Glossary

  • Character string used by the application to access the protected Cytomic Orion resource (the API). The access token describes the scope of access, including its duration, and other relevant information. Tokens are opaque to the client application: they are issued by, and only meaningful to, the CAS server.
  • Protection module based on conventional technologies (signature files, heuristic analysis, anti-exploit, etc.) which detects and removes computer viruses and other threats.
  • Third-party development to be integrated with Cytomic Orion by means of the integration API.
  • Set of strategies implemented by hackers designed to infect a client’s network using several infection vectors in tandem in order to go unnoticed by conventional antivirus systems for long periods of time. Their main objective is financial (theft of confidential company information for blackmail, theft of intellectual property, etc.) or political.
  • Set of resources developed by Mitre Corp. to describe and classify cyber-criminals’ dangerous behavior based on observations from all over the world. ATT&CK is an organized list of attackers’ known behaviors divided into tactics and techniques; it is expressed in a matrix and also through STIX and TAXII. As this list is a complete representation of behavior that hackers use to infiltrate corporate networks, it is a useful resource for organizations when developing defensive, preventive, and problem-solving mechanisms.
  • System that creates and validates the third-party account credentials of the application using the integration API. Cytomic Orion delegates validation of the username and password credentials to the IdP server (Identity Provider).
  • Server with which the application using the integration API interacts to request access to a protected resource. Cytomic Orion delegates this task to the CAS (Authorization Server).
  • Authorization server used in the Integration API. Refer to “Authorization server (with respect to the Integration API)” for more details.
  • Minimum unit of a notebook. It consists of a multi-line text box hosting code in a language compatible with the notebook’s kernel, together with the results of its execution.
  • In 2011, Lockheed-Martin Corporation described a new framework or model to defend computer networks, detailing that cyber-attacks occur in phases and that each one of them can be interrupted through established controls. Since then, the Cyber Kill Chain has been adopted by data security organizations to define cyber-attack phases. These phases begin with remote reconnaissance of the target’s assets and extend to data exfiltration.
  • The identifier and password assigned to the Cytomic Orion client. To get a client_id and client_secret contact the Cytomic sales department.
  • Term used to describe a global network of inter-connected servers that operate as a single ecosystem designed to store and manage data, run applications, or deliver content or services (video streaming, webmail, office software, security services, etc.). Instead of accessing files and data from a personal or local computer, the user accesses them online from any device connected to the Internet. In short, the information is available wherever you go, whenever you need it.
  • Vulnerable processes that have been affected by an exploit and that can compromise a computer’s security.
  • Open platform for exchanging cyber-security information, which monitors, collects and analyzes potential cyber-threats targeting organizations, thereby enabling the design of defensive and remedial actions.
  • Information defined and stored by Mitre Corp. about known security vulnerabilities. Each entry has a unique identification number, offering a common nomenclature for public knowledge of these types of problems, thus facilitating the sharing of data about such vulnerabilities.
  • Search engine implemented in Cytomic Orion that uses the events lake formed by telemetry collected from computers and the hunting rules describing TTPs (Tactics, Techniques, and Procedures) employed by hackers. When the cyber-attack radar detects a TTP, it generates an indicator.
  • Service that associates domain names with several types of information, usually IP addresses.
  • Time that a threat has remained undetected on a network computer.
  • EDR is the answer to the fact that conventional antivirus will never be able to prevent all cyber-attacks. EDR assumes threats will evade preventive defenses, so it focuses on monitoring computers in order to detect behavior indicating malicious activity and to capture data for security research. Most EDR solutions have some level of automated response, but depending on how long the threat remains active before it is discovered, manual remediation may be necessary. Like NGAV, EDR solutions use ML (Machine Learning) and AI (Artificial Intelligence) techniques to determine whether a behavior is malicious based on continuously updated big data sets.
  • Each relevant action monitored by Cytomic EDR or Cytomic EPDR and performed by processes on workstations and servers generates an event which is enriched and sent to Cytomic Orion’s platform. It is stored so the analyst can later investigate it individually or together with the rest of the events.
  • Collection of all the telemetry generated by processes running on desktops and servers, stored on Cytomic Orion’s servers, where the analyst can run searches in order to complete their analysis.
  • Generally speaking, an exploit is a data sequence especially designed to provoke a controlled error when running a vulnerable program. After provoking the error, the compromised process will mistakenly interpret part of the data sequence as executable code, thus triggering actions which are dangerous to the computer’s security.
  • This technology blocks network traffic which coincides with patterns defined by the administrator through rules. This way it restricts or blocks communications by certain applications running on the computer, thereby reducing the attack surface.
  • Regulation regarding data protection for European Union residents.
  • Positioning a device on a map according to its coordinates.
  • File classified as legitimate and safe after examination.
  • A notebook that uses the telemetry flow generated by the client’s IT infrastructure as source of information and provides a graphical representation of the logged entities and their relationships, making them easier for analysts to interpret.
  • Description of a TTP (Tactics, Techniques, and Procedures) recognized by Cytomic Orion, and used by the cyber-attack radar to search the events lake for execution patterns suspected of belonging to a cyber-attack.
  • File containing patterns that an antivirus uses to detect threats.
  • Authentication server used by Cytomic Orion in the integration API. Refer to “Telemetry” for more details.
  • Hypothesis generated by Cytomic Orion. It warns the Tier 1 analyst from MSSP/MDR/SOC about the detection of a TTP pattern described in a hunting rule.
  • System of checks developed by MSSP/MDR/SOC Tier 1 technicians to filter alerts generated by Cytomic Orion, thus delivering to Tier 2 only those cases with the highest likelihood of being a cyber-attack. The indicator triage removes false positives, thereby reducing the workload at SOC Tier 2.
  • Means of entry or procedure used by malware to infect a computer. Common infection vectors include Web browsing, email, and pendrives.
  • REST APIs which Cytomic Orion deploys to allow integration with third-party tools or applications developed in the SOC.
  • Repository of shared data created by MSSP/MDR/SOC Tier 1 analysts and contributed to by Tier 2 and Tier 3 analysts with findings produced during an investigation.
  • Industry standard for describing conditions that can compromise the security of organizations. As it is a similar concept to the signature file used by malware protection tools, its format is open, allowing it to be shared and exchanged and enabling an administrator to easily extend the detection capacity of the security solution installed on network computers.
  • Number that logically and hierarchically identifies the network interface of a device (usually a computer) inside a network using IP protocol.
  • Operations performed by hackers inside a corporate network through which they intend to gain an advantageous position in order to reach their targets. It usually implies the spread of malware to other computers within the network, installation of backdoors facilitating the access to several corporate subnets, etc.
  • General term used for programs containing malicious code (MALicious softWARE), such as viruses, Trojans, worms, or any other threat affecting the security and integrity of computer systems. Malware infiltrates and damages a computer with several objectives and without the owner’s knowledge.
  • Cryptographic hash algorithm that produces a 128-bit signature (hash or digest) uniquely representing a sequence or string. The MD5 hash calculated on a file is useful for its unequivocal identification or for confirming that it has not been tampered with or changed.
  • A new class of security service that groups experts, proprietary technology, and the practical knowledge necessary to overcome deficiencies in the MSSP model by pro-actively and rapidly searching for, investigating, and solving cyber-threats.
  • Non-profit company operating multiple federally-financed research and development sites dedicated to addressing security-related issues. It offers practical solutions in defense and intelligence, aviation, civilian systems, national security, judiciary, health, and cyber-security. It is the creator of the ATT&CK framework.
  • Companies offering managed security services for those organizations wishing to outsource them.
  • Character string used by Cytomic Orion to uniquely identify each of the client's workstations and servers.
  • Unlike conventional antivirus solutions, which fundamentally base their detection capacities on signature files stored on a local drive, in the cloud, or a combination of both, NGAV uses advanced techniques to detect malware. These can include machine learning, exploit detection, use of IOCs (Indicators of Compromise), metadata analysis, and other techniques to search for the TTPs used by attackers.
  • The natural evolution of firewalls to which advanced functionalities of malware detection, content filtering, Web traffic filtering, VPN services, remote network access, and intrusion detection systems, among others, are added.
  • Web representation of all the input and output that occurred over time regarding one or several code fragments run interactively, including explanations in text format, images, and more elaborate object representations.
  • Sends the indicators detected on one or more clients’ computers to one or more email accounts, so that analysts do not have to repeatedly open the analysis console to check the status of the IT networks of the clients they investigate.
  • An open and widely used industry standard for allowing delegated access to protected resources. The main scenario for which OAuth was designed was that of a user that needs to grant permission to access protected information on websites or third-party applications, but without having to share login credentials. OAuth therefore provides secure delegated access to the owner's resources under the owner’s name, and specifies the processes required for the owner to authorize third-party access without having to share credentials.
  • An attempt to illegally obtain confidential user information through deception. Usually, the target information includes passwords, credit card details, bank account numbers, or information that may be used to enable remote access to the organization’s network.
  • Programs that are invisibly or discreetly introduced on the computer, taking advantage of the installation of another program which is the one the user intended to install.
  • Multi-paradigm, interpreted, and multi-platform programming language whose philosophy emphasizes code readability. It has an open source license compatible with the GNU General Public License from version 2.1.1.
  • Independent, small blocks of code which solve particular issues and which analysts can incorporate in notebooks in order to speed up research automation.
  • When the application accesses the resource for the first time it is given an access token and a refresh token. When the access token expires, the application requests a new one by using the refresh token and without having to go back through the authentication and authorization process.
  • Set of techniques which allow the development of Web pages which automatically adapt to the size and resolution of the device used to view them.
  • A specific set of permissions applied to one or more user accounts which authorizes viewing or editing certain console resources.
  • Network devices operating transparently to offer safe Internet content to users of a corporate network. They include network antivirus systems, firewall, intruder detection/prevention systems (IDS/IPS), Web filtering systems, antispam protection, etc.
  • Tools that combine the management of the information and security events generated on the client's IT infrastructure, providing real-time analysis of security alerts generated by the applications and hardware on the network.
  • Company department which monitors and controls security in the company’s IT infrastructure and prevents attacks.
  • Standard, interactive programming language used to retrieve information from a database and to update it. Though SQL is both an ANSI and an ISO standard, many database products support SQL with extensions beyond the standard language. Queries take the form of a command language which allows selecting, inserting, updating, and locating data, among other operations.
  • Program which after being analyzed on a computer, is considered as having a strong chance of being malware.
  • Information retrieved from desktops and servers which is sent to Cytomic Orion’s cloud infrastructure to feed the events lake. Telemetry is the result of enriching the information obtained from monitoring processes with data provided by the advanced protection solution installed on the computer.
  • Notebook used by analysts as the basis for automating research. As each new investigation does not start from scratch, templates speed up the creation of notebooks and enable them to be reused and shared.
  • Analyst specialized in investigating indicators within companies’ IT infrastructure activities, which can result in discovering computer attacks that go undetected by conventional security solutions installed on computers.
  • Set of specialized technologies and human resources allowing the detection of lateral movements and other early threat indicators before they run actions which are harmful for a company.
  • Python library implemented in Cytomic Orion and used by analysts in notebooks to enhance the automation of their investigations.
  • Tools that ensure that any indicators of threats are correctly managed. Cases are created, assigned and followed until they are closed. KPIs are collected to show the degree of compliance of the SOC security service.
  • Internal division of technical staff in a SOC/MSSP/MDR based on several criteria, such as technical knowledge of client infrastructure, communication skills, programming knowledge, etc.
  • A TTP describes the tactical approach used during a cyber-attack. It is used to analyze the attack and to profile the source of the threat. ‘Tactics’ describes how an attacker decides to execute the attack from beginning to end. ‘Techniques’ describes the technological approach to achieve intermediate results during the attack. ‘Procedures’ define the organizational approach of the attack. Knowing the enemy’s tactics helps to predict future attacks and to detect them in the early phases. Understanding the techniques used during an attack allows for the identification of blind spots in the organization and the implementation of countermeasures. Finally, analysis of the procedures used by attackers can help to understand what they are looking for inside the targeted infrastructure.
  • Resource formed by a set of information that Cytomic Orion uses to control administrators’ access to the Web console and to set which actions they can perform on the network’s computers.
  • Company workers using computers to do their job.
  • Network devices with multiple features related to security, such as network antivirus systems, firewall, intrusion detection/prevention systems (IDS/IPS), web filtering systems, anti-spam protection, etc. UTM devices are designed to protect entire networks of desktops and servers, and they can integrate other services related to security, such as endpoints in private networks, proxy services, etc.
  • Desktop virtualization solution which consists of hosting virtual machines in a data center which users access from a remote terminal. The purpose is to centralize and streamline management and to reduce maintenance costs. There are two types of VDI environments: persistent, where the storage space assigned to each user is maintained between restarts, including installed software, data, and operating system updates; and non-persistent, where the storage space assigned to each user is discarded when the VDI restarts, returning to the initial state and eliminating all changes.
  • Programs which are not capable of correctly interpreting data received from other processes due to programming errors. By sending a specially-designed data sequence (exploit), hackers can provoke a process malfunction which leads to the execution of code that compromises computer security.
  • Panel formed by a configurable diagram representing a particular aspect of the security of the client's network. The set of widgets forms Cytomic Orion’s dashboard.
  • Time elapsed between the moment the first computer in the world is infected by a new strain of malware and the moment it has been analyzed and incorporated into antivirus signature files in order to protect computers against infection. During this time, malware can infect computers without conventional antivirus systems being aware of its existence. Its detection and containment depend on advanced protection systems and threat hunters.
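The access token and refresh token entries above describe the token lifecycle of the integration API: the application authenticates once with its client credentials and user credentials, then renews expired access tokens with the refresh token rather than re-authenticating. The following is an added example, not Cytomic's code: `FakeCas` is a constructed stand-in for the CAS authorization server, and the grant method names and the 60-second early-refresh margin are assumptions.

```python
import secrets


class FakeCas:
    """Constructed stand-in for the CAS server. Real CAS is an HTTP service;
    this only models token issuance, expiry and refresh-token rotation."""

    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl
        self.valid_refresh_tokens = set()
        self.user_auths = 0  # how often user credentials reached the IdP

    def password_grant(self, client_id, client_secret, username, password, now):
        # The page says username/password validation is delegated to the IdP;
        # here any credentials are accepted, we only count the round trips.
        self.user_auths += 1
        return self._issue(now)

    def refresh_grant(self, refresh_token, now):
        # A revoked or already-used refresh token must not yield new tokens.
        if refresh_token not in self.valid_refresh_tokens:
            raise PermissionError("invalid_grant")
        self.valid_refresh_tokens.discard(refresh_token)  # rotate on use
        return self._issue(now)

    def _issue(self, now):
        refresh = secrets.token_urlsafe(16)  # opaque to the client
        self.valid_refresh_tokens.add(refresh)
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": refresh,
                "expires_at": now + self.access_ttl}


class TokenClient:
    """Holds one token pair and prefers the refresh grant over sending the
    user's credentials again; falls back to full authentication only when
    the refresh token is rejected (expired or revoked)."""

    EARLY_REFRESH = 60  # seconds before expiry at which to renew (assumed)

    def __init__(self, cas, client_id, client_secret, username, password):
        self.cas = cas
        self.creds = (client_id, client_secret, username, password)
        self.tokens = None

    def access_token(self, now):
        if self.tokens is None:
            self.tokens = self.cas.password_grant(*self.creds, now)
        elif now >= self.tokens["expires_at"] - self.EARLY_REFRESH:
            try:
                self.tokens = self.cas.refresh_grant(self.tokens["refresh_token"], now)
            except PermissionError:
                self.tokens = self.cas.password_grant(*self.creds, now)
        return self.tokens["access_token"]
```

The client never inspects the token contents, matching the page's point that tokens are opaque and only meaningful to the CAS server.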