Security Baselines and Anomalies – SSCP Exam Guide
Why Security Baselines and Anomalies Matter
Security baselines and anomaly detection are foundational concepts in risk identification, monitoring, and analysis. They provide organizations with a reference point for what normal looks like in their environment, enabling them to detect deviations that could signal security incidents, misconfigurations, or policy violations. If you cannot define what is normal, you cannot identify what is abnormal — and that is why baselines are critical to any security program.
What Are Security Baselines?
A security baseline is a defined set of minimum security configurations and standards that a system, network, or application must meet. It serves as a benchmark against which the current state of a system can be compared. Security baselines can include:
- Configuration baselines: Standard settings for operating systems, applications, firewalls, routers, and other devices (e.g., CIS Benchmarks, DISA STIGs).
- Performance baselines: Normal operating metrics such as CPU usage, memory utilization, network throughput, and login frequency.
- Traffic baselines: Expected patterns of network traffic, including volume, protocols used, and typical source/destination pairs.
- Behavioral baselines: Typical user activity patterns, such as login times, accessed resources, and data transfer volumes.
Baselines are established through a process of monitoring, measuring, and documenting the normal state of systems and networks over a representative period of time.
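As an added example (not part of the exam guide), the following Python script shows what comparing a host against a configuration baseline looks like in practice. The baseline entries, setting names and the drifted host snapshot are all constructed for illustration and are not taken from any real benchmark such as CIS or a STIG.

```python
"""Configuration-baseline drift check (added example, not from the exam guide).

A configuration baseline is the minimum set of settings a host must meet.
This script compares a host's current settings against that baseline and
reports every deviation, which is the "compare current state to the
benchmark" idea the guide describes. All names and values are constructed.
"""
from dataclasses import dataclass

# Constructed baseline: minimum required settings (hypothetical names/values).
BASELINE = {
    "ssh.permit_root_login": "no",
    "ssh.password_authentication": "no",
    "password.min_length": 14,
    "audit.logging_enabled": True,
    "firewall.default_inbound": "deny",
}

# Settings where a value at least as strict as the baseline is acceptable
# (numeric minimums); every other setting must match exactly.
NUMERIC_MINIMUMS = {"password.min_length"}


@dataclass(frozen=True)
class Deviation:
    setting: str
    expected: object
    actual: object  # None when the setting is missing from the host entirely


def check_against_baseline(current: dict, baseline: dict = BASELINE) -> list:
    """Return every baseline setting the current configuration fails to meet."""
    deviations = []
    for setting, expected in baseline.items():
        if setting not in current:
            # A missing setting is a deviation: the control may not be applied.
            deviations.append(Deviation(setting, expected, None))
            continue
        actual = current[setting]
        if setting in NUMERIC_MINIMUMS:
            compliant = isinstance(actual, (int, float)) and actual >= expected
        else:
            compliant = actual == expected
        if not compliant:
            deviations.append(Deviation(setting, expected, actual))
    return deviations


def compliance_ratio(current: dict, baseline: dict = BASELINE) -> float:
    """Fraction of baseline settings the host currently meets."""
    met = len(baseline) - len(check_against_baseline(current, baseline))
    return met / len(baseline)


# Constructed snapshot of a host that has drifted from the baseline.
DRIFTED_HOST = {
    "ssh.permit_root_login": "yes",   # unauthorized change
    "ssh.password_authentication": "no",
    "password.min_length": 16,        # stricter than required: compliant
    "firewall.default_inbound": "deny",
    # audit.logging_enabled is absent from this host
}

if __name__ == "__main__":
    for d in check_against_baseline(DRIFTED_HOST):
        print(f"{d.setting}: expected {d.expected!r}, found {d.actual!r}")
    print(f"compliance: {compliance_ratio(DRIFTED_HOST):.0%}")
```

Run against the drifted snapshot, the check reports two deviations (root login re-enabled, audit logging missing) and a 60% compliance ratio; the stricter password length is not reported because it exceeds the minimum rather than falling below it. Each reported deviation is exactly the kind of unauthorized change the guide says should be authorized and documented through change management.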
What Are Anomalies?
An anomaly is any deviation from the established baseline. Anomalies may indicate:
- A security breach or attack in progress
- Malware activity
- Insider threats
- System misconfiguration or failure
- Policy violations
- Unauthorized changes to systems
Not all anomalies are malicious — some may be caused by legitimate changes, software updates, or seasonal variations in usage. The key is to investigate anomalies to determine their root cause.
How Security Baselines and Anomaly Detection Work
1. Establish the Baseline: Collect data over a sufficient period to capture normal operations. This includes system configurations, network traffic patterns, user behaviors, and performance metrics. Network monitors, SIEM systems, and configuration management tools are used to gather this data.
2. Document and Formalize: Record the baseline in organizational policies and standards. This becomes the reference point for future comparisons.
3. Continuous Monitoring: Use automated tools (IDS/IPS, SIEM, endpoint detection and response solutions, log management tools) to continuously compare current activity against the established baseline.
4. Detect Anomalies: When current activity deviates from the baseline beyond acceptable thresholds, an alert is generated. Anomaly-based detection systems use statistical models, machine learning, or rule-based thresholds to flag deviations.
5. Investigate and Respond: Security analysts review anomalies, correlate them with other data sources, and determine if the deviation represents a true security event or a benign change. If it is a legitimate new normal, the baseline may need to be updated.
6. Update Baselines: Baselines are not static. They must be periodically reviewed and updated to reflect changes in the environment, such as new systems, applications, or business processes.
Types of Detection Related to Baselines
- Anomaly-based detection (behavior-based): Compares current activity to a known baseline. Good at detecting previously unknown (zero-day) attacks but prone to false positives because legitimate changes can appear as anomalies.
- Signature-based detection: Compares activity to known attack patterns. Very accurate for known threats but cannot detect novel attacks. Has low false positive rates but higher false negative rates for new attacks.
- Heuristic-based detection: Uses rules and algorithms to detect suspicious behavior that may not match known signatures.
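The following Python script is an added example (not from the exam guide) that ties together the six-step process above and the anomaly-versus-signature comparison in this section. It builds a behavioral baseline from ten days of constructed per-user outbound volume, scores a new day against it using a clipping level expressed in standard deviations, and runs a signature check beside it. The users, volumes, and the "known-bad destination" (a TEST-NET-2 placeholder address) are all constructed; none of them is a real indicator.

```python
"""Behavioral baseline, clipping level, and anomaly vs. signature detection.

Added example, not from the exam guide. Ten days of per-user outbound volume
(MB/day) form the baseline period; one new day of observations is scored
against it. All records and the known-bad destination are constructed.
"""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    user: str
    mb_out: float     # outbound volume for the day
    destination: str  # most-contacted external host that day


# Constructed baseline period: per-user daily outbound MB over ten days.
BASELINE_PERIOD = {
    "alice": [100, 110, 95, 105, 100, 98, 102, 104, 96, 100],
    "bob":   [50, 55, 48, 52, 50, 51, 49, 53, 50, 52],
    "carol": [80, 82, 78, 81, 79, 80, 80, 82, 78, 80],
}

# Constructed signature list: a placeholder known-bad destination.
KNOWN_BAD_DESTINATIONS = {"198.51.100.7"}

# Constructed observations for the day under review.
TODAY = [
    Observation("alice", 112, "203.0.113.10"),  # modest, legitimate increase
    Observation("bob",   400, "203.0.113.22"),  # eight-fold spike, no known signature
    Observation("carol",  81, "198.51.100.7"),  # normal volume, known-bad destination
]


def build_baseline(history):
    """Step 1: establish the baseline as (mean, sample stdev) per user."""
    return {u: (statistics.mean(v), statistics.stdev(v)) for u, v in history.items()}


def anomaly_detect(observations, baseline, clipping_level):
    """Steps 3-4: alert on users whose deviation exceeds the clipping level.

    clipping_level is the acceptable deviation in standard deviations; any
    observation beyond it raises an alert. A user absent from the baseline is
    also alerted on, because there is no "normal" to compare against.
    """
    alerts = []
    for obs in observations:
        if obs.user not in baseline:
            alerts.append(obs.user)
            continue
        mean, sd = baseline[obs.user]
        if sd == 0:
            # Flat history: any change at all counts as a deviation.
            z = float("inf") if obs.mb_out != mean else 0.0
        else:
            z = (obs.mb_out - mean) / sd
        if abs(z) > clipping_level:
            alerts.append(obs.user)
    return alerts


def signature_detect(observations, signatures=KNOWN_BAD_DESTINATIONS):
    """Signature-based detection: match known-bad patterns only."""
    return [o.user for o in observations if o.destination in signatures]


if __name__ == "__main__":
    base = build_baseline(BASELINE_PERIOD)
    for k in (2.0, 3.0):
        print(f"clipping level {k}: anomaly alerts = {anomaly_detect(TODAY, base, k)}")
    print(f"signature alerts = {signature_detect(TODAY)}")
```

With a clipping level of 2 standard deviations the anomaly detector alerts on both alice and bob; alice's 12% increase is a false positive of exactly the kind the guide warns about, and raising the clipping level to 3 removes it while still catching bob's spike. The signature check alerts only on carol, whose volume looks entirely normal, and says nothing about bob, for whom no signature exists. That is the complementary relationship the section describes: anomaly-based detection catches the unknown at the cost of false positives, signature-based detection is precise for known threats and blind to new ones.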
Key Concepts to Remember
- A baseline must be established before anomaly detection can be effective.
- Anomaly-based systems tend to generate more false positives than signature-based systems.
- Clipping levels (thresholds) define how much deviation from the baseline is acceptable before an alert is triggered.
- Baselines help with change management — any change that deviates from the baseline should be authorized and documented.
- Security baselines support compliance by ensuring systems meet minimum security requirements.
- Baselines are used in vulnerability assessments to identify systems that do not meet the required security posture.
Exam Tips: Answering Questions on Security Baselines and Anomalies
1. Know the difference between anomaly-based and signature-based detection: If a question asks about detecting unknown or new attacks, the answer is likely anomaly-based detection. If it asks about detecting known threats with high accuracy, think signature-based detection.
2. False positives vs. false negatives: Anomaly-based systems are associated with higher false positive rates. Signature-based systems are associated with higher false negative rates for new threats. Exam questions often test this distinction.
3. Baselines must be established first: If a question describes a scenario where an organization wants to detect unusual activity, the first step is to establish a baseline of normal activity.
4. Baselines require regular updates: If a question mentions environmental changes (new applications, infrastructure changes), recognize that baselines need to be re-evaluated and updated.
5. Clipping levels and thresholds: Understand that clipping levels define the point at which a deviation triggers an alert or action. Questions may describe a scenario where too many false alarms occur — the solution often involves adjusting the threshold or clipping level.
6. Think holistically: Baselines apply to configurations, performance, network traffic, and user behavior. Questions may reference any of these areas, so do not assume baselines only apply to one domain.
7. Configuration baselines and hardening: Questions about ensuring systems meet minimum security standards are referencing security baselines. Think of frameworks like CIS Benchmarks or organizational security policies.
8. Scenario-based questions: When presented with a scenario describing unusual network traffic, unexpected login times, or sudden spikes in resource usage, recognize these as anomalies detected by comparing current activity to an established baseline.
9. Correlation with other controls: Baselines work alongside SIEM systems, IDS/IPS, log management, and change management processes. Understand how these controls complement each other.
10. Eliminate extreme answers: On the exam, if one answer suggests that a single anomaly always indicates an attack, it is likely incorrect. Anomalies require investigation — they do not always mean a breach has occurred.