Which two elements are crucial for a successful SOC? (Choose two.)
Highly skilled security analysts
Rapid threat containment
Security automation and orchestration technologies
In-house malware development
What is the main goal of Security Operations (SecOps)?
Improve the security posture of the business, its products, and services by
introducing security as a shared responsibility
Reduce the time required to contain a breach
Detect, analyze, and respond to cybersecurity incidents
Connect different security technologies through standardized and automated
workflows
What is the primary function of a Security Operations Center (SOC)?
Detect, analyze, and respond to cybersecurity incidents
Develop a security strategy
Design a security architecture
Implement protective measures
Which three aspects are essential when setting up a SOC? (Choose three.)
Careful planning
Physical safety
Rapid threat containment
Functional layout
In-house malware development
Who are the typical team members of a SOC?
Security architects
Security analysts
Malware developers
Security strategists
Which three steps are part of the daily SOC processes for analysts? (Choose three.)
Review summary data
Threat intel data
Network security maintenance
Situational awareness update
Endpoint security configuration
What is one of the main challenges faced by SOC analysts during their daily work?
Pivoting from security console to security console to gather investigative clues
Lack of security tools
Inability to prioritize threats
Limited access to network traffic analysis
In a typical alert investigation, what is the first step for a SOC analyst?
Review Active Directory logs
An organization forwards high-level security alerts to its SIEM
Pivot to the network traffic analysis tool
Review processes running on the endpoint
According to a survey of security professionals, what percentage of alerts can organizations
investigate?
0.5
0.7
Less than 7%
More than 90%
Which two limitations do current security tools have for SOC analysts? (Choose two.)
Difficulty in prioritizing alerts for review
Too few alerts
Lack of full context for investigations
Automated threat prioritization
Which phase of the incident response lifecycle involves creating an incident response plan and
providing the necessary tools to the incident response team?
Preparation
Detection and analysis
Containment, eradication, and recovery
Post-incident activity
What are three main functions of the incident lifecycle? (Choose three.)
Identify
Investigate
Mitigate
Preparation
Recovery
In the containment, eradication, and recovery phase of the incident response lifecycle, what actions
might organizations take to remove adversaries from the impacted network? (Choose three.)
Use an anti-malware-based response tool
Delete, zero, or re-install machine hard drives
Analyze running memory
Reset or delete affected user accounts
Collect evidence from log files
During which phase of the incident response lifecycle do organizations review all activities and steps
followed in previous phases and complete a written report?
Detection and analysis
Containment, eradication, and recovery
Preparation
Post-incident activity
What is the difference between an adverse event and a security incident?
Adverse events have negative consequences, while security incidents are policy
violations or threats.
Adverse events are any events with negative consequences, while security
incidents are violations or threats to cybersecurity policies or best practices.
Adverse events are policy violations or threats, while security incidents have
negative consequences.
Adverse events are violations or threats to cybersecurity policies or best practices,
while security incidents are any events with negative consequences.
Which framework provides standardized guidelines that can enable
federal agencies to evaluate cyber threats and risks to their
different infrastructure platforms, cloud-based services, and
software solutions?
NIST Special Publication 800-61
FedRAMP
MITRE ATT&CK
FISMA
Which cybersecurity framework provides a step-by-step guide for incident response teams to create
an effective incident response policy and plan, and recommends a review of each incident with post-
incident activity?
NIST Cybersecurity Framework
NIST Special Publication 800-61
FedRAMP
FISMA
Which cybersecurity framework is designed to help organizations assess and improve their security
posture regarding cyberattacks and is based on existing standards, guidelines, and practices?
NIST Cybersecurity Framework
NIST Special Publication 800-61
FedRAMP
FISMA
Which two components of the NIST Cybersecurity Framework help organizations provide an
organizational view for cybersecurity risk management and strengthen their existing processes or
implement new processes? (Choose two.)
Core
Implementation Tiers
Profiles
Tactics
What are the three main goals of the FedRAMP program? (Choose three.)
Promote the security brought about by air-gapping systems
Improve confidence in cloud security
Ensure consistent application of existing security policies
Increase automation for near real-time data with continuous monitoring
Categorize information with respect to security levels
Datum FinTech analysts face many challenges in performing their duties. Pick two challenges
analysts face using their current tools. (Choose two.)
Require individual logins for analysts, and do not allow them to share access.
Do not allow teams to prioritize alerts for review.
They have difficult user interfaces which do not allow analysts to quickly identify high-value
information.
Do not provide all the context required for investigations.
Do not allow analysts to remain logged in long enough, wasting valuable time.
Datum FinTech uses a standard definition for a cybersecurity incident. Which of the following fits that
definition?
Any alert generated, at any priority, by the triggering of a SIEM correlation rule.
The presence of unauthorized individuals within a company’s physical infrastructure.
The execution of code on information systems controlled by the company.
Adverse events or the threat of adverse events occurring in a computing system,
network, or application.
Datum FinTech wants its analysts to understand their responsibilities. Which of the following
describes the Security Operations Center the analysts will work in?
Monitoring and analyzing activity on networks, servers, and other systems.
Protecting the company’s physical property from theft, vandalism, and damage.
Ensuring that financial transactions are processed according to legal procedures
and protections.
Ensuring that IT systems can communicate with one another.
Which tool should analysts turn to at Datum FinTech to identify high-value alerts?
Firewall
Application Whitelister
SIEM
File Integrity Monitor
In the “investigate” step of Incident Response, what is the primary goal of the analyst during this
phase?
Examine the incident for the root cause and its impact
Process and classify alerts according to their severity
Stop the attack and respond to it
Explore the procedures required for quality improvement
Datum FinTech requires its analysts to understand the mission they are required to perform. Which
of the following best describes the mission of the Security Operations Center?
Build and deploy novel cybersecurity products and services
Acquire and implement protective measures in cybersecurity
Design and architect the cybersecurity strategy
Identify, analyze, and respond to cybersecurity incidents
Datum FinTech has suffered multiple cybersecurity incidents recently. Which two scenarios would
classify as cybersecurity incidents? (Choose two.)
A user accidentally deleting a file of high value to the company
A denial-of-service event against a web service.
The use of a keylogger on an administrator’s computer to acquire passwords.
A power outage leading to a network outage.
Recently, Datum FinTech has adopted the NIST standard. What is the NIST standard?
A program to protect information systems used in federal government agencies.
An act to modernize IT through a move away from outdated technology.
A program to help organizations improve their security posture regarding cyber
attacks.
A framework and knowledge base of tactics and techniques used by attackers.
Datum FinTech has adopted the MITRE ATT&CK framework to aid it in combating cyber crime. What
is one example of a tactic from the ATT&CK framework?
Privilege escalation
Denial of service
Reconnaissance
Extortion
Which of the following standards should Datum FinTech adopt to stay current with information
security, digital evidence, and incident handling and response?
FISMA
NIST
FedRAMP
ISO
Which three steps are part of the risk management process in cybersecurity? (Choose three.)
Identify risks
Perform risk analysis
Assign security roles
Determine security controls
Monitor network traffic
Which two control types can be applied after a risk is identified, analyzed, and classified in the risk
management process? (Choose two.)
Mitigate
Transfer
Eliminate
Measure
Predict
What is the primary purpose of a Security Operations Center (SOC)?
To monitor and analyze activity on networks, servers, endpoints, databases,
applications, websites, and other systems
To manage the company's overall IT infrastructure
To provide technical support for end users
To develop and implement new software applications
In the risk management process, what is the purpose of monitoring the controls?
To ensure compliance with laws and regulations
To evaluate the effectiveness of control measures and make necessary adjustments
To identify new risks and threats in real-time
To train employees on security best practices
What is the main difference between a SOC mission statement and its goals?
The mission statement is a high-level strategy document, while goals are the
instruments to reach the main aims.
While the mission statement is a high-level strategy document, goals are specific
objectives.
The mission statement focuses on technology, while goals focus on people and
processes.
While the mission statement is a general overview of the SOC's purpose, goals are
specific objectives.
Which stage of the incident lifecycle involves determining the best response method, such as
quarantine, avoid, or restore?
Identify
Investigate
Mitigate
Continuous Improvement
In the continuous improvement stage, what is the main goal of tuning alerting procedures?
To improve the visibility of security incidents
To increase the speed of incident response
To reduce false positives and low-fidelity alerts
To prevent future security incidents
What are the four main stages of the incident lifecycle?
Identify, investigate, mitigate, and continuously improve
Monitor, investigate, respond, and prevent
Alert, analyze, mitigate, and report
Detect, assess, respond, and review
Which two types of data provide the information needed to perform investigations and validate
breaches? (Choose two.)
Telemetry
Log data
Forensics (Raw)
Incident reports
Network traffic
What is the primary role of a SOC analyst?
To provide remote monitoring, telephone support, and remote support for security teams globally
To manage the company's overall IT infrastructure
To develop and implement new software applications
To create and maintain alerting profiles
Which two statements apply to HIPAA? (Choose two.)
Implement mechanisms for recording and examining ePHI activity.
Review audit logs, access reports, and security incident reports regularly.
Hire a data protection officer and educate all employees about best data practices as per SOC.
Define roles and restrict data access to specific employees as per SOC.
What does compliance help create for analysts managing risks and meeting compliance
requirements?
Adhering to industry standards
Fulfilling customer needs
Achieving organizational goals
Improving security posture
Which three are requirements for GDPR compliance? (Choose three.)
Report any security incidents (such as vulnerabilities and personal data breaches) within 72 hours; must be able to detect potential security breaches
Apply computer forensics investigation and response policies to all investigations
Implement procedures for login monitoring
Record IT activities
Define roles and restrict data access to specific employees as per SOC
Which requirement is unrelated to SOC compliance requirements?
PCI DSS
HIPAA
ISO 22000
ISO 27000
Which three tools and technologies do SOC analysts use to address compliance needs? (Choose
three.)
Security Information and Event Management (SIEM)
Vulnerability Management Tool
Security Policy
Email tools
SMS gateway integrations
What are the three types of information that a data loss prevention solution should collect and
aggregate to make informed data protection decisions? (Choose three.)
Content
Context
Character
Connection speed
Encryption method
What is the primary purpose of a data loss protection solution?
Prevent intruders or malware from entering a network
Monitor and stop unsafe data movement and sharing
Block all unauthorized access to sensitive information
Encrypt data in transit
How does a machine learning-driven data protection system help with data protection decisions?
It replaces the need for human involvement in data protection
It suggests compliance regulations to adhere to and enables the right data protection policies
It automatically blocks all suspicious activities
It detects and removes malware from sensitive data
Why is it difficult to identify sensitive data in an organization?
All data is encrypted, making it hard to analyze
Sensitive data is always stored on secure servers
Distinguishing sensitive data patterns is challenging, and false positives may occur
Sensitive data is automatically deleted after a certain period of time
Which two features are essential for a data loss protection solution? (Choose two.)
Apply protective rigor to organizations' intellectual property
Protect sensitive data from malicious insiders
Control data access based on employee seniority
Provide real-time threat intelligence updates
Which of the following is a benefit of using a security orchestration, automation, and response
(SOAR) solution?
Centralized log management
Improved threat detection
Reduced false positives
Automated incident response
Which of the following is a key component of a security operations center (SOC)?
Security information and event management (SIEM)
Security orchestration, automation, and response (SOAR)
Threat intelligence
Incident response
Vulnerability management
What is the purpose of an incident report?
To identify the sources and channels where the incident occurred, as well as details about the incident
To ensure analysts are using the correct template to document incidents
To evaluate data to ensure a follow-up is performed
To learn where reports are coming from and how they were delivered
Which three of the following are types of security incidents? (Choose three.)
Denial of service (DoS) attacks
Malware infections
Phishing attacks
Insider threats
Misconfigurations
Which two pieces of information should be included in the SOC weekly reports? (Choose two.)
Number of open/closed cases
Incident owner
Time to resolution
Threat hunting activities
Timelines
Which two factors are improved by security orchestration in an organization's security posture?
(Choose two.)
Consistency
Efficiency
Complexity
Vulnerability
What are the three main functions of security orchestration tools in the security landscape? (Choose
three.)
Collect and correlate data from multiple security products
Eliminate the need for human intervention in security operations
Execute actions across products
Provide a platform to document analyst actions, comments, and incident evidence
Replace all existing security tools with a single solution
What is the main purpose of using playbooks in Security Orchestration, Automation, and Response
(SOAR) systems?
To standardize processes and provide a consistent set of well-designed steps for incident response
To manually perform all tasks in security operations
To solely rely on human expertise for threat identification
To eliminate the need for security orchestration tools
Which scenario best fits the usage of manual tasks in a playbook?
The playbook may run into an edge case where it is too nuanced for automation
The playbook needs to address a repetitive task that is easy for an analyst to resolve
The task needs to gather a specific value within the incident details
The task requires an email to be sent to the end-user with incident details
NextGen Technologies needs a data protection and monitoring solution that explicitly addresses the
risk of data breaches and stops unsafe data movement. Which of the following products would
address this need?
Application whitelisting
File integrity monitoring
Drive encryption
Data loss protection
After integrating automation into the SOC, NextGen Technologies hopes to alleviate a number of
problems. Which two problems are addressed with automation? (Choose two.)
Threat classification
Root cause analysis
Incident deduplication
Zero-day exploit prevention
Threat hunting
NextGen Technologies is required to submit material for its annual compliance review. Which of the
following would the Security Operations Center be responsible for submitting?
Employee training and awareness requirements.
Data storage requirements.
Breach disclosure requirements.
Log normalization requirements.
NextGen Technologies wants to determine what to do about various risks to its business model.
Which of the following is a response to risk based upon adopting security controls?
Mitigate
Ablate
Evade
Control
Now that NextGen Technologies has installed Security Orchestration into their SOC, they will be
adopting playbooks into their processes. What role does a playbook serve?
Standardize processes and provide a consistent set of steps that all analysts can use.
Analyze situations to react in unexpected situations.
Establish encrypted communications between various security products.
Normalize log data to allow correlation rules to run on them.
Which of the following items describes the activity of consistently gathered electronic and real-time
data?
Forensics
Telemetry
Logging
An Event
The Security Operations Center at NextGen Technologies has recently standardized their incident
report process. What is the purpose of writing incident reports?
To identify the sources where the incident occurred, as well as details about the incident.
To justify security control decisions that have already been made.
To satisfy regulatory requirements without actually addressing the root cause of the incident.
To blame individuals and organizations responsible for vulnerabilities that were exploited in the course of the incident.
NextGen Technologies has generally been pleased with the integration of automation bringing
benefits such as alert fatigue reduction and quicker triage. What is one additional bonus that
automation brings to a SOC?
Increased talent acquisition.
Improved parsing.
Simplified data lake configuration.
Simplified playbook creation.
NextGen Technologies is training its analysts in the Incident Lifecycle. While investigating an
incident, what is the most impactful adversary item an analyst should look for?
Motive
Physical location
Resource
Objective
NextGen Technologies is training its employees on Data Protection. To better make informed
decisions, which two items are essential for making decisions around data protection? (Choose two.)
Change-control
Content
Context
Category
Criticality