ISSAP - Information Systems Security Architecture Professional Security Operations Architecture Questions and Answers

Question 1

A global corporation with major offices in North America, Europe, and Asia needs to establish a 24/7 security monitoring capability. The goal is to handle common alerts locally within each region for efficiency, while escalating complex, novel, or widespread threats to a central team of highly skilled experts for in-depth analysis and coordination. Which Security Operations Center (SOC) model BEST fits this architectural requirement?

Accepted Answer

A tiered or hierarchical SOC with regional Tier 1/2 teams and a central Tier 3 command SOC.

Answer

A tiered or hierarchical SOC model is the most suitable architecture. It allows regional teams (Tier 1/2) to handle the high volume of routine alerts and perform initial triage, providing rapid response within their respective time zones. [15] Complex, severe, or cross-regional incidents are escalated to a central command SOC (Tier 3) staffed with senior analysts, threat hunters, and forensic experts who can perform deeper analysis and coordinate a global response. [6] This balances local efficiency with centralized expertise.

Question 2

An architect is designing a Security Information and Event Management (SIEM) architecture for a large enterprise. A primary requirement is to process high-volume log data from thousands of diverse sources, including firewalls, servers, and custom applications, each with a unique format. Which SIEM component is fundamentally responsible for parsing these varied log formats into a standardized, common schema before they are sent to the correlation engine?

Accepted Answer

The data collection and normalization layer.

Answer

The data collection and normalization layer is the core component responsible for this function. [5] Collectors or agents gather raw logs from various sources. [1, 3] The normalization process then parses the different log formats, extracts key fields, and transforms them into a common, standardized format (schema). This step is critical because the correlation engine requires a consistent data structure to apply rules and detect patterns across disparate data sources effectively. [3]

Question 3

A Security Operations Center (SOC) is consistently overwhelmed by the high volume of phishing alerts. Analysts perform the same manual steps for each alert: analyze the email headers, detonate suspicious URLs in a sandbox, check indicators against threat intelligence feeds, and, if malicious, block the indicators and isolate the host. A security architect wants to implement a solution to automate this entire workflow. Which technology is specifically designed for this purpose?

Accepted Answer

Security Orchestration, Automation, and Response (SOAR)

Answer

A Security Orchestration, Automation, and Response (SOAR) platform is designed to address this exact use case. [11] Orchestration connects disparate security tools (sandbox, TIP, EDR, firewall), while automation executes predefined workflows, known as playbooks, to perform response actions without manual intervention. [32, 34] This allows the SOC to automate the repetitive tasks associated with phishing response, freeing up analysts to focus on more complex threats. [11]

Question 4

A security architect is establishing a proactive threat hunting program. The primary goal is to search for previously unknown or undetected threats that have bypassed existing security controls. Which of the following is the MOST critical architectural prerequisite for enabling effective, hypothesis-driven threat hunting?

Accepted Answer

A centralized, long-term repository of searchable endpoint, network, and log data.

Answer

Effective threat hunting is fundamentally dependent on having access to rich, historical data. [21] A centralized and searchable repository (often a data lake or advanced SIEM) containing endpoint process logs, network flow data, DNS queries, and other telemetry is essential. [8] This allows hunters to form a hypothesis (e.g., "an attacker is using DNS for command and control") and then query the historical data to find anomalies and patterns that would not trigger a traditional alert. [21, 23]

Question 5

To enhance its security operations, an organization wants to operationalize threat intelligence. The architect's design calls for a central system that can ingest threat data from multiple feeds (e.g., open-source, commercial, ISACs), deduplicate and normalize the data, enrich it with context, and then share actionable indicators with other security tools like the SIEM, firewalls, and EDR. Which type of platform BEST describes this central system?

Accepted Answer

A Threat Intelligence Platform (TIP).

Answer

This describes the core function of a Threat Intelligence Platform (TIP). A TIP is a technology solution designed to aggregate, process, and analyze threat data from multiple sources. [22, 18] It manages the intelligence lifecycle by normalizing data, enriching it with context, and integrating with other security controls to operationalize the intelligence for detection and prevention. [7, 25]

ISSAP - Information Systems Security Architecture Professional Practice Test

ISSAP - Information Systems Security Architecture Professional Practice Test

ISSAP - Information Systems Security Architecture Professional Security Operations Architecture Questions and Answers