DEFENSES
Last updated: 10/09/2022.
Term | Acronym | Definition | Type | Group |
Access Control | ABAC, DAC, MAC, PBAC, RBAC | Defines which Subject Actors can perform which operations on a set of Target Actors, according to identity management, authentication, policy, privilege, time and duration, etc. It also describes the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., critical infrastructure facilities, federal buildings, military establishments). NIST has defined several Access Control policies, including Attribute-based Access Control (ABAC), Mandatory Access Control (MAC) and Discretionary Access Control (DAC), covering some areas, and Role-Based Access Control (RBAC), based on the role of the actor. Policy-based Access Control (PBAC) governs an actor’s access based on their privilege levels according to business or technical policy. An Access Control List is defined as the list of rules that make up the policy for accessing a target actor (a compute or network resource: device, network service, application, etc.). | Defense | ZT |
Air Gap | | The physical or virtual separation of networks and systems. 1. Physical: typical use is in sensitive operational networks being kept separate from external networks (e.g., the Internet or internal business networks) to avoid attacks. This physical separation likely includes both wired and Wi-Fi separation. Disaster recovery offline backups are another instance, to ensure resilience. 2. Logical: the logical separation of networks via encryption and Zero Trust managed access (via least privilege, identity management, policy, etc.) has superseded physical air gaps in Operational Technology networks in theory, but not always in complex and legacy manufacturing practice. Other approaches that separate OT traffic from IT traffic in shared networks include encryption, slicing, tunneling and ZTNA, none of which address a compromise at the source of the transaction. The term Demilitarized Zone (DMZ) refers to a network that isolates the Internet from a secure network (typically a LAN); it similarly separates networks and has the same effect. | Defense | |
Anti-Malware Software | | Generically, a variety of software systems designed to detect and protect users from malware, viruses, phishing, spyware attacks, etc. Used somewhat interchangeably with Anti-Virus Software and typically installed on user devices. Anti-Phishing and Anti-Spyware software is usually separately packaged, but not always. Built-in protection is part of the Windows and Apple PC platforms. It’s not clear (seemingly deliberately so) what value the market’s “Anti …” software add-ons provide compared to the platform’s own protection. | Defense | |
Attack Surface Reduction | ASR | The logic is that attacks are harder to carry out if there is less visibility of and access to assets, i.e., the targets for attacks (to use the Attack Surface term) are minimized. This is somewhat addressed by a policy of only making the target actor visible to subject actors who are compliant with their specified privilege. However, this term could apply to almost any set of defenses, so it’s only included because it has come to mean almost any collection of software and services that reduce threats. Having said that, any set of tools from a highly reliable source is likely a good thing. | Defense | |
Biometric Security | | Often used for multi-factor authentication using facial, fingerprint, eye, voice, etc. Such biometric methods, like other MFA defenses, are a great help but are definitely not infallible, and each can be cracked. Passkeys’ use of facial recognition combined with location or device recognition, or substituting voice recognition (user voice-recognition software is also available), can be used to confirm you are who you say you are. | Defense | |
Browser Isolation | | Browser Isolation (also known as Web Isolation) is a technology that contains web browsing activity inside an isolated environment in order to protect computers from any malware the user may encounter. This isolation may occur locally on the computer or remotely on a server. | Defense | |
CAPTCHA | | Completely Automated Public Turing test to tell Computers and Humans Apart. More recently automated by Google, but many sites frustratingly still require you to identify crosswalks or bicycles, etc., often unsuccessfully!! At least it helps keep the Bots at bay. | Defense | |
CASB and SWG | | Note: what is the difference between CASB and SWG? Both CASB and SWG offer data and threat protection, and they are cloud-based. Cloud-based SWGs have more capabilities, which made them a suitable replacement for the limited firewall. They fulfil the same use case of network/perimeter protection by delivering network security services via the Cloud. | Marketing | |
Cloud Access Security Broker | CASB | A Cloud Access Security Broker is Cloud-hosted software, or on-premises software or hardware, that acts as an intermediary or gateway between users and Cloud service providers. This is curious because, as with other SASE elements, this sounds like a similar description to the one Gartner provided for ZTNA (see below). | Marketing | SASE |
Content Disarm and Reconstruction | CDR | CDR is a technique for removing embedded malware from files, usually as they are received. Used increasingly with Remote Browser Isolation, CDR (1) flattens and converts files to a PDF, (2) strips active content while keeping the original file type, and (3) eliminates file-borne risks. Some loss of useful content may be encountered, depending on the software’s functionality. | Defense | |
Context-based Access Control | CBAC | CBAC is a firewall enhancement to traditional IP-layer filtering. It also filters TCP and UDP packets based on application-layer protocol session information. It can be configured to only allow forwarding of sessions originating from protected networks, not ingress. It does this via deep packet inspection. | Defense | |
Data Loss Prevention | DLP | There is some disagreement about this term. Some have a narrow focus that it only deals with prevention of data removal or replacement. Others hold that it encompasses several prevention tools as an approach that seeks to improve information security and protect business information from data breaches. It prevents end-users from moving key information outside the network. DLP also refers to tools that enable a network administrator to monitor data accessed and shared by end users. It’s also a set of tools that both detect and prevent threat actors from either stealing or encrypting data. It’s labeled here as “Marketing” because it can contain a variety of tools to prevent unauthorized access to and exfiltration of data. | Marketing | |
Data Mining | | Searching through data looking for key items of interest to attackers. Files with text indicating usernames, passwords and social security numbers are obvious ones. Specific applications with known CVE vulnerabilities, monitoring or identity software with user privilege values, and versions of software with unpatched code are others in a long list. | Threat | |
Data Tagging | | The addition of attributes to data. This powerful defense is the counterpart to user attributes, i.e., the methodology to say what methods and policies are authorized to access the data. This could include data only being accessed from certain locations, via certain software, in read-only mode, at certain times, by users with certain levels of privilege, or only after a confirming multi-factor authentication of the subject actor. | Info | |
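The Access Control and Data Tagging entries describe the two halves of one decision: attributes on the subject actor and tags on the data. The following Python example, added here and not taken from the original page, shows them combined in a single evaluator: the tags state the minimum privilege level, authorized roles, permitted locations and client software, permitted operations (read-only by default), a time-of-day window and whether a fresh multi-factor confirmation is required; every failing rule is collected so the denial can be logged rather than silently refused. The subjects, tags, times and the audit-line format are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Subject:
    """The requesting actor: its identity plus the attributes policy will test."""
    user_id: str
    roles: set
    clearance: int        # privilege level; higher is more privileged
    location: str         # where the request originates, e.g. "office", "vpn"
    client_app: str       # the software making the request
    mfa_verified: bool    # a fresh multi-factor confirmation was completed


@dataclass
class DataTags:
    """Attributes attached to the target data: what any access must satisfy."""
    min_clearance: int
    allowed_roles: set
    allowed_locations: set
    allowed_apps: set
    allowed_ops: set = field(default_factory=lambda: {"read"})   # read-only unless tagged otherwise
    window: tuple = (time(0, 0), time(23, 59, 59))               # permitted time of day
    require_mfa: bool = False


def evaluate(subject: Subject, tags: DataTags, op: str, now: datetime) -> tuple:
    """Return ("allow" | "deny", reasons). Every failed rule is collected rather than
    stopping at the first, so the audit record explains the denial. The outcome is
    default-deny: an empty reasons list is the only way to obtain "allow"."""
    reasons = []
    if not (subject.roles & tags.allowed_roles):
        reasons.append("no authorized role")
    if subject.clearance < tags.min_clearance:
        reasons.append("insufficient privilege level")
    if subject.location not in tags.allowed_locations:
        reasons.append(f"location {subject.location!r} not permitted")
    if subject.client_app not in tags.allowed_apps:
        reasons.append(f"client {subject.client_app!r} not permitted")
    if op not in tags.allowed_ops:
        reasons.append(f"operation {op!r} not permitted")
    start, end = tags.window
    if not start <= now.time() <= end:
        reasons.append("outside permitted time window")
    if tags.require_mfa and not subject.mfa_verified:
        reasons.append("multi-factor confirmation required")
    return ("allow" if not reasons else "deny", reasons)


def audit_line(subject: Subject, op: str, target: str, decision: tuple, now: datetime) -> str:
    """One Security Event Notification style record (the format is an assumption)."""
    verdict, reasons = decision
    detail = "; ".join(reasons) if reasons else "-"
    return (f"{now.isoformat()} user={subject.user_id} op={op} target={target} "
            f"result={verdict} reasons={detail}")


# Constructed tags and subjects for the example.
PAYROLL = DataTags(min_clearance=3, allowed_roles={"payroll-analyst"},
                   allowed_locations={"office"}, allowed_apps={"reporting-app"},
                   allowed_ops={"read"}, window=(time(8, 0), time(18, 0)), require_mfa=True)
ALICE = Subject("alice", {"payroll-analyst"}, 3, "office", "reporting-app", True)
BOB = Subject("bob", {"payroll-analyst"}, 2, "vpn", "reporting-app", False)

if __name__ == "__main__":
    when = datetime(2024, 5, 6, 10, 30)
    print(audit_line(ALICE, "read", "payroll", evaluate(ALICE, PAYROLL, "read", when), when))
    late = datetime(2024, 5, 6, 22, 0)
    print(audit_line(BOB, "read", "payroll", evaluate(BOB, PAYROLL, "read", late), late))
```

Bob's request fails four independent rules at once (privilege level, location, time window and MFA); reporting all of them is what makes the log entry useful to the monitoring described later on this page.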
Deep Fake | | A video, audio clip or picture that has been altered to trick people into believing a corruption of the truth, because they believe in the person they are seeing or hearing and that they actually said those words. A deeply disturbing trend, often used in conjunction with other tricks. In July 2024, it was revealed that a threat actor used a deep fake image to gain employment with KnowBe4, a well-known cybersecurity company. | Threat | |
Deep Packet Inspection | DPI | This is a methodology for inspection of traffic typically in a network but also between processes in a system. In a cybersecurity context, it is used by threat prevention functions and tools to detect and filter potentially exploitive traffic to block, quarantine or allow its passage. It also allows examination of traffic to ensure that it does not exceed the access level of the subject actor. This can be a complex process requiring significant compute resources that might involve comparing many tens of thousands of traffic patterns. It is called “Deep” Packet inspection as opposed to conventional packet inspection that only looks at header info for routing purposes. | Defense | |
Defensive Evasion | | MITRE ATT&CK (TA0005, Defense Evasion) defines 25 techniques by which threat actors can disable or avoid defenses. An example is disabling of security software. This is a frequent element of an Advanced Persistent Attack. | Threat | APT |
Deflection | | Deflection has a special meaning in cybersecurity. The theory being that the more vulnerabilities that are protected the more attackers are deflected to easier, more vulnerable targets. It follows the simple concept of the thief walking down a line of cars looking for an unlocked door or the phone left on a seat. My book, when first published in 2022, identified more than 100 vulnerabilities or weak links. Many more have been unearthed since then. | Defense | |
Delegation | | Delegation is perhaps the most important and least understood aspect of cybersecurity. “Delegate, Don’t Abdicate” is about verifying, not trusting, those who provide software services, and in fact any kind of third-party action in your supply chain. Once you apply “Never Trust, Always Verify” you run into a Catch-22 when you can’t control your suppliers. See more on what I believe are the six most important aspects of Delegation. CISA has begun a journey of self-attestation but is only just scratching the surface in its 2024 work. I’ve categorized it as “Defense” because it falls into the “Threat Avoidance” category. As of Feb 2024, NIST Special Publication 800-192 on Verification and Test Methods for Access Control Policies/Models is extending this work. | Defense | |
DNS Security and Protocol Filtering | DNS, DoH, DoT | The Internet functions by matching website domain names to IP addresses using the Domain Name System (DNS). DNS Protocol Filtering checks whether a subset of a session contains messages that are to be allowed or blocked. DNS messages are specified in RFC 1035 and RFC 1996. DNS Security Functions are a set of important threat detection and prevention tools that are described in the DNS Threats item below. Two other functions, DNS over TLS and DNS over HTTPS (DoT and DoH), encrypt queries to provide additional protection; for example, DoT allows network admins to monitor and block DNS queries. Another DNS security protocol is DNSSEC, which covers the DNS data itself: zone data is cryptographically signed by the owner of the data and resolvers validate the signed responses, rather than the queries being encrypted. | Defense | |
Domain-based Message Authentication, Reporting and Conformance | DMARC | DMARC is an email authentication, policy, and reporting protocol. It verifies email senders by building on the Domain Name System (DNS), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF) protocols. Its main use is as an anti-phishing tool. | Defense | |
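To show how DMARC builds on SPF and DKIM, here is an added Python example (not from the page, and not a full RFC 7489 implementation) of the receiving side's decision: it parses the domain's DMARC TXT record, checks whether the SPF-authenticated envelope domain or the DKIM signing domain aligns with the visible From domain under the record's strict or relaxed alignment mode, and applies the p= policy when neither aligns. The record and authentication results are constructed; the organizational-domain rule is simplified to the last two labels (the real rule uses the Public Suffix List), and the sp= subdomain policy and pct= sampling are omitted.

```python
from dataclasses import dataclass


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'
    into a tag dictionary, filling in the protocol defaults for missing tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless stated
    tags.setdefault("p", "none")    # monitoring only unless stated
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption for this
    example; production code consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') only
    needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str    # domain in the RFC5322.From header, what the recipient sees
    spf_result: str     # "pass", "fail", "softfail", "none", ...
    spf_domain: str     # RFC5321.MailFrom (envelope) domain SPF was evaluated for
    dkim_result: str    # "pass" or "fail"
    dkim_domain: str    # d= tag of the DKIM signature that was verified


def evaluate_dmarc(record: str, r: AuthResults) -> tuple:
    """Return (result, disposition). DMARC passes if SPF *or* DKIM passed and that
    passing identifier aligns with the From domain; otherwise the record's p=
    policy (none / quarantine / reject) is the disposition."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", tags["p"])


# Constructed record for example.com: reject on failure, strict DKIM, relaxed SPF.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    legit = AuthResults("example.com", "pass", "bounce.example.com", "fail", "")
    spoof = AuthResults("example.com", "pass", "attacker.invalid", "fail", "")
    print("legitimate bounce subdomain:", evaluate_dmarc(RECORD, legit))
    print("SPF passes but for the wrong domain:", evaluate_dmarc(RECORD, spoof))
```

The second case is the anti-phishing point: SPF alone passed, because the sender's own domain was authorized, but it does not align with the From domain the user sees, so DMARC fails and the message is rejected.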
Domain Name Filtering | DNF | Domain Name Filtering is defined as the action taken by a Service Provider to check whether a session contains domain names that are to be permitted or denied. Domain Name Filtering provides a level of protection for a Subject inadvertently attempting to access a malicious Target. | Defense | |
Encryption | AES, DES, ECC | Encryption has many specific definitions and methodologies: symmetric and asymmetric cryptography, public and private keys, and encryption types such as the Advanced Encryption Standard (AES) developed by NIST, the Data Encryption Standard (DES), RSA, MACsec (IEEE), Ascon, etc., are used for secure communications. Encryption of all sensitive data on every type of compute device is supported and recommended to prevent data breaches and ransomware. For example, Elliptic Curve Cryptography (ECC) is used for digital signatures in cryptocurrencies such as Bitcoin and Ethereum. Middle Box functions are typically used to decrypt and inspect IP flows. Decryption is the process of transforming an encrypted message into its original plaintext. A Cipher is a cryptographic algorithm for encryption and decryption. | Defense | |
End-to-End Encryption | | Communications encryption in which data is encrypted when being passed through a network, but routing information remains visible. | Defense | |
Endpoint Detection and Response | EDR | Endpoint Detection and Response tools and products combine elements of both endpoint antivirus and endpoint management; the actual functions vary by security and service provider. Primarily, EDR focuses on Endpoint Security rather than security of the system or network security, the province of Extended Detection and Response (XDR), see below. See also Network Detection and Response (NDR) below. Functions may vary but typically include endpoint monitoring, threat detection, incident response and remediation. EDR typically provides less protection from Advanced Persistent Threats (APTs), the cause of most major breaches. | Marketing | APT |
Extended Detection & Response | XDR | See also Endpoint Detection and Response above and Network Detection and Response (NDR) below. XDR is a technology that may offer improved threat prevention, detection and response capabilities for security operations teams. XDR describes a unified security monitoring and reporting, incident detection and response platform that automatically collects and correlates data from multiple proprietary security components. If this sounds like marketing hype, it is disguising the fact that XDR provides the best protection against APTs, the cause of most ransomware attacks. | Marketing | APT |
Firewall | | A Firewall secures a network by deciding which data packets are allowed to pass through, primarily intercepting Layer 3 IP traffic. Traditionally, Firewalls were dedicated devices, but they are now more commonly delivered as a software process. Firewall management software can be susceptible to Layer 2 DDoS attacks and also to port scanning. Software detecting threats to web-based applications (via HTTPS protocols) is known as a Web Application Firewall (see below). There are certainly issues related to legacy implementations, so care is required. A Distributed Firewall is a recent term for a layered approach that embeds firewall code in the fabric of a network system’s architecture rather than running it as a separate process. Gartner’s market term Next-Gen Firewall refers to IP plus application-layer combinations. The security functions enabled in today’s firewalls have become blurred, so the key is to examine the detection and prevention functions, not the marketing hype. The whole Firewall genre may have a limited lifespan. | Marketing | |
Firewall as a Service | FWaaS | Firewall as a Service, also known as a Cloud firewall, provides Cloud-based network traffic inspection capabilities to customers seeking to migrate to a hybrid or multi-cloud model. It reduces the load on on-premises data center equipment and the management burden for internal Cybersecurity teams. | Marketing | |
Generative AI Defense | GenAI, LLM | This by definition will be an incomplete entry for some time. Its veracity is limited by the content of its Large Language Model (LLM) and, more recently, Small Language Models (SLMs). On the flip side of large-scale attacks is the use of large-scale defenses for logging of instances, defense against DDoS attacks and discovery of system status in real time. AI plus Zero Trust is likely to be a new field in its own right. Specifically, it’s Adaptive AI that is the GenAI area dealing with vast amounts of network and cybersecurity data that change moment by moment: the ability to use this information to understand whether a transaction is to be allowed “now,” to filter which incidents require rapid attention, and to predict incidents that may happen. This requires dynamic training of language models. The overriding challenge remains to identify valid information, code and recommendations and to distinguish them from what are known as AI Hallucinations, basically information or recommendations generated by LLMs that make little or no sense, thus discrediting or undermining all of the genuine information. The opposing efforts of hackers and legitimate actors to leverage GenAI are set against a background of fear surrounding AI. The use of GenAI to track potential intrusions in real time is under development, with the initial solutions aimed at the largest organizations. | Defense | |
Honeypot | | A Network Attached Device that lures and deflects attacks and attackers. It might represent an Internet-connected database, web server, PC, etc. The concept is that these devices are designed to report on any access, since there is no legitimate reason for such access. It is less easy to find reports on the effectiveness of individual solutions, one of which is canary.tools. | Defense | APT |
Hypervisor-protected Code Integrity | HVCI | Hypervisor-protected Code Integrity (also called Memory Integrity) uses Microsoft’s Hyper-V hypervisor to virtualize the hardware running some Windows kernel-mode processes, protecting them against the injection of malicious code. | Defense | |
HyperText Transfer Protocol Secure | HTTPS, HTTP | HyperText Transfer Protocol Secure (HTTPS) is a protocol that secures communication and data transfer between a web browser and a website. HTTPS uses TLS (SSL) to encrypt HTTP requests and responses; HTTPS is the secure version of HTTP. Most Anti-Malware software protects users by warning about or disallowing access to HTTP sites. Some browsers also flag sites as unsafe when spuriously deciding that site graphics contain malware. Getting into details: HTTP/2 (2021) was reported by CISA (in October 2023) as having a DDoS vulnerability known as Rapid Reset (CVE-2023-44487), with patching recommended. HTTP/3, in use by Google Chrome and Facebook, is a faster protocol that is carried over UDP. | Defense | |
Identity and Access Management | IAM | IAM is a set of processes, policies and tools for controlling user access to critical information. It’s the discipline that enables individuals to access resources at the appropriate times. It’s important not to collapse Identity and Access since both are elements of Zero Trust but Identity Management and Access Management software/services are possibly independently sourced software functions or services. | Defense | ZT |
Immutable Storage | | Immutable Storage is storage that when written once cannot be rewritten, just read. This can be on-premises or within Cloud storage where it is known as Immutable Cloud Storage and similarly as Immutable Backup. This means that providing the data was valid when written it cannot be encrypted by a threat actor thus preserving its integrity. This does not prevent theft but does prevent destruction, encryption or corruption by a threat actor. | Defense | |
Incident Response Plan | | Incident response is a planned approach to rapidly address and manage the reaction and recovery as soon as a cyber-attack or network security breach is detected. The procedures defined and documented in an Incident Response Plan must be tested, not just planned, using Content Disarm and Reconstruction or similar software approaches to avoid saving malware-infected data that would survive and negate recovery. Recovery of data from air-gapped servers must include decryption/encryption of all sensitive information. See also Asset Curation above. The plan need not be an all-or-nothing plan but can be part of operational activities, i.e., it could include how to respond to detected intrusions, notification of blocked threats, attacks on elements such as policy and asset control lists, or unauthorized privilege changes, etc. | Defense | |
Indicators of Attack | IoA | Unlike IoC below, Indicators of Attack alert administrators to precursors of attacks such as Discovery, Lateral Movement and Living-off-the-Land attacks prevalent in APTs, so that actions can be taken to prevent attacks before they occur. | Defense | |
Indicators of Compromise | IoC | The IETF (Internet Engineering Task Force) created RFC 9424 to review fundamentals, opportunities, operational limitations, and recommendations for Indicators of Compromise use. Cybersecurity “defenders” frequently rely on IoCs to identify, trace, and block malicious activity in networks or on endpoints. | Defense | |
Internet Protocol Security | IPsec | A group of IP protocols used to create encrypted connections, exchange keys, etc. The IPsec reference document is IETF RFC 6071. | Defense | |
Intrusion Detection System | IDS | An IDS gathers and analyzes information from a compute resource locally, in a cloud, or network to identify possible security breaches, including intrusions from outside and within the organization. | Marketing | |
Intrusion Prevention System | IPS, IDPS | An Intrusion Prevention System (IPS) applies IP reputation and content-matching rules to block known bad sessions. These systems, known as IDPS, may also include anti-virus systems for inspecting file content across many protocols, for example HTTP, IMAP and SMB. Threat and Intrusion Detection Systems have a similar role to an IPS but use detection technologies that preclude blocking; for example, behavioral analysis of file content and network anomaly detection often have detection delays and resource requirements that prevent inline deployment. These systems respond to detections by issuing SENs (Security Event Notifications, i.e., alerts). | Marketing | |
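The Indicators of Attack and Indicators of Compromise entries above and the IPS description of content-matching rules come together in the detection logic below, an added Python example that is not from the page or from RFC 9424. A small indicator set (an IP address, a domain and a file hash) is matched against endpoint log lines the way an IPS content rule would, with domains matching on any parent so a blocked apex domain also catches its subdomains; a second, behavioral rule flags repeated authentication failures as an Indicator of Attack. The indicators, log lines and hash are constructed (TEST-NET addresses and .invalid names); the burst rule counts over the whole sample rather than a sliding time window, which a real detector would add.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str     # "ip", "domain" or "sha256"
    value: str
    source: str   # which feed or report supplied it


# Constructed indicators for the example.
IOCS = [
    Indicator("ip", "198.51.100.23", "internal-report-0042"),
    Indicator("domain", "badhost.invalid", "partner-feed"),
    Indicator("sha256", "3f" * 32, "partner-feed"),
]

# Constructed endpoint log lines, one event per line.
LOG_LINES = [
    "2024-05-06T10:01:02Z host=ws17 proc=outlook.exe dns=updates.vendor.example",
    "2024-05-06T10:01:09Z host=ws17 proc=winword.exe conn=198.51.100.23:443",
    "2024-05-06T10:01:15Z host=ws17 proc=winword.exe file=report.dll sha256=" + "3f" * 32,
    "2024-05-06T10:02:40Z host=ws17 proc=chrome.exe dns=cdn.badhost.invalid",
    "2024-05-06T10:03:01Z host=srv02 auth=fail user=svc_backup src=10.1.5.7",
    "2024-05-06T10:03:02Z host=srv02 auth=fail user=svc_backup src=10.1.5.7",
    "2024-05-06T10:03:03Z host=srv02 auth=fail user=svc_backup src=10.1.5.7",
    "2024-05-06T10:03:04Z host=srv02 auth=ok user=svc_backup src=10.1.5.7",
]

# Deliberately simple extractors; the domain pattern also picks up file names such
# as "winword.exe", which is harmless because they never appear in the IoC set.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
AUTH_FAIL_RE = re.compile(r"auth=fail user=(\S+) src=(\S+)")


def parent_domains(name: str) -> list:
    """'cdn.badhost.invalid' -> ['cdn.badhost.invalid', 'badhost.invalid']"""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def match_iocs(lines, iocs) -> list:
    """Return (line_number, indicator) pairs for every IoC seen in the log."""
    by_kind = {}
    for ioc in iocs:
        by_kind.setdefault(ioc.kind, {})[ioc.value] = ioc
    hits = []
    for number, raw in enumerate(lines, 1):
        line = raw.lower()
        for ip in IP_RE.findall(line):
            if ip in by_kind.get("ip", {}):
                hits.append((number, by_kind["ip"][ip]))
        for digest in SHA256_RE.findall(line):
            if digest in by_kind.get("sha256", {}):
                hits.append((number, by_kind["sha256"][digest]))
        for domain in DOMAIN_RE.findall(line):
            for candidate in parent_domains(domain):
                if candidate in by_kind.get("domain", {}):
                    hits.append((number, by_kind["domain"][candidate]))
                    break
    return hits


def failed_login_bursts(lines, threshold: int = 3) -> dict:
    """Behavioral rule (an Indicator of Attack): the same user from the same source
    failing authentication `threshold` or more times."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for number, ioc in match_iocs(LOG_LINES, IOCS):
        print(f"ALERT line {number}: {ioc.kind} {ioc.value} (source: {ioc.source})")
    for (user, src), n in failed_login_bursts(LOG_LINES).items():
        print(f"ALERT {n} failed logins for {user} from {src}")
```

The three IoC hits land on lines 2, 3 and 4 (the outbound connection, the dropped file and the subdomain of the listed domain); the burst rule fires once for the service account that failed three times before succeeding.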
IP, Port and Protocol Filtering | IPPF | It is defined as the action taken by the SASE Service Provider to check whether a session includes a list of source or destination IP addresses, source or destination port numbers, transport protocols and/or application protocols that are to be allowed or blocked. | Defense | |
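The filtering action just defined (and the Layer 3 plus application-layer combination the Firewall entry attributes to next-generation products) reduces to a rule table evaluated per session. The Python example below is added for this page and is not from the MEF definition or any product: each rule matches on source and destination CIDR, transport protocol, destination port and, optionally, the application protocol identified by inspection; the first matching rule wins and anything unmatched is blocked, which is the safe default for a filter of this kind. The rule set and sessions are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for icmp)
    app: str = ""   # application protocol identified by inspection, if any


@dataclass
class Rule:
    action: str                # "allow" or "block"
    src: str = "0.0.0.0/0"     # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dports: tuple = ()         # empty means any destination port
    apps: tuple = ()           # empty means any application protocol

    def matches(self, s: Session) -> bool:
        return (ipaddress.ip_address(s.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(s.dst) in ipaddress.ip_network(self.dst, strict=False)
                and self.proto in ("any", s.proto)
                and (not self.dports or s.dport in self.dports)
                and (not self.apps or s.app in self.apps))


def filter_session(rules, s: Session) -> tuple:
    """Return (action, index of the rule that decided it). No matching rule means
    block, and the None index tells the log that the default deny fired."""
    for index, rule in enumerate(rules):
        if rule.matches(s):
            return (rule.action, index)
    return ("block", None)


# Constructed rule set: workstations (10.1.0.0/16) must not reach servers on the
# remote-administration ports, may reach the web front end on 443 only when the
# traffic really is HTTPS, and may query the internal resolver.
RULES = [
    Rule("block", src="10.1.0.0/16", dst="10.2.0.0/16", proto="tcp", dports=(3389, 22)),
    Rule("allow", src="10.1.0.0/16", dst="10.2.0.10/32", proto="tcp", dports=(443,), apps=("https",)),
    Rule("allow", src="10.1.0.0/16", dst="10.2.0.53/32", proto="udp", dports=(53,)),
]

if __name__ == "__main__":
    for s in (Session("10.1.5.7", "10.2.0.10", "tcp", 443, "https"),
              Session("10.1.5.7", "10.2.0.10", "tcp", 443, "ssh"),
              Session("10.1.5.7", "10.2.0.20", "tcp", 3389),
              Session("192.0.2.9", "10.2.0.53", "udp", 53)):
        print(s, "->", filter_session(RULES, s))
```

The second session is the reason application-protocol matching matters: SSH tunnelled over port 443 satisfies the port rule but not the application rule, so it falls through to the default deny.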
Least Privilege | PoLP | The Principle of Least Privilege is that users, devices & programs should only have the privileges necessary to complete their tasks. Perhaps beyond the scope of small companies, Separation of Duties also helps to separate and limit privilege and duties rather than give privilege for roles that are beyond the user’s responsibility. There are further divisions regarding membership of Static or Dynamic Separation of Duties groups covered in NIST 800-192. | Defense | ZT |
Malware Detection and Removal | MD+R | Malware Detection and Removal is defined as the action taken by a software provider to check whether a session contains malware, and to remove the malware or block the session containing the malware. | Defense | |
Memory-Safe Languages | | Many vulnerabilities occur because poor language disciplines allow malware to hide inside application memory spaces for later activation. This frequent ploy can be limited or even removed, as newer application languages are much more careful. This means that knowledge of the language an application is written in becomes a factor in choosing an application. Examples of memory-safe languages are Rust, C#, Go, Java, Ruby and Swift, as opposed to C and C++, which are not. Judicious use of compiler options helps here too. Thanks for this gem go to Steve Gibson of Security Now and SpinRite fame. CISA has also weighed in on the importance of this topic. Unfortunately, its statements are in the form of recommendations, not regulations. This is hardly surprising, since the cost of recreating existing work, some of it on the verge of deprecation, would be astronomical and take years. | Defense | |
Microsegmentation | | There are several interpretations of this term with a common principle. This being the ability to compartmentalize Cloud and data center functions and applications into secure segments. This works well with implementing Least Privilege, Zero Trust enforcement points, Identity and Access Policies where it is most relevant. For this author microsegmentation is a natural instance of a Zero Trust policy enforcement point. Either way the secure segmentation at the workload or secure container level certainly helps deter lateral movement attacks. | Defense | |
Monitoring and Auditing | | Automated continuous Monitoring is a key element of any Zero Trust implementation. The continuous aspect is to make sure that any time-based access privileges are in compliance (either time-of-day or duration), and that events that arise, such as blocked access attempts or elevation-of-access changes, are logged/reported via the Security Event Notification system. Control via an automated system is required. Auditing may also be required to ensure that both integrity and compliance with policies are maintained. Anomalous Behavior Detection should also be incorporated; this typically includes awareness of, and deviation from, normal network traffic and application flows, possible middle box functions, and built-in Security Event Notifications and alerts integrated into the user and provider systems. | ZT | |
Multi-factor Authentication | MFA, 2FA | Everyone must be familiar with this irritating phenomenon. It means that you are required to prove who you are by having two (Two-Factor Authentication or 2FA) or more ways of identifying yourself (MFA). For example, after you enter a password, you must also enter a code sent to your mobile device or email. Sometimes multiple proofs are needed, e.g., face recognition or providing your dog’s birthday. See also Passkeys. Now the bad news: Roger Grimes of Knowbe4.com has identified at least 20 ways to hack two-factor authentication, including analysis of 25+ MFA systems. A variant that is aligned closely with Zero Trust’s “Continually Verify” is Continuous MFA, where an actor is reauthenticated during a long transaction or session to ensure that it is still valid. This is particularly important to guard against exfiltration or encryption of data beyond an authorized time or window, a telltale sign of a breach. | Defense | |
Multi-Layer Security | MLS | This concept goes back over 40 years but is often dismissed or forgotten. Most cybersecurity actions focus on users, software and devices – a.k.a. subject actors – accessing target actors. This revolves around IP (Layer 3) data flows and also to some extent application data flows. However, this overlooks attacks on the security software itself. For example, denial of service attacks at the data link layer (2) or TCP layer (4). Attacks on the management of all software and devices are also weak links that are not carefully protected. Recent examples of security software being disabled are prime examples of lack of multi-layer security. Device drivers and video application file protection are other areas that are vulnerable. The main point is that a multi-layer security approach is critical and that what is secure at one layer should not be trusted to be secure at the layer above or below. | Defense | |
Multi-Level Security | | Unlike MLS above, which is more frequently applied to layers of network protocols, Multi-Level Security is a generic term for the concept that if one aspect of cybersecurity is penetrated then other defense mechanisms are there to prevent a breach. In holistic cybersecurity, it can be applied even to lack of security policy, social engineering and any one of 100 factors. Advanced Persistent Threats (see earlier) are examples of attempts to break through multiple levels of defense. | Defense | |
Mutual Transport Layer Security | mTLS | Mutual Transport Layer Security (mTLS) is a process that establishes an encrypted TLS connection in which both parties use X.509 digital certificates to authenticate each other. mTLS can help mitigate the risk of moving services to the cloud and can help prevent malicious third parties from imitating genuine apps. | Defense | |
Passkey | | A digital credential that adheres to the FIDO and W3C Web Authentication standards. Similar to a password, websites and applications can request that a user create a passkey to access their account. Passkeys rely on unlocking a device to verify a user’s identity. A new (October 2022) web site passkey.dev, gives the latest information. | Defense | |
Penetration Testing | Pen Testing | Penetration Testing. Testing for vulnerabilities using hacker tools. | Defense | |
Policy Management and Enforcement | | Policy Management is the process in a Zero Trust enabled service that verifies whether the Actor requesting access is identified and authenticated, is in conformance with the role and policy, that the target Actor is similarly identified and monitoring of the access is initiated. Policy Enforcement is the location at which the Policy is enforced. | ZT | |
Privileged Access Management | PAM | Also referred to as PAM, this controls and enforces actor (user, software application or device) privilege levels, i.e., the level of privilege that an actor requires to access another actor. It enables the establishment of Least Privilege to minimize risk to administrative processes. PAM is either separate software or integrated with Identity and Access Management software (IAM, see above), and as such the data it manages and the software itself must be protected from threat actor attack, since elevation of privilege is an important tool for ransomware attackers. Confusingly, using the same PAM acronym, Privileged Account Management is the subset that deals with the management of privileged accounts themselves. Even more confusion is added with PIM (Privileged Identity Management). The main difference between PIM and PAM is that PIM addresses what access a user is already granted, while PAM addresses how to monitor and control access whenever a user requests access to a resource. As always, it is necessary to examine the actual functionality and security of the functions of these products! | Defense | |
Protective DNS | PDNS | Protective Domain Name System PDNS adds a threat intelligence check against all DNS queries and answers to avoid or sinkhole malicious or suspicious domain resolutions. PDNS integrates easily with existing security architectures through a simple recursive resolver switch. It’s important because it analyzes DNS queries and takes action to avoid threat websites, leveraging the existing DNS protocol and architecture. Protecting the DNS queries is a key cyber defense because threat actors use domain names across the exploitation lifecycle. Users frequently mistype domain names while attempting to navigate to websites and may be redirected unknowingly to a malicious site. From there, threat actors may exfiltrate data, conduct command and control operations, and install malware onto a user’s system. | Defense | |
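The Domain Name Filtering entry above and this Protective DNS entry describe the same control from two angles: a resolver that checks every query against threat intelligence and hands back a sinkhole answer instead of the real one. The added Python example below (not from the page or from any PDNS service) implements that decision: blocklist matching on the name or any parent domain, a look-alike check against a short list of protected domains to catch the mistyped-name case the entry mentions, and otherwise ordinary resolution. The blocklist, protected list, sinkhole address and the dictionary standing in for the upstream recursive lookup are all constructed. Note that clients using their own DoH or DoT resolver bypass a network PDNS unless the protective resolver is itself the DoH/DoT endpoint they are pointed at.

```python
from dataclasses import dataclass


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike (mistyped) domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parent_domains(name: str) -> list:
    """'cdn.evil.example' -> ['cdn.evil.example', 'evil.example', 'example']"""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


@dataclass(frozen=True)
class Verdict:
    action: str    # "allow", "sinkhole" or "nxdomain"
    reason: str    # what the log should say
    answer: str    # the A record handed back to the client, "" if none


class ProtectiveResolver:
    def __init__(self, blocklist, protected, upstream, sinkhole_ip):
        self.blocklist = {d.lower().rstrip(".") for d in blocklist}
        self.protected = {d.lower().rstrip(".") for d in protected}
        self.upstream = upstream            # stand-in for the real recursive lookup
        self.sinkhole_ip = sinkhole_ip      # where blocked names are pointed

    def resolve(self, qname: str) -> Verdict:
        name = qname.lower().rstrip(".")
        # 1. Threat-intelligence check: the name itself or any parent is listed.
        for candidate in parent_domains(name):
            if candidate in self.blocklist:
                return Verdict("sinkhole", f"blocklisted via {candidate}", self.sinkhole_ip)
        # 2. Look-alike check: within two edits of a protected domain but not equal to it.
        for good in sorted(self.protected):
            if name != good and edit_distance(name, good) <= 2:
                return Verdict("sinkhole", f"look-alike of {good}", self.sinkhole_ip)
        # 3. Ordinary recursion (constructed table instead of a network query).
        if name in self.upstream:
            return Verdict("allow", "resolved upstream", self.upstream[name])
        return Verdict("nxdomain", "no such name", "")


# Constructed data for the example.
BLOCKLIST = {"badhost.invalid", "malware-drop.invalid"}
PROTECTED = {"bank.example"}
UPSTREAM = {"www.good.example": "192.0.2.10",
            "bank.example": "192.0.2.20",
            "www.bank.example": "192.0.2.21"}
SINKHOLE = "192.0.2.254"

if __name__ == "__main__":
    resolver = ProtectiveResolver(BLOCKLIST, PROTECTED, UPSTREAM, SINKHOLE)
    for q in ("www.good.example", "cdn.badhost.invalid.", "bamk.example", "bank.example"):
        print(q, "->", resolver.resolve(q))
```

Pointing blocked names at a sinkhole address the defender controls, rather than returning NXDOMAIN, is what lets the "from there" stage of an attack be observed: a client that then connects to the sinkhole identifies itself as having attempted the resolution.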
Proxy Server | | Unlike a VPN which transfers data via an encrypted tunnel, an IP Proxy Server acts as a gateway between users and the internet. It’s an intermediary server with its own IP address separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security, and privacy depending on use case, needs, or the organization’s policy. | Defense | |
Radio Frequency Identification Blocking | RFID | More commonly referred to simply as RFID Blocking, it prevents illicit theft of credit card information, etc. Blocking is accomplished by using wallets or sleeves that block the radio frequencies. | Defense | |
Remote Browser Isolation | RBI | RBI is a security measure that separates users’ devices from the act of internet browsing by hosting and running all browsing sessions in a remote cloud-based and hopefully secure container. It also means that data can be screened to avoid exfiltration of sensitive data or access to middle box functions, and it serves as a phishing defense. This, therefore, is an efficient way and place to implement a Zero Trust Enforcement Point. It also helps prevent malware being inadvertently loaded onto end user systems. | Defense | |
Resilience Plan | Resilience is the measurement of how well and how fast an organization can recover from a security incident, and how well it is protected against cybersecurity threats so that incidents are avoided in the first place. If Zero Trust’s “Assume Breach” is an accepted part of the thinking, then a documented and tested Resilience Plan is a necessary part of the Security Strategy. | Defense | ||
Resource Development | Resources purchased or stolen and used as tools in attacks. Examples are Web domains, DNS Servers, Botnets, and online adverts for Malvertising. A lengthy list is documented by MITRE ATT&CK (TA0042). | Defense | ||
Risk Appetite | A pretentious marketing term that really means the amount of risk an organization or investor is willing to take – in other words Risk Tolerance – see below. NIST has a definition of Risk Appetite: “The types and amount of risk, on a broad level, an organization is willing to accept in its pursuit of value.” This is an example of a non-implementable action, that this author believes helps no-one. | Marketing | ||
Risk Management | In the same family as Threat Management and Asset Curation, Risk Management adds the measurement and finance component. Overall, it’s the decision-making process that governs the priority of what should be protected. | Marketing | ||
Secure Access Service Edge | SASE | SASE was conceived as a collaboration between networking and cybersecurity. Its intention is to be a fully integrated WAN networking and security framework that connects remote users and branch offices to cloud and corporate applications and the Internet. However, great caution should be exercised since almost every term is a marketing one rather than a technical definition. Also, every vendor and service provider has (legitimately) added functions to deliver more practical “SASE” or “SSE” solutions. As first outlined by Gartner in December 2019 (the link to the original blog “Say hello to SASE” describing this “new package of technologies” has been deprecated by Gartner), SASE is a conceptual framework, largely consisting of marketing terms – not a product. It encompasses features “such as” (1) SD-WAN – a network overlay technology, (2) Cloud Access Security Broker (CASB), (3) Secure Web Gateway (SWG), (4) Firewall as a Service (FWaaS) and (5) Zero Trust Network Access (ZTNA). All these terms are covered in this Terminology page. Their definition is up for interpretation. For service providers, it has become important to deliver the SASE networking and security functions as a cohesive service that can bring together a wide variety of implementations. Late in 2022 the MEF expanded on the original idea by defining a standard SASE Service combining security functions and network connectivity as MEF 117. An enhanced definition is slated for completion in late 2024 that also formalizes a number of additional security functions that are commonly part of commercial offerings. | Marketing | |
Secure APIs | Application Programming Interfaces (APIs) are increasingly important, and their security is critical and integral to regulating access to code. There are many potential vulnerabilities that are well documented, with best practices for defense. Digital signing of APIs is the best of these defenses. It should also be noted that Terraform – an infrastructure-as-code open source tool that lets users build, change, and version cloud and on-prem resources – is becoming a popular alternative that abstracts the use of APIs to Amazon Web Services, Azure, Google Cloud Platform, Oracle Cloud Infrastructure, and Docker. | Defense | ||
Secure Containers | Given the popularity of Kubernetes as the favored container platform and the home of Cloud workflows, it’s no surprise that protection methodologies are required. Hence the term Secure Containers. See Reference 36 on the reference page for much more information. | Defense | ||
Secure DNS Proxy | SDNSP | Smart DNS Proxy is a secure DNS Proxy service to unblock websites and global video and music streaming services. Unblocking US websites such as Netflix, Hulu or ABC, or music streaming services such as Pandora or Spotify, happens natively when you use Smart DNS Proxy. There is no connection or disconnection needed as with a VPN. It claims to be faster than a VPN and to work with any device: PC, Mac, Smart TV, Xbox, PS3, Router, iPad, iPhone or any Android device. | Defense | |
Secure IP Service Functions | SIG | The functions required to provide secure IP services on ingress and egress at a given Service End Point are covered on this page. The collection of these functions is summarized here and includes: IP, Port and Protocol Filtering; Domain Name Filtering; URL Filtering; Malware Detection and Removal; Data Loss Prevention; and DNS Security Functions (DNS Protocol Filtering and Protective DNS). | Defense | |
Secure Internet Gateway | SIG | A SIG is a cloud-delivered Internet gateway that provides safe and secure access to users wherever they go, even when the users are off the VPN/network. | Marketing | |
Secure Network as a Service | SNaaS, NaaS | Secure Network as a Service is a Zero Trust enabled service. While Zero Trust is neither a system nor a product, and the Gartner concepts of SASE and SSE are important steps forward, SNaaS is a framework service that incorporates (1) the principles of Zero Trust, (2) the network and security elements of SASE, (3) around 30 defensive elements associated with SSE and (4) the elements of holistic security across an extended organization. When looking at Securing Network as a Service (NaaS) it’s important to separate how solution and service providers provide the service from what it can provide for the enterprise as an evolving concept. What NaaS should provide is being defined and will be covered elsewhere as 2023 progresses. | ZT | |
Secure Web Gateway | SWG | Secure web gateways act as a barrier, keeping users from accessing malicious websites, malware, or web traffic that is part of a cyberattack. An SWG is a solution that filters malware from user-initiated Internet traffic to enforce corporate and regulatory policy compliance. A secure web gateway is a cyber barrier or checkpoint that keeps unauthorized traffic from entering an organization’s network. The traffic that a secure web gateway governs is all inline – the gateway stands between all incoming and outgoing data. | Marketing | |
Security Event Notification | SEN | This is a broad definition of what, how and where events are notified. In this security context, for Zero Trust implementations this could include access requests being blocked or quarantined due to improper access privilege, identification, authentication or policy failures; target actors being out of scope for the subject actor’s access; or monitoring noting that timed access was being violated. It could also cover management issues such as Denial of Service attacks or failures in secure services such as unexpected termination. These notifications or Alerts are in addition to service notifications of IP failures, QoS violations from network services, secure container or other data-related notifications. There are no industry standards that encompass all network, IT, or security notifications via common secure APIs. | ZT | |
Security Functions | A Service that delivers and manages cloud-native security functions as specified by the Subscriber’s Policy for a specific session. These security functions must be deployable anywhere within the Service in order to optimize the performance and security provided by the SASE service for that session. The security functions available in a service are listed in the body of the work. The security functions are ‘atomic’ in the sense that they are frequently combined as part of a package recognized in the market under different terminology – for example, ATP, CASB and SWG. | Defense | ||
Security Key | A hardware security key made by Duo (a Cisco brand), Yubico, etc., that is an alternative to phone codes, biometrics, passkeys, and emails for two-factor access authentication. It is supported via USB ports on laptops and wirelessly on mobile devices. | Defense | ||
Security Orchestration Automation and Response | SOAR | Clearly an important function, though Gartner’s marketing engine referring to it as “The SOAR market continues to build toward becoming the control plane for the modern SOC environment” may be a little over the top. | Marketing | |
Single Sign-on | SSO | Single sign-on (SSO) is an identification method that enables users to log in to multiple applications and websites with one set of credentials without re-authenticating themselves. It is not the same as using a common sign-on (e.g., Google or Facebook) where the same login is used for multiple sites – effectively reusing the same username and password, which if compromised can give hackers access to all sites. | Defense | |
URL Filtering | URLF | URL Filtering is defined as the action taken by a Service Provider to check whether a session contains a URL that is to be Allowed or Blocked. The URL syntax is specified in IETF RFC 3986. URL Filtering applies to cases where the domain name is on the “Domain Name Filtering Allow List,” but one or more URLs associated with that domain have a security issue and need to be blocked. | Defense | |
Virtual Private Network | VPN | A service that protects Internet connections and privacy online. It creates an encrypted tunnel for data, protects your online identity by hiding IP addresses, and allows the safe use of public Wi-Fi hotspots. However, VPNs are only useful if they are implemented safely and enhanced with ZTNA capabilities. In early 2024 CISA itself was breached via a vulnerability in a “secure” VPN. | Defense | |
Virus | A virus is a specific type of Malware that self-replicates by inserting its code into other programs and is then spread to other systems and executed. See also Lateral Movement Attacks. A common source has been open-source software that is included and distributed without proper testing, the infamous Log4Shell being an example. | Threat | ||
Web Application Firewall | WAF | Unlike traditional Firewalls (see above) that filter unauthorized IP traffic, WAFs look at the web application layer to filter, monitor, and block HTTP traffic to and from a web service. They can prevent attacks exploiting a web application’s known vulnerabilities, such as SQL injection and cross-site scripting (XSS). | Marketing | |
Zero Trust | ZT | This is the key topic in cybersecurity, so it’s worth describing in detail. A set of principles and strategies intended to prevent the exfiltration of data in many areas, layers and apps operating in a hybrid cloud, perimeter-less network. See this site’s page on Zero Trust and Section 7 of the Book for an in-depth examination. Two of these principles are “Assume Breach,” where the enemy has already penetrated your edge defenses, and “Never Trust, Always Verify.” The word “Always” is important and doesn’t just mean verify once. It means continually verify, since access may have a time limit or other restrictions, and the user, app or device may suddenly attempt actions that are not aligned with the access policy, etc. Perhaps the term should have been “Never Trust, Allow only While Valid.” Implementing Zero Trust involves (a) Identity and Authentication, (b) Access Control, (c) Policy Management, (d) Policy Enforcement at appropriate locations or between designated points, (e) continual Automated monitoring and auditing, plus (f) Event Notification. In a world where the network perimeter no longer exists, a Zero Trust approach is the best and perhaps the only approach to protecting your assets. Remember it’s not a system but an approach whose deployment is context and location dependent. NIST has defined a Zero Trust Architecture – 800-207. Zero Trust was actually coined by Stephen Paul Marsh in 1994 but was popularized by John Kindervag almost a decade later. Today, circumstances have made it rise to the status of essential. He is now recognized as the father of the movement and he describes a 5-step methodology as follows: (1) Define the Protect Surface, (2) Map the transaction flows, (3) Architect a Zero Trust Environment, (4) Create a Zero Trust Policy, (5) Monitor and Maintain. This is an iterative process coined as “Antifragile” – systems that gain strength from disorder – an idea described by author Nassim Nicholas Taleb. Like many others, I do not express it in exactly the same way, as it does not take into account holistic principles and is an over-simplification. In fact, seeking an exact definition of Zero Trust – something that many seek to do so they can understand it better themselves – may not be a useful pursuit! The 2022 NSTAC definition is close, but here’s my definition: Zero Trust is a cybersecurity strategy premised on the idea that no asset (user, software, device) or transaction between them is to be trusted. It assumes that a breach has already occurred or will occur, and therefore access to information is to be granted only while the transactions between assets are valid, i.e. compliant with the policy in place. | Info | ZT |
Zero Trust Network Access | ZTNA | Zero Trust Network Access is an element of Gartner’s original SASE concept. What makes it challenging to clarify here is that there is no official industry technical definition for this much-used term or its specific functions (this includes NIST 800-215). Latterly, Gartner has written its “marketing definition” (not agreed in all circles due to its further use of undefined terms!) as “products and services that create an identity and context-based, logical-access boundary that encompasses an enterprise user and an internally hosted application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a collection of named entities, which limits lateral movement within a network.” The MEF proposes a more technical definition: “MEF defines Zero Trust Network Access (ZTNA) as access from any Subject Actor at any location, any time, and under any circumstance to any Target Actor at any location, any time, and under any circumstance.” In the industry, ZTNA has come to mean the Zero Trust replacement for virtual private networks (VPNs), in that ZTNA grants access only between specific services, data or applications, based on access control, whereas VPNs grant access to an entire network. It would have made more sense to this author if ZTNA had been termed ZTAA – Zero Trust Application Access. ZTNA is an obvious solution to distributed workforce security. However, this use case is just one that could be seen as part of a Zero Trust strategy and termed ZTNA. In recent developments the term Universal ZTNA (UZTNA) has come to mean the use of ZTNA both on-premises and from remote locations. Given that ZTNA has only come to be known as a VPN replacement, this new interpretation adds little that is new other than to legitimize ZTNA marketing. | Marketing | ZT |