Exam CAS-004
Question 389

A company recently migrated all its workloads to the cloud and implemented a transit VPC with a managed firewall. The cloud infrastructure implements a 10.0.0.0/16 network, and the firewall implements the following ACLs:

The Chief Information Security Officer wants to monitor relevant traffic for signs of data exfiltration. Which of the following should the organization place in its monitoring tool to BEST detect data exfiltration while reducing log size and the time to search logs?

    Correct Answer: D

    To best detect data exfiltration, the organization should monitor outbound traffic from the trusted network (10.0.0.0/16) to any external destination (0.0.0.0/0). An IP-level filter covers every protocol and port, so exfiltration over SSH/SCP, DNS, or a non-standard port is captured as well as HTTP/HTTPS; a filter limited to TCP 80 and 443 would miss those channels, and a filter on traffic inbound to 10.0.0.0/16 watches the wrong direction. Restricting the monitor to flows whose source is the trusted range keeps the log smaller and faster to search than logging all traffic in both directions, because inbound traffic is excluded. Therefore 'FROM IP 10.0.0.0/16 ANY TO 0.0.0.0/0 ANY' is the most effective choice for monitoring signs of data exfiltration.
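As an added example (not part of the exam question or the site's explanation), the following Python applies candidate monitoring filters to a handful of constructed flow records and counts what each filter would log. Rule D and rule C are as quoted in the discussion below; rule B is reconstructed from the discussion as "TCP from 10.0.0.0/16 to 0.0.0.0/0 on ports 80,443" and is an assumption. The `egress_only` helper is a refinement that is not one of the exam options: it drops flows whose destination is still inside 10.0.0.0/16, since 0.0.0.0/0 also covers the trusted range itself.

```python
# Added example: applies candidate egress-monitoring filters to constructed
# flow records. Not code from the exam page. Rule B is reconstructed from the
# discussion (an assumption); rules C and D are as quoted in the thread.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp", "udp", "icmp"
    dport: int    # destination port (0 when the protocol has none)
    nbytes: int   # bytes transferred in this flow


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str               # "ip" matches any protocol
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    dports: FrozenSet[int]   # empty set means ANY port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst):
            return False
        return not self.dports or f.dport in self.dports


ANY = frozenset()
RULES = {
    # B: assumed from the discussion ("TCP from 10.0.0.0/16 on 80/443 to any")
    "B": Rule("B", "tcp", "10.0.0.0/16", "0.0.0.0/0", frozenset({80, 443})),
    # C: FROM TCP 0.0.0.0/0 ANY TO 10.0.0.0/16 80,443,22 (inbound direction)
    "C": Rule("C", "tcp", "0.0.0.0/0", "10.0.0.0/16", frozenset({80, 443, 22})),
    # D: FROM IP 10.0.0.0/16 ANY TO 0.0.0.0/0 ANY (all egress, any protocol)
    "D": Rule("D", "ip", "10.0.0.0/16", "0.0.0.0/0", ANY),
}

# Constructed flow records (not real logs); external addresses use documentation ranges.
FLOWS = [
    Flow("10.0.10.5", "203.0.113.10", "tcp", 443, 52000),   # HTTPS upload
    Flow("10.0.10.5", "203.0.113.10", "tcp", 80, 1200),     # HTTP out
    Flow("10.0.10.7", "198.51.100.53", "udp", 53, 48000),   # bulky DNS (tunnel-like)
    Flow("10.0.10.8", "203.0.113.22", "tcp", 22, 900000),   # SCP to an external host
    Flow("198.51.100.9", "10.0.10.5", "tcp", 443, 4000),    # inbound HTTPS
    Flow("10.0.10.5", "10.0.20.9", "tcp", 22, 70000),       # intra-VPC SSH
]


def apply(rule: Rule, flows: Iterable[Flow]) -> List[Flow]:
    """Return the flows this monitoring filter would log."""
    return [f for f in flows if rule.matches(f)]


def egress_only(flows: Iterable[Flow], internal: str = "10.0.0.0/16") -> List[Flow]:
    """Refinement not among the exam options: drop flows whose destination is
    still inside the trusted range, since 0.0.0.0/0 also covers 10.0.0.0/16."""
    net = ipaddress.ip_network(internal)
    return [f for f in flows if ipaddress.ip_address(f.dst) not in net]


def summarize(rule: Rule, flows: Iterable[Flow]) -> dict:
    """Count of flows and total bytes a filter would put into the log."""
    hits = apply(rule, flows)
    return {"rule": rule.name, "flows": len(hits), "bytes": sum(f.nbytes for f in hits)}


if __name__ == "__main__":
    for r in RULES.values():
        print(summarize(r, FLOWS))
    print("D, internet-bound only:", len(egress_only(apply(RULES["D"], FLOWS))))
```

On these records, B logs only the two web flows and misses the DNS and SCP transfers, C logs the inbound HTTPS session and the internal SSH hop (the wrong direction for exfiltration), and D logs every flow that leaves the trusted range. D also picks up the intra-VPC SSH flow because 0.0.0.0/0 includes 10.0.0.0/16; in a real deployment you would normally exclude internal destinations as `egress_only` does to cut east-west noise out of the log.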

Discussion
YUYUY (Option: D)

I'm conflicted here. The question asks for the answer that "BEST detects data exfiltration", so I would go with D because this covers ALL outbound ports that could be used for data exfil. But it also says "while reducing log size and the time to search logs". That would make me go with B. This answer narrows the scope because it only looks at TCP ports 80 and 443 (two of the known ports for data exfil). This would give you a lot fewer logs than option D. I'll stick with the most secure option and go with D.

CraZee

I agree with guwno below... isn't D already implemented in the FW? That being the case, I think B is the right answer.

Whip

"organization place in its monitoring tool"... it's not about the FW.

armid

Agree, B would not cover insiders and that darn port 22. I think the "while reducing logs" is meant in comparison to other answers such as E, which would also cover all exfils but would involve much more logging.

armid

Still D, but ignore that comment about port 22, brainfart.

Potato42 (Option: B)

It's B: you'd typically want to see any TCP traffic originating from 10.0.0.0/16 on ports 80/443 to any other address out there.

saucehozz

This is the opposite of reducing logged data.

biggytech (Option: B)

B is the correct answer as it is the only one which pertains to outbound traffic. C is inbound traffic and not a concern for DLP.

[Removed] (Option: D)

The best option to detect data exfiltration while reducing log size and the time to search logs would be Option D: FROM IP 10.0.0.0/16 ANY TO 0.0.0.0/0 ANY. This is because data exfiltration typically involves data being sent from the trusted network (10.0.0.0/16) to an untrusted network (0.0.0.0/0). Monitoring all IP traffic (both TCP and UDP) from the trusted to the untrusted network would provide the most comprehensive coverage for detecting potential data exfiltration. So, in summary, this rule monitors all IP traffic (both TCP and UDP), regardless of the port number, originating from the IP address range 10.0.0.0 to 10.0.255.255 and destined for any IP address. This would include all outbound traffic from the trusted network to any destination, which is why it's useful for detecting potential data exfiltration.

guwno

This option would be great if it weren't already implemented on the FW. Because of this I lean towards B.

talosDevbot (Option: D)

Has to be D. Let's look at the permitted ingress traffic:

- HTTP/S traffic from any IP
- SSH (maybe SCP or SFTP) traffic from a different internal network to 10.0.10.0/24

There is the risk of a malicious insider/admin SSHing into the VPC and exfiltrating data with various methods. So the most comprehensive option here is D, from the VPC to any. While the log size will be large, it's the only option that covers all possible data exfiltration paths.

nuel_12 (Option: C)

C. FROM TCP 0.0.0.0/0 ANY TO 10.0.0.0/16 80,443,22

EAlonso (Option: D)

D, the ACL from trust to untrust.