| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 17.2 - Implementing Detection & Preventive Measures (Part 4 of 5)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues Domain 7, Security Operations, by going deeper into how detection systems act and where they live. It covers passive and active responses, host-based versus network-based placement, the challenge of encrypted traffic, and the inline prevention systems that stop attacks before they land.
What this episode covers
- Passive response — logging the event and sending a notification by email, text, or report to an operations center.
- Active response — changing the environment to block activity, such as rewriting firewall rules, configured in advance.
- Host-based systems — monitoring one machine in fine detail, even pinpointing the exact files an attacker touched.
- Network-based systems — watching broad traffic with sensors at key points and centralized administration.
- Weighing the trade-offs — reserving costly host-based sensors for key servers while network-based sensors barely dent performance.
- The encrypted-traffic challenge — decryptors that inspect sessions but cannot open data encrypted on the host first.
- Network-based prevention — an inline active system that forwards or blocks each packet before it reaches the target.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
How does an intrusion detection system respond to an event?
Both signature and behavior systems trigger on an alert, then respond in one of two ways. A passive response logs the event and sends a notification by email, text, or a report, often on the big screens in a round-the-clock operations center. An active response goes further, changing the environment to block the activity, for example rewriting firewall rules to drop a flood from one address. Administrators configure these active responses in advance.
What separates a host-based from a network-based system?
It comes down to what each one watches. A host-based system monitors a single computer, inspecting its processes and its system, application, and firewall logs in fine detail, even pinpointing the exact files an attacker touched. A network-based system watches traffic across the whole network using sensors at key points like routers and switches. Host-based systems cost more per machine and can be disabled by an intruder on the box, so many organizations reserve them for key servers, while network-based systems centralize administration.
Why is encrypted traffic such a challenge for these systems?
Because most internet traffic is encrypted, and a detection system cannot inspect what it cannot read. A bad payload can ride inside an encrypted session, invisible to the monitor, and botnets often use encrypted channels to hide their check-ins. The common answer is a decryptor that intercepts the session, decrypts the traffic for inspection, then re-encrypts it. Its blind spot is data an attacker encrypts on the host before it ever enters that session, which the decryptor cannot open.
What exactly is a network-based prevention system?
It is a special kind of active detection system placed directly inline with the traffic. Because every packet must flow through it, it can analyze each one and choose what to forward and what to block, stopping an attack before it ever reaches the target. An active detection system that is not inline can only react after the traffic has already arrived, so it responds to an attack in progress rather than preventing it. The clear trend is to move detection inline and let it prevent.
Why does placement matter so much for these tools?
Knowing a tool exists is not the same as placing it well. Deciding whether to put sensors on every laptop, at the network core, or both is a design call that shapes whether monitoring actually works. Get the placement and response mode right and you see attacks early and stop them cleanly; get it wrong and you either drown in noise or miss the intrusion entirely, so place these tools well to give your network both eyes and reflexes.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 17.2 - Implementing Detection & Preventive Measures (Part 4 of 5).