Exam CS0-003 topic 1 question 130 discussion

Correct Improving the Mean Time to Detect (MTTD) is the most relevant technique to achieve the goal of reducing the time to prevent lateral movement and potential data exfiltration by malicious actors. MTTD measures the average time it takes for an organization to detect a security incident or malicious activity once it has occurred. By reducing MTTD, you can identify security threats more quickly, which allows for a faster response to contain the threat, prevent lateral movement, and potentially stop data exfiltration before it occurs.

Both A and B would reduce the time to prevent lateral movement and potential data exfiltration. If A was improved, the team would be able to act sooner If B was improved, the team would respond faster The CISO wants to improve "visibility and reporting of malicious actors". Only A addresses this. As with B, the reporting has already occurred. Given this, my answer is A.

So detection is good but it does nothing other then detect the the issue is more how fast you respond to the issue. its b

This was hard. I went with A because it asked "Which of the following techniques will best achieve the improvement?" The improvement was "visibility and reporting." If they would've asked "...best achieve the goal?" i would've chose B. This is gross.

concerned with improving visibility and reporting of malicious actors in the environment. Which of the following techniques will best achieve the improvement? Mean Time to Detect

Mean Time to Respond (MTTR): While this refers to the time it takes to respond to an incident after detection, improving MTTD is more crucial in this case because faster detection leads to earlier responses.

the question clearly states " Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment" how can you respond if your detection systems are slow and the problem has traversed through the system already....

'Prevent' is a type of response

guys it can't be A. The goal is to reduce the time to prevent lateral movement and potential data exfiltration so it most be B. Because Detecting doesn't stop anything from happening.

Per CertMaster: Mean Time to Respond is "a metric that measure the average time it takes to respond to an incident. It measures the speed and efficiency of response activities related to a detected event." Mean Time to Detect "measures the average time between the initial appearance of a security incident and its detection." In this question, the CISO wants to prevent 'lateral movement and prevent data exfiltration" AFTER an event has been detected. So my answer is B Mean Time To Respond - that is, in order to prevent data exfiltration and lateral movement. To me that is a response that needs to be taken AFTER detection.

Security event already happened. Definitely MTTR

The question specifically mentions improving the visibility and reporting of malicious actors to reduce the time to prevent lateral movement and potential data exfiltration. Option B, "Mean time to respond," directly addresses the need to react swiftly once a security incident is detected.

Mean time to respond (MTTR) refers to the average time it takes an organization to respond to a security incident once it has been detected. By focusing on reducing the mean time to respond, the organization can improve its ability to react promptly to security incidents, thereby minimizing the window of opportunity for malicious actors to carry out lateral movement or data exfiltration. This involves establishing efficient incident response processes, including detection, analysis, containment, eradication, and recovery. Improving MTTR enhances the organization's overall security posture and helps in mitigating the impact of security incidents.

The question specifically mentions improving the visibility and reporting of malicious actors to reduce the time to prevent lateral movement and potential data exfiltration. Option B, "Mean time to respond," directly addresses the need to react swiftly once a security incident is detected.

When stuck between A and B I would compare the outcome with having one working well and one working poorly. If you know you'll detect it, it can eventually br resolved. If you never detect it or 6 months later?...

I go with A. Mean time to detect

My vote is for A. We have to address the concern, which is the reporting of vulnerabilities (MTTD). The goal, which is reducing the time to allow for traversal, etc. (MTTR) depends heavily on how quickly the vulnerability is detected and reported to the CSIO/CSIRT.