Exam SY0-601 topic 1 question 109 discussion

I think that SIEM correlation would be the best way to detect an attacker in this case. The initial compromise was a malicious request on a web server. Moments later the token created with SSO was used on another service, the question does not specify what type of service. Deploying a WAF on the web server will detect the attacker but only on that server. If the attacker issues the same malicious request to get another SSO token correlating that event with using that SSO token in other services would allows to detect the malicious activity. Correct me if I am wrong

The best option to detect a malicious actor in this scenario would be A. Utilizing SIEM correlation engines. SIEM (Security Information and Event Management) systems provide real-time analysis of security alerts generated by applications and network hardware. They have correlation engines that can aggregate data from various sources, identify normal and abnormal activity, and detect potential security incidents such as unauthorized access or token reuse.

It looks like a CSRF attack. The SIEM detected the attack and notified the user. If the question asked what would be the BEST to "protect" as opposed to "detect", I would have selected, D WAF. Since is asking what would be BEST to detect, I pick A.

The question mentions about Web Application! A WAF protects your web apps by filtering, monitoring, and blocking any malicious HTTP/S traffic traveling to the web application, and prevents any unauthorized data from leaving the app.

Utilizing SIEM (Security Information and Event Management) correlation engines would be the best way to detect a malicious actor in this scenario. SIEM systems collect and analyze log data from various sources, including web applications and network devices. By using correlation rules, the SIEM can identify patterns of behavior and detect abnormal or malicious activities that might not be apparent when analyzing each event in isolation. In the given scenario, the SIEM can correlate the alerts from the two different services that detected the subsequent token reuse. This correlation would help identify the abnormal behavior and raise an alert for further investigation by the cybersecurity analyst. SIEM systems play a crucial role in identifying complex and sophisticated attack patterns and improving incident detection and response capabilities.

SIEM (Security Information and Event Management) correlation engines are designed to collect, analyze, and correlate data from various sources across an organization's IT infrastructure. By using SIEM correlation rules, the cybersecurity analyst can identify patterns and relationships between events and data from different systems and applications. In the given scenario, the SIEM correlation engine can detect the subsequent token reuse moments after the initial malicious request on one web application. This correlation can help identify the presence of a malicious actor attempting to exploit the single sign-on method and potentially moving laterally to other services.

. Utilizing SIEM correlation engines would BEST detect a malicious actor. SIEM correlation engines can be used to analyze and correlate events from different systems and applications. In this case, the cybersecurity analyst can use a SIEM correlation engine to correlate the request on the web application and the subsequent token reuse on a different service. This can help to identify the malicious actor and take appropriate actions to prevent further attacks. B. Deploying Netflow at the network border can help to monitor network traffic and identify anomalies, but it may not provide enough context to detect the malicious actor in this scenario. C. Disabling session tokens for all sites is not a recommended solution as it can have negative impacts on legitimate user access. D. Deploying a WAF for the web server can help to detect and block attacks on the web application, but it may not provide enough visibility to detect the subsequent token reuse on a different service.

Answer is D. A waf looks specifically at session / token use, as well as monitoring all traffic between web / user. You can deploy a waf to protect ALL web apps behind it. Answer is clearly D, its exactly what a WAF is designed to do.

SIEM correlation dashboards. From google: "It aggregates and analyzes log data from across your network applications, systems, and devices, making it possible to discover security threats and malicious patterns of behaviors that otherwise go unnoticed and can lead to compromise or data loss." Web application firewall is a good candidate, except that it will log both events into separate log files. Which can go unnoticed by security administrators, and will require additional tools to automate the process of alerting the correlated events together. Such as a SIEM.

SIEM i think correct

The software analyzes the log entries to identify signs of malicious activity. In addition, since the system gathers events from different sources across the network, it can recreate the timeline of an attack, enabling a company to determine the nature of the attack and its impact on the business. https://www.techtarget.com/searchsecurity/definition/security-information-and-event-management-SIEM I thought D but key word is differint devices.. so SIEM correlation i think