D4: SECURITY ARCHITECTURE ANALYSIS

Question 1

Security operations architecture

Answer 1

Design of processes tools and data flows that support monitoring detection response and improvement of security controls

Question 2

Security operations center

Answer 2

Central team and facility that monitors security telemetry analyzes alerts and coordinates response to incidents

Question 3

Use case in detection

Answer 3

Documented scenario describing what malicious or risky behavior to detect which data sources to use and what logic to apply

Question 4

Security information and event management

Answer 4

Platform that collects normalizes correlates and analyzes events from many sources to support detection and reporting

Question 5

Log management

Answer 5

Processes and tools to collect store index and retain logs from systems applications and security devices

Question 6

Log source coverage

Answer 6

Extent to which critical systems cloud resources applications and network elements send logs into the central monitoring platform

Question 7

Baseline behavior

Answer 7

Model of typical activity patterns for users systems or networks used to identify deviations and anomalies

Question 8

Alert correlation

Answer 8

Technique of combining related events and alerts into a single incident or story to reduce noise and improve context

Question 9

Incident

Answer 9

Confirmed or reasonably suspected event that jeopardizes confidentiality integrity or availability of information or systems

Question 10

Event triage

Answer 10

Initial evaluation and prioritization of alerts to determine severity scope and whether further investigation is needed

Question 11

Incident response plan

Answer 11

Document that defines roles procedures communication and decision points for handling security incidents

Question 12

Incident response lifecycle

Answer 12

Phases such as preparation detection analysis containment eradication recovery and post incident lessons learned

Question 13

Containment strategy

Answer 13

Approach for limiting the impact of an incident such as isolating hosts disabling accounts or blocking network paths

Question 14

Eradication and recovery

Answer 14

Activities that remove the threat actor or malware and restore systems and data to trusted operation

Question 15

Post incident review

Answer 15

Structured analysis of an incident to identify root causes lessons and improvements for controls and processes

Question 16

Forensic readiness

Answer 16

Preparation of systems so they capture reliable evidence such as synchronized time detailed logs and chain of custody procedures

Question 17

Time synchronization

Answer 17

Use of consistent time sources so that events across different systems can be accurately correlated during investigations

Question 18

Vulnerability management

Answer 18

Continuous process of discovering assessing prioritizing and remediating vulnerabilities in systems and applications

Question 19

Patch management

Answer 19

Structured approach to evaluating testing and deploying updates to software and firmware within defined timeframes

Question 20

Configuration management

Answer 20

Definition and control of baseline configurations and changes to them to reduce misconfiguration risk

Question 21

Change control

Answer 21

Process to evaluate approve implement and document changes to systems and security controls to avoid unintended consequences

Question 22

Endpoint security monitoring

Answer 22

Collection and analysis of telemetry from servers workstations and mobile devices to detect malicious activity

Question 23

Endpoint detection and response

Answer 23

Tools that provide advanced endpoint visibility behavior analysis and remote response actions such as isolation

Question 24

Network security monitoring

Answer 24

Observation and analysis of network traffic metadata or packets to detect anomalies intrusions or policy violations

Question 25

Threat intelligence

Answer 25

Information about adversaries indicators tactics and vulnerabilities used to improve detection and response

Question 26

Use of threat intelligence feeds

Answer 26

Integration of external indicators into security tools such as firewalls proxies and SIEM to enhance detection

Question 27

Playbook or runbook

Answer 27

Detailed sequence of steps for analysts to follow when handling a specific incident type or operational task

Question 28

Security orchestration and automation

Answer 28

Automation of repetitive detection and response actions across tools to increase speed and consistency

Question 29

Case management

Answer 29

System for tracking investigations evidence decisions and status of incidents within security operations

Question 30

Key performance indicators for operations

Answer 30

Metrics such as mean time to detect mean time to respond false positive rate and coverage of critical assets

Question 31

Noise and false positive reduction

Answer 31

Tuning of detection rules and filters so that alerts are actionable and analysts are not overwhelmed

Question 32

Health monitoring of security tools

Answer 32

Continuous verification that sensors agents collectors and rules are functioning and sending expected data

Question 33

Data retention strategy

Answer 33

Decisions about how long to keep different types of logs and snapshots based on legal forensic and storage considerations

Question 34

Segregation of duties in operations

Answer 34

Ensuring that individuals who monitor activity are not the same people who administer critical systems they observe

Question 35

Operational runbook for maintenance

Answer 35

Documented procedures for recurring tasks such as log review backup verification and rule tuning

Question 36

Operational change windows

Answer 36

Planned periods when changes to security tools or monitoring are allowed with rollback plans if issues occur

Question 37

Red team and blue team

Answer 37

Exercise structure where attackers simulate adversaries and defenders operate detection and response to test capabilities

Question 38

Purple team

Answer 38

Collaborative approach where offensive and defensive teams work together to refine detection and response techniques

Question 39

Simulation and tabletop exercises

Answer 39

Practice activities where scenarios are walked through to test communications decision making and procedures

Question 40

Service level objectives for SOC

Answer 40

Agreed targets defining expected response times handling times and communication expectations for incidents

Question 41

Integration with business continuity

Answer 41

Alignment of incident response with continuity and disaster recovery plans so operations know when to fail over

Question 42

Monitoring of cloud environments

Answer 42

Collection of logs events and configuration data from cloud services using provider APIs and native tools

Question 43

Security monitoring in DevOps

Answer 43

Integration of monitoring and logging for new services into pipelines so that operations has visibility from day one

Question 44

Operational handoff between shifts

Answer 44

Structured communication of ongoing incidents changes and tool status to ensure continuity of coverage

Question 45

Threat hunting

Answer 45

Proactive analyst driven search through telemetry for indicators of threats that have evaded automated detection

Question 46

Data quality in telemetry

Answer 46

Ensuring events have consistent formats fields and reliability so analytics and correlation work correctly

Question 47

Third party managed security services

Answer 47

Use of external providers to perform some or all monitoring and response functions under defined contracts

Question 48

Escalation procedures

Answer 48

Rules and contact paths for moving incidents to higher expertise levels or management based on severity and impact

Question 49

Security operations documentation

Answer 49

Collection of playbooks architecture diagrams data flow descriptions and standard operating procedures for the operations function