300-215 Question #107: Real Exam Question with Answer & Explanation
The correct answer is C: Implement an automated operation to pull systems events/logs and bring them into an
Question
An incident response team is recommending changes after analyzing a recent compromise in which:
- a large number of events and logs were involved;
- team members were not able to identify the anomalous behavior and escalate it in a timely manner;
- several network systems were affected as a result of the latency in detection;
- security engineers were able to mitigate the threat and bring systems back to a stable state; and
- the issue reoccurred shortly after and systems became unstable again because the correct information was not gathered during the initial identification phase.

Which two recommendations should be made for improving the incident response process? (Choose two.)
Options
- A. Formalize reporting requirements and responsibilities to update management and internal
- B. Improve the mitigation phase to ensure causes can be quickly identified, and systems returned to
- C. Implement an automated operation to pull systems events/logs and bring them into an
- D. Allocate additional resources for the containment phase to stabilize systems in a timely manner
- E. Modify the incident handling playbook and checklist to ensure alignment and agreement on roles,
Explanation
The Cisco study material recommends integrating automation for log/event collection and contextual analysis to reduce detection delays and ensure rapid identification of anomalies. It also emphasizes the need for pre-defined roles and documented steps in an Incident Handling Playbook, following NIST SP 800-61 Rev. 2, to improve consistency and readiness during incidents.