Exam SY0-601 topic 1 question 691 discussion

Actual exam question from CompTIA's SY0-601
Question #: 691
Topic #: 1

Historically, a company has had issues with users plugging in personally owned removable media devices into corporate computers. As a result, the threat of malware incidents is almost constant. Which of the following would best help prevent the malware from being installed on the computers?

  • A. AUP
  • B. NGFW
  • C. DLP
  • D. EDR
Suggested Answer: D

Comments

Lost_Memo
Highly Voted 1 year, 10 months ago
Selected Answer: D
We have reached the zone of no comments
upvoted 28 times
...
Abood30
Highly Voted 1 year, 10 months ago
D. EDR
upvoted 10 times
...
JasonMunoz
Most Recent 1 year ago
Selected Answer: C
C. DLP (Data Loss Prevention) DLP solutions can monitor and control data transfers, including those from removable media, to prevent unauthorized or malicious content from entering the network. EDR (Endpoint Detection and Response) is indeed relevant for detecting and responding to threats on endpoints, but it doesn’t specifically prevent malware from being installed via removable media. EDR focuses on monitoring and analyzing endpoint activity
upvoted 1 times
...
spearous
1 year, 3 months ago
Selected Answer: D
My understanding is, DLP will only protect anything going via network, say PII in an email, or file transfer via internet; but EDR is a suite set up on your local device (PC, laptop, etc.) and protects everything on this endpoint (including USB in/out).
upvoted 2 times
...
mikzer
1 year, 3 months ago
Selected Answer: C
The Q asks what would best help prevent the malware from pers owned removable media devices from being installed on the corporate computers. That's DLP. A network solution is required, not just an endpoint solution. Rephrasing the Q properly helps answer it.
upvoted 1 times
...
Nemish71
1 year, 3 months ago
Selected Answer: D
After going through 690 questions I think it's EDR, not DLP. Here the focus is to prevent the malware, not the data exfiltration.
upvoted 3 times
...
Nemish71
1 year, 3 months ago
Selected Answer: C
DLP it is
upvoted 1 times
Nemish71
1 year, 3 months ago
EDR needs a lightweight agent on the endpoint, so DLP makes more sense in terms of personally owned removable devices.
upvoted 1 times
Nemish71
1 year, 3 months ago
Lol, I missed it: agent installed on corp device, so it makes sense now, but it's still 50/50 for me.
upvoted 1 times
...
...
...
mikzer
1 year, 3 months ago
Selected Answer: C
EDR is endpoint protection only, DLP is network protection – that can centrally manage via settings to block removable drives at endpoints. That prevents malware being installed on the computers.
upvoted 2 times
...
JackyCIT
1 year, 3 months ago
D is the answer. From help of ChatGPT: EDR solutions are designed to provide real-time monitoring and response capabilities on endpoints. They can detect suspicious activities, such as the insertion of unauthorized USB devices, and respond to them in near real-time. This allows EDR solutions to potentially block or quarantine the USB device and prevent any malicious activity from occurring before it has a chance to trigger a DLP policy. DLP solutions, while effective at monitoring and controlling data transfers, may not always detect the presence of unauthorized USB devices immediately. They typically focus on monitoring data transfers and applying policies based on predefined rules. If a USB device is inserted and data transfer occurs before the DLP solution detects it, there may be a window of time during which sensitive data could be at risk. In comparison to DLP, EDR can identify unauthorized USB devices earlier, enabling quicker responses or prevention measures. This is my conclusion.
upvoted 1 times
...
CircaG
1 year, 4 months ago
Selected Answer: C
I'm going with: C. DLP (Data Loss Prevention) You are trying to "prevent" something from happening. EDR monitors and responds to threats. That is not necessarily preventing something from happening.
upvoted 3 times
...
ekiel
1 year, 4 months ago
EDR it is
upvoted 1 times
...
Assa81
1 year, 4 months ago
Key word: prevention. Thus I choose C. DLP
upvoted 1 times
...
MF757
1 year, 5 months ago
Selected Answer: C
DLP solutions are designed to monitor, detect, and prevent unauthorized data transfers and actions that could lead to data breaches or malware infections. In this scenario, a DLP solution can be configured to block or restrict the use of personally owned removable media devices, such as USB drives, from being connected to corporate computers. This would effectively mitigate the risk of malware incidents caused by users plugging in such devices.
upvoted 2 times
...
slapster
1 year, 5 months ago
After reviewing CompTIA's lessons, I'm leaning towards either NGFW (B) or DLP (C). Any insight is welcomed: B: There were 2 sections in CompTIA's lessons that made me consider NGFW as correct. Section 12A: "Hosts should always be configured to prevent autorun when USB devices are attached. USB ports can be blocked altogether using most types of Host Intrusion Prevention Systems (HIPS)." Section 10B: "[NGFWs] combined application-aware filtering with user account-based filtering and the ability to act as an intrusion prevention system (IPS)." C: Obviously DLP prevents the exfiltration of data, but I could not confirm in CompTIA's lessons that it also prevented infiltration of malware. Even in describing the remediation DLP solutions take, nothing is stated regarding the prevention of malware execution, hence my confusion. Section 16B: "The transfer of content TO removable media, such as USB devices, or by email, instant messaging, or even social media, can then be blocked if it does not conform to a predefined policy."
upvoted 1 times
slapster
1 year, 5 months ago
D: Although EDR is the most voted, I'm not inclined to select it based on its inability to "prevent the malware from being installed on the computer." It may identify/contain the malware, but it is still installed on that first host. Section 12B: "An endpoint detection and response (EDR) product's aim is not to prevent initial execution, but to provide real-time and historical visibility into the compromise, contain the malware within a single host, and facilitate remediation of the host to its original state."
upvoted 1 times
...
...
memodrums
1 year, 5 months ago
Selected Answer: C
According to Messer, USB blocking is part of DLP. EDR does not block; it's used to detect and respond after malware is found.
upvoted 1 times
...
caseymd85
1 year, 6 months ago
Selected Answer: C
DLP, or data loss prevention, despite the name, prevents data from leaving or entering a system based on rules set. So if the company set a rule to disallow data from removable devices, such as USB sticks, to be put on devices, it would prevent any malware from entering the device and network. A. is only hoping that everyone follows the rules. D. will only detect the malware after it is in the system. The only correct answer is C.
upvoted 1 times
...
johnabayot
1 year, 6 months ago
Selected Answer: D
EDR can help prevent malware infections by blocking unauthorized processes, quarantining infected files, alerting security teams, and providing forensic analysis.
upvoted 4 times
...