I've written about security a number of times, and it's always a mess of confusing acronyms. Here's a quick cheat sheet of the common terms I have been using in writeups lately.
This is not all-inclusive! For the inner tech details, I recommend the extensive Flavors of Security series from 2019 for the overall picture across network and cloud security, The Age of Hacking from Jul-20 on social engineering, and my Okta platform dive from 2018 for the basics on identity management (summed up at the bottom).
Security oversight
- Security Information & Event Management (SIEM) ["sim"] = A forensics-oriented centralized collection system for tracking and correlating disparate events from network, system, app, and device logs, for near real-time monitoring & alerts.
- Security Orchestration and Automated Response (SOAR) = Service to automate workflows and incident response handling of low-level security events and policy violations detected in a SIEM. (Typically combined as a SIEM+SOAR.)
- Security Operations Center (SOC) = a centralized team that deals with security issues within an organization.
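To make the SIEM entry concrete, here is an added example (not from the original post or any vendor product) of the kind of correlation rule a SIEM runs: it normalises log lines from three constructed sources (sshd, a VPN gateway and an app audit log) into one schema, then alerts when a user/source pair racks up repeated failures across any of them and then succeeds. The log format, field names and thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three different log sources, already shipped
# to a central store. Sample values only; the format is invented for this demo.
RAW_EVENTS = [
    "2024-03-01T09:00:01Z sshd host=web01 user=alice src=203.0.113.7 result=failed",
    "2024-03-01T09:00:04Z sshd host=web01 user=alice src=203.0.113.7 result=failed",
    "2024-03-01T09:00:09Z vpn host=vpn-gw user=alice src=203.0.113.7 result=failed",
    "2024-03-01T09:00:15Z app host=crm user=alice src=203.0.113.7 result=failed",
    "2024-03-01T09:00:21Z app host=crm user=alice src=203.0.113.7 result=failed",
    "2024-03-01T09:00:40Z sshd host=web01 user=alice src=203.0.113.7 result=success",
    "2024-03-01T09:05:00Z sshd host=db01 user=bob src=198.51.100.2 result=failed",
    "2024-03-01T09:30:00Z sshd host=db01 user=bob src=198.51.100.2 result=success",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_event(line):
    """Normalise one raw log line into the common event schema (None if unparseable)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate_auth_spray(lines, threshold=5, window=timedelta(minutes=2)):
    """Correlation rule: at least `threshold` failed logins for one (user, src)
    pair, counted across ALL sources inside `window`, followed by a success
    from the same pair. Returns a list of alert dicts (empty if nothing fired)."""
    events = [e for e in (parse_event(line) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # (user, src) -> [(timestamp, source), ...]
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "failed":
            failures[key].append((ev["ts"], ev["source"]))
        elif ev["result"] == "success":
            recent = [(t, s) for t, s in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures": len(recent),
                    "sources": sorted({s for _, s in recent}),
                    "success_at": ev["ts"].isoformat(),
                })
            failures[key].clear()  # a success closes the window for this pair
    return alerts
```

Note that none of the three sources alone reaches the threshold; only the cross-source view the SIEM provides does.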
Managing a pool of users
- Identity and Access Mgmt (IAM) = an application to track and manage a workforce's authentication and authorization details across an organization. SaaS platforms are known as Identity-as-a-Service (IDaaS).
- Single Sign-On (SSO) = a centralized service over an IAM that acts as a login gateway into all the SaaS apps a given user can access.
- Consumer Identity and Access Mgmt (CIAM) ["cee-yam"] = an IAM for tracking authentication and authorization details within an application's pool of users (the app's consumers).
- Identity Governance and Administration (IGA) = an application to govern over user access rights across an organization's systems, and automate the workflows around changes to the rights.
- Privileged Access Management (PAM) = an application to govern over the administrative (sysadmin) rights across an organization's systems, which can also serve as a proxy for privileged access.
- Identity Threat Detection & Response (ITDR, or IDR) = tools that sit over an existing identity store (IAM) to bolster its security, through the use of scanning and runtime monitoring tools. Scanning systems monitor the IAM for misconfigurations & known vulnerabilities, plus track privilege changes and risks in the pool of identities. Runtime tools provide protection via behavioral analytics as the IAM is used for authentication (verification) & authorization (access granted) actions.
Managing a pool of servers/devices
- Endpoint Protection Platform (EPP) = a service (via installed agent) deployed on all servers, laptops, and devices (collectively known as endpoints) for monitoring and detection of malicious activity. EPP is about protecting the device itself, not the traffic to and from it. It includes preventing malware and virus attacks, and typically includes cloud-based endpoint mgmt capabilities (EDR).
- Endpoint Detection & Response (EDR) = a cloud-based platform over deployed EPP agents, to continuously monitor a pool of endpoints for advanced threats and broader attacks, and help automate remediation (such as taking action when a malicious file or breach is detected).
- eXtended Detection & Response (XDR) = extending EDR further by pulling in complementary data sources to provide the full context of endpoint usage. This can include security data from any other related network systems (such as network traffic, cloud infrastructure, and application logs), pulling from either a centralized SIEM, or directly from other integrated partnering services. Think of XDR as EDR+SIEM. Full bidirectional integration with XDR partners is ultimately similar to what a SIEM+SOAR is striving to achieve, but XDR allows for adjusting conditional access in real-time across integrated services.
- Cloud Workload Protection Platform (CWPP or CWP) = a service (via an installed agent) deployed into cloud-native environments that provides real-time threat detection and monitoring. Can be thought of as a cloud-native version of EPP/EDR, specifically for the runtime protection of VMs, containers, and Kubernetes clusters that are running in the cloud.
- Cloud Infrastructure Entitlement Mgmt (CIEM) ["cee-yem"] = a platform for governing privileged sysadmin access to cloud infrastructure and services. Think of CIEM as PAM+CASB.
- Cloud Security Posture Mgmt (CSPM) = a scanning service that continuously and autonomously monitors cloud environments for the security posture of all cloud infrastructure, typically including VMs and containers. It evaluates configuration & settings against set policy & compliance rules, allowing for an enterprise to score its risk against known vulnerabilities, regulations, and cloud-native security best practices. The starting C can also stand for "Container" (instead of "Cloud") for services focused solely on scanning cloud-native containers.
- Kubernetes Security Posture Mgmt (KSPM) = a flavor of CSPM specifically for monitoring Kubernetes clusters in any environment.
- SaaS Security Posture Mgmt (SSPM) = a scanning service, similar to CSPM, that is specifically for evaluating an enterprise's usage of external SaaS apps, monitoring for misconfigurations and policy or compliance violations.
- Vulnerability Mgmt = a scanning service to measure and monitor known vulnerabilities within the operating systems (OS) used across a pool of managed systems. This typically includes patch prioritization based on risk scoring, and can work over containers as well – which are not patched, but instead rebuilt from updated base images (newer patched version of the OS).
- External Attack Surface Mgmt (EASM, or just ASM) = a platform that continuously scans, tracks, and monitors all external-facing servers and services on an enterprise network. This is an outside-in service performed from the public Internet side, to find vulnerabilities and exploitable security gaps (penetration testing).
- Cyber Asset Attack Surface Mgmt (CAASM) = a platform that helps an enterprise track and monitor over all of its known systems and services. It is typically built atop or integrates with an asset mgmt system (inventory of systems and services) and vulnerability mgmt system (tracking known vulnerabilities in system OSes), as well as EASM for the outside-in view.
Network Security
- Secure Web Gateway (SWG) = provides real-time protection of outgoing web requests to external SaaS services, which can include employee compliance checking, policy enforcement, and malware detection. Think of it as a web firewall over outgoing requests.
- Zero Trust Network Access (ZTNA) = an access system to create a secure ephemeral point-to-point network connection between a user and the app being requested. There is no implicit trust until an identity is established, typically through an integration with an IAM. Besides identity, Zero Trust can adaptively factor in other attributes and context (time of access, geolocation, and device used) while determining trust, plus can use behavioral analytics to monitor and adapt to threats in real-time. Zero Trust removes two critical exposures common in major breaches: it eliminates lateral movement (moving between systems), as the user is never on the network, as well as eliminating privilege escalation (promoting your user account to admin rights), since the rights are set at login.
- Cloud Access and Security Brokers (CASB) ["cass-bee"] = network service to monitor and govern user access to external SaaS services, and block the usage of unsanctioned ones (known as shadow IT).
- User and Entity Behavioral Analytics (UEBA) = the use of ML algorithms to track the normal behavior of users and systems, in order to detect anomalous behaviors or deviations, to help mitigate against insider threats, compromised accounts, brute-force attacks, or intrusions.
- Network Detection & Response (NDR) = network service (akin to an EDR for endpoints) that continuously monitors over all enterprise network traffic for signs of advanced threats and broader attacks, and helps automate remediation (such as taking action when malicious traffic is detected).
- Network Traffic Analysis (NTA) = the use of ML algorithms and rule-based detection over raw network traffic and flow data, in order to isolate abnormal traffic and suspicious activities on an enterprise network. Think of it as UEBA, but for anomalous network traffic.
- Data Loss Prevention (DLP) = network service to help monitor and govern over data at rest, in motion, and within SaaS services, in order to assure compliance, and prevent exfiltration via attacks or insider threats.
- Remote Browser Isolation (RBI) = a cloud service that provides an ephemeral sandbox to handle an enterprise user's web requests, in order to run the resulting web pages in a protected isolated space. The results and interactions are safely relayed to and from the user's browser, while any threats or malware remains safely away from the original device.
- Security Service Edge (SSE) = a combined SWG + Zero Trust platform, for protecting user access and traffic to both external SaaS apps and services (via SWG), as well as internal apps (via Zero Trust). Like an SSO, it can serve as a gateway into all the services a user can access, plus can be enriched with other security services such as CASB, DLP, RBI, and WAF. [SSE was a term created by Gartner to split out SWG + Zero Trust capabilities (the user access side) from broader SASE. Forrester called it Zero Trust Extended (ZTX) but Gartner's term has been more heavily adopted.]
- Secure Access Service Edge (SASE) = centralized cloud-based Zero Trust platform to serve as the interconnective network between all of an enterprise's users, devices, networks, and services – across all environments the organization is in (on-prem, cloud, hybrid, multi-cloud). Think of SASE as a cloud-native enterprise network-as-a-service over Zero Trust access (SSE). This service helps provide security and networking in a single solution, and no longer tries keeping a network perimeter – the platform IS the perimeter. As with SSE, SASE provides a platform that can be enriched with other security services, such as governing access (CASB) and securing data (DLP) over disparate environments across the overall network. [SASE was a term Gartner created for the evolution of Zero Trust + SD-WAN into an overall network-as-a-service, but they then split Zero Trust user access capabilities back out into SSE. Forrester called it Zero Trust Edge (ZTE), but Gartner's term has been more heavily adopted.]
App Security
- Distributed Denial of Service (DDoS) Mitigation = network service that sits over an app's network traffic, to monitor and filter out DDoS attacks, which seek to overwhelm a service with illegitimate traffic. It identifies normal conditions & patterns of user traffic, in order to detect threats and filter out malicious traffic.
- Bot Protection (or Bot Mgmt) = network service that sits over an app's network traffic, to monitor and filter out malicious bot traffic (such as an attempt to scrape all of your content) while allowing legitimate bot traffic (such as a search engine crawler).
- Web Application Firewall (WAF) = a cloud-based firewall over a web app or API, to set statically-defined rules about what user traffic is allowed or disallowed.
- Web Application & API Protection (WAAP) = Gartner's new name for the next evolution of WAF that is able to dynamically monitor request traffic with behavioral analytics, to continuously monitor for malicious activities, as well as be enriched with other security services like DLP and DDoS and bot protection.
- Cloud-Native App Protection Platforms (CNAPP) = Gartner's new name for the combination of WAAP with cloud-native real-time security and posture protection & governance (CWP, CSPM, CASB, CIEM) along with code-level DevOps security testing tools.
- Data Security Posture Mgmt (DSPM) = a scanning service, similar to CSPM/SSPM, that evaluates an enterprise's data stores and app databases, monitoring for misconfigurations, excessive user permissions, abnormal access behaviors, and tracking data use.
- Data Protection Platforms = a combination of DLP data monitoring and DSPM scanning, now being provided by CNAPP and SSE platforms, in order to discover, map out, monitor, and protect data at rest and in-motion. Typically has sensitive data monitoring features to keep a tighter watch on organizational crown jewels.
- AI Security Posture Mgmt (AI-SPM) = a scanning service, similar to CSPM/SSPM, that evaluates an enterprise's Generative AI and LLM engines, monitoring for misconfigurations, abnormal access behaviors, and tracking AI use (prompts/responses).
Security Services
- Digital Forensics and Incident Response (DF/IR, or just IR) = Advisory services that help clients deal with a security breach, investigate a security incident to determine the scope and timeline of the breach, and take responsive action to remediate.
- Managed Security Services Provider (MSSP) = Outsourced service that uses log aggregation to discover threats. Customers ship logs to an automated service that provides user alerts via a portal. Think of it as a managed SIEM.
- Managed Detection and Response Services (MDR) = Outsourced service that uses continuous monitoring to discover threats and the actions to remediate. Provides deeper inspection than MSSP, typically using human & ML/AI monitoring over NDR (network protection) and EDR (endpoint protection), plus might include DF/IR services to provide remediation. This can be thought of as a "SOC-as-a-Service" for companies without the in-house staff or expertise to manage their own security.
- Managed Extended Detection and Response Services (MXDR) = An MDR service that is focused on monitoring over the broader XDR landscape, continuously tracking endpoint behavior as well as context from network, cloud, identity, and data security.
- Managed Cloud Workload Protection = An MDR that is solely focused on providing managed monitoring and threat detection over CWP platforms (cloud-native services, VMs, and containers).
- Digital Risk Protection Service (DRPS) = A service for measuring and monitoring the digital risk of an enterprise's network and the public exposure of its external-facing assets. This is typically measured around specific operational objectives (not security ones), and can be especially useful during digital transformation projects that are moving systems and processes into the cloud. This would typically utilize other systems like EASM (attack surface mgmt) and vulnerability mgmt to measure risk via security scoring.
Identity-based Security Basics
Here are some identity-based security basics for the non-technically inclined amongst you. These were taken from the "Security Basics" section in An Okta technical review, Oct-19.
- Authentication (authN) = proving to a system that you (the user) are who you say you are. Can be as basic as username & password, a PIN code, or as advanced as biometric scans on your phone with TouchID (fingerprint) and FaceID (facial recognition). End result is being a trusted user.
- Authorization (authZ) = once you are authenticated, now what can you do? What level of access do you have? This is normally tracked via some combination of RBAC (role-based access control) or ACLs (access control lists that track the rights each individual user has for every action in the system). Roles are fairly self-explanatory. For example: In a sales tracking app, are you a salesperson tracking their assigned leads, or a manager needing dashboards to oversee metrics? In an HR app, are you the employee entering time sheets and viewing their own paystubs, or a manager that is managing the users and approving payroll?
- Authentication factor = the category of information a user presents during authentication. Either something you know (a password or PIN), something you have (a token or device), or something you are (biometric data). Most common form is username and password.
- One-Time Password or PIN (OTP) = security mechanism where a single-use, temporary password or PIN is generated for authentication and provided to the user via a trusted method. Stronger than static passwords, as it is not subject to common attack vectors like man-in-the-middle or replay attacks. [I'm not getting into attack vectors here. Look 'em up if you want more details.]
- Security token = security mechanism where a temporary code must be used that is associated with a given user's identity for a set time frame. Common in authentication systems where trusted hardware devices (like RSA SecurID) or software apps can generate a token to use for login attempts, each valid for a short time window (say, 30 seconds) before it then refreshes with a new one.
- Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) = having a system require more than a single authentication factor (user credentials) to log into it. First called 2FA until security folks realized they should leave it a bit more open-ended. If you use online banking, you likely have been using some type of MFA to complete your login. Forms of MFA may include receiving an OTP via SMS or email, using an OTP from a software app, using a software- or hardware-based token generator, or providing biometric information like a fingerprint, retinal scan or facial recognition. [As an aside, I highly recommend using the Authy app from Twilio to track 2FA software tokens for all your accounts.]
- Lightweight Directory Access Protocol (LDAP) = an open protocol and data store (a "directory") for tracking user authentication (credentials) and authorization (access rights) on an organization's trusted private network. A common one is Active Directory (AD), Microsoft's LDAP service for Windows networks.
- Identity and Access Management (IAM) = an application to track and manage users' authentication and authorization details across an organization's systems.
- Provisioning = process in IAM that relates to automating authorization changes (access rights) when users are created, modified, disabled or deleted. An example is when a new employee on-boards, HR would need to coordinate with IT to get accounts and rights set up in multiple systems (such as systems for payroll, benefits, travel expensing, email account, server or software access, etc). This step has become increasingly complex with the proliferation of SaaS tooling!
- Delegate = handing your access rights over to another trusted system or user.
- Federation = common standards and protocols to enable identity sharing across trusted disparate systems. This is the key to enabling inter-dependencies between SaaS apps!
- Security Assertion Mark-up Lang (SAML) = open standard to pass authentication and authorization data between federated parties (the user, an identity manager, and the service the user is accessing). Typically used in enterprise systems.
- Open Authorization (OAuth) = an open standard for token-based authentication to authorize across systems (enabling "delegated authorization"). For example, this is what lets you allow LinkedIn to access your GMail contacts, or let Yelp post on Twitter on your behalf. OAuth 2.0 is the current standard. After authentication, OAuth will generate a token that subsequent requests can use for a limited time (say, an hour), instead of requiring re-authentication on each request. Internally the system will track which tokens are associated with which identity, and will expire or invalidate those tokens as needed.
- OpenID Connect (OIDC) = an identity layer over OAuth 2.0, allowing OAuth authorization across cooperating systems over a common identity (enabling "federated authorization"). For example, this is what lets you use a Google or Facebook account to log into Yelp or LinkedIn, where it then creates a new local account within that app, linking back to that Google or Facebook identity for needed details like name or email. Typically used in web and mobile apps.
- Single Sign On (SSO) = the ability to use the same credentials to authenticate into multiple disparate systems. SSO is enabled by SAML or OIDC. (NOTE: SAML and OIDC are competing standards for identity intercommunication, with different process flows and message formats. OIDC is newer, and IMHO, more streamlined for use with web & mobile apps and APIs.)
- Federated Identity Mgmt (FIM) = an IAM system linking your users' identities across multiple disparate systems. SSO is one of the important features federation enables.
- Identity-as-a-Service (IDaaS) = FIM SaaS provider.
- Zero Trust Security = emerging business strategy for keeping systems secure, by no longer trusting a network perimeter (such as a firewall blocking the public internet from accessing a company's private network) to isolate trusted users from untrusted. Zero Trust = Always Verify -- all users must be verified on every system at all times.