ST0-085 - Symantec Security Information Manager 4.7 Technical Assessment
Which two default administrative user accounts are created during the installation of Symantec Security Information Manager? (Select two.)
Which menu options do you select in the user interface to shut down or reboot the Symantec Security Information Manager (SSIM) appliance?
SSIM --> Configure Appliance --> Shutdown/Restart
Which Correlation Rule type does the Correlation Manager use?
Multiple Event Rules (looks for a pattern of events)
What information is necessary to properly size a deployment?
events per second, geographic locations and event-to-incident ratio
Where is information about the health and performance of the Symantec Security Information Manager appliance found?
When are the effective privileges of the SES Administrator role and Domain Administrator role equivalent?
when there is only one domain in the system
What information must be obtained prior to product deployment and configuration of the Symantec Security Information Manager appliance?
the number of security events per day the appliance will handle
Which three need to be collected as part of pre-deployment planning?
host operating systems
number of events per second
event-to-incident ratio under normal and peak conditions
Which statement about the capabilities of the Event Archive Viewer is true?
Based on a histogram, you can select a time period for viewing.
How do you install a valid DeepSight Integration License?
On the appliance, place the license in the /opt/Symantec/license folder.
Use the Install License Wizard.
After installation, where would you go to purge the database?
Symantec Security Information Manager --> Configure Appliance --> Database Utilities tab
For which three does Symantec Security Information Manager automatically create values when you manually create a new incident?
Incident ID number
The Symantec Security Information Manager includes a(n) _____ feature that allows the security administrator to instantly access a customized view of major security indicators.
On which three operating systems can the Symantec Security Information Manager Agent 2.5 be installed?
Red Hat 3
What type of data that comes from DeepSight is mapped to vulnerability, exposure, malicious code, and safeguard mitigation strategies?
normalized event signatures
Which third-party software components support LDAP for users, roles, and configurations?
IBM Directory Server 6.0
What is the purpose of normalization?
to standardize events across multiple devices for the Correlation Manager to compare all events equally
You are troubleshooting performance problems on your Symantec Security Information Manager. Which console utility should you use to view the number of dropped packets on the network interface?
How can you determine which ports are potentially vulnerable on a given host in the Assets Table?
by looking at the Services tab on the asset
When installing the Symantec Security Information Manager Agent and Collector on a Windows platform, which command shows that the agent is installed and running?
When configuring the Event Archive settings of an Information Manager appliance, which two options can be configured? (Select two.)
Max Archive Quota
Free disk space
You are troubleshooting your Symantec Security Information Manager (SSIM) system. Which information does the "status" command display?
# of times started
Where do Symantec Security Information Manager collectors send events?
Which source is used by Symantec Security Information Manager to create incidents?
From the Information Manager Console, the _____ feature allows you to prioritize remediation efforts on critical network devices.
You are designing a new Symantec Security Information Manager (SSIM) solution for your company. When designing the structure of your SSIM domain, computers are separated into logical groups called _____.
What are the specified minimum hardware requirements for installing and running the Symantec Security Information Manager Console?
512 MB RAM and 103 MB disk space
For which two does Symantec Security Information Manager automatically create values when you manually create a new incident? (Select two.)
Which LDAP port is used by the security directory?
Symantec Security Information Manager ____ Series provides dynamic correlation and centralized management of large, distributed enterprise deployments.
Which condition needs to be met for a rule to be triggered on the Symantec Security Information Manager Conditions tab?
After setting up the Symantec Security Information Manager (SSIM) appliance, where are network settings changed?
SSIM Start Page --> Settings--> Network Settings
Which statement about Symantec Security Information Manager domains is true?
A domain can be a group of a single correlation system and multiple collection systems.
What information is reported by the Nessus scanner when it scans a range of network addresses?
all devices found on the networks scanned
vulnerabilities of discovered network devices
What is the unique identifier that normalization provides for each type of event?
adds Correlation Manager-specific data to the translated event
Which type of database backup is performed during the Symantec Security Information Manager installation?
a full, offline backup
Which statement is true about rules in a Symantec Security Information Manager solution?
Rules can be created that escalate events to incidents, based on policies defined on each asset.
When should a Symantec Security Information Manager database be restored?
when there is a hardware failure
You manage the Symantec Security Information Manager (SSIM) solution for your company. You need to configure the Cisco PIX collector to process events from a Cisco PIX firewall. What must you do on the PIX firewall to accomplish this?
configure it to send syslog messages to the SSIM appliance
Which of the following are all on-box collectors?
Checkpoint, Snort and PIX
When an event is received by the Symantec Security Information Manager (SSIM), the Event Logger component inserts events into the archive without doing other processing. This is the default behavior. Depending on the configuration and the components installed on the SSIM, how can the inserted events be processed?
Which two are commonly used to view archived events?
Information Manager Event Viewer
Which three user actions can be executed by the Information Manager Event Viewer?
Which of the following vendor hardware is recommended to use with Symantec Security Information Manager (SSIM)?
What does a conclusion that is untrackable to an existing incident become?
an occurring incident
On which two operating systems can the Symantec Security Information Manager Agent be installed? (Select two.)
Which three statements about Symantec Security Information Manager domains are true?
Domains allow logical grouping of appliances.
Each domain must have its own model 9650 appliance.
A domain can include many model 9630 appliances.
How can an organization connect to the Integrated Global Security Intelligence to receive updates?
by licensing the DeepSight Security feature
Which types of rules does Symantec Security Information Manager use?
Filtering and Correlation
Symantec Security Information Manager Series Appliance installs which operating system by default?