CCT 311: Practice CISSP Questions and AI In The SOC (Domain 3)
Jan 01, 2026
Ready to turn CISSP Domain 3.5 into practical moves you can deploy on Monday? We unpack how real SOC teams apply microsegmentation, identity-aware controls, and targeted inspection to crush lateral movement without dragging performance. Along the way, we demystify AI’s role: where detection engineering benefits from crisp use cases, how Tier 1 triage speeds up, and why models still need human oversight and rigorous validation to stay trustworthy.
We also step through common network design traps that drain budgets and weaken defenses. VLAN sprawl looks tidy on paper but collapses under hybrid cloud dynamics. Central chokepoints promise control yet introduce latency and single failure domains. The smarter path is selective inline inspection where risk is highest, strong encryption everywhere else, and host-based enforcement that understands identity and context after decryption. If you’ve been tempted to collapse controls into one “do-everything” appliance, we lay out the hidden cost: a fragile core that turns into a single point of failure when you need it most.
To ground the theory, we walk through scenario-style questions that mirror real decisions security leaders face: stopping east-west movement, balancing HA with inspection, drawing zero trust boundaries that don’t assume implicit trust, and enforcing policy on encrypted traffic. You’ll leave with patterns you can adapt immediately: start small, define use cases, validate outputs like code, and iterate with tight feedback loops. Whether you run a SOC, partner with an MSP, or are targeting a first-time CISSP pass, this conversation gives you a clear map from concept to control. If this helped, follow the show, share it with a teammate, and leave a quick review so others can find it too.
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
SPEAKER_00:
Welcome to the CISSP Cyber Training. We provide the training and tools you need for the CISSP exam. Hi, my name is John Gerber. I'm your host. I provide the information you need for the CISSP exam. And roll your cyber checker in the light. Alright.
SPEAKER_01:
Good morning, everybody. It's John Gerber with CISSP Cyber Training and I hope you all are having a beautifully blessed day today. Today is CISSP question Thursday, and we are going to be talking about questions related to domain 3.5 of the CISSP exam. So yeah, I hope you all had a beautiful, wonderful Christmas. As you're listening to this podcast, it's after the Christmas holidays. And so I hope you all got exactly what you were looking for and not a lump of coal. And if you don't know what that is, well, then I guess you've moved beyond the coal and you're into gas-fired electricity and heat for your home. So you don't have to worry about the coal. But I hope you all had a great Christmas. I hope it was a very blessed time of year for you. It is for me and my family. As Christians, we just love this time of year. It's an amazing part of our life, and we are so very, very thankful. Today we're going to be getting into domain three, as I mentioned a little bit earlier. But before we do, I wanted to talk about an article that I saw in The Hacker News. And this is how to integrate AI into modern SOC workflows; SOC is Security Operations Center, typically what it's called. I've been doing SOCs for many, many years and understand how they work, at least in the past; the things that have changed, I think, are really cool, honestly. I'm really excited about where that's actually going. Just because if you've worked in a SOC at any point in time, you can understand that the different types of triaging related to tier one through tier three kind of events can be a bit overwhelming. And honestly, it can be extremely laborious. So a lot of companies and a lot of different organizations are actually integrating AI as much as they possibly can within the SOC.
Now, this is out of this article: they had some 2025 SANS SOC survey that had come out, and they had questioned a lot of different organizations about where their SOC is and how they are implementing AI within it. 40% of SOCs will use AI or ML tools without making them a defined part of their operation. Really, what it comes down to is they turn it on and hope it's all going to work. And I've seen this, because that's just the magic button of AI. Let's kick it in, let's just see what it does. 42% will rely on AI and ML tools out of the box with no customization, just kind of like I mentioned before. And then 69% of SOCs still rely on manual or mostly manual processes to report metrics. And it really comes down to this. In many of the SOCs that I've dealt with, they are having a hard enough time just trying to keep their heads above water. Now you add another tool onto this, and what does that do to your organization? How does all that add up? It can be overwhelming in many different ways. So, one of the areas where they talked about how AI can provide reliable SOC support is detection engineering. And again, this comes down to having high quality alerts from your SIEM, basically for your MDR pipeline. And it's designed specifically around creating testable classification problems, examining the first eight bytes of packet streams to detect anomalies. It's extremely accurate and it validates a lot of different things that you might be looking for. So, one thing is that AI cannot fix vaguely defined learning problems. If you don't have very crisp and clean use cases that you have used for your SOC and your reporting, it's going to have a hard time with that, even just as it is. So you need to make sure that you have a good plan related to your SOC before you even start it going. And I would highly recommend that you have good use cases already well defined.
Threat hunting: this will also do research and development around capability for exploiting ideas and testing different assumptions. It really does help speed up the early stages of analysis, and it does compare the patterns and test your hypothesis against them. It does help you with that. And again, this comes down to use case development, that you have really, truly thought about how these attackers are going to come in and go after you. It's a tool for exploration, not the final authority, and this is why you need people. So many people are worried that AI will take over for their organization, but it really won't. I personally look at it as a new tier one type of tool that's going to make your tier one capabilities much, much easier. But you have to define it; it's like the human. The human understands what the tier one stuff is, and they've been doing it long enough. And even if not, you get a new intern that comes in and starts working tier one events. It takes them time to try to understand what they're actually looking at. Well, now this AI tool will work those tier one events and be able, based on use case development, to roll through those extremely quickly. And that's what you really, truly want: you want someone that's going to actually have the ability to roll through this stuff in a very quick manner. The other thing is that it's gonna help you with your software development and analysis. It can help write code for automation and host integration based on your SIEM and what queries your SIEM will possibly need. So this can refine the existing code snippets, accelerate logic construction, and reduce your mechanical overhead. All of those things can be done for you with the SIEM. And it can be done in Python, PowerShell, or whatever SIEM query language you may have specifically for your organization and for the type of tool that you're using.
So it's very interesting how that will work. And I can see a lot of value in that, especially since it takes a lot of brain bytes to be able to do those things. The other one is automation and orchestration. You can design workflows for your SOAR, your MCP, or other orchestration platforms. If you have a SOAR platform, this is your security orchestration and, yeah, response, I think is what it is. But bottom line is, it's the tools that make the automation piece work for your SIEM. A lot of organizations will buy a SOAR tool, just hoping that it works right out of the box. I was working as a consultant for a company and they had one SOAR tool and they had two SIEMs, and they really weren't even using either SIEM correctly. So the thing is, it's all of these tools as they interact. In the past you've been required to buy or hire someone that can help coordinate these different orchestrations between them. Now you can actually have your AI help you with that in a way that is extremely effective for your company. But what it's gonna take, depending on if you're a security leader listening to this, is for you to be able to work with your company to set aside the amount of resources to work on it. If you don't set aside resources to work on these types of capabilities, it's just not gonna work out for you. So again, you're gonna have to carve out some people and some time to make that happen for you and your organization. Reporting and communication: this is a really important part that I feel doesn't get done well already. But this is translating technical findings into clear, actionable communication. It can help improve the clarity, maybe take out some of the business wording and the business language that actually ends up making it more convoluted and hard to understand.
I've always struggled with that, where people will write these big pontificated words that make it almost impossible to even know what you're saying. The AI can help with that aspect as well. So I think there's really a lot of great things that you can utilize the AI pieces for in this space, but you really have to focus on some key principles around it. And the article talks about some key principles, being, one, narrow the scope: apply AI to specific, well-bounded tasks. Tasks that you already know, that you've already bounded, where you already know how the people are doing them. And I would focus on your tier one tasks specifically. What are things that you know people have the ability to do, and that are easily actionable and also easily verifiable, so that you can ensure that whatever AI you put in place, you can actually go back and verify it because you already have a process for your people to do those types of activities. So I think narrowing your scope is important. You can always increase the scope in the future, but narrowing at the beginning is really an important part. I also mentioned validating your output. You need to treat AI output with the same rigor as any engineering effort. Do not just assume that because it came out of the AI bot it is 100% right. Because it won't be, it's just not gonna be. A clear review process: establish how your AI output should be validated. You should ensure that that's in place as well. And then determine which workflows are mature enough to benefit from the augmentation. So you've got to determine, if you have your tier three or tier one folks, can they benefit from this specific AI augmentation that you have set up? Do you have checks and balances to ensure that it's done correctly? Maintain your accountability. Again, at the end of all of this, you have to have accountability around every aspect of this.
And then finally, you need to ensure continuous updates, where you have ongoing validation and tuning for each of these. So, what I would recommend is you set aside a tier three or tier one person who likes to do AI stuff and have them get into this. Have them dig into this and have them come back to you with some results. Give them a time box for when they should start and when they should end, and then have a minimum viable product that they can use, and focus on a couple of processes. Have them come to you with just a couple of processes on what you should do and what changes you should make, and then have them work on those. But again, give them a time box and tell them what your expectations are. So I think that's a really good way for you to be able to utilize AI, and it's probably in most of your tools right now as we speak, but I would look at ways that you can use AI within your company, utilizing resources you're already paying for and helping to get them more truly attuned to what is actually going on. So I do feel it's a really great article around AI and how to integrate it into your SOC workflows. Start small. You can pay a lot of money to have people help you with this, but realistically, start small in one area and then grow upon that for your tier one folks. If for some reason you don't have these capabilities and you're maybe relying on an MSP to do your SOC, I would actually challenge your MSP and ask them how they are doing this specifically for you. Now, if you are going directly with SOC providers such as SentinelOne and so forth, they probably already are doing this. But if you're going with an MSP that's providing this service, I would just question them on it. I would just ask them about it, because it doesn't hurt to see what they're doing and how they're actually doing it. Okay, that's the article. Again, The Hacker News, how to integrate AI into modern SOC workflows.
Okay, so before we get into the questions for today, I want to just do a quick shout out for CISSP Cyber Training. Head on over to CISSP Cyber Training, check it out, go to the website. You've got my stories on there: what happened with me, how did I end up getting into this, a little bit about my family, so you can understand a little bit about that, some of the resources that are available, all the free stuff. I've got podcasts, I've got exam prep content, I've got the training on YouTube; all that stuff is available to you as well. So everything is at CISSP Cyber Training if you're trying to study for your CISSP exam. In addition, I have paid content that is available for you. This paid content will help you streamline your overall process. If you're going into 2026 and you're listening to this podcast, you want to take the CISSP. There's no question about it. Well, let me help you with that. You know what? When I took it the first time and I failed, it's because I didn't have this program in place. I have a blueprint that's set up specifically to help you pass this exam. It's going to walk you through step by step. I had a student ask me; I was having a conversation with her. She's in the UK area, and I had a conversation with her, actually in Germany, about this. And one thing that she said: I understand risk. I understand all parts of it, but this is really overwhelming. There's so much information here, and she's right, the CISSP is a challenging test, and it's expecting you to know a lot of information about a lot of different areas. Well, utilize CISSP Cyber Training and utilize all the content that I have available to you to help you pass the CISSP the first time. You don't want to waste your time on trying to go back and take it again. You want to make sure you pass it the first time and not have to go back and do it again.
So go to CISSP Cyber Training, check it all out. Again, lots of free stuff, lots of good stuff there for you. All right, let's get into our questions today. Okay, so these are the domain three deep dive questions that are available for you on CISSP Cyber Training. You can get access to these and go over all of them. You can take the quiz and it'll show you how you did. All right, let's get started on the first question. Question: A global financial institution is redesigning its internal network after a breach that revealed extensive lateral movement between the application tiers. The organization operates a hybrid environment, which is on-prem and cloud, and must support legacy systems that cannot easily be modified. I've seen this. Lived the life. Which architectural approach best reduces lateral movement while maintaining operational flexibility? Okay, so let's see what they say. So again, a financial institution, so highly regulated. It's got an internal network, and after a breach revealed that it had extensive lateral movement between application tiers, which typically happens. The organization operates a hybrid environment, which is on-prem and cloud, and must support legacy systems that cannot be easily modified. Which architectural approach best reduces lateral movement while maintaining operational flexibility? Alright, so A, deploy next generation firewalls at all perimeter ingress and egress locations. Okay, that's positive, but we'll see. B, implement VLAN-based segmentation across the internal networks. C, adopt microsegmentation enforced at the workload and/or host level. Or D, increase IDS coverage for east-west traffic. Okay, so let's talk about that. So all of those have valid points within your organization, but not all of them are the best way to reduce lateral movement. So let's start with increase IDS coverage for east-west traffic. So typically east-west traffic is basically determined within your network.
Okay, so north-south is in and out of the organization, east-west is within the organization. The IDS will improve detection, but does not prevent lateral movement. So it's gonna tell you you've got a problem. Houston, we have a problem, but it's not going to do anything other than that. It's not gonna stop it, it's not gonna limit the lateral movement, it's just gonna tell you that we've got things moving through your organization. Now, that also being said, I don't know how much the IDSs today are gonna actually give you. They may tell you you have an issue, and unless you have done a really good job tuning them, it may not be something that is gonna be providing a whole lot of value. I've seen it in places where they will have IDSs and IPSs in front of areas, VLANs that are maybe very sensitive, but short of that, I think it just creates noise myself. Implement VLAN-based segmentation across all internal networks. Now, VLAN segmentation is limited by network boundaries and does not scale well with a dynamic environment. What does that mean? Well, you've got a cloud environment that's dynamic. Most times your on-prem stuff's gonna be very static, very set in one place, but when you're dealing with the cloud, you're gonna have a very dynamic environment. So, in a dynamic environment, VLAN-based segmentation just adds more complexity. One of the gentlemen I worked with was in my organization through a company we acquired, and after we met with him I looked at what he created, and he had 32 VLANs within his company. I mean, it was an absolute nightmare. And this was a very small location. This wasn't like multiple places, this was at one location. So all the VLANs were great, but they just added way too much complexity. And he wasn't really fond of it when I said, hey dude, this isn't gonna work so well. So yeah, again, VLANs are good.
I'm not saying they're not, but you need to use them with moderation. It's like salt. Don't use them on everything. Okay, then deploy next generation firewalls at the perimeter, ingress and egress points. Okay, so deploying firewalls at the perimeter does not control east-west traffic. Obviously, we talked about once attackers are inside, then it's a soft gooey center, and they can get to whatever they need to. So again, firewalls are great, but not for all the stuff when people are migrating or doing lateral movement within your company. So the correct answer is C, adopt microsegmentation enforced at the workload or host level. Microsegmentation enforces policies closest to the workload or the application, as it was mentioned, which is critical in a hybrid or cloud environment. You really, truly need to have some level of microsegmentation. Now, you may not do everything segmented that way. You may just have parts of your organization that are that way. All right, the next question: an organization is deploying a high availability application that requires real-time data synchronization between data centers. Okay, so you've got high availability, which can cause some challenges, and which basically, for your lack of knowledge, means you have two firewalls, and each firewall has traffic going through it. If one were to fail, the other one would pick up the slack, and therefore you don't have to worry about an outage occurring when you have high availability in place. So they have an application that's high availability requiring real-time data synchronization between data centers. So that means there's more than one data center. Security leadership is concerned about performance degradation caused by inline security devices. Which network design choice most appropriately balances security and availability? Okay, so A, implement security controls at network choke points only.
B, route all inter-data center traffic through centralized firewalls. C, use out-of-band monitoring instead of inline inspection. Or D, apply encryption with selective inline inspection where risk is highest. Okay, so high availability requires real-time data synchronization. They're worried about performance degradation caused by inline security devices. Okay, so let's talk about the ones that are not correct. Implement security controls at network choke points only. So by implementing a security control at your choke point, that's a very legacy type of activity. And it's gonna ignore your east-west and your service-to-service traffic. So it's just basically everything coming in. It's a very hub and spoke kind of thought process. So it's not the best option. And a lot of it is that east-west traffic, the lateral movement; it's not gonna pick any of that up. Route all inter-data center traffic through centralized firewalls. Again, that one is very old school. Centralized firewalls introduce latency and single points of failure. I had this happen in a previous life, when I started with the company after I left the military. They had all central firewalls and it was a nightmare. It was an absolute nightmare because everything went through them and you had to have HA pairs, and then you had issues with one and you couldn't diagnose the aspects. It was just painful. It was truly painful. Use out-of-band monitoring instead of inline inspection. Okay, so out-of-band monitoring is good, but it's not the best because it doesn't prevent any sort of attacks. If it had the ability to block attacks, then that would be important. The last one, which is the right answer, is apply encryption, which we'll talk about. It really isn't part of this question, but it is. Apply encryption with selective inline inspection where the risk is highest.
Okay, so if you encrypt the data, it's going to help; encrypting internal data is an extremely important part of keeping the bad guys and girls from understanding what's going on. Now it can be bad in the fact that if you don't have good packet decryption capabilities, you're just basically making yourself blind. But having encryption in place with specific inline inspection where your risk is highest would be your most valuable plan. So I would highly recommend that you think about it that way. So again, all of those are good, but some of them are better than others. But the best is applying encryption with selective inline inspection where your risk is highest. Next question: a security architect is defining trust boundaries within a zero trust aligned enterprise. Okay, so now you've got zero trust, and you're looking at how do you deploy something like this? Which practice is least appropriate when defining network trust zones? Okay, so we're talking about network trust zones within your organization. And this is dealing with zero trust. So A, treating internal networks as untrusted by default. B, enforcing authentication and authorization at zone boundaries. C, logging and monitoring traffic across trust boundaries. Or D, allowing unrestricted communication within a security zone. Okay, so now the big thing here is least appropriate. So when you're looking at questions, you want to understand which one is actually something negative compared to what you're used to having from a security protection standpoint. So treating internal networks as untrusted by default. Well, that's part of zero trust, is that you're supposed to treat everything as not trusted. That's the goal. If you didn't do this, this actually conflicts with the zero trust principles. Enforcing authentication and authorization at zone boundaries is what you want. That is an important part. So therefore, that is not appropriate in this actual question.
And then logging and monitoring traffic crossing trust boundaries. This is an important part, especially when you're dealing with any sort of activity going across the various trusts. You want to log and monitor any traffic because you're looking for any east-west movement. So again, those are the ones that are positive. Those are the ones that are actually more appropriate than least appropriate. The least appropriate is allowing unrestricted communication within a security zone, right? Unrestricted comms within a security zone assumes that you have implicit trust, which contradicts the zero trust principles. So again, the correct answer, which is least appropriate, is allowing unrestricted communication within a security zone. All right, next question. Which component is most effective at enforcing security policy for encrypted east-west traffic in a modern data center? Again, which component is most effective at enforcing security policy for encrypted east-west traffic in a modern data center? A, network-based IDS. B, traditional layer three firewalls. C, host-based firewall with identity aware rules. Or D, a passive network tap. Okay, so which is the most effective at enforcing security policy for encrypted east-west traffic in a modern data center? So the ones that are not correct: passive network taps. I love passive network taps. They work great, they're awesome. They're that bump in the line, but the thing is, they're allowing all traffic to go through and they're just kind of sniffing or smelling the traffic as it goes across. The problem is, they don't really help you with enforcement. So if you're looking to enforce your security policy, the passive network tap is not the best choice. Your network-based IDS systems. Okay, so a network-based IDS cannot inspect encrypted traffic without decrypting it. So again, it's not the most effective for enforcing your policy.
So if you have some level of encryption, it's not going to really help you much at all. Traditional layer three firewalls. These lack application identity awareness. So therefore, they would fail in the fact they're just allowing traffic. They're the standard rules that you would have in place for your different types of rules. I mean, your any-any rules versus your one-to-any, all those types of activities within your firewalls; they will not have the ability to help you. So the correct answer is host-based firewalls with identity aware rules. Now, host-based firewalls can enforce policies after decryption, and they incorporate identity and context into your overall plan. So the most effective is your host-based firewall with identity aware rules. Okay, last question. An enterprise plans to collapse multiple security layers to reduce cost by relying heavily on a single, highly capable security appliance. From a secure network architecture perspective, what is the primary risk of this approach? So again, they're collapsing multiple security layers. So they had originally had a lot of security layers in place, which is good, and to reduce cost they're relying heavily on a single, highly capable security appliance. So you're going from many different types of appliances to one. From a secure network architecture perspective, what is the primary risk of this approach? A, increased administrative overhead. B, creation of a single point of failure. C, reduced encryption strength. Or D, inability to monitor network traffic. Okay, so the primary risk, primary, in air quotes. Let's go with the ones that are not correct. Inability to monitor network traffic. So monitoring depends on configuration, not the overall architecture. So that's not really the best architecture answer for this, and it's not the primary risk behind it. It's just: is it correctly configured or not?
Reduced encryption strength: that really has nothing to do with this overall plan. So it's really not even a risk around that. The encryption is going to be what the encryption is going to be. And then A, increased administrative overhead. That one is not a primary risk as well, because it will create overhead. There's no question about that, potentially. Now, I say it will, and it will reduce it. It may end up creating more administrative overhead because now you're in one system and there might be a lot more bells and whistles you have to configure. In the old system that they had, obviously with multiple layers, that could have had a lot of overhead as well. But again, it's kind of like meh, it's not the primary risk in this situation. The primary risk in this situation is the creation of a single point of failure. So again, you have your security controls in place. If this device goes down, it could lead to catastrophic failure. So I mean, not knowing the full architecture and how it's all planned, there are pros and cons to both sides of this, but I would highly recommend that they would do a single point of failure type of situation, especially when you're reducing your security. You think you're saving money, but in reality, you're actually causing yourself a lot more pain. Or if you're the guy that's going to be leaving the organization, you know, you're the CISO and you're saying, hey, you know what? I'm going to do this to save some money so I look good and get a good bonus, and then I'll let Bob, who's my replacement, figure it out. Well, yeah, that's kicking the can down the road a little ways, and it's causing Bob to have some more challenges. But that's okay for Bob. And it's okay for you, right? All right, that's all I've got for you today. Head on over to CISSP Cyber Training. Check it out. There's a lot of great stuff for you.
And hopefully, in this podcast, you guys don't catch any of my edits, because it's been an early morning and I was really tired. So hopefully, there aren't any goofy edits in this as this thing goes out. All right, thanks again. Have a great day, and we'll talk to you all and catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube; just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey.
SPEAKER_00:
Thanks again for listening.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!