During a review of incident response protocols, you are evaluating methods for collecting indicators of compromise (IoCs) that could signal a data exfiltration attempt on a heterogeneous network containing a mix of legacy and modern systems. The goal is to ensure minimal performance impact while maintaining comprehensive surveillance. Which collection method would provide the best balance between low system overhead and effective capture of potential IoCs?
Deploying network-based anomaly detection systems on all network segments
Enabling full packet capture on all network traffic
Implementing a centralized logging solution with log correlation
Configuring endpoint detection and response (EDR) on all systems
Centralized logging solutions are designed to minimize the performance impact on individual systems while providing a comprehensive collection point for logs containing potential IoCs. They can effectively process and store logs from a variety of systems, both legacy and modern. Network-based anomaly detection could miss subtle signs contained in the logs of individual systems, and relying solely on endpoint detection could be resource-intensive for legacy systems. Full packet capture is comprehensive but often has significant performance and storage implications, making it less suitable for continuous collection on a network with diverse systems.