nerdexam

200-201 Question #525: Real Exam Question with Answer & Explanation

The correct answer is C: Behavioral detection is adaptive to deviations, and rule-based detection uses static rules. A behavioral detection system learns a baseline of normal activity from historical data and flags deviations from that baseline, so it can surface previously unseen activity but needs enough data to learn from first. A rule-based detection system matches events against static, predefined rules or signatures, so it identifies known threat patterns precisely but misses anything its rules do not describe.

Submitted by devops_kid · Mar 6, 2026 · Security Monitoring

Question

How does the approach of a behavioral detection system to identifying security threats compare to that of a rule-based detection system?

Options

  • A. Rule-based detection is effective with fewer false positives, and behavioral adapts over time.
  • B. Behavioral detection is easier to deploy without rules, and rule-based needs historical data.
  • C. Behavioral detection is adaptive to deviations, and rule-based detection uses static rules.
  • D. Rule-based detection excels at APT hunts with updates, and behavioral focuses on anomalies.

Explanation

Behavioral detection systems identify threats by adaptively learning baselines and flagging deviations from normal activity, while rule-based detection systems rely on static, predefined rules to identify known threat patterns.

Common mistakes.

  • A. Rule-based systems generate many false positives when their rules are not carefully tuned, and behavioral systems, although they adapt, also produce false positives until the baseline matures. "Fewer false positives" is therefore not what distinguishes the two approaches.
  • B. Behavioral detection normally needs historical data to build its baseline of normal behavior, so it is not "easier to deploy without rules"; rule-based systems ship with predefined rules and do not need historical data to perform their core function.
  • D. Behavioral detection does focus on anomalies, but rule-based detection, particularly signature-based detection, struggles with advanced persistent threats (APTs) because they often use novel techniques that no existing rule describes; "excels at APT hunts with updates" is not supported.
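To make the contrast concrete, here is an added example that is not code from the exam page, from Cisco, or from the referenced Microsoft documentation. It runs both approaches over a constructed failed-login dataset and illustrates the explanation above together with the common-mistake points for A and B: the static rule is identical for every host and needs no history, while the behavioral detector must learn a per-host baseline first and cannot score a host until it has enough data. The host names, daily counts, the threshold of 20, the seven-day minimum window and the z-score cutoff of 3 are all made-up assumptions chosen for illustration.

```python
import statistics

# Constructed sample data (not from the exam page): failed logins per host
# per day. HISTORY is the learning window; TODAY is the day being scored.
#   db01   normally fails ~3/day, so 9 today is abnormal for it.
#   web01  is noisy (~40/day), so 45 today is routine for it.
#   app02  has only three days of history: not enough to learn a baseline.
HISTORY = {
    "db01":  [2, 3, 4, 3, 2, 3, 4, 3, 3],
    "web01": [38, 42, 40, 45, 37, 41, 39, 43, 40],
    "app02": [5, 6, 5],
}
TODAY = {"db01": 9, "web01": 45, "app02": 30}

# Static rule: one fixed count applied to every host (an assumed value).
FAILED_LOGIN_THRESHOLD = 20


def rule_based(today, threshold=FAILED_LOGIN_THRESHOLD):
    """Rule-based detection: flag any host whose count meets a static threshold.

    There is no learning phase and no per-host context: a host that is always
    noisy (web01) is flagged every day, while a burst that is large only
    relative to a quiet host's own history (db01) never reaches the threshold.
    """
    return sorted(host for host, count in today.items() if count >= threshold)


def build_baseline(history, min_days=7):
    """Behavioral detection, learning step: mean and standard deviation per host.

    Hosts with fewer than min_days observations get no baseline at all. This is
    the historical-data requirement: nothing can be scored until it is met.
    """
    baseline = {}
    for host, counts in history.items():
        if len(counts) < min_days:
            continue
        baseline[host] = (statistics.mean(counts), statistics.pstdev(counts))
    return baseline


def behavioral(today, baseline, z_threshold=3.0, min_stdev=0.5):
    """Behavioral detection, scoring step: flag deviations from each host's own baseline.

    Returns (alerts, unscored). alerts holds (host, z_score) pairs for hosts
    more than z_threshold standard deviations above their own mean; unscored
    lists hosts that have no baseline yet. min_stdev keeps a perfectly constant
    history from turning any small change into a division by almost zero.
    """
    alerts, unscored = [], []
    for host, count in sorted(today.items()):
        if host not in baseline:
            unscored.append(host)
            continue
        mean, stdev = baseline[host]
        z = (count - mean) / max(stdev, min_stdev)
        if z > z_threshold:
            alerts.append((host, round(z, 2)))
    return alerts, unscored


if __name__ == "__main__":
    print("rule-based alerts:", rule_based(TODAY))
    found, skipped = behavioral(TODAY, build_baseline(HISTORY))
    print("behavioral alerts:", found)
    print("behavioral could not score:", skipped)
```

Running it shows the two systems disagreeing on every host: the static rule flags app02 and web01 (web01 being the chronic false positive of an untuned rule) and misses db01, while the behavioral detector flags only db01, whose nine failures are far outside its own baseline, and reports app02 as unscorable because there is not yet enough history. A practical caveat on the learning step: the baseline window has to be trusted, because activity that was already happening while the baseline was learned becomes "normal" and will not be flagged afterwards.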

Concept tested. Behavioral vs. Rule-based detection systems

Reference. https://learn.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities

Topics

#behavioral detection · #rule-based detection · #IDS/IPS · #security monitoring
