Glossary of Terms

The CyVig glossary of terms is a collection of cybersecurity-specific words and phrases, defined to provide context and insight into the value that the CyVig security solution offers.


Alarm

An alarm is an observable event that may imply harm or carry a potential compliance violation as detected by CyVig threat sensors or log collection appliances deployed within the client’s environment.


Analyst

The human backbone of the Security Operations Center (SOC). Analysts are the first to respond to cases through threat detection, threat investigation, and timely response.


Case

A case is a correlation of alarms that imply harm to an information system, violate acceptable use policies, or circumvent standard security practices. Alarms result in the creation of cases.

CyVig classifies these cases into five case risk levels: P5, P4, P3, P2, and P1, as determined by our automated scoring system and the Security Operations Center (SOC) analyst.

Case risk levels

CyVig classifies cases – based on alarms that imply potential harm – into five risk levels as determined by our automated scoring system and the Security Operations Center (SOC) analyst:

Low Priority (P4 and P5)
Treated as discrete event traffic and logged into the data store. Sometimes referred to as internet noise, these are typically not viewed or acted upon in any way by SOC analysts. However, P4 and P5 cases will be visible within the monthly alarm report. Common examples of low priority incidents include:

  • Vendor scans or authorized internal scans which trigger IDS events
  • Untargeted up-host or port scans

Medium Priority (P3)
Cases that include activities that require closer observation and continued monitoring but do not rise to the level of a real-time response. Attempted attacks will be blocked automatically by the firewall and additional recommendations may be made by the SOC team to help prevent these types of attempted attacks in the future. Common examples of medium-priority incidents include:

  • Brute force or dictionary attacks
  • Automated or drive-by malware infection attempts
  • Non-targeted exploit attempts

High Priority (P2)
High priority escalations result in a phone call and email to the primary contact but also require SOC analysts to proactively notify clients via every contact point provided if the primary contact is not available. This occurs until a designated point of contact is reached. Common examples of high priority incidents include:

  • High-severity, aggressive penetration tests
  • Larger scale/duration brute-force attacks
  • Potential malicious internal activity such as attempted privilege escalation
  • Potential server compromise – successful SQLi, Webshell activity, etc.

Critical Priority (P1)
Incident escalations that follow the same guidelines as high priority (P2) incidents, except that SOC analysts provide hourly status updates related to the security incident. P1 incidents are based on:

  • Information leakage/data retrieval
  • Successful lateral movement
  • Problems requiring immediate defense remediation to reduce exposure
  • Post-compromise activity
  • Malware command and control traffic

End Point Detection and Response (EDR)

Integrated end point security solution that detects and removes malware and other potentially malicious activity on a network. Managed EDR solutions detect and address suspicious activity on network endpoints.


A notification to the client about increased activity that warrants closer monitoring and/or response. In more serious cases, the Security Operations Center (SOC) will email or call the client to follow up directly.


Event

A term to indicate any shift in activity across a monitored network. Ordinary events include users downloading or opening files, while abnormal events include those that indicate potentially damaging security lapses.

Event management

Firewall logs, as well as logs from other client servers, filter into a Security Information and Event Management (SIEM) platform. The SIEM platform is used to apply rules against collected logs to determine specific events, which trigger alarms. The alarms are then reviewed and investigated by the SOC to distinguish threats from false positives.

Extended Detection and Response (XDR)

Artificial intelligence-powered endpoint protection that pinpoints threats through cloud-based user behavioral analytics that proactively reveal potential threats.

Governance, Risk and Compliance (GRC)

A strategic framework for IT activities to align business goals as a measure to manage governance, enterprise risk and compliance with regulations.

Identity and Access Management (IAM)

Allows an IT team to provide or restrict the versatility of user access to a network, such as with access rights, single sign-on protocols, and multifactor authentication.

Intrusion Detection System/Intrusion Detection and Prevention (IDS/IDP)

Network security technology to detect potential vulnerabilities with monitored devices or applications.


Logs

Security logs automatically generate a record of network activity and aid IT teams in uncovering potential security issues.

Managed Security Services Provider (MSSP)

A provider of monitoring and management of security devices and systems.

Next-gen firewall

CyVig clients will have a next-gen firewall to defend their perimeters. While the firewall has standard features – such as policy and VPN management – it also offers threat prevention, URL filtering, and file and data filtering. Attack attempts are blocked automatically by the firewall.

National Institute of Standards and Technology

Nonregulatory physical sciences laboratory of the U.S. Department of Commerce dedicated to promoting innovation in science and technology, including cybersecurity. The agency develops guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public.

Required security contact information

CyVig clients provide a prioritized list of at least two security contacts during the onboarding process. Security Operations Center (SOC) analysts can also accommodate specific escalation preferences for partners and clients to assist with service integration to existing processes defined by the client.

These customized escalation preferences must be submitted in writing to the SOC for approval and clarification before they can be implemented in the escalation process.

Response time service level objectives

Security Operations Center (SOC) response time is measured from the moment an internal alarm or client phone call triggers a case for the applicable support request until the point that such incident is time-stamped. At the point of timestamping, a SOC analyst is assigned to the ticket for support.

The client is contacted pursuant to the client’s defined escalation procedures. After investigation by the SOC, if a case is revealed to be a different case risk level, it will be treated along the guidelines of the updated risk level.

Response time service level objectives by case are:

Low Priority (P4 and P5)

  • Does not impact performance
  • Only informational

Medium Priority (P3)

  • Suspicious activity or attacks that have identified mitigation methods
  • Response time within 24 hours with updates provided as needed

High Priority (P2)

  • Non-administrative level compromise
  • Response time within 60 minutes with updates every 60 minutes

Critical Priority (P1)

  • Administrative level compromise
  • Response time within 15 minutes with updates every 60 minutes

Security Information and Event Management (SIEM)

Supports detection of threats, compliance efforts, and security incident management by logging and analyzing events.

SmartResponse™ automation framework

Automated defensive actions or operational responses to triggered alarm rules. These can be run on any hosts with the system installed and can be customized to meet client and change management requirements.

Identified threats are compiled into a case and clients are notified of the security threat based on a priority classification system (see Case Risk Level entry).