
Evolution of Security

Updated Jan 30, 2024

SIEM

A SIEM (Security Information and Event Management) is a comprehensive security solution that collects, correlates, and analyzes log data from various sources across an organization's IT infrastructure.

A SIEM typically provides the following features:

  • Log consolidation, which consists of collecting logs from various sources (such as servers, firewalls or IDS/IPS) and storing them in one central location.

  • Log retention, which consists of storing logs for a specific period (such as 90 days), so that security analysts can keep track of and investigate past events.

  • Log encryption, which is an optional feature that safeguards the confidentiality of log data.

  • Log analysis, which involves identifying patterns, trends and anomalies related to security events, in or close to real time.

For more information, please see SIEM

Info

Log correlation involves analyzing and linking related events from multiple sources to detect patterns or incidents.

It’s more than just collecting logs; it’s about finding connections that indicate security issues.
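The following is an added example (not part of the original page) of the log consolidation and correlation the text describes: two constructed sources, a firewall allow log and an sshd auth log, are normalized into one schema and linked by source IP, so that a run of failed logins followed by a success from the same address that the firewall let through to port 22 becomes a single incident rather than a pile of unrelated lines. The log formats, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from two sources (not real logs).
FIREWALL_LOGS = [
    "2024-01-30T10:00:01Z fw allow src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-01-30T10:00:02Z fw allow src=198.51.100.9 dst=10.0.0.5 dport=443",
]
AUTH_LOGS = [
    "2024-01-30T10:00:03Z sshd Failed password for admin from 203.0.113.7",
    "2024-01-30T10:00:05Z sshd Failed password for admin from 203.0.113.7",
    "2024-01-30T10:00:07Z sshd Failed password for admin from 203.0.113.7",
    "2024-01-30T10:00:09Z sshd Failed password for admin from 203.0.113.7",
    "2024-01-30T10:00:11Z sshd Failed password for admin from 203.0.113.7",
    "2024-01-30T10:00:20Z sshd Accepted password for admin from 203.0.113.7",
    "2024-01-30T10:05:00Z sshd Accepted publickey for alice from 198.51.100.9",
]

# Assumed line formats for the two constructed sources.
FW_RE = re.compile(r"^(\S+) fw allow src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(r"^(\S+) sshd (Failed|Accepted) \w+ for (\S+) from (\S+)")


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def normalize(fw_lines, auth_lines):
    """Consolidate both sources into one time-ordered list of events with a common schema."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            events.append({"time": parse_time(m[1]), "source": "firewall", "type": "allow",
                           "src": m[2], "dst": m[3], "dport": int(m[4])})
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            events.append({"time": parse_time(m[1]), "source": "sshd",
                           "type": "auth_fail" if m[2] == "Failed" else "auth_ok",
                           "user": m[3], "src": m[4]})
    return sorted(events, key=lambda e: e["time"])


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Link events per source IP: >= threshold failures inside `window` before a success,
    plus whether the firewall recorded an allow to port 22 from that IP, form one incident."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["type"] == "auth_fail"]
        fw_ssh = any(e["type"] == "allow" and e["dport"] == 22 for e in evs)
        for ok in (e for e in evs if e["type"] == "auth_ok"):
            recent = [f for f in fails if ok["time"] - window <= f["time"] < ok["time"]]
            if len(recent) >= threshold:
                incidents.append({"src": src, "user": ok["user"], "failures": len(recent),
                                  "firewall_allowed_ssh": fw_ssh,
                                  "first_seen": recent[0]["time"], "success_at": ok["time"]})
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize(FIREWALL_LOGS, AUTH_LOGS)):
        print(inc)
```

Each source on its own only shows a partial picture (the firewall sees an allowed connection, sshd sees failures and a success); the correlation key here is the source IP and a time window, which is the kind of linkage a SIEM rule expresses.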

Endpoint Detection and Response

EDR

Endpoint Detection and Response (EDR) refers to security technologies that continuously monitor endpoint activities to detect, analyze, and respond to potential security threats.

  • Watches endpoint activities in real time.
  • Isolates affected endpoints, and takes automated actions.
  • Supports detailed investigations and root cause analysis.
  • Collects endpoint data for security and compliance reporting.

While SIEM centralizes log collection and analysis, it still depends on tools like EDR for endpoint data collection. EDR forwards relevant data for further review and helps incident responders quickly understand and contain threats.

EDR Process

  1. Data Collection
     • Monitors endpoint activities.
     • Captures data from various sources on the endpoint:
       • System processes
       • Changes to the Registry
       • Memory usage
       • Patterns of network traffic
       • Other system activities
  2. Data Consolidation
     • Aggregates data from multiple endpoints.
     • Sends the data to a database.
     • Centralizes data for easier analysis.
     • Can be on-prem or in the cloud.
  3. Threat Detection
     • Analyzes patterns and anomalies in the data.
     • Uses algorithms and techniques to identify potential threats:
       • Signature-based detection
       • Behavior-based detection
  4. Alerts and Threat Response
     • Generates alerts when a potential attack is detected.
     • Initiates predefined response actions to mitigate threats.
  5. Threat Investigation
     • Analyzes the cause and impact of detected threats.
     • Examines data to understand attack methods and sources.
  6. Remediation
     • Applies fixes and updates to prevent further incidents.
     • Implements changes to improve security posture:
       • Removing malicious files
       • Reversing changes made by the threat
       • Restoring affected systems
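As an added example (not code from the original page) of the Threat Detection and Threat Response steps above, the block below runs both detection styles over constructed process-creation telemetry: signature-based detection matches a file hash against a known-bad list, behavior-based detection matches a parent/child relationship (a document editor launching a command shell) regardless of hash, and each alert carries a predefined response action. The event fields, the placeholder hashes and the response actions are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # executable name as reported by the endpoint agent
    cmdline: str
    sha256: str     # hash of the executable image


# Constructed sample telemetry; hashes are placeholders, not real malware hashes.
EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe", "aa" * 32),
    ProcessEvent(200, 100, "winword.exe", "winword.exe report.docx", "bb" * 32),
    ProcessEvent(300, 200, "cmd.exe", "cmd.exe /c whoami", "cc" * 32),
    ProcessEvent(400, 100, "notepad.exe", "notepad.exe", "dd" * 32),
    ProcessEvent(500, 100, "tool.exe", "tool.exe", "ee" * 32),
]

# Signature-based detection: a known-bad hash list (placeholder values).
KNOWN_BAD_HASHES = {"ee" * 32: "placeholder-family"}

# Behavior-based detection: document editors are not expected to spawn shells.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def signature_detect(events):
    """Return (pid, label) for every process whose image hash is on the known-bad list."""
    return [(e.pid, KNOWN_BAD_HASHES[e.sha256]) for e in events if e.sha256 in KNOWN_BAD_HASHES]


def behavior_detect(events):
    """Return (pid, reason) for every shell whose parent process is an office application."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image in OFFICE_APPS and e.image in SHELLS:
            alerts.append((e.pid, f"{parent.image} spawned {e.image}"))
    return alerts


def alerts_with_response(events):
    """Alerts and Threat Response step: attach a predefined action to each detection."""
    out = []
    for pid, label in signature_detect(events):
        out.append({"pid": pid, "detail": label, "method": "signature", "action": "quarantine_file"})
    for pid, reason in behavior_detect(events):
        out.append({"pid": pid, "detail": reason, "method": "behavior", "action": "kill_process"})
    return out


if __name__ == "__main__":
    for a in alerts_with_response(EVENTS):
        print(a)
```

The behavior rule fires on pid 300 even though its hash is unknown, which is the point of behavior-based detection; the signature rule fires on pid 500 only because its hash is listed, and would miss a recompiled copy.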

FIM

File Integrity Monitoring (FIM) is a security measure that ensures the files on a system remain unchanged by unauthorized alterations.

  • Monitors files for unauthorized changes.
  • Compares current file states to known good baselines.
  • Alerts on discrepancies or changes.

Files that can be checked:

  • Binary files
  • System and application files
  • Configuration and parameter files
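Below is an added example (not from the original page) of the FIM loop just described: build a baseline of SHA-256 hash, size and permission bits for every file under a directory, then compare a later snapshot against it and report modified, added and deleted files. The demo runs entirely in a temporary directory with constructed files; the file names and contents are assumptions for the example.

```python
import hashlib
import json
import os
import tempfile


def file_sha256(path):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record hash, size and permission bits per file (the known-good state)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_sha256(p), "size": st.st_size, "mode": st.st_mode & 0o777}
    return baseline


def compare(baseline, current):
    """Return the discrepancies between the stored baseline and a fresh snapshot."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "deleted": deleted}


def demo():
    """Snapshot a constructed tree, tamper with it, re-snapshot, and diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("debug=false\n")
        with open(os.path.join(root, "bin_tool"), "wb") as f:
            f.write(b"\x7fELF-constructed-binary")
        baseline = build_baseline(root)
        # The baseline would normally be stored off-host (and ideally signed);
        # a JSON round trip stands in for that here.
        stored = json.dumps(baseline, sort_keys=True)

        # Simulate unauthorized changes: edited config, removed binary, new file.
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("debug=true\n")
        os.remove(os.path.join(root, "bin_tool"))
        with open(os.path.join(etc, "extra.conf"), "w") as f:
            f.write("x=1\n")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Keeping the baseline somewhere the monitored host cannot rewrite it matters as much as the hashing: a baseline that lives beside the files it protects can be updated by whoever changed the files.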

XDR

Extended Detection and Response (XDR) is a security solution that provides integrated threat detection, investigation, and response capabilities across multiple security products.

  • Combines endpoint, network, cloud, and email data.
  • Provides centralized alerts and investigation tools.
  • Uses analytics to detect complex threats faster.
  • Reduces need for separate security solutions.

XDR goes beyond EDR (endpoint-focused) and NDR (network-focused) by collecting and correlating data from multiple sources, such as endpoints, networks, cloud workloads, and applications, to provide a unified view of threats.

Info

EDR focuses on endpoints; XDR monitors endpoints, network, cloud, and email.

User Behavior Analytics

UBA

User Behavior Analytics (UBA) involves monitoring and analyzing the behavior of users within a network to identify patterns that may indicate malicious activity or security risks.

  • Learns normal user behaviors to set a baseline.
  • Detects deviations from typical patterns.
  • Uses machine learning to spot anomalies.
  • Helps detect insider threats early.

How it works:

  1. Collect and analyze data from diverse sources.
  2. Employ advanced analytics methods.
  3. Create a baseline for normal user behavior.
  4. Continuously monitor user activity to detect anomalies.
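The four steps above, carried through as an added example (not code from the original page): constructed activity records per user are analyzed to build a baseline (the hours a user normally works and the mean and standard deviation of data volume per session), and new events are then scored against that baseline, with a deviation flagged when the hour is outside the user's usual set or the volume is more than a chosen number of standard deviations above the mean. The record fields, the z-score threshold and the sample data are assumptions for the example.

```python
import statistics
from collections import defaultdict

# Constructed activity history: (user, hour of day, MB transferred in the session).
HISTORY = [
    ("alice", 9, 40), ("alice", 10, 55), ("alice", 11, 48), ("alice", 14, 52),
    ("alice", 15, 45), ("alice", 16, 50), ("alice", 9, 47), ("alice", 13, 53),
    ("bob", 22, 5), ("bob", 23, 8), ("bob", 21, 6), ("bob", 22, 7), ("bob", 23, 5),
]


def build_baseline(history):
    """Step 3: per-user set of usual hours plus mean/stdev of session volume."""
    per_user = defaultdict(list)
    for user, hour, mb in history:          # step 1: collect from the data source
        per_user[user].append((hour, mb))
    baseline = {}
    for user, rows in per_user.items():     # step 2: simple statistics as the analytics method
        volumes = [mb for _, mb in rows]
        baseline[user] = {
            "hours": {h for h, _ in rows},
            "mean": statistics.mean(volumes),
            "stdev": statistics.pstdev(volumes) or 1.0,   # guard against a constant history
        }
    return baseline


def score_event(baseline, user, hour, mb, z_threshold=3.0):
    """Step 4: return the reasons an event deviates from the user's baseline (empty = normal)."""
    b = baseline.get(user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if hour not in b["hours"]:
        reasons.append(f"unusual hour {hour}")
    z = (mb - b["mean"]) / b["stdev"]
    if z > z_threshold:
        reasons.append(f"volume z-score {z:.1f}")
    return reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ev in [("alice", 10, 50), ("alice", 3, 500), ("bob", 22, 6), ("carol", 10, 10)]:
        print(ev, score_event(baseline, *ev) or "normal")
```

The same 500 MB session is unremarkable for a user whose baseline is large and an outlier for alice, which is why the baseline is per user rather than global; an unknown user is reported rather than silently treated as normal, since a missing baseline is itself something an analyst should see.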

UEBA

User and Entity Behavior Analytics (UEBA) extends the principles of traditional user behavior analytics to include all entities in an organization, such as devices, applications, and network connections.

  • Identifies unusual patterns across all entities.
  • Uses machine learning to detect potential incidents.
  • Provides context on relationships between users and devices.

UEBA gives a full view of threats by looking at both users and their digital environment.

Software Defined Networking

Software Defined Networking (SDN) centralizes network control to make networks programmable and easier to manage.

  • Separates control plane from data plane for flexibility.
  • Enables automated configuration and monitoring.
  • Improves network efficiency and response to changes.

For more information, please see Software Defined Networking