XDR, EDR, XSOAR, SIEM, UEBA Flashcards

1
Q

What does UEBA stand for?

A

User and Entity Behavior Analysis

2
Q

What is UEBA?

A

security analytics approach that focuses on detecting and analyzing abnormal or suspicious behavior exhibited by users and entities within an organization’s network or system

3
Q

What does UEBA combine to establish baseline behavior patterns of users and entities (devices, applications, servers, …) within an organization’s environment?

A
  • machine learning
  • statistical analysis
  • behavioral modeling
4
Q

What is the benefit of combining UEBA with SIEM?

A

organizations can correlate behavioral anomalies with other security events and log data, providing a more comprehensive view of potential threats

5
Q

What are the three parts of UEBA?

A
  • use cases
    • establish what normal behavior is
  • data sources
    • defines what to capture and what to watch for
  • analytics
    • machine learning and AI compare the normal behavior to the current behavior of the entities in order to catch anything suspicious
6
Q

What does SOAR stand for?

A

Security Orchestration, Automation, and Response

7
Q

What is SOAR?

A

framework that combines security orchestration, security automation, and incident response into a unified approach

8
Q

What is the goal of SOAR?

A

improve the efficiency and effectiveness of security operations by automating repetitive tasks, orchestrating security processes, and enabling faster incident response and remediation

9
Q

What tasks are included in security automation in terms of SOAR? (8)

A
  • Threat Intelligence Gathering and Enrichment
    • automatically collecting and aggregating threat intelligence from various sources
  • Alert Triage and Prioritization
    • analyzing and filtering security alerts to identify false positives and prioritize real threats
  • Incident Response and Remediation
    • executing predefined response procedures for common types of incidents
  • Workflow and Process Automation
    • automating routine tasks and workflows to streamline security operations
  • Vulnerability Management
    • automatically applying security policies across the network
  • Phishing Response
    • automating the analysis and response to reported phishing emails
  • Threat Hunting
    • automating the search for indicators of compromise or suspicious activities within the network
  • Case Management
    • automatically generating incident reports and maintaining case logs
10
Q

In terms of purpose and focus, what are the differences between SIEM and SOAR?

A
  • SIEM systems
    • primarily designed to collect, correlate, and analyze security event logs and data from various sources
    • real-time monitoring, threat detection, and incident response capabilities
  • SOAR platforms
    • focus on automating and orchestrating security processes, including incident response, vulnerability management, and security operations
11
Q

What does EDR stand for?

A

Endpoint Detection and Response (EDR)

12
Q

What’s the goal of EDR?

A

detect abuses that are potentially more advanced than what can be detected by traditional antivirus or HIDSs, while optimizing the response time of incident response, discarding false positives, implementing blocking for advanced threats, and protecting against multiple threats occurring simultaneously and via various threat vectors

13
Q

What’s Managed Detection and Response (MDR)?

A

cybersecurity service model in which an external company or Managed Security Service Provider (MSSP) is responsible for monitoring an organization’s IT environment, detecting security threats and incidents, and responding to them on behalf of the organization

14
Q

What’s EDR?

A
  • evolution of traditional antimalware products
  • seeks to detect, record, evaluate, and respond to suspicious activities and events, which may be caused by problematic software or by valid and invalid users
  • natural extension of continuous monitoring, focusing on both the endpoint device itself and network communications reaching the local interface
  • some EDR solutions employ an on-device analysis engine whereas others report events back to a central analysis server or to a cloud solution
15
Q

What are common features of EDR solutions?

A
  • auditing a device for common vulnerabilities
  • proactively monitoring a device for suspicious activity such as unauthorized logins, brute-force attacks, or privilege escalations
  • visualizing complex data and events into neat and trendy graphs
  • recording a device’s normal operating behaviour to help with detecting anomalies
16
Q

What are the two basic log source types that SIEM handles?

A
  • Host-Centric Log Sources
  • Network-Centric Log Sources
17
Q

What are the key features provided by SIEM?

A
  • correlation between events from different log sources
  • provide visibility on both Host-centric and Network-centric activities
  • search through the logs
  • real-time log ingestion
  • alerting against abnormal activities
  • protection against the latest threats through early detection
  • hunt for threats that are not detected by the rules in place
18
Q

What are the different ways that SIEMs handle log ingestions from clients?

A
  • Agent / Forwarder
    • lightweight tool called an agent that gets installed on the endpoint
    • configured to capture all the important logs and send them to the SIEM server
  • Direct Event Log Collection
    • using Windows native event forwarding
  • Syslog
    • collects data from various systems, such as web servers and databases, which send real-time data to the centralized destination
  • Manual Upload
    • users can ingest offline data for quick analysis
  • Port-Forwarding
    • listen on a certain port, and then the endpoints forward the data to the SIEM instance on the listening port
19
Q

What are the responsibilities of SOC analysts?

A
  • monitoring and investigating
  • identifying false positives
  • tuning rules which are causing noise or false positives
  • reporting and compliance
  • identifying blind spots in network visibility and covering them
20
Q

How does SIEM look for unwanted behavior or suspicious patterns within the logs?

A

with the help of the conditions set in the rules by the analysts

21
Q

What are correlation rules in SIEM?

A

logical expressions set to be triggered under certain conditions

  • if a user gets 5 failed login attempts in 10 seconds - raise an alert for Multiple Failed Login Attempts
  • if a login is successful after multiple failed login attempts - raise an alert for Successful Login After Multiple Failed Login Attempts
22
Q

What are some of the actions that are performed after an analysis in SIEM?

A
  • Alert is False Alarm
    • may require tuning the rule to avoid similar False positives from occurring again
  • Alert is True Positive
    • perform further investigation
    • contact the asset owner to inquire about the activity
  • Suspicious Activity Is Confirmed
    • isolate the infected host
    • block the suspicious IP
23
Q

What are some of the most common and popular SOAR solutions?

A
  • Splunk Phantom
  • IBM Security Resilient
  • Palo Alto Networks Cortex XSOAR
  • Rapid7 InsightConnect
  • Siemplify (now part of Google Cloud)
24
Q

What is a playbook in SOAR?

A

a set of predefined procedures and workflows designed to automate and orchestrate the response to cybersecurity incidents

25
Q

What are the advantages of EDR over an antivirus solution?

A
  • provides more comprehensive behavioral-based detection
  • extensive response and remediation options
  • continuous and detailed endpoint monitoring
  • proactive threat hunting capabilities
  • better integration within a larger cybersecurity infrastructure
26
Q

What is the difference in visibility between EDR and antivirus?

A
  • EDR captures data such as process executions, network connections, and registry changes
  • AV solutions generally have a narrower focus, primarily monitoring for file-based threats
27
Q

What does XDR stand for?

A

Extended Detection and Response (XDR)

28
Q

How does XDR differ from EDR in terms of scope and focus?

A

extends beyond endpoints to include network traffic, cloud environments, email systems, and servers - integrates data from various security layers, offering a more holistic view of an organization’s security posture

29
Q

How does XDR differ from EDR in terms of complexity and user experience?

A

XDR aims to simplify the security operation by providing a more integrated and automated approach

30
Q

What is the main advantage of an organization having a SOC team?

A

organizations can enhance their security incident handling through continuous monitoring and analysis

31
Q

What are the key SOC capabilities?

A
  • Monitoring and Detection
  • Incident Response
  • Threat Intelligence
  • Log Management
  • Recovery and Remediation
  • Security Process Improvement
32
Q

What are some of the log challenges?

A
  • Alert fatigue
  • Disparate tools
  • Manual Processes
  • Talent Shortage
33
Q

What is Security Orchestration?

A
  • act of connecting and integrating security tools and systems into seamless workflows
  • orchestration chains individual security tools, tasks and processes together so that they work in concert towards the same goal
  • works in tandem with automation
34
Q

What is a security playbook?

also Standard Operating Procedure (SOP)

A

structured checklist of actions used to detect, respond and handle threat incidents

35
Q

How do security playbooks assist SOC teams?

A

having an end-to-end process of handling routine incidents and establishing repeatability and metrics for the response

36
Q

What are runbooks?

A

predefined procedures that achieve a specific outcome and have a high degree of automation

37
Q

What is the workflow of a SOAR?

A
  • Detection
    • triggered and detected by an integrated security system (NIDS, SIEM …)
  • Enrichment
    • TI gathered from feeds, reports and other sources to provide additional context about the event, such as TTPs
  • Triage
    • SOAR analyses the event, determining its severity and potential impact on the organisation
  • Response
    • automated actions are set in motion to contain the threat and mitigate any potential damage (block IP, remove attachments)
  • Remediation
    • RCA of the event is done through the coordinated efforts of security analysts and incident responders
  • Reporting
    • communication and reports about the incident and remediation are standardised to ensure a reliable and repeatable flow of information involving both internal and external stakeholders
38
Q

What does EDR monitor?

A
  • Process Execution
  • File Activity
  • Network Activity
  • Registry Changes
  • Memory and Disk Access
  • User Login Activity
  • Application Activity
  • Anomalies and Behavior Patterns
39
Q

Where does UEBA processing usually occur?

client vs server

A

typically, the processing occurs within the SIEM system (like QRadar) rather than on the client; it requires analyzing a large volume of data and complex behavioral patterns, which is more efficiently handled at the server level where the SIEM system resides

40
Q

What is the primary factor that distinguishes XDR from EDR?

A

XDR extends beyond endpoints to provide a more holistic view of threats across the entire network and cloud environment - integrates data from endpoints, network, cloud, and email, offering broader visibility and context for threat detection and response

41
Q

Is there any way for an administrator to fine-tune learned UEBA profiles?

A
  • yes, although the level of customization can vary between different solutions
  • can adjust parameters such as risk scores, thresholds for anomalies, and specific behaviors to monitor more closely