Skip to content
Study CCNP

5.4.a Threat defense

3 min read ENCOR 350-401 v1.2

Aligned to Cisco's 350-401 ENCOR v1.2 exam topics.

On this page

Threat defense is the set of controls and operations that reduce the chance a threat becomes a business-impacting incident. It is not one box. It is prevention, detection, containment, and response working together.

The core idea

A good threat defense design does four things:

  1. Reduce exposure by removing unnecessary access.
  2. Detect bad behavior using logs, telemetry, signatures, analytics, and baselines.
  3. Contain damage with segmentation and least privilege.
  4. Support response with clear evidence and workflows.

Where the data comes from

Useful security telemetry often includes:

  • Firewall events.
  • IDS/IPS events.
  • NetFlow or flow records.
  • DNS and web logs.
  • Endpoint events.
  • Authentication logs.
  • Switch/router syslog.
  • Cloud and SaaS audit logs.

ENCOR does not expect you to build a full SOC. It does expect you to understand why network telemetry, identity, and enforcement points matter.

Design pattern

Prevent: ACLs, NGFW policy, segmentation, secure management, endpoint control
Detect: IPS, flow telemetry, endpoint alerts, syslog, authentication anomalies
Contain: TrustSec/SGACL, VLAN/VRF segmentation, firewall zones, quarantine VLANs
Respond: ticket, block rule, isolate endpoint, rotate credential, preserve evidence

Example: containing a suspected compromised host

A normal endpoint accesses web and internal apps. It suddenly scans many servers and attempts SSH. A layered design can respond like this:

  1. Flow telemetry detects unusual east-west scanning.
  2. Endpoint security flags suspicious behavior.
  3. Identity system maps the IP/MAC/user/device.
  4. Network access control changes the endpoint authorization.
  5. The switch moves the endpoint to a restricted VLAN or assigns a quarantine group.
  6. Firewall/SGACL policy limits access to remediation systems only.

The important exam skill is seeing how the pieces work together.

Helpful commands and checks

On network devices, threat defense often starts with visibility:

show logging
show ip access-lists
show policy-map control-plane
show flow monitor
show authentication sessions
show cts role-based permissions

Exact commands vary by feature and platform, but the pattern is the same: identify what happened, where it happened, who/what was involved, and what policy applied.

Lab

Goal: Simulate threat containment with basic tools.

Tasks:

  1. Create a users VLAN and servers VLAN.
  2. Permit only required application traffic using an ACL.
  3. Generate allowed traffic and verify counters.
  4. Generate disallowed scans or SSH attempts in a lab.
  5. Watch ACL/log counters.
  6. Move the test host to a quarantine VLAN or apply a stricter ACL.
  7. Document the before/after reachability.

Success criteria:

  • Normal app traffic still works.
  • Suspicious traffic is blocked and visible.
  • The containment step reduces access without shutting down the whole network.

Exam traps

  • Threat defense is not only prevention. Detection and response matter.
  • Logs are only useful if they have identity, time, and context.
  • Segmentation limits blast radius after prevention fails.
  • A firewall rule without a response process is not a complete threat defense design.