Security Incident Response (SIR)
True
(True or False) Customer perception is important in the definition of value
True
(True or False) Many organizations separate the Platform Administrator from the Security Incident Administrator
True
(True or False) Security Incident Response objectives are to increase the speed of: 1. Detection 2. Containment 3. Resolution
True
(True or False) The activities of the SIR application closely follow those of a standard incident management process
True
(True or False) The following are part of the SIR Setup Assistant: Security Incident Administrator Tasks: 1. SIR Administration 2. Email Settings 3. Playbook Settings 4. Integrations/Capability Configurations
True
(True or False) There are several methods by which security incidents can be raised, which broadly fit into one of two categories: 1. Manually Created 2. Automatically Created
No
(Yes or No) Are requests made through the Service Incident Catalog all automatically converted to Security Incidents?
Yes
(Yes or No) Are requests made through the Service Incident Catalog all handled by Record Producers that drive actions?
a
A violation of computer security policies, acceptable use policies, or standard computer practices is the definition of: a. A Security Incident b. A Security Incident Response c. Vulnerability Management d. Threat Intelligence
data sensitivity
Although the key focus of all incident resolution processes is action, what distinguishes Security Incidents are levels of?
a b
Automatically created security incidents generally come from which of the following (select 2): a. email parsing rules b. integrations with 3rd party system c. Security Service Catalog d. Security Incident Form
c
Containment as soon as possible by reducing the time required for security analysts to respond by getting the right information in front of the right eyes at the right time is the goal of what? a. Threat Intelligence b. Vulnerability Response c. Security Incident Response d. Request Fulfillment
b
Incident severity is influenced by the business value of the affected asset - either a _______________ or a Business Service a. Security Incident b. Configuration Item c. Vulnerability d. Record Producer
f
Key business assets and their ________ must be recorded accurately? a. early containment b. Priorities c. Key business assets d. calculators e. analysis f. criticality
c d
Manually created security incidents generally come from which of the following (select 2): a. email parsing rules b. integrations with 3rd party system c. Security Service Catalog d. Security Incident Form
b
The action plan taken to mitigate security incidents and imminent security threats is the definition of: a. A Security Incident b. A Security Incident Response c. Vulnerability Management d. Threat Intelligence
e
The following are part of which step of the SIR Customer Adoption Journey - Modernize Maturity Level 1? 1. # of SIEM Ingestion integrations 2. # of SIR/SIT op & closed 3. Review work notes 4. Inspect assessment rules 5. # of trained analysts 6. Dedicated admin & manager 7. # of inbound email SI responded to a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
a
The following are part of which step of the SIR Customer Adoption Journey - Modernize Maturity Level 1? 1. Authorized h/w & s/w 2. Services needing protection 3. Security Controls 4. Enforcement technologies 5. Response playbooks 6. Orchestration Endpoints a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
f
The following are part of which step of the SIR Customer Adoption Journey - Modernize Maturity Level 1? 1. Basic Dashboarding (non PA) 2. Continued user experience improvements a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
d
The following are part of which step of the SIR Customer Adoption Journey - Modernize Maturity Level 1? 1. Live 2. Journaling 3. Basic SIEM integration 4. Other manual SIRs/SIRTs 5. Documented Procedures 6. Manual Incident Progression 7. Email parsing or advanced phishing import a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
b
The following are part of which step of the SIR Customer Adoption Journey - Modernize Maturity Level 1? 1. OOB SIEM Integration a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
c
The following are part of which step of the SIR Customer Adoption Journey - Modernize Maturity Level 1? 1. Users/Groups/RBAC 2. Assignment Groups/queues 3. SLA Tuning, Notifications, Alerts 4. Severity/Risk/Impact Calculators 5. Tailoring Forms/Fields 6. Basic Dashboarding 7. Build Contextual KB or Workflow a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
e
The following are part of which step of the SIR Customer Adoption Journey - Modernize Maturity Level 2? 1. # of workflow versions/contexts 2. # of configuration capability impls 3. # of SLA results making it or not 4. # of incidents closed + trend a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
f
The following are part of which step of the SIR Customer Adoption Journey - Modernize Maturity Level 2? 1. Continued User Experience improvements a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
c
The following are part of which step of the SIR Customer Adoption Journey - Modernize Maturity Level 2? 1. Implementation of TI IOC / enrichment sources 2. Workflow design /test 3. Config of OOB Enrichment 4. Event Mgmt Setup a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
a
The following are part of which step of the SIR Customer Adoption Journey - Modernize Maturity Level 2? 1. Orchestration Endpoints a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
b
The following are part of which step of the SIR Customer Adoption Journey - Modernize Maturity Level 2? 1. Orchestration Endpoints 2. TI IOC/Enrichment Sources a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
d
The following are part of which step of the SIR Customer Adoption Journey - Modernize Maturity Level 2? 1. Workflow top 3 SIR playbooks 2. Deduplication of alerts 3. Enrichment automation 4. SOC performance monitoring 5. Threat Intel lookups a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
e
The following describe which step of the SIR Customer Adoption Journey - Modernize Maturity Level 3? 1. % of workflow automated 2. % of configured capability impls 3. # of SLA results 4. Measuring MTTI/MTTR 5. # of custom integrations 6. # of incidents closed per analyst a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
c
The following describe which step of the SIR Customer Adoption Journey - Modernize Maturity Level 3? 1. Config of OOB Queries 2. Creation of integration activities/workflows 3. Creation of custom threat sources 4. Advanced developer training a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
f
The following describe which step of the SIR Customer Adoption Journey - Modernize Maturity Level 3? 1. Further playbook workflow creation/tuning a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
d
The following describe which step of the SIR Customer Adoption Journey - Modernize Maturity Level 3? 1. Workflow top 7 SIR playbooks 2. Sightings Search 3. EDR Orchestration 4. Firewall Rule Orchestration 5. Ability to rapidly build custom integration 6. Advanced Threat Intel Program a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
d
The objective of SIR is to increase the speed of which of the following: a. Detection b. Containment c. Resolution d. All of the above
c
The primary outcome is to get the right information in front of the right person so that they can address the right tasks to facilitate early ___________ a. early containment b. Priorities c. containment d. calculators e. analysis f. criticality
c
Time to ________ begins with time to detection a. notification b. training c. containment d. information
d
Time to containment begins with time to _______________ a. notification b. training c. information d. detection
5
Trusted Circles - Starter allows for how many queries per day in the global circle only?
d
What are an organization's first line of defense? a. Record Producers b. Security Incident Catalog c. SIR Admins d. Vigilant Users
b c d
What are the 3 main customer perception types likely to be encountered? (Select 3) a. I want nothing b. I want everything c. I need this thing d. I know nothing
a c b
What are the 3 mindsets of the SIR Customer Journey Maturity Model and their order? a. Modernize b. Innovate c. Transform d. Understand
e
What are the Incident Response Lifecycle steps (follows NIST) a. Preparation b. Detection & Analysis c. Containment, Eradication & Recovery d. Post Incident Activity e. all of the above
d
What are used to influence the final assessment? a. early containment b. Priorities c. Key business assets d. calculators e. analysis
goals
What is crucial in the definition of value and achieving a successful SIR deployment? Understanding the customer's _______
b
What is determined after proper analysis? a. early containment b. Priorities c. Key business assets d. calculators e. analysis
b
What is mainly a manual process but could also be automated to perform some number-crunching enrichment prior to manual decisions? a. detection b. analysis c. logging d. response
a
What is the 2nd step of the Incident Response Lifecycle? a. Detection & Analysis b. Preparation c. Post Incident Activity d. Containment, Eradication, & Recovery
d
What is the 2nd step of the SIR Customer Adoption Journey a. Inventory b. Refine c. Configure d. Connect e. Measure f. Launch
c
What is the 3rd step of the SIR Customer Adoption Journey a. Inventory b. Refine c. Configure d. Connect e. Measure f. Launch
f
What is the 4th step of the SIR Customer Adoption Journey a. Inventory b. Refine c. Configure d. Connect e. Measure f. Launch
e
What is the 5th step of the SIR Customer Adoption Journey a. Inventory b. Refine c. Configure d. Connect e. Measure f. Launch
b
What is the 6th step of the SIR Customer Adoption Journey a. Inventory b. Refine c. Configure d. Connect e. Measure f. Launch
b
What is the goal of any implementation consultant? _________ __________ through a successful deployment a. Customer Value b. Customer Satisfaction c. Incident Resolution d. Customer Requirements
action
What is the key focus of all incident resolution processes?
a c d b
What is the proper order of the Incident Response Lifecycle steps (follows NIST) a. Preparation b. Post Incident Activity c. Detection & Analysis d. Containment, Eradication & Recovery
a
What originates from tools such as firewalls, IDSs, logs of email or web gateways - but could also be raised through manual means? a. detection b. analysis c. logging d. response
b
What product tier provides limited Trusted Circle queries but adds Vulnerability Response and Threat Intelligence information to security incidents? a. Standard (SIR) b. Professional c. Enterprise
a
What product tier provides the customer with only limited Trusted Circles queries and no Performance Analytics for SecOps? a. Standard (SIR) b. Professional c. Enterprise
e
What should be based on financial factors such as business impact assessment, service criticality? a. early containment b. Priorities c. Key business assets d. calculators e. analysis
b
Which Incident Response Lifecycle phase encompasses detection from tools such as firewalls, IDS, email logs, etc.? a. Preparation b. Detection & Analysis c. Containment, Eradication, & Recovery d. Post Incident Activity
b
Which Incident Response Lifecycle phase is mainly a manual process (security analysts working the incident) a. Preparation b. Detection & Analysis c. Containment, Eradication, & Recovery d. Post Incident Activity
a
Which Incident Response Lifecycle phase is used to make sure the customer organization is appropriately trained with the tools necessary to detect/respond to security incidents? Customers must define their business requirements for the implementation. a. Preparation b. Detection & Analysis c. Containment, Eradication, & Recovery d. Post Incident Activity
c
Which Incident Response Lifecycle step is described below: 1. Containment limits the impact of the security incident, preventing data loss or further malware contamination. 2. Eradication seeks to fix the problem based on the best COA 3. Recovery brings affected systems back to normal operation a. Preparation b. Detection & Analysis c. Containment, Eradication & Recovery d. Post Incident Activity
b
Which Incident Response Lifecycle step is described below: 1. Detection originates from tools such as firewalls, IDS, logs of email or email gateways 2. Analysis is mainly a manual process a. Preparation b. Detection & Analysis c. Containment, Eradication & Recovery d. Post Incident Activity
d
Which Incident Response Lifecycle step is described below: 1. Documentation of observations, along with action(s) taken to address the problem and proposed changes for future improvement. a. Preparation b. Detection & Analysis c. Containment, Eradication & Recovery d. Post Incident Activity
a
Which Incident Response Lifecycle step is described below: Making sure the customer organization is appropriately trained with tools necessary to detect/respond to security incidents. a. Preparation b. Detection & Analysis c. Containment, Eradication & Recovery d. Post Incident Activity
b
Which SIR Maturity Model includes the following: 1. Automated incident creation 2. Automated prioritization and assignment 3. Single system of record 4. Improved visibility a. Level 0: Manual Operations b. Level 1: Basic Operations c. Level 2: Automated Investigations d. Level 3: Orchestrated Remediation
d
Which SIR Maturity Model includes the following: 1. Playbooks for critical incident scenarios 2. Automated incident response 3. Integration with new tools easily 4. Continual Process Improvement 5. Enhanced analyst efficiency a. Level 0: Manual Operations b. Level 1: Basic Operations c. Level 2: Automated Investigations d. Level 3: Orchestrated Remediation
a
Which SIR Maturity Model includes the following: 1. Spreadsheets 2. Limited Visibility 3. Long Response times a. Level 0: Manual Operations b. Level 1: Basic Operations c. Level 2: Automated Investigations d. Level 3: Orchestrated Remediation
c
Which SIR Maturity Model includes the following: 1. Threat intelligence correlation 2. Automated incident enrichment 3. Workflow driven consistent processes 4. Automated response 5. Better decision making a. Level 0: Manual Operations b. Level 1: Basic Operations c. Level 2: Automated Investigations d. Level 3: Orchestrated Remediation
c
Which SIR Product Tier includes the following: 1. Professional Offerings 2. Advanced investigation and containment use cases 3. Trusted Security Circles a. Standard (SIR) b. Professional c. Enterprise
a
Which SIR Product Tier includes the following: 1. Security Incident Response (SIR) 2. Security event ingestion 3. Trusted Circles - Starter 4. Basic Reporting a. Standard (SIR) b. Professional c. Enterprise
b
Which SIR Product Tier includes the following: 1. Standard offerings 2. Threat Intelligence and enrichment 3. Case Management 4. Event Management 5. Performance Analytics for advanced reporting a. Standard (SIR) b. Professional c. Enterprise
h
Which factors should be considered when building the SIR team? a. Skills b. Knowledge c. Goals d. Capabilities e. Tools f. Metrics g. Outcomes h. All the above
d
Which of the following are Security Incident Response objectives: a. Detection b. Containment c. Resolution d. all of the above
d
Which of the following are part of Security Incident Response: a. Collating and enriching incident information b. Investigation and analysis c. Identifying which Incidents require urgent attention d. all of the above
e
Which of the following are regulatory compliance standards that drive requirements? (Select those that apply) a. GDPR b. HIPAA c. PCI-DSS d. SOX e. All the above
a
Which of the following is Step 1 of the SIR Customer Adoption Journey - Modernize Maturity Level 3? 1. Additional Orchestration Endpoints a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
b
Which of the following is step 2 of the SIR Customer Adoption Journey - Modernize Maturity Level 3? 1. Additional Orchestration Endpoints a. Inventory b. Connect c. Configure d. Launch e. Measure f. Refine
c
Which one of these 5 is not one of the steps in the Incident Response Lifecycle? a. Preparation b. Detection & Analysis c. Analysis & Recovery d. Containment, Eradication, & Recovery e. Post Incident Activity
d
Which role creates and updates security incidents, requests, and tasks, as well as problems, changes, and outages related to their incident? a. admin b. sn_si.admin c. sn_si.manager d. sn_si.analyst e. sn_si.basic
c
Which role has both read and write access to Security Incidents and inherits the sn_si.basic role by default? a. sn_si.read b. sn_si.external c. sn_si.ciso d. sn_si.knowledge_admin e. sn_si.integration_user
b
Which role has full control over all SIR data and also configures Territories and Skills, as needed? a. admin b. sn_si.admin c. sn_si.manager d. sn_si.analyst e. sn_si.basic
a
Which role has read-only access to security incidents, typically for reporting/monitoring? a. sn_si.read b. sn_si.external c. sn_si.ciso d. sn_si.knowledge_admin e. sn_si.integration_user
c
Which role has the same access as security agents, with the additional ability to adjust business criticality calculators and view the manager dashboards? a. admin b. sn_si.admin c. sn_si.manager d. sn_si.analyst e. sn_si.basic
c
Which role is CISO? a. sn_si.read b. sn_si.external c. sn_si.ciso d. sn_si.knowledge_admin e. sn_si.integration_user
e
Which role is Integration User? a. sn_si.read b. sn_si.external c. sn_si.ciso d. sn_si.knowledge_admin e. sn_si.integration_user
d
Which role is Knowledge Admin? a. sn_si.read b. sn_si.external c. sn_si.ciso d. sn_si.knowledge_admin e. sn_si.integration_user
b
Which role is external? a. sn_si.read b. sn_si.external c. sn_si.ciso d. sn_si.knowledge_admin e. sn_si.integration_user
b
Which role is for external users to view and work tasks assigned to them? a. sn_si.read b. sn_si.external c. sn_si.ciso d. sn_si.knowledge_admin e. sn_si.integration_user
a
Which role is read? a. sn_si.read b. sn_si.external c. sn_si.ciso d. sn_si.knowledge_admin e. sn_si.integration_user
a
Which role is the Platform Admin? a. admin b. sn_si.admin c. sn_si.manager d. sn_si.analyst e. sn_si.basic
e
Which role is the Security Basic? a. admin b. sn_si.admin c. sn_si.manager d. sn_si.analyst e. sn_si.basic
b
Which role is the Security Incident Admin? a. admin b. sn_si.admin c. sn_si.manager d. sn_si.analyst e. sn_si.basic
d
Which role is the Security Incident Analyst? a. admin b. sn_si.admin c. sn_si.manager d. sn_si.analyst e. sn_si.basic
c
Which role is the Security Manager? a. admin b. sn_si.admin c. sn_si.manager d. sn_si.analyst e. sn_si.basic
e
Which role is the underlying role for basic security access? a. admin b. sn_si.admin c. sn_si.manager d. sn_si.analyst e. sn_si.basic
d
Which role manages the SI knowledge base, both content and configuration? a. sn_si.read b. sn_si.external c. sn_si.ciso d. sn_si.knowledge_admin e. sn_si.integration_user
e
Which role permits external tools to create/amend SI records? a. sn_si.read b. sn_si.external c. sn_si.ciso d. sn_si.knowledge_admin e. sn_si.integration_user
a
Which role should be removed from all Security Incident groups once the Security Incident Administrator Count is added? a. admin b. sn_vul.admin c.
a
Which step is the 1st step of the SIR Customer Adoption Journey a. Inventory b. Refine c. Configure d. Connect e. Measure f. Launch