XDR, EDR, XSOAR, SIEM, UEBA Flashcards
What does UEBA stand for?
User and Entity Behavior Analysis
What is UEBA?
a security analytics approach that focuses on detecting and analyzing abnormal or suspicious behavior exhibited by users and entities within an organization’s network or systems
What does UEBA combine to establish baseline behavior patterns of users and entities (devices, applications, servers, …) within an organization’s environment?
- machine learning
- statistical analysis
- behavioral modeling
What is the benefit of combining UEBA with SIEM?
organizations can correlate behavioral anomalies with other security events and log data, providing a more comprehensive view of potential threats
What are the three parts of UEBA?
- use cases - establish what normal behavior looks like
- data sources - define what to capture and what to watch for
- analytics - machine learning and AI compare the normal behavior to the current behavior of the entities in order to catch anything suspicious
What does SOAR stand for?
Security Orchestration, Automation, and Response
What is SOAR?
a framework that combines security orchestration, security automation, and incident response into a unified approach
What is the goal of SOAR?
improve the efficiency and effectiveness of security operations by automating repetitive tasks, orchestrating security processes, and enabling faster incident response and remediation
What tasks are included in security automation in terms of SOAR? (8)
Stop and think
- Threat Intelligence Gathering and Enrichment - automatically collecting and aggregating threat intelligence from various sources
- Alert Triage and Prioritization - analyzing and filtering security alerts to identify false positives and prioritize real threats
- Incident Response and Remediation - executing predefined response procedures for common types of incidents
- Workflow and Process Automation - automating routine tasks and workflows to streamline security operations
- Vulnerability Management - automatically applying security policies across the network
- Phishing Response - automating the analysis and response to reported phishing emails
- Threat Hunting - automating the search for indicators of compromise or suspicious activities within the network
- Case Management - automatically generating incident reports and maintaining case logs
In terms of purpose and focus, what are the differences between SIEM and SOAR?
- SIEM systems
  - primarily designed to collect, correlate, and analyze security event logs and data from various sources
  - real-time monitoring, threat detection, and incident response capabilities
- SOAR platforms
  - focus on automating and orchestrating security processes, including incident response, vulnerability management, and security operations
What does EDR stand for?
Endpoint Detection and Response
What’s the goal of EDR?
detect abuses that are potentially more advanced than what can be detected by traditional antivirus or HIDSs, while optimizing the response time of incident response, discarding false positives, implementing blocking for advanced threats, and protecting against multiple threats occurring simultaneously and via various threat vectors
What’s Managed Detection and Response (MDR)?
a cybersecurity service model in which an external company or Managed Security Service Provider (MSSP) is responsible for monitoring an organization’s IT environment, detecting security threats and incidents, and responding to them on behalf of the organization
What’s EDR?
- evolution of traditional antimalware products
- seeks to detect, record, evaluate, and respond to suspicious activities and events, which may be caused by problematic software or by valid and invalid users
- natural extension of continuous monitoring, focusing on both the endpoint device itself and network communications reaching the local interface
- some EDR solutions employ an on-device analysis engine whereas others report events back to a central analysis server or to a cloud solution
What are common features of EDR solutions?
- auditing a device for common vulnerabilities
- proactively monitoring a device for suspicious activity such as unauthorized logins, brute-force attacks, or privilege escalations
- visualizing complex data and events into neat and trendy graphs
- recording a device’s normal operating behaviour as a baseline to help with detecting anomalies
What are the two basic log source types that SIEM handles?
- Host-Centric Log Sources
- Network-Centric Log Sources