intents and purposes, a data-backed illustration of an organization’s visibility (defined below) level. This matrix is also an invaluable tool for tracking security improvements and progress, as we continually reassess our customer’s security maturity throughout our engagements.
MDR: Shorthand for “managed detection and response,” MDR is Gartner’s nomenclature for a rapidly growing subsect of the managed security service provider (MSSP) market (defined below). Vendors in this space offer security services that enable targeted incident response to be implemented upon detection of threats that bypass traditional rule-based detection systems. MDR focuses on threat detection rather than compliance, using the provider’s own set of on-premise tools and technologies. These tools, monitored by the MDR provider, are put in place to guard internet gateways and detect threats that may have gotten through traditional perimeter security tools, such as firewalls and antivirus products. While some automation is used, around the clock monitoring of networks is done by humans, which analyze security events and alert customers of any threats directly as opposed to relying on a portal or dashboard. This enables customers to rely on their MDR service provider to identify indicators of compromise, reverse engineer pieces of malware, or conduct containment and remediation if and as needed.
MSSP: An MSSP is a managed security service provider. Definitions for MSSP are all over the map, ranging from TechTarget’s oddly specific claim that an MSSP “an Internet service provider (ISP) that provides an organization with some amount of network security management, which may include virus blocking, spam blocking, intrusion detection, firewalls, and virtual private network (VPN) management” to BeyondTrust’s more general “IT service businesses that specialize in providing security-as-a-services offerings for their customers.” We lean more toward BeyondTrust’s definition and consider the TechTarget definition somewhat archaic. As such, we define MSSPs as vendors that provide managed services that relate to security. Such services can range from the SOC services we provide to threat intelligence services to security tooling services like firewall configuration and management.
Scenario*: Put most simply, a scenario is an element of an attack, or a suspicious system or network behavior that is potentially indicative of an attack. By and large, scenarios dictate the defensive security content we create to arm our customer’s networks against attacks (hashes, signatures, SIEM correlation rules, etc.). We organize these scenarios into broader patterns of attack behaviors that we call use-cases (defined below). While every organization will have a unique and long list of scenarios, some common examples include administrative activity outside work hours, (malicious) user-agent detection, logins from unusual locations, and rogue process creation.
SOAR: SOAR, or Security Orchestration and Response, is defined as technologies that enable companies to collect threats data and derive alerts from a variety of sources, leveraging human and machine power to analyze incidents and to help define, prioritize, and drive standardized incident response activities in accordance with a standard workflow. Like MDR, the SOAR space has been largely defined by Gartner.
SOC: SOC is the common abbreviation for a “security operations center.” SOCs were originally spaces for monitoring facility surveillance cameras, lighting, building access, and other devices relating to physical security. However, information or cybersecurity operations centers are now largely known as SOCs as well. Like their physical forbearers, digital SOCs are concerned with maintaining the security and integrity of computer networks against digital threats. All SOCs are different, but by and large they are in the business of detecting threats, mitigating attacks, and otherwise responding to security incidents.
Threat Model Assessment*: Although similar to the maturity model assessment, the threat model assessment is a more involved, hands-on effort to accurately determine an organization’s real and specific risks. Carrying out a threat model assessment means conducting interviews with various managers, administrators, and other customer stake-holders to determine what systems they use and how they use them. Beyond interviews, we conduct vulnerability scans, draw out network diagrams, and gather intelligence from IT systems. This assessment allows us to truly get a grasp on what is normal and anomalous behavior on a customer network.
Use-Case*: A use-case defines a broad method of attack. These methods of attack, although similar in nature, have many different scenarios (defined above) in which an attack can occur. The purpose of the use-case is to organize and standardize the detection of attacks on our customer’s networks. The use-case is the heart of the MKACyber methodology. It enables a repeatable methodology for detection of known-known behaviors. In each of our engagements, MKACyber works with its customers to establish a customized and dynamic list of use-cases. That said, the majority of our use-cases—data exfiltration, malware, or unauthorized access, for example—are relevant across most organizations and even industries.
Visibility: Visibility quantifies how clearly a customer can see into their own network. As we explained in the maturity model section above, an organization’s ability to detect attacks is dependent on its ability to access critical IT data and assets—i.e. to see their network. As such, an organization’s visibility is the measure of its level of access to the data and systems it needs to defend itself against attacks.
*Asterisks denote definitions that exclusive to MKACyber. Others very likely use these terms, but their definitions may well differ from ours.