How should an administrator set up an alert to be notified when manual remediation is needed on an endpoint?
To notify administrators when manual remediation is required on an endpoint, the administrator should set up a Single Risk Event notification in Symantec Endpoint Protection (SEP), with the action specified as 'Left Alone'. This configuration causes SEP to alert administrators only when a detected risk was not handled automatically, indicating that manual intervention is required.
Setting Up the Notification:
Navigate to Notifications in the SEP management console.
Select Single Risk Event as the notification type and specify 'Left Alone' for the action taken.
Enable options to log the notification and send an email alert to system administrators.
Rationale:
This approach ensures that administrators are only alerted when SEP detects a threat but cannot automatically remediate it, signaling a need for manual review and action.
Other options (e.g., System event notification, New risk detected) are broader and may trigger alerts unnecessarily, rather than focusing on cases needing manual attention.
Which two (2) security controls are utilized by an administrator to mitigate threats associated with the Discovery phase? (Select two)
In the Discovery phase of a cyber attack, attackers attempt to map the network, identify vulnerabilities, and gather information. Firewall and Intrusion Prevention System (IPS) are the most effective security controls to mitigate threats associated with this phase:
Firewall: The firewall restricts unauthorized network access, blocking suspicious or unexpected traffic that could be part of reconnaissance efforts.
IPS: Intrusion Prevention Systems detect and block suspicious traffic patterns that may indicate scanning or probing activity, which is common in the Discovery phase.
Together, these controls limit attackers' ability to explore the network and identify potential vulnerabilities.
Which type of activity recorder does EDR provide?
Symantec Endpoint Detection and Response (EDR) provides an Endpoint activity recorder to monitor, log, and analyze behaviors on endpoints. This feature captures various endpoint activities such as process execution, file modifications, and network connections, which are essential for detecting and investigating potential security incidents.
Purpose of Endpoint Activity Recorder:
The endpoint activity recorder helps track specific actions and behaviors on endpoints, providing insights into potentially suspicious or malicious activity.
This data is valuable for incident response and for understanding how threats may have propagated across the network.
Why Other Options Are Not Suitable:
Virtual (Option A), Email (Option C), and Temporary (Option D) do not accurately represent the continuous and comprehensive nature of endpoint activity monitoring.
What permissions does the Security Analyst Role have?
The Security Analyst Role in Symantec Endpoint Protection has permissions to search endpoints, trigger dumps, and get & quarantine files. These permissions allow security analysts to investigate potential threats, gather data for further analysis, and isolate malicious files as needed.
Capabilities of the Security Analyst Role:
Search Endpoints: Analysts can perform searches across endpoints to locate suspicious files or artifacts.
Trigger Dumps: Analysts can create memory dumps or other forensic data for in-depth investigation.
Get & Quarantine Files: Analysts can quarantine files directly from endpoints, thereby mitigating threats and preventing further spread.
Why Other Options Are Incorrect:
Enrolling new sites (Option A) and creating device groups or policies (Options C and D) are typically reserved for administrators with broader access rights rather than for security analysts.
Which designation should an administrator assign to the computer configured to find unmanaged devices?
In Symantec Endpoint Protection, the Discovery Agent designation is assigned to a computer responsible for identifying unmanaged devices within a network. This role is crucial for discovering endpoints that lack protection or are unmanaged, allowing the administrator to deploy agents or take appropriate action. Configuring a Discovery Agent facilitates continuous monitoring and helps ensure that all devices on the network are recognized and managed.