An attacker was able to gain access to an organization's perimeter firewall and made changes to allow wider external access and to steal data. Which of the following would have BEST provided timely identification of this incident?
A. Implementing a data loss prevention (DLP) suite
B. Deploying an intrusion prevention system (IPS)
C. Deploying a security information and event management system (SIEM)
D. Conducting regular system administrator awareness training
C. Deploying a security information and event management system (SIEM) would have BEST provided timely identification of this incident. SIEM systems collect and analyze log data from various security devices, such as firewalls, intrusion detection systems, and servers, and can identify and alert on suspicious or anomalous activity. In this scenario, a SIEM would have been able to detect the changes to the firewall and potentially the data exfiltration, and alert the security team in real time or near real time.
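To make the comment above concrete, here is an added example (not code from the original page or from any SIEM vendor) of the kind of correlation logic a SIEM would run over the firewall's own audit feed: an administrative login from an address outside the management network, followed within an hour by rule changes, followed by an unusually large outbound flow. The log format, the trusted management prefix, the change window and the byte threshold are all constructed assumptions for illustration; a real deployment would use the firewall's actual syslog schema and site-specific baselines.

```python
"""Minimal SIEM-style correlation over a firewall audit feed.

Added example, not from the original page or any product. The log format
below is constructed: it imitates a generic firewall syslog line
(timestamp, device, event type, key=value fields) and is not the schema
of any particular vendor.
"""
import re
from datetime import datetime, timedelta

# Constructed sample feed (not real data): an admin login from an
# unfamiliar address, two rule additions, a large outbound transfer,
# then a normal in-hours change from the management subnet.
SAMPLE_LOGS = """\
2024-03-01T02:10:05Z fw-edge-1 AUTH user=admin src=203.0.113.45 result=success
2024-03-01T02:12:40Z fw-edge-1 CONFIG user=admin action=add-rule rule="permit any any tcp 3389"
2024-03-01T02:14:02Z fw-edge-1 CONFIG user=admin action=add-rule rule="permit 10.0.5.20 any tcp 443"
2024-03-01T02:31:17Z fw-edge-1 TRAFFIC src=10.0.5.20 dst=198.51.100.9 proto=tcp dport=443 bytes_out=734003200
2024-03-01T09:00:12Z fw-edge-1 AUTH user=admin src=10.0.0.15 result=success
2024-03-01T09:02:30Z fw-edge-1 CONFIG user=admin action=add-rule rule="permit 10.0.1.0/24 any tcp 443"
"""

# Assumed site baselines (tune per environment).
TRUSTED_ADMIN_NETS = ("10.0.0.",)      # management subnet prefixes
CHANGE_WINDOW_HOURS = range(8, 18)      # approved change window, UTC hours
EXFIL_BYTES = 100 * 1024 * 1024         # 100 MiB outbound in a single flow
CORRELATION_WINDOW = timedelta(hours=1)  # login-to-change linking window

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<device>\S+) (?P<event>\S+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'ts': datetime.strptime(m.group('ts'), '%Y-%m-%dT%H:%M:%SZ'),
        'device': m.group('device'),
        'event': m.group('event'),
        **fields,
    }


def is_trusted_admin_source(ip):
    return ip.startswith(TRUSTED_ADMIN_NETS)


def correlate(log_text):
    """Return a list of (severity, message) alerts in log order."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    suspicious_logins = []  # (timestamp, user) for logins from untrusted sources
    for e in events:
        if e['event'] == 'AUTH' and e.get('result') == 'success':
            if not is_trusted_admin_source(e.get('src', '')):
                suspicious_logins.append((e['ts'], e.get('user')))
                alerts.append(('medium',
                               f"admin login to {e['device']} from untrusted {e.get('src')}"))
        elif e['event'] == 'CONFIG':
            outside_window = e['ts'].hour not in CHANGE_WINDOW_HOURS
            recent_bad_login = any(
                u == e.get('user') and timedelta(0) <= e['ts'] - t <= CORRELATION_WINDOW
                for t, u in suspicious_logins)
            opens_any = 'permit any any' in e.get('rule', '')
            if recent_bad_login or (outside_window and opens_any):
                alerts.append(('high',
                               f"rule change on {e['device']} by {e.get('user')} "
                               f"after untrusted login or outside change window: {e.get('rule')}"))
        elif e['event'] == 'TRAFFIC':
            if int(e.get('bytes_out', 0)) >= EXFIL_BYTES:
                alerts.append(('high',
                               f"large outbound flow {e.get('src')} -> {e.get('dst')} "
                               f"({e.get('bytes_out')} bytes)"))
    return alerts


if __name__ == '__main__':
    for severity, message in correlate(SAMPLE_LOGS):
        print(f"[{severity}] {message}")
```

Run stand-alone it emits four alerts for the sample feed (one medium for the untrusted login, three high for the two linked rule changes and the large outbound flow) and nothing for the in-hours change from the management subnet. The point of the example is the one the thread keeps circling: none of these individual lines is malicious on its own, and only something that sees the firewall's authentication, configuration and traffic logs together, with a time window to link them, turns them into a timely alert.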
I selected B, because a SIEM's detection capability is heavily dependent on the data sources. IDS/IPS systems are common data sources for SIEMs, hence without IDS/IPS as a log source, there would not be any detection capabilities for SIEMs.
A Security Information and Event Management (SIEM) system is designed to provide real-time analysis of security alerts generated by various hardware and software systems. It can help in the timely detection of security incidents by monitoring and analyzing network and system logs. SIEM systems are effective in correlating and analyzing data from different sources, providing a comprehensive view of the security landscape and enabling organizations to respond quickly to potential security threats.
A security information and event management (SIEM) system is designed to collect, analyze, and correlate log and event data from various sources across an organization's network. It can detect anomalies, suspicious activities, and security events that may indicate a security incident. In the described scenario, a SIEM could have identified the unauthorized changes to the firewall rules and raised alerts for further investigation.
While data loss prevention (DLP) suites (option A) focus on preventing unauthorized data exfiltration, an intrusion prevention system (IPS) (option B) is designed to block or detect and respond to known and unknown threats. Regular system administrator awareness training (option D) is essential but may not have immediately identified the specific incident described. SIEM, with its ability to analyze network activities and events, is well-suited for detecting and responding to such incidents.
I'm pretty sure the final and correct answer is C, but what about BEST TIMELY IDENTIFICATION? Wouldn't that make the best option B, the IPS device? A SIEM would take longer in the detection process.
I had the same idea... however, you must realize the keyword "identification": this suggests the best answer is the SIEM, which analyzes data from various sources. Besides, the IPS is focused on prevention (Intrusion Prevention System), not on detection / identification. Therefore, the best answer should be C.
Commenters (as listed on the page):
Broesweelies (Highly Voted, 1 year, 10 months ago)
Josef4CISM (Most Recent, 2 months, 2 weeks ago)
OlaYiMiKa (3 months, 3 weeks ago)
Viperhunter (12 months ago)
Viperhunter (12 months ago)
raymon87 (1 year, 3 months ago)
Tixi23 (1 year, 2 months ago)
Jae_kes (1 year, 5 months ago)
richck102 (1 year, 6 months ago)
Antonivs (1 year, 9 months ago)