1. Which personnel in a SOC is assigned the task of verifying whether an alert triggered by monitoring software represents a true security incident?
- A. SOC Manager
- B. Tier 2 personnel
- C. Tier 3 personnel
- D. Tier 1 personnel
In a SOC, the job of a Tier 1 Alert Analyst includes monitoring incoming alerts and verifying that a true security incident has occurred.
2. After a security incident is verified in a SOC, an incident responder reviews the incident but cannot identify the source of the incident and form an effective mitigation procedure. To whom should the incident ticket be escalated?
- A. The SOC manager to ask for other personnel to be assigned
- B. An alert analyst for further analysis
- C. A SME for further investigation
- D. A cyberoperations analyst for help
An incident responder is a Tier 2 security professional in a SOC. If the responder cannot resolve the incident ticket, the ticket should be escalated to the next tier of support, Tier 3. A Tier 3 subject matter expert (SME) would further investigate the incident.
3. Which two services are provided by security operations centers? (Choose two.)
- A. responding to data center physical break-ins
- B. monitoring network security threats
- C. managing comprehensive threat solutions
- D. ensuring secure routing packet exchanges
- E. providing secure Internet connections
Security operations centers (SOCs) can provide a broad range of services to defend against threats to information systems of an organization. These services include monitoring threats to network security and managing comprehensive solutions to fight against threats. Ensuring secure routing exchanges and providing secure Internet connections are tasks typically performed by a network operations center (NOC). Responding to facility break-ins is typically the function and responsibility of the local police department.
4. Which KPI metric does SOAR use to measure the time required to stop the spread of malware in the network?
- A. MITR
- B. Time to Control
- C. MITC
- D. MTTD
The common key performance indicator (KPI) metrics compiled by SOC managers are as follows:
• Dwell Time: the length of time that threat actors have access to a network before they are detected and their access is stopped
• Mean Time to Detect (MTTD): the average time that it takes for the SOC personnel to identify that valid security incidents have occurred in the network
• Mean Time to Respond (MTTR): the average time that it takes to stop and remediate a security incident
• Mean Time to Contain (MTTC): the average time required to stop an incident from causing further damage to systems or data
• Time to Control: the time required to stop the spread of malware in the network
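The KPIs above are differences between timestamps that a ticketing system already records, so they can be computed straight from the tickets. The following Python is an added example, not part of the original page, that computes each metric from constructed sample tickets. The field names (first_activity, detected, spread_stopped, contained, remediated), the hour unit, and the choice to measure dwell time up to containment (when access was stopped) are assumptions of the example. Open tickets that lack a milestone are left out of the metrics that need it instead of skewing the average.

```python
from datetime import datetime
from statistics import mean

FMT = "%Y-%m-%dT%H:%M"  # timestamp format assumed for the sample tickets (UTC)

# Constructed sample tickets, not real incident data. None = milestone not reached yet.
INCIDENTS = [
    {"id": "INC-1", "category": "malware",
     "first_activity": "2024-03-01T00:00", "detected": "2024-03-03T00:00",
     "spread_stopped": "2024-03-03T01:00", "contained": "2024-03-03T02:00",
     "remediated": "2024-03-04T00:00"},
    {"id": "INC-2", "category": "phishing",
     "first_activity": "2024-03-05T06:00", "detected": "2024-03-05T10:00",
     "spread_stopped": None, "contained": "2024-03-05T11:00",
     "remediated": "2024-03-05T18:00"},
    {"id": "INC-3", "category": "malware",  # still open: spread stopped, not yet contained
     "first_activity": "2024-03-10T00:00", "detected": "2024-03-10T12:00",
     "spread_stopped": "2024-03-10T15:00", "contained": None,
     "remediated": None},
]


def _hours(incident, start, end):
    """Elapsed hours between two milestones, or None if either is missing."""
    a, b = incident[start], incident[end]
    if a is None or b is None:
        return None
    return (datetime.strptime(b, FMT) - datetime.strptime(a, FMT)).total_seconds() / 3600


def _mean_hours(incidents, start, end):
    """Average over the incidents that have both milestones; None if none do."""
    values = [h for h in (_hours(i, start, end) for i in incidents) if h is not None]
    return mean(values) if values else None


def mttd(incidents):
    """Mean Time to Detect: first attacker activity -> detection."""
    return _mean_hours(incidents, "first_activity", "detected")


def mttc(incidents):
    """Mean Time to Contain: detection -> further damage stopped."""
    return _mean_hours(incidents, "detected", "contained")


def mttr(incidents):
    """Mean Time to Respond: detection -> incident remediated."""
    return _mean_hours(incidents, "detected", "remediated")


def time_to_control(incidents):
    """Time to Control: detection -> malware spread stopped (malware tickets only)."""
    malware = [i for i in incidents if i["category"] == "malware"]
    return _mean_hours(malware, "detected", "spread_stopped")


def dwell_time(incidents):
    """Dwell time, measured here from first attacker activity until access was stopped."""
    return _mean_hours(incidents, "first_activity", "contained")


if __name__ == "__main__":
    for name, fn in [("MTTD", mttd), ("MTTC", mttc), ("MTTR", mttr),
                     ("Time to Control", time_to_control), ("Dwell time", dwell_time)]:
        print(f"{name}: {fn(INCIDENTS)} h")
```

INC-3 is excluded from MTTC, MTTR and dwell time because it has no containment or remediation timestamp yet, but it still contributes to MTTD and Time to Control; reporting open incidents as zero-hour responses is the usual way these KPIs get quietly inflated.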
5. If a SOC has a goal of 99.999% uptime, how many minutes of downtime a year would be considered within its goal?
- A. Approximately 5 minutes per year
- B. Approximately 10 minutes per year
- C. Approximately 20 minutes per year
- D. Approximately 30 minutes per year
Within a year, there are 365 days x 24 hours a day x 60 minutes per hour = 525,600 minutes. With an uptime goal of 99.999%, downtime must be kept under 525,600 x (1 - 0.99999) = 5.256 minutes a year.
6. Which organization offers the vendor-neutral CySA+ certification?
- A. IEEE
- B. CompTIA
- C. (ISC)²
- D. GIAC
The CompTIA Cybersecurity Analyst (CySA+) certification is a vendor-neutral security professional certification.
7. In the operation of a SOC, which system is frequently used to let an analyst select alerts from a pool to investigate?
- A. syslog server
- B. registration system
- C. ticketing system
- D. security alert knowledge-based system
In a SOC, a ticketing system is typically used as the workflow management system: alerts are queued as tickets that analysts select and investigate.
8. How can a security information and event management system in a SOC be used to help personnel fight against security threats?
- A. By collecting and filtering data
- B. By filtering network traffic
- C. By authenticating users to network resources
- D. By encrypting communications to remote sites
A security information and event management system (SIEM) combines data from multiple sources to help SOC personnel collect and filter data, detect and classify threats, analyze and investigate threats, and manage resources to implement preventive measures.
9. Which three technologies should be included in a SOC security information and event management system? (Choose three.)
- A. Proxy service
- B. User authentication
- C. Threat intelligence
- D. Security monitoring
- E. Intrusion prevention
- F. Event collection, correlation, and analysis
Technologies in a SOC should include the following:
- Event collection, correlation, and analysis
- Security monitoring
- Security control
- Log management
- Vulnerability assessment
- Vulnerability tracking
- Threat intelligence
Proxy services, user authentication, firewall appliances, VPNs, and IPS are security controls deployed in the network infrastructure, not functions of the SIEM itself.
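To make the "collect, filter, correlate" pipeline of the previous two questions concrete, here is an added Python example (not from the original page or from any SIEM product) that normalises constructed sshd syslog lines and a constructed firewall CSV export into one event stream, filters out an allowlisted vulnerability scanner, and applies one correlation rule: five or more failed logins from a source within 60 seconds followed by a successful login, enriched with the number of firewall denies from that source in the preceding minute. The log formats, IP addresses, thresholds and the allowlist are all assumptions of the example.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data). Two formats feed one pipeline.
SSHD_LOG = """\
2024-03-03T09:00:01 host1 sshd[101]: Failed password for root from 203.0.113.9 port 50000 ssh2
2024-03-03T09:00:02 host1 sshd[101]: Failed password for root from 203.0.113.9 port 50001 ssh2
2024-03-03T09:00:03 host1 sshd[101]: Failed password for root from 203.0.113.9 port 50002 ssh2
2024-03-03T09:00:04 host1 sshd[101]: Failed password for root from 203.0.113.9 port 50003 ssh2
2024-03-03T09:00:05 host1 sshd[101]: Failed password for root from 203.0.113.9 port 50004 ssh2
2024-03-03T09:00:09 host1 sshd[101]: Accepted password for root from 203.0.113.9 port 50005 ssh2
2024-03-03T09:05:00 host1 sshd[102]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2024-03-03T09:05:30 host1 sshd[102]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
2024-03-03T09:10:00 host1 sshd[103]: Failed password for scanner from 192.0.2.50 port 40010 ssh2
2024-03-03T09:10:01 host1 sshd[103]: Failed password for scanner from 192.0.2.50 port 40011 ssh2
2024-03-03T09:10:02 host1 sshd[103]: Failed password for scanner from 192.0.2.50 port 40012 ssh2
2024-03-03T09:10:03 host1 sshd[103]: Failed password for scanner from 192.0.2.50 port 40013 ssh2
2024-03-03T09:10:04 host1 sshd[103]: Failed password for scanner from 192.0.2.50 port 40014 ssh2
2024-03-03T09:10:06 host1 sshd[103]: Accepted password for scanner from 192.0.2.50 port 40015 ssh2
"""

FIREWALL_CSV = """\
timestamp,action,src,dst,dport
2024-03-03T08:59:50,deny,203.0.113.9,10.0.0.5,22
2024-03-03T08:59:51,deny,203.0.113.9,10.0.0.6,22
2024-03-03T08:59:52,deny,203.0.113.9,10.0.0.7,22
2024-03-03T08:59:58,allow,203.0.113.9,10.0.0.8,22
2024-03-03T09:04:00,allow,198.51.100.7,10.0.0.8,22
2024-03-03T09:09:00,deny,192.0.2.50,10.0.0.5,22
"""

ALLOWLIST = {"192.0.2.50"}   # assumed authorised vulnerability scanner: filtered out
FAIL_THRESHOLD = 5           # assumed rule threshold
WINDOW = timedelta(seconds=60)
TS = "%Y-%m-%dT%H:%M:%S"

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+")


def collect(sshd_text, fw_text):
    """Parse both sources into one normalised event list, sorted by time."""
    events = []
    for line in sshd_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], TS), "src": m["src"],
                           "kind": "auth_fail" if m["result"] == "Failed" else "auth_ok",
                           "user": m["user"], "host": m["host"]})
    for row in csv.DictReader(io.StringIO(fw_text)):
        events.append({"ts": datetime.strptime(row["timestamp"], TS), "src": row["src"],
                       "kind": "fw_" + row["action"], "user": None, "host": row["dst"]})
    return sorted(events, key=lambda e: e["ts"])


def filter_events(events, allowlist=ALLOWLIST):
    """Drop noise from sources the SOC has explicitly allowlisted."""
    return [e for e in events if e["src"] not in allowlist]


def correlate(events):
    """Rule: >= FAIL_THRESHOLD auth failures from one source within WINDOW, then a success."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of failures since the last success
    for e in events:
        if e["kind"] == "auth_fail":
            failures[e["src"]].append(e["ts"])
        elif e["kind"] == "auth_ok":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                denies = sum(1 for x in events if x["src"] == e["src"]
                             and x["kind"] == "fw_deny" and e["ts"] - x["ts"] <= WINDOW)
                alerts.append({"src": e["src"], "user": e["user"], "host": e["host"],
                               "failures": len(recent), "fw_denies_before": denies,
                               "severity": "critical" if e["user"] == "root" else "high"})
            failures[e["src"]] = []  # a success closes the failure streak
    return alerts


def run(sshd_text=SSHD_LOG, fw_text=FIREWALL_CSV):
    return correlate(filter_events(collect(sshd_text, fw_text)))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as written, the pipeline raises a single critical alert for 203.0.113.9 (root login after five failures, preceded by three firewall denies, which is the scanning context an analyst wants on the ticket), while alice's one failure stays below threshold. Without the allowlist filter the authorised scanner would raise a second alert, which is exactly the false-positive noise a Tier 1 analyst would otherwise spend time clearing.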
10. Which organization is an international nonprofit organization that offers the CISSP certification?
- A. (ISC)²
- B. IEEE
- C. GIAC
- D. CompTIA
(ISC)² is an international nonprofit organization that offers the CISSP certification.