300-745 Exam Dumps : Designing Cisco Security Infrastructure (300-745 SDSI) v1.0

A Security Operations Center (SOC) is often overwhelmed by thousands of alerts from various security tools. The primary tool used to aggregate, correlate, and—most importantly—prioritizethese incidents is theSecurity Information and Event Management (SIEM)system. According to the Cisco SDSI domain on Risk, Events, and Requirements, a SIEM acts as the central brain of the SOC.

A SIEM (such as Splunk or Cisco Secure Cloud Analytics) ingests logs from firewalls, endpoints, and cloud services. It uses correlation rules and risk-scoring algorithms to distinguish between low-priority "noise" and critical security incidents. For example, a single failed login might be ignored, but ten failed logins followed by a successful one and a large data transfer would be escalated as a high-priority incident.Endpoint Detection and Response (EDR)(Option B) andEndpoint Protection Platforms (EPP)(Option D) provide deep visibility and protection on individual hosts but lack the cross-platform correlation needed to prioritize organizational risk.CloudWatch(Option C) is a monitoring service for AWS resources but does not function as a multi-source security correlation engine. By using a SIEM, SOC analysts can focus their limited time on the most impactful threats, ensuring a more efficient and effective incident response process.

========

The scenario described—where high CPU utilization prevents administrators from accessing device management interfaces—is a classic indication that the device'sControl Planeis being overwhelmed by malicious or malformed traffic (such as a DoS attack or a routing loop). To protect the "brains" of the network device,Control Plane Policing (CoPP)must be implemented.

CoPP allows an engineer to define filter and rate-limit policies specifically for traffic destined for the CPU. By categorizing traffic into different classes (e.g., routing protocols, management traffic like SSH, and "catch-all" untrusted traffic), CoPP ensures that critical management and control traffic is prioritized while excessive or suspicious traffic is dropped before it can impact the device’s performance. This maintainsoperational efficiencyeven during a traffic spike or attack. WhileAAA(Option B) handles authentication andRBAC(Option D) manages permissions once a user is logged in, neither can prevent the CPU exhaustion that blocks the login attempt in the first place.SNMP(Option C) is used for monitoring but does not provide active traffic policing. Within the Cisco SDSI framework, CoPP is a fundamental "Self-Defending Network" feature required to ensure the availability and resilience of the core infrastructure.

========

In the scenario described, the healthcare organization fell victim to aransomware attack, where devices were encrypted to extort the organization. To mitigate such risks in the future,Endpoint Detection and Response (EDR)is the essential architectural component. According to the Cisco SDSI Secure Infrastructure domain, protecting endpoints requires more than just traditional antivirus; it necessitates a solution that provides deep visibility into file behavior and process execution.

A robust EDR solution, such asCisco Secure Endpoint, continuously monitors all activity on the device. When ransomware attempts to initiate its encryption process, the EDR can detect the malicious behavioral pattern in real-time. It can then take automated actions, such as isolating the infected host from the network and "stopping" the encryption process before it spreads. Furthermore, Cisco's EDR providesretrospective security, allowing administrators to see how the malware arrived and which other devices it touched. While Option A (Password Policies) helps prevent credential theft and Option C (DLP) prevents data theft, they do not stop the technical process of disk encryption. Only EDR provides the necessary detection and automated response capabilities to handle modern file-less and polymorphic malware threats effectively. This aligns with the Cisco SAFE goal of securing the endpoint layer against advanced persistent threats (APTs) and ransomware variants.

========