1. Which personnel in a SOC is assigned the task of verifying whether an alert triggered by monitoring software represents a true security incident?
- Tier 3 personnel
- SOC Manager
- Tier 2 personnel
- Tier 1 personnel
Explanation: In a SOC, the job of a Tier 1 Alert Analyst includes monitoring incoming alerts and verifying that a true security incident has occurred.
2. After a security incident is verified in a SOC, an incident responder reviews the incident but cannot identify the source of the incident and form an effective mitigation procedure. To whom should the incident ticket be escalated?
- an alert analyst for further analysis
- the SOC manager to ask for other personnel to be assigned
- a cyberoperations analyst for help
- a SME for further investigation
Explanation: An incident responder is a Tier 2 security professional in a SOC. If the responder cannot resolve the incident ticket, the ticket should be escalated to the next support tier, Tier 3. A Tier 3 SME would further investigate the incident.
3. Which two services are provided by security operations centers? (Choose two.)
- providing secure Internet connections
- responding to data center physical break-ins
- monitoring network security threats
- managing comprehensive threat solutions
- ensuring secure routing packet exchanges
Explanation: Security operations centers (SOCs) can provide a broad range of services to defend against threats to information systems of an organization. These services include monitoring threats to network security and managing comprehensive solutions to fight against threats. Ensuring secure routing exchanges and providing secure Internet connections are tasks typically performed by a network operations center (NOC). Responding to facility break-ins is typically the function and responsibility of the local police department.
4. Which metric is used in SOCs to evaluate the average time that it takes to identify that valid security incidents have occurred in the network?
- Dwell Time
Explanation: SOCs use many metrics as performance indicators of how long it takes personnel to locate, stop, and remediate security incidents.
- Dwell Time
- Mean Time to Detect (MTTD)
- Mean Time to Respond (MTTR)
- Mean Time to Contain (MTTC)
- Time to Control
5. Which KPI metric does SOAR use to measure the length of time that threat actors have access to a network before they are detected and the access of the threat actors stopped?
- Dwell Time
Explanation: The common key performance indicator (KPI) metrics compiled by SOC managers are as follows:
- Dwell Time: the length of time that threat actors have access to a network before they are detected and the access of the threat actors stopped
- Mean Time to Detect (MTTD): the average time that it takes for the SOC personnel to identify that valid security incidents have occurred in the network
- Mean Time to Respond (MTTR): the average time that it takes to stop and remediate a security incident
- Mean Time to Contain (MTTC): the time required to stop the incident from causing further damage to systems or data
6. What is the role of SIEM?
- to analyze all the network packets for any malware signatures and synchronize the signatures with the Federal Government databases
- to analyze all the data that firewalls, network appliances, intrusion detection systems, and other devices generate and institute preventive measures
- to analyze all the network packets for any malware signatures and update the vulnerabilities database
- to analyze any OS vulnerabilities and apply security patches to secure the operating systems
Explanation: A security information and event management system (SIEM) makes sense of all of the data that firewalls, network appliances, intrusion detection systems, and other devices generate. SIEMs are used for collecting and filtering data, detecting and classifying threats, and analyzing and investigating threats. SIEM systems may also manage resources to implement preventive measures and address future threats.
7. What is a characteristic of the SOAR security platform?
- to provide a user-friendly interface that uses the Python programming language to manage security threats
- to provide a means to synchronize the vulnerabilities database
- to interact with the Federal Government security sites and update all vulnerability platforms
- to include predefined playbooks that enable automatic response to specific threats
Explanation: SOAR security platforms offer the following features:
- Gather alarm data from each component of the system
- Provide tools that enable cases to be researched, assessed, and investigated
- Emphasize integration as a means of automating complex incident response workflows that enable more rapid response and adaptive defense strategies
- Include predefined playbooks that enable automatic response to specific threats
8. A network security professional has applied for a Tier 2 position in a SOC. What is a typical job function that would be assigned to a new employee?
- further investigating security incidents
- monitoring incoming alerts and verifying that a true security incident has occurred
- serving as the point of contact for a customer
- hunting for potential security threats and implementing threat detection tools
Explanation: In a typical SOC, the job of a Tier 2 incident responder involves deep investigation of security incidents.
9. If a SOC has a goal of 99.99% uptime, how many minutes of downtime a year would be considered within its goal?
Explanation: Within a year, there are 365 days x 24 hours a day x 60 minutes per hour = 525,600 minutes. With an uptime goal of 99.99%, the downtime needs to be kept under 525,600 x (1 - 0.9999) = 52.56 minutes a year.
10. Which organization offers the vendor-neutral CySA+ certification?
Explanation: The CompTIA Cybersecurity Analyst (CySA+) certification is a vendor-neutral security professional certification.
11. In the operation of a SOC, which system is frequently used to let an analyst select alerts from a pool to investigate?
- syslog server
- security alert knowledge-based system
- registration system
- ticketing system
Explanation: In a SOC, a ticketing system is typically used as the workflow management system from which analysts select alerts to investigate.
12. How can a security information and event management system in a SOC be used to help personnel fight against security threats?
- by collecting and filtering data
- by authenticating users to network resources
- by filtering network traffic
- by encrypting communications to remote sites
Explanation: A security information and event management system (SIEM) combines data from multiple sources to help SOC personnel collect and filter data, detect and classify threats, analyze and investigate threats, and manage resources to implement preventive measures.
13. Which three technologies should be included in a security information and event management system in a SOC? (Choose three.)
- vulnerability tracking
- security monitoring
- VPN connection
- firewall appliance
- intrusion prevention
- threat intelligence
Explanation: Technologies in a SOC should include the following:
- Event collection, correlation, and analysis
- Security monitoring
- Security control
- Log management
- Vulnerability assessment
- Vulnerability tracking
- Threat intelligence
Firewall appliances, VPNs, and IPS are security devices deployed in the network infrastructure.