1.2 Defining the Security Operations Center
Types of Security Operations Centers Which two statements are true regarding a threat-centric SOC? (Choose two.)
A threat-centric SOC proactively hunts for malicious threats on networks. A threat-centric SOC focuses on addressing security across the entire attack continuum—before, during, and after an attack.
Types of Security Operations Centers Which two statements are true regarding an operational-based SOC? (Choose two.)
An operational-based SOC is an internally focused organization that monitors the security posture of an organization's internal network. An operational-based SOC is focused on the administration of firewall ACL rules, and so on.
Roles in a Security Operations Center Match the responsibilities of a security analyst to their tier (Tier 2):
performs deep-dive incident analysis by correlating data from various sources, determines if a critical system or data set has been impacted; advises on remediation; provides support for new analytic methods for detecting threats
Roles in a Security Operations Center Match the responsibilities of a security analyst to their tier (Tier 3):
possesses in-depth technical knowledge on the network, endpoint, threat intelligence, forensics and malware reverse engineering, as well as the functioning of specific applications or underlying IT infrastructure; acts as an incident "hunter," not waiting for escalated incidents; closely involved in developing, tuning, and implementing threat detection analytics
Types of Security Operations Centers Which two statements are true regarding a compliance-based SOC? (Choose two.)
A compliance-based SOC focuses on comparing the posture of network systems to reference configuration templates or standard system builds. A compliance-based SOC focuses on detecting unauthorized changes and existing configuration problems that could lead to a possible security breach.
Data Analytics Which statement is true regarding data analytics?
Data analytics is the science of examining and deciphering raw data with the purpose of drawing conclusions from it.
Data Analytics Which statement is true regarding dynamic analysis?
Dynamic analysis is the testing and evaluation of a program by executing the data in real time.
SOC Analyst Tools Which Security Onion component is used to query log data from the different sources?
ELSA
Data Analytics In log mining, which statement is true about sequencing?
Sequencing is the reconstruction or the following of the network traffic flow.
SOC Analyst Tools Which two of the following tools in Security Onion could be used for intrusion detection? (Choose two.)
Snort; Suricata
Sufficient Staffing Necessary for an Effective Incident Response Team Which two statements are most correct about the SOC analyst job role? (Choose two.)
The SOC analyst job role heavily involves the use of the SIEM. The exact job role of the SOC analyst will vary among different organizations.
Sufficient Staffing Necessary for an Effective Incident Response Team Which job role in a SOC would most likely perform the initial triage of alerts that are received from SIEM?
Tier 1 security analyst
Roles in a Security Operations Center Match the responsibilities of a security analyst to their tier (Tier 1):
continuously monitors the alert queue; triages security alerts; monitors health of security sensors and endpoints; collects data and context
Roles in a Security Operations Center Which two basic skills must Tier 1 security analysts possess to be effective at their jobs? (Select two.)
device configuration; traffic capture
Develop Key Relationships with External Resources What are three typical requirements for a SOC? (Choose three.)
effective NSM tools; security analysts with comprehensive technical backgrounds; effective processes to support the SOC operations
Hybrid Installations: Automated Reports, Anomaly Alerts Which type of event should an analyst spend the least amount of time investigating?
false positive alerts
Hybrid Installations: Automated Reports, Anomaly Alerts Match the term to its correct explanation.
for tasks that are repetitive = SOC automation; should not require a security analyst to intervene = false positive alerts; can be volume- or feature-based = anomaly detection