When tuning an anomaly based intrusion detection or prevention system you should do which of the following to reduce the number of false negatives and false positives?
Reduce the amount of signature updates which occur to raise the efficiency of detection
Ensure you retrain the system when a new application is brought into the production environment
Enable as many rules as possible to ensure nothing slips through
Edit rules to be as broad as possible
When tuning an IDS or IPS, you want to construct and edit your rule set so that it is as specific to your environment as possible. That may include turning off rules that don't apply to your production environment. For example, if you don't run IIS, there is no reason to have IIS-based rules. Anomaly-based detection depends on knowing what normal traffic looks like. If you bring in a new application, you must retrain the IDS/IPS to recognize what the new normal traffic looks like. Finally, for a signature-based system to be effective, you must update it with signatures of new attacks as frequently as possible.

EDIT: The answer shows as "Edit rules to be as broad as possible"; wouldn't the answer be "Edit rules to be as specific as possible"? Reasoning is that when tuning, you apply as closely to your environment as possible, which is more specific as opposed to broad? While I do see the reasoning of using "as broad as possible", it is antithetical to the concept of making your rulesets "specific" to your environment, which cuts down on false reports?

Edit: shouldn't the correct answer be "ensure you retrain the system when you have a new app"? You want to avoid false positives of the new app, no?