Exam 200-201 topic 1 question 128 discussion

"A" is correct Traditional intrusion detection system (IDS) and intrusion prevention system (IPS) devices need to be tuned to avoid false positives and false negatives. Next-generation IPSs do not need the same level of tuning compared to traditional IPSs. Also, you can obtain much deeper reports and functionality, including advanced malware protection and retrospective analysis to see what happened after an attack took place. Ref: Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide By Omar Santos

C - false positives and false negatives often result from poorly defined or outdated signature rules in intrusion detection systems (IDS). Redefining or tuning these signature rules helps reduce false positives (legitimate actions being flagged) and false negatives (malicious activity going unnoticed), improving the efficiency of the alert system.

Correct Answer is A

The correct answer is B. Design criteria for reviewing alerts. When a system is overwhelmed with alerts, indicating a high number of both false positives (incorrectly identifying benign events as threats) and false negatives (failing to detect actual threats), it is important to establish criteria for reviewing alerts. This allows for a more efficient and effective handling of the alerts and helps prioritize the investigation of genuine security incidents. Designing criteria for reviewing alerts involves creating rules or thresholds that filter and prioritize alerts based on their severity, likelihood of being true positives, or other relevant factors. By setting criteria, analysts can focus their efforts on alerts that have a higher probability of being legitimate threats, reducing the time and resources wasted on false positives and irrelevant alerts.

A. is correct answer Traditional intrusion detection system (IDS) and intrusion prevention system (IPS) devices need to be tuned to avoid false positives and false negatives.