Naturally, many business owners are feeling increasingly concerned about the security of their digital assets. They search Google for tips and tricks to help them develop their security policy, only to be hit by a barrage of acronyms – many of which represent technologies and concepts that are seemingly indistinguishable from one another. Understandably, we’ve seen some confusion across forums and communities as to how the technologies work and where the overlap is.
With this in mind, here’s a break-down of the key acronyms businesses need to understand, along with a brief explanation about where they fit in, how they relate to each other, and how they differ.
Intrusion Detection and Prevention Systems (IDPS)
An IDPS typically incorporates both an intrusion detection system (IDS) and an intrusion prevention system (IPS). While a firewall is designed to prevent unauthorised access to a network, an IDS simply monitors and reports on suspicious network activity. Unlike a firewall, an IDS contains a database of known attack signatures, which it uses to detect incoming threats.
An IPS basically extends the functionality of an IDS by enabling it to respond to events. As each of these technologies becomes more sophisticated, they adopt each other’s functionality, and so the lines between them become blurred. To add to the confusion, there is now a technology referred to as a Next Generation Firewall (NGFW), which basically acts as both a firewall and an IDPS.
Endpoint Detection and Response (EDR)
Continuing with the assumption that you are not a seasoned IT security professional, an “endpoint” is any device that is connected to your network, which may include a workstation, server, modem, router, printer, etc. As the acronym suggests, EDR solutions are designed to detect and respond to endpoint anomalies. EDR solutions are not designed to replace IDPS solutions or firewalls but extend their functionality by providing in-depth endpoint visibility and analysis. EDR uses different datasets, which facilitates advanced correlations and detection.
It should also be noted that EDR is not the same as Endpoint Protection Platform (EPP), which is designed to block threats at the device level. EPP includes things like anti-virus/malware, personal firewalls, data encryption, and so on.
Security Information and Event Management (SIEM)
SIEM and EDR have many overlapping features; however, they do not directly compete with one another, but instead work alongside each other. Like EDR, SIEM solutions are used to aggregate data from multiple sources. However, SIEM solutions have a much broader scope, in that they are able to monitor events from IDPS, firewalls, antivirus, end-user devices, servers, network traffic, operating system logs, and even EDR solutions.
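As an added illustration (not code from this article or any product), here is a toy version of the cross-source correlation a SIEM performs: events from a firewall, an IDS and an EDR agent are normalised into one record layout and an alert is raised only when the same host is reported by several independent sources within a short window. The event layout and the sample events are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three of the sources the article lists.
# The field layout ("ts", "source", "host", "msg") is an assumption made
# for this example, not the log format of any real product.
EVENTS = [
    {"ts": "2024-01-15T09:00:05", "source": "firewall", "host": "10.0.0.7",
     "msg": "outbound connection to 203.0.113.9:4444 allowed"},
    {"ts": "2024-01-15T09:00:12", "source": "ids", "host": "10.0.0.7",
     "msg": "signature match on outbound traffic"},
    {"ts": "2024-01-15T09:01:40", "source": "edr", "host": "10.0.0.7",
     "msg": "unexpected child process started by office application"},
    {"ts": "2024-01-15T09:30:00", "source": "firewall", "host": "10.0.0.12",
     "msg": "outbound connection to 198.51.100.4:443 allowed"},
    {"ts": "2024-01-15T14:00:00", "source": "edr", "host": "10.0.0.12",
     "msg": "unsigned binary executed from temp directory"},
]


def correlate(events, window_minutes=10, min_sources=2):
    """Return one alert per host that is reported by at least `min_sources`
    distinct sources within any `window_minutes` span.

    A single firewall or IDS hit on its own never alerts; this is the
    "correlating data from a wide range of sources" role of a SIEM.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            start = datetime.fromisoformat(first["ts"])
            in_window = [e for e in evs[i:]
                         if datetime.fromisoformat(e["ts"]) - start <= window]
            sources = sorted({e["source"] for e in in_window})
            if len(sources) >= min_sources:
                alerts.append({"host": host, "sources": sources,
                               "first_seen": first["ts"]})
                break  # one alert per host is enough for an analyst queue
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

With the default 10-minute window only 10.0.0.7 alerts; widening the window to five hours also ties together the two events on 10.0.0.12, which is the trade-off between noise and coverage a SIEM rule author tunes.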
User Behavior Analytics (UBA/UEBA)
SIEM solutions focus on a wide variety of system events, which is great; however, understanding the output from a SIEM solution requires both time and expertise. Additionally, they also require a high level of technical expertise to install, configure and maintain. UBA, as you might expect, focuses on user behavior. UBA solutions are affordable and much easier to use than SIEM. User Behaviour Analytics solutions enable you to detect, alert, report and respond to changes made to your critical data, either based on a single event or on a threshold condition.
Another term you may have come across is identity and access management (IAM). IAM is a core feature of UBA systems, and involves reviewing access permissions, monitoring and alerting on changes made to those permissions. This helps organisations maintain “least privilege” account access. Additionally, UBA solutions enable you to manage suspicious file and folder activity, account modification/deletion, inactive user accounts, unauthorised mailbox access, password rotation, and a lot more. Given that the majority of security threats originate from insiders – whether by accident or on purpose – UBA solutions should be a core component of every organisation’s defence strategy.
Data Loss Prevention (DLP)
On the surface, it would appear as though DLP and UBA do the same thing. They are both used to keep track of sensitive data, and to ensure that it is not lost or mishandled in some way. However, UBA solutions focus on how users interact with the data, while DLP focuses on the data itself. Again, these days most sophisticated UBA solutions provide DLP functionality.
As you can see, there are many cross-overs between the technologies covered in this article, and if you are still slightly confused, that is understandable. On one hand we have firewalls, IDPS and EDR focusing on perimeter and endpoint security. On the other we have UBA, IAM and DLP, which focus on users and the data they access. And then we have SIEM, which acts as an all-seeing eye, collecting and correlating data from a wide range of sources. As each of these technologies evolves, the differences between them will become increasingly subtle, and hopefully, a more intuitive and standardized set of acronyms will emerge.
This article is published as part of the IDG Contributor Network.