david dominguez
Terms I Hear at Work Pt. 1
Mar 31, 2026
Introduction
Let me start by saying, man oh man, there are a lot of acronyms when you first come into the workforce. So many of us jumped head-first into it, and I think there are a lot of terms that you slowly build muscle memory on as you go. Many other professionals I've been around are starting at different points in their careers, and I think we all agree that it can be a bit anxiety-inducing to ask what a specific acronym pertains to, or what a specific concept is.
My whole objective here is to open this as a series where I may randomly hear one of these terms or concepts thrown around throughout the week and find it best to break it down or define it for others, not only for my own knowledge, but also so I can make sure I can teach it later while I'm on the job. I'm sure at one point or another I will revisit some of these concepts/topics in more detail, but for now, consider this an initial guide to what these terms mean in layman's terms, as well as how they apply to the job at hand.
Disclaimer: I do not claim to have detailed experience in every single one of these areas; however, I believe it is useful to understand the terminology/definitions.
Terms - Pt. 1
Events: Events are specific actions that are usually tracked via logs, and are typically what Security Analysts start with when they are investigating an alert or a case.
- These events can be something like a user changed their password, or a specific endpoint connected to Google.com.
- Events themselves aren't inherently malicious, and they are usually verbose (high-volume) in nature.
Alerts: Alerts are typically generated by a source system or by a specific detection. These source systems can vary, but generally these source systems are solutions that vendors sell, and provide certain levels of detection/protection.
- Examples of source systems include Microsoft Defender, CrowdStrike, Abnormal, etc.
- Examples of alerts can be "Malicious email detected" or "Defender tampering detected".
- Alerts typically warrant an Analyst's attention and are less verbose in comparison to Events.
Case: A case is a group of related items (e.g. events, alerts, artifacts, etc.) for a specific investigation.
- The main difference between the detections that cause alerts and the detections that cause cases is that cases span across different sources.
- Cases can also be referred to differently depending on the SIEM of choice. For example, in Sentinel, cases are typically called Incidents, but I have a personal preference to call them cases. This arises from an Incident Response engagement I was part of :).
Correlation: Correlating is when we link events across different sources of information. For example, when we build detections within a SIEM, the high-fidelity detections tend to be the ones that apply correlation.
- Think of an example where we are only taking user logs: we don't need Analysts looking into a user every time they update their password. However, if a user has recently received confirmed malicious phishing emails (using email logs) and they also update their password (using user logs) around the same timeframe, this may warrant an investigation.
- A key reason why we ingest security-relevant logs and event data into a SIEM is to achieve the ability to correlate.
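The phishing-plus-password-change correlation described above, written out as an added example in plain Python rather than a SIEM query language (this is not code from the original post). The log records are constructed sample data, and the field names (ts, user, verdict, action) and the 24-hour window are assumptions, not any vendor's schema; the point is that a password change on its own never becomes a case, but one that follows a confirmed phishing verdict for the same user does.

```python
from datetime import datetime, timedelta

# Constructed sample email-security events (the "email logs" source).
EMAIL_EVENTS = [
    {"ts": "2026-03-30T09:05:00", "user": "alice@example.com", "verdict": "phishing_confirmed"},
    {"ts": "2026-03-30T10:00:00", "user": "bob@example.com",   "verdict": "clean"},
]

# Constructed sample identity events (the "user logs" source).
USER_EVENTS = [
    {"ts": "2026-03-30T09:40:00", "user": "alice@example.com", "action": "password_change"},
    {"ts": "2026-03-30T11:15:00", "user": "bob@example.com",   "action": "password_change"},
    {"ts": "2026-03-31T14:00:00", "user": "carol@example.com", "action": "password_change"},
    {"ts": "2026-03-31T14:05:00", "user": "alice@example.com", "action": "mfa_enrolled"},
]

WINDOW = timedelta(hours=24)  # assumed correlation window; tune per environment


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the constructed sample data."""
    return datetime.fromisoformat(value)


def correlate(email_events, user_events, window=WINDOW):
    """Return candidate cases: each groups a confirmed-phishing email event
    with a password change by the same user within `window` after it.

    Events from either source that have no counterpart are left alone, which
    is what keeps routine password changes from reaching an Analyst."""
    phish_by_user = {}
    for e in email_events:
        if e["verdict"] == "phishing_confirmed":
            phish_by_user.setdefault(e["user"], []).append(e)

    cases = []
    for u in user_events:
        if u["action"] != "password_change":
            continue
        t_change = parse_ts(u["ts"])
        for p in phish_by_user.get(u["user"], []):
            delta = t_change - parse_ts(p["ts"])
            # Only a change that happens after the phishing verdict, and within
            # the window, is considered related.
            if timedelta(0) <= delta <= window:
                cases.append({
                    "user": u["user"],
                    "events": [p, u],  # the related items that make up the case
                    "reason": f"password change {delta} after confirmed phishing",
                })
    return cases


def noise_reduction(email_events, user_events, window=WINDOW):
    """Compare raw password-change event volume with the cases produced,
    to show how much an Analyst would otherwise have had to look at."""
    raw = sum(1 for u in user_events if u["action"] == "password_change")
    return raw, len(correlate(email_events, user_events, window))


if __name__ == "__main__":
    for case in correlate(EMAIL_EVENTS, USER_EVENTS):
        print(case["user"], "->", case["reason"])
    print("password-change events vs. cases:", noise_reduction(EMAIL_EVENTS, USER_EVENTS))
```

In a SIEM the same logic is a join between the email table and the identity table on the user field, constrained by a time difference; the Python version just makes the two halves of that join visible. Bob's password change is dropped because his email verdict was clean, and Carol's because there is no email event for her at all, so three raw events become one case for Alice.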
Security Information and Event Management (SIEM): Collects security-relevant log and event data from an organization's applications, servers, security devices and systems into a centralized platform. I've gone into more detail in the post here.
- Typically used by Security Engineers to query specific logs or build detections, or by Security Analysts to investigate further into alerts/events/cases.
False Positives: Cases that are incorrectly classified as cybersecurity incidents but are not actual threats.
- A primary goal of creating/onboarding detection rules is to minimize the number of false positives, as these create noise for analysts and can cause something known as alert fatigue.
True Positive: Cases that are correctly classified as confirmed malicious activity within the environment. This is usually referred to when it is at a case/alert level.
- True Positives do not always warrant an Incident and may not require an organizational response. It could be that someone accidentally fell for a phishing email, but there was no further impact to the organization, and it was resolved with a password reset.
Incident: Not to be confused with the earlier "Incident" in Sentinel, these are confirmed, active and ongoing threats to the environment, where organizational coordination/response is required to address them.
- This is usually the worst outcome, and can result in something like a completely new deployment of Active Directory or public disclosure.