Enterprise Security Architecture and Framework Design Questions
Designing comprehensive security architecture and enterprise scale security frameworks for large organizations. Topics include layered security and defense in depth applied at enterprise scale, zero trust and microsegmentation strategies, identity and access management at scale, network segmentation and secure network architecture, encryption strategies for data at rest and in transit, secrets and key management, audit logging and telemetry placement, incident response integration, backup and disaster recovery planning, and platform and infrastructure hardening. Candidates should demonstrate how to align security architecture with business goals, translate an architectural vision into a prioritized roadmap and governance model, reason about scalability and interoperability, justify trade offs between security and developer velocity, and design automation and orchestration to enable secure operations at scale.
HardSystem Design
57 practiced
Design a SOAR-driven incident orchestration system that targets an MTTD (Mean Time To Detect) of 5 minutes and MTTR (Mean Time To Remediate) of 30 minutes for medium-severity incidents. Explain playbook architecture, telemetry thresholds, escalation paths, human-in-the-loop checkpoints, rollbacks and remediation safety measures, and the metrics and dashboards you would use to validate targets.
Sample Answer
**Clarify scope & targets**Design SOAR for medium-severity incidents with MTTD ≤ 5 min and MTTR ≤ 30 min. Assume enterprise logs (SIEM), EDR, cloud telemetry, ticketing, and identity systems integrated.**High-level architecture**- SIEM/streaming ingestion -> detection rules / ML anomaly engine -> SOAR orchestration -> tooling integrations (EDR, NGFW, CASB, IAM, CMDB, ITSM) -> dashboards/alerting.- Playbooks are modular, parameterized, role-based, and stored in version control with testing harness.**Playbook architecture**- Layers: detection -> validation -> enrichment -> automated remediation -> human-in-loop -> post-action validation -> close & lessons.- Use idempotent, reversible actions and feature flags. Each step has timeout, retries, and circuit-breaker.**Telemetry & thresholds**- Deterministic rules: e.g., 3 failed logins + new geo within 2 min -> trigger. Thresholds tuned per asset risk score from CMDB.- Anomaly scoring: score ≥ 70 triggers automated enrichment and pre-approval remediation; 70–90 requires human approval for impactful actions.- Health checks: ingestion lag < 60s; alert-to-playbook < 2 min.**Escalation paths & human checkpoints**- Auto-enrichment with context (user, asset, business impact). If remediation risk = low -> automated. If medium (affects business functions) -> notify on-call secops via push + ephemeral approval in SOAR within 5 min. High-confidence blocking actions require Tier-2 approval.- Escalation matrix integrated with on-call schedules and Slack/MS Teams.**Rollback & safety**- Actions are reversible: firewall rules tagged for revert, EDR rollback snapshots, IAM changes applied via temporary access tokens with TTL.- Pre-checks: dependency map from CMDB, change simulation (dry-run) for critical systems, and consensus requirement for cross-domain impacts.- Rate-limit and throttle actions; implement kill-switch to stop playbooks.**Metrics & dashboards**- Real-time dashboard: MTTD (median & P95), MTTR, playbook success rate, human-approval latency, false positive rate, detection-to-playbook time.- Drilldowns: per playbook, asset class, team, time-of-day.- SLO alerts: if median MTTD > 5m or MTTR > 30m for rolling 7d -> run root-cause playbook.**Validation & continuous improvement**- Run chaos exercises and simulated incidents weekly to validate thresholds and rollback paths. Use post-incident reviews and automated tuning pipeline to update detection thresholds and playbook remediation confidence.
MediumSystem Design
55 practiced
Design the enterprise logging architecture to satisfy both security detection needs and regulatory compliance such as PCI or SOX. Include which log sources to collect, collection agents, centralized storage and indexing, retention tiers, tamper-evident storage, alerting thresholds, and the chain-of-custody practices to support legal investigations.
Sample Answer
**Clarify goals & constraints**- Meet PCI DSS (retain logs 1 year, 3 months online access) and SOX records policy (commonly 7 years for financial evidence). Balance security detection (near real-time) with regulatory retention and legal admissibility.**High-level architecture**- Agents → Secure collectors → Centralized SIEM/Index → Retention tiers (hot/warm/cold/immutable) → Forensic export & legal hold**Log sources to collect**- Network: firewalls, routers, NGFW logs, IDS/IPS, proxy, VPN- Hosts: Windows Event Logs, Linux syslog, EDR telemetry, osquery- Identity: AD/Okta/Azure AD, IAM, MFA logs, privileged access (PAM)- Applications: payment applications (PAN redaction), web/app servers, DB audit logs- Cloud: CloudTrail, VPC Flow Logs, CloudWatch, GCP/Azure equivalents- Services: SIEM admin, change management, build/deploy pipelines, backup logs**Collection agents & transport**- Agents: Winlogbeat/Wazuh/OSQuery/NXLog/Fluentd/Beats for host-level; cloud-native collectors (CloudTrail, Kinesis Firehose)- Transport: TLS-mutual auth to collectors, syslog over TLS, Kafka for buffering- Collector layer: hardened aggregator appliances (stateless), network TAP/span for immutable capture of network devices**Centralized storage & indexing**- SIEM (Splunk/QRadar/Elastic Security/Chronicle) with indexed hot store for 90 days- Metadata index + cold object store (S3 with Object Lock/Governance) for long-term- Use time-series index for detection and compressed object store for compliance**Retention tiers & immutability**- Hot: 0–90 days — fast queries, active detection- Warm: 90–365 days — slower queries- Cold/Archive: 1–7+ years — immutable WORM (S3 Object Lock in Compliance mode, on-prem WORM appliances)- PCI: ensure 1 year retention with 3 months quickly accessible- SOX: preserve relevant financial logs 7 years (apply legal hold)**Tamper-evidence & integrity**- Append-only ingest pipeline; server-side immutability (WORM); write-through only buckets- Cryptographic hashing of batches on ingest; store hashes in separate ledger (blockchain-style or HSM-backed key)- Periodic integrity checks and signed manifests; alert on hash mismatches**Alerting thresholds & detection**- Baseline normal behavior per asset; use statistical thresholds + risk scoring- Examples: - >50 failed logins across org in 5m → medium - Privileged account creation outside change window → high - Access to PAN outside PCI enclave → critical- Use ML/UEBA to reduce false positives; tune thresholds by false-positive tracking and SOC feedback**Chain-of-custody & legal support**- Forensic pipeline: automated export with metadata, signed hash, timestamp, and access log- Separation of duties: only authorized forensic roles can initiate legal hold/export- Audit trail: immutable access logs for SIEM, collectors, and storage; retain admin actions- Evidence package: signed manifest, original logs (WORM), hash chain, analyst notes, export logs- Preservation: implement legal hold that removes normal deletion/retention policies- Documentation: SOPs for collection, imaging, analyst handling, and court-admissibility checklist**Operational controls & governance**- RBAC, MFA, dedicated audit accounts, quarterly review of retention and alerts, tabletop exercises- Regular testing: integrity verification, restore-from-archive drills, legal-hold execution testsThis design balances real-time detection needs with compliance retention and provides tamper-evidence plus a defensible chain-of-custody for investigations.
HardSystem Design
59 practiced
Design an enterprise telemetry and detection architecture focused on detecting lateral movement and advanced persistent threats (APTs). Describe telemetry collection (endpoint, network, identity), enrichment and correlation, detection analytics (rules, baselines, ML), storage architecture to support investigations, and a tuning approach that reduces false positives while maintaining high recall for sophisticated attacks.
Sample Answer
**Situation & goal (brief)** I’d design an enterprise telemetry and detection architecture to reliably surface lateral movement and APT behavior while keeping analyst workload manageable and minimizing false positives.**Telemetry collection (endpoint, network, identity)** - Endpoint: EDR agents collecting process trees, file writes, autoruns, SMB/WinRM/RPC activity, credential theft indicators (LSASS dumps, token use), and syscall-level events where possible. - Network: TAP/SPAN + inline IDS for flow, TLS metadata (JA3/JA3S), DNS logs, NetFlow/PCAP sampling, SMB/LSARPC auditing, and network segmentation telemetry. - Identity: Authentication logs (AD, Azure AD), conditional access events, privileged session recordings, service account usage, and risky authentication signals (improbable travel, impossible travel, MFA bypass).**Enrichment & correlation** - Normalize to ECS/CEF. Enrich with asset criticality, vulnerability context (CMDB, vuln scanner), user risk scores, cloud metadata, threat intel (IOCs, TTPs, ATT&CK mappings), and process/hash reputation. - Use message bus (Kafka) and stream processors to attach context in near-real-time.**Detection analytics** - Rules: ATT&CK-mapped deterministic rules (pass-the-hash, Lateral SMB exec). - Baselines: Entity-behavior baselines per user/host for volume, access patterns, and process ancestry. Alert on deviations (new lateral protocol to critical subnet). - ML: Unsupervised (clustering/autoencoders) for novel lateral chains and supervised models for scored risks (graph-based anomaly detection to identify unusual hop sequences). Combine scores in risk engine and model explainability hooks.**Storage & investigations** - Hot store: Indexed SIEM (Elasticsearch/Databricks Delta + hot indices) for 30–90 days; warm/cold object store (S3, Glacier) for 1–7 years. - Graph store (Neo4j or Neptune) for entity relationships and attack path reconstruction. - Packet store for targeted pcaps. Immutable, access-audited archives for forensics.**Tuning & feedback loop** - Label alerts with analyst verdicts; use feedback to retrain models and prune rule thresholds. - ROC-driven thresholding to maintain high recall for high-risk detections while tuning precision for noisy signals. - Contextual suppression: suppress low-risk alerts on sandboxed/test hosts, whitelist approved automation, and apply adaptive thresholds by asset risk. - Continuous red-team/ purple-team exercises to validate detection coverage and calibrate baselines.**Trade-offs & metrics** - Trade compute/cost vs. detection fidelity: sample PCAPs, prioritize telemetry from critical assets. Key metrics: mean time to detect, false-positive rate, recall on adversary emulations, analyst time per alert.This architecture emphasizes layered telemetry, contextual enrichment, combined rule/behavior/ML detection, graph-backed investigations, and an analyst-driven tuning loop to catch sophisticated lateral movement with manageable noise.
MediumTechnical
76 practiced
Design an enterprise identity architecture to support 200k users across multiple business units and external partners. Include SSO using SAML/OIDC, SCIM provisioning, lifecycle automation, MFA strategy, role and group design, delegated administration, and auditability. Explain how you would enforce least privilege and scale governance.
Sample Answer
**Clarify requirements**- 200k users, multiple BUs + external partners, cloud + on‑prem apps, regulatory audits, high availability, 99.99% SSO uptime, integration with HR system as source of truth.**High-level architecture**- Central Identity Provider (IdP) cluster (primary/secondary across AZs) supporting SAML 2.0 & OIDC +Adaptive Auth.- SCIM gateway for provisioning/deprovisioning to SPs and partner directories.- Identity Governance & Administration (IGA) for roles, access reviews, entitlement catalog, and delegated admin.- Audit log pipeline (immutable store → SIEM) and analytics.**SSO / Protocols**- Expose SAML for legacy SPs; OIDC for modern apps. Use standard claims mappings and signed/encrypted assertions. Centralized client registry with per-client scopes, token lifetimes, and refresh policies.**SCIM provisioning & lifecycle**- HRMS as authoritative source triggers SCIM create/update/terminate flows via Message Bus (events → provisioning service).- Staged provisioning: create account stub for partners, full activation after verification. Automated deprovision with access revocation and entitlement recertification.**MFA strategy**- Risk-based MFA: device posture, geolocation, user risk score. Phases: hardware tokens for privileged ops, TOTP/Push + phishing-resistant WebAuthn for workforce, FIDO2 for partners where feasible.**Roles, groups & least privilege**- Role-based access taxonomy: Job Roles (broad), Functional Roles (narrow), Entitlements (fine-grained). Implement role-to-entitlement mappings in IGA; enforce least privilege via just-in-time (JIT) elevation and time-bound entitlements.**Delegated administration**- Scoped admin roles in IGA/IdP with OU/BU constraints, approval workflows, and break-glass escalation requiring multi-party approval and MFA.**Auditability & monitoring**- Centralized immutable logs (AuthN/AuthZ/SCIM/IGA) forwarded to SIEM, with alerting for anomalous provisioning, privilege escalations, and failed MFA spikes. Retain per-regulation.**Governance & scale**- Automated certification campaigns, risk-based access reviews, entitlement lifecycle policies, KPI dashboards. Use policy-as-code for consistency and CI/CD for identity config. Quarterly policy reviews and annual attestation.This architecture enforces least privilege through authoritative source of truth, role-to-entitlement mapping, JIT elevation, automated deprovisioning, and continuous certification — all observable via centralized auditing and SIEM.
HardTechnical
117 practiced
Draft a migration strategy for an enterprise to achieve cryptographic agility and migrate from RSA-2048 to a post-quantum hybrid scheme over five years. Include inventorying crypto usage, compatibility testing approaches, rollout sequencing, interoperability with partners, key and certificate management changes, fallback strategies, and plans for validating cryptographic transitions.
Sample Answer
**Overview & goals**As Security Architect I’d deliver a 5‑year phased migration from RSA‑2048 to a PQC+classical hybrid (e.g., X25519 + Kyber/CRYSTALS) achieving cryptographic agility, minimal service disruption, and compliance.**Year 0 — Discovery & risk baseline**- Inventory all crypto usage: TLS endpoints, code libraries, HSMs, VPNs, S/MIME, code signing, databases, tokens, devices, partner integrations. Use automated scanners (network, code), PKI logs, asset CMDB.- Classify by risk/impact, data sensitivity, and lifespan of assets.**Year 1 — Lab & compatibility testing**- Stand up test PKI and HSM lab with hybrid key support. Test vectors: handshake timing, session resumption, certificate chains, signature verification.- Compatibility approaches: client‑side canary builds, simulated handshake matrices (server/client/proxy versions), fuzz tests.- Vendor engagement: collect firmware/stack timelines; certify vendor PQ support.**Years 2–3 — Pilot & staged rollout**- Pilot low‑risk services (internal APIs, noncritical TLS) with dual‑certificates supporting RSA and hybrid keys. Use TLS SNI routing to route pilot traffic.- Sequence: internal tooling → internal services → customer‑facing web → IAM/OAuth → code signing & firmware.- Update SDKs and CI/CD pipelines to accept hybrid keys; instrument telemetry for failures.**Interoperability with partners**- Publish migration roadmap, supported cipher suites, and test endpoints. Offer partner sandbox and mutual test harness. Use dual‑stack negotiation (RSA + hybrid) during transition.**Key and certificate management**- PKI changes: support multi‑algorithm certificates, new templates, CA key transitions, cross‑certification. HSMs: firmware/upgrades for PQ crypto or migrate to hybrid‑capable HSMs.- Rotation: set shorter lifetimes during transition; automate provisioning via ACME/established enrollment.**Fallback & contingency**- Maintain RSA trust path for legacy-only endpoints. Use feature flags and traffic splitting for rapid rollback. Create runbooks for certificate revocation, emergency reissuance, and incident playbooks if verification failures occur.**Validation & metrics**- Define success metrics: handshake success rate ≥ 99.9%, latency delta ≤ 5%, no critical compatibility regressions. Continuous validation: certificate transparency logs, automated cryptotests in CI, external pentests, and third‑party audits.**Governance**- Steering committee, quarterly milestones, compliance checkpoints, and update of policies/SDLC requirements to enforce crypto agility going forward.
Unlock Full Question Bank
Get access to hundreds of Enterprise Security Architecture and Framework Design interview questions and detailed answers.