CompTIA Security+ (SY0-501) — Question 847

A penetration tester was able to connect to a company's internal network and perform scans and staged attacks for the duration of the testing period without being noticed. The SIEM did not alert the security team to the presence of the penetration tester's devices on the network. Which of the following would provide the security team with notification in a timely manner?

Answer options

• A. Implement rogue system detection and sensors
• B. Create a trigger on the IPS and alert the security team when unsuccessful logins occur
• C. Decrease the correlation threshold for alerts on the SIEM
• D. Run a credentialed vulnerability scan

Correct answer: A

Explanation

Implementing rogue system detection and sensors (Option A) is the best choice as it actively identifies unauthorized devices on the network, thereby alerting the security team to potential threats in real-time. The other options, while useful, either focus on specific events (B) or do not directly address the detection of unauthorized access (C and D).