It's between HIDS and EDR, but I take HIDS. The question states "monitors devices and records the information"; it does not ask for any response or action. Thus B meets this criterion better.
D. Endpoint detection and response (EDR)
Endpoint detection and response (EDR) tools are designed to monitor endpoint devices (e.g., computers, servers, mobile devices) and record information about their activities. This information is typically stored in a central database for analysis.
"Security orchestration, automation and response, or SOAR, is a stack of compatible software programs that enables an organization to collect data about security threats and respond to security events with little or no human assistance"
In the real world, you don't install EDR on a central database (which is usually a server), because EDR is intended for endpoints (desktops and laptops that run client OSs).
However, I will go with Option D, because Option C (SOAR) is not used for further analysis, but for response.
One approach that’s becoming increasingly popular is endpoint detection and response (EDR). As a product category rather than a defined standard, EDR software varies in its features. Most solutions focus on gathering all sorts of behaviors on individual hosts and across the network, then using them to investigate suspicious activities. Each host with EDR installed runs an agent that monitors processes, configuration changes, network connections, and file system activity. Then it’s all gathered into a centralized reporting system you can use to analyze host health and trends, including, but not limited to, signs of attack or other security risks.
From the official study guide, 9th edition, page 558:
Some EDR solutions employ an on-device analysis engine, whereas others report events back to a central analysis server or to a cloud solution. The goal of EDR is to detect abuses that are potentially more advanced than what can be detected by traditional antivirus programs or HIDSs.
EDR – Endpoint Detection and Response
EDR (endpoint detection and response) continuously monitors endpoints (desktops, laptops, mobile devices, servers, or any device connected to an organization’s network) to detect malicious behavior.
Much like a home security system, HIDS software logs the suspicious activity and reports it to the administrators managing the devices or networks.
https://www.dnsstuff.com/host-based-intrusion-detection-systems Not the de facto source of information, but we are monitoring and reporting. It doesn't say taking action.
Endpoint detection and response (EDR) is the right answer. SOAR does not do the analysis later; it actually analyzes the data. EDR is the one that sends the information to a database, SIEM, or SOAR for later analysis.