Exam CAS-005 topic 1 question 27 discussion

❌ Why the Others Are Less Suitable: A. FIM (File Integrity Monitoring) Monitors changes to files — good for detecting unauthorized modifications, but not sufficient for behavioral analysis or detecting unknown threats. B. SASE (Secure Access Service Edge) Network architecture concept combining networking and security — doesn’t directly address IoC detection. D. CSPM (Cloud Security Posture Management) Ensures cloud configurations comply with best practices — useful for preventative controls, not detection of novel attacks. E. EAP (Extensible Authentication Protocol) Authentication framework — not related to threat detection.

✅ C. UEBA (User and Entity Behavior Analytics) Explanation: The issue described — missed IoCs due to reliance on signature-based detection — highlights a gap in detecting unknown or novel threats. Signature-based systems only catch known threats, so behavioral-based detection is needed to address this shortcoming. UEBA (User and Entity Behavior Analytics): Uses machine learning and analytics to establish baselines of normal behavior. Detects anomalies and suspicious patterns (e.g., unusual logins, data exfiltration) that may indicate compromise — even if there’s no known signature. Excellent for catching insider threats, account compromise, and sophisticated attacks that evade traditional tools.

The best recommendation to address the shortcoming of missed IoCs is C. UEBA (User and Entity Behavior Analytics), as it provides advanced, behavioral-based detection that can identify suspicious activities, even those not matching known attack signatures.

Correct answer shows as "C", but there is no "C" option displayed. Just "A,B,D,E".