During a review of incident response protocols, you are evaluating methods for collecting indicators of compromise (IoCs) that could signal a data exfiltration attempt on a heterogeneous network containing a mix of legacy and modern systems. The goal is to ensure minimal performance impact while maintaining comprehensive surveillance. Which collection method would provide the best balance between low system overhead and effective capture of potential IoCs?
Implementing a centralized logging solution with log correlation
Deploying network-based anomaly detection systems on all network segments
Enabling full packet capture on all network traffic
Configuring endpoint detection and response (EDR) on all systems
Centralized logging solutions are designed to minimize the performance impact on individual systems while providing a comprehensive collection point for logs containing potential IoCs. They can effectively process and store logs from a variety of systems, both legacy and modern. Network-based anomaly detection could miss subtle signs contained in the logs of individual systems, and relying solely on endpoint detection could be resource-intensive for legacy systems. Full packet capture is comprehensive but often has significant performance and storage implications, making it less suitable for continuous collection on a network with diverse systems.