ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
A security operations team cannot accurately correlate alerts because system, application, and security logs from the web and database tiers show events that are several minutes apart and use different time zones. Which action should be performed first to make cross-system event correlation reliable within the organization's continuous monitoring program?
Extend log retention from 30 days to six months to widen the forensic analysis window.
Increase all application logging to debug level to capture more detailed event information.
Enable TLS encryption on all log forwarding channels between servers and the SIEM.
Synchronize every host's clock with a trusted NTP server and record timestamps in Coordinated Universal Time (UTC).
For correlation analytics to work, every log entry from every host must share a consistent and accurate timeline. The most effective way to achieve this is to synchronize all hosts to a single, trusted time source-typically via Network Time Protocol (NTP)-and record times in a common standard such as UTC. Without this baseline, even detailed, encrypted, or long-retained logs cannot be ordered correctly, leading to missed or mis-sequenced security events. Increasing verbosity, encrypting transport, or extending retention improve other aspects of log management but do not resolve the fundamental timestamp discrepancy that prevents reliable correlation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is NTP and why is it important for synchronizing clocks?
Open an interactive chat with Bash
Why is Coordinated Universal Time (UTC) used for logging timestamps?
Open an interactive chat with Bash
How does synchronized logging improve event correlation in a SIEM system?
Open an interactive chat with Bash
ISC2 Certified Secure Software Lifecycle Professional (CSSLP)