Exam CISM topic 1 question 257 discussion

B. Vulnerability scans dont show you Advance Persistent Threats they simply give you the vulnerable components that can be exploited by an APT.

I used work in SOC previously. SIEM is the most important to identify all those zero days virus and persistent attack because it is a day to day monitoring. Vulnerabilities scanning usually run by another team and it was perform on a period basis, eg. monthly, quarterly. With APT, scanning monthly will be too late.

A doesnt sound right, as APT is mostly exploiting zero day vulnerabilities.

Looking at ISACA review manual. Detection of APT cut across different data source and event. SIEM is the best tool here.

I would say D but this is one where common sense over the book answer probably prevails. The reason the are called APTs is due in part to their ability to go undetected by existing tools like SIEM but that is probably what they are looking for here.

D. IPS

Answer B. SIEM

B. Security information and event management system (SIEM)

Vulnerability scanning is typically focused on identifying known vulnerabilities and exploits that are publicly available. It may not be able to detect APTs that use new or unknown exploits, or that have been specifically designed to evade detection by security tools. APTs often use advanced evasion techniques, such as encryption, code obfuscation, and anti-virus avoidance techniques, to avoid detection by security tools.

SIEM is correct

C. Internet gateway filtering aka firewalls are the best means to guard against APTs

Correct answer is B. Vuln. scanning is mostly based on known threats. Whereas a SIEM can detect anomalies in system detection mechanisms

Agreed

SIEM/XSOAR systems can detect APT. Correct answer: B

SIEM/XSOAR systems can detect APT. Correct answer: B