To create a collection of use cases for detecting known threats and include them in a centralized library for use across multiple companies with different vendors, Sigma rules are the best option. Here's why:
* Vendor-Agnostic Format: Sigma rules are a generic and open standard for writing SIEM (Security Information and Event Management) rules. They can be translated to specific query languages of different SIEM systems, making them highly versatile and applicable across various platforms.
* Centralized Rule Management: By using Sigma rules, the cybersecurity architect can create a centralized library of detection rules that can be easily shared and implemented across different detection and monitoring systems used by the acquired companies. This ensures consistency in threat detection capabilities.
* Ease of Use and Flexibility: Sigma provides a structured and straightforward format for defining detection logic. It allows for the easy creation, modification, and sharing of rules, facilitating collaboration and standardization across the organization.

When users disconnect from Remote Desktop Protocol (RDP) sessions without properly logging off, their sessions remain active on the server. If their passwords are changed due to the 90-day rotation policy, these lingering sessions may attempt to reauthenticate using outdated credentials, leading to multiple failed login attempts and potential account lockouts.
Automating the logout of inactive sessions ensures that disconnected or idle sessions are terminated after a specified period, preventing stale sessions from causing authentication issues. This approach aligns with best practices for session management and helps maintain security compliance.
Reference: CompTIA SecurityX CAS-005 Exam Objectives, Domain 3.1: " Given a scenario, troubleshoot common issues with identity and access management (IAM) components in an enterprise environment. "

The hijacked administrator account was used across multiple ASNs (indicating different network locations) in a short time, despite MFA and SSO. This suggests a stolen session or token misuse. Let's analyze:
A). Token theft detection with lockouts:Useful for detecting stolen SSO tokens, but it's reactive and may not prevent initial misuse across networks.
B). Context-based authentication:This adds real-time checks (e.g., geolocation, IP changes) to verify login attempts. Given the rapid ASN changes, this proactively mitigates the issue by challenging suspicious logins, aligning with CAS-005's focus on adaptive security.
C). Decentralize accounts:This removes SSO, increasing complexity and weakening MFA enforcement, which isn't practical or secure.
Reference:CompTIA SecurityX (CAS-005) objectives, Domain 2: Security Operations, emphasizing context- aware authentication for SSO environments.

The best option is Mandatory Access Control (MAC). In MAC, access decisions are centrally controlled by the system or administrators, not by individual users. This ensures that healthcare staff who enter patient information cannot grant access to others, thereby preventing accidental or malicious disclosure. MAC enforces strict policies based on data sensitivity and user clearance, which aligns with compliance requirements like HIPAA.
Option A (rule-based) defines access through specific rules but is not as rigidly enforced as MAC. Option B (attribute-based) is flexible but could still allow dynamic grants of access. Option D (discretionary) explicitly allows users to assign access rights, which is exactly what must be avoided in this scenario.
CAS-005 stresses using centralized, non-discretionary controls when protecting sensitive medical data, making MAC the correct choice for hospitals.