(ISC)2

CISSP Question #182: Real Exam Question with Answer & Explanation

The correct answer is A: Automatically create exceptions for specific actions or files.

Submitted by tyler.j · Mar 5, 2026 · Security Operations

Question

Host-Based Intrusion Protection (HIPS) systems are often deployed in monitoring or learning mode during their initial implementation. What is the objective of starting in this mode?

Options

  • A. Automatically create exceptions for specific actions or files
  • B. Determine which files are unsafe to access and blacklist them
  • C. Automatically whitelist actions or files known to the system
  • D. Build a baseline of normal or safe system events for review

Explanation

When HIPS is deployed in monitoring/learning mode, it observes system activity to understand normal behavior and automatically generates exceptions (whitelisting rules) for legitimate actions, preventing false positives when enforcement mode is later enabled.

Common mistakes.

  • B. Blacklisting unsafe files is a function of enforcement or protection mode, not monitoring/learning mode; learning mode is designed to identify and permit normal activity, not to flag or block suspicious files.
  • C. While learning mode does result in whitelisting, the mechanism described here - automatically whitelisting files 'already known to the system' - describes a static signature or reputation-based approach, not the dynamic baseline-building process that monitoring mode performs.
  • D. Building a baseline of normal system events is more characteristic of anomaly-based IDS/IPS or behavioral analytics tools; HIPS learning mode specifically focuses on generating exception rules (whitelists) from observed activity rather than simply recording a passive baseline for human review.

Concept tested. HIPS learning mode and automatic exception creation

Reference. https://docs.trendmicro.com/en-us/documentation/article/deep-security-20_0-about-intrusion-prevention

Topics

#HIPS #Intrusion Prevention Systems #Security monitoring #Baseline
