Palo Alto Networks PSE Strata Exam Dumps & Practice Test Questions
Question 1
Within the realm of network threat detection—particularly systems designed to identify botnet activity—which of the following behaviors are commonly monitored and included in botnet activity reports? (Choose three)
A. Visiting domains that were created within the past month
B. Attempting to access URLs flagged as harmful
C. Initiating Peer-to-Peer (P2P) file sharing programs
D. Malware incidents detected in 60-minute timeframes
E. Interactions with external APIs initiated by applications
F. Traffic involving domains managed by dynamic DNS providers
Correct Answers:A, B, F
Explanation:
Botnets typically exhibit certain behaviors that can be detected through network traffic analysis and monitoring. Here’s a detailed look at the behaviors commonly associated with botnet activity:
A. Visiting domains that were created within the past month: This is a common indicator of botnet activity. Botnets often communicate with command-and-control (C2) servers that are frequently changing to avoid detection. Domains created recently (often within a short window of time, like the last month) are a strong indication of a botnet, as they may be used for malicious purposes like C2 infrastructure for the botnet.
B. Attempting to access URLs flagged as harmful: Botnets frequently access known malicious URLs for activities such as downloading malware, communicating with C2 servers, or exfiltrating data. Security systems track URLs that have been flagged as malicious or harmful, and any botnet-related traffic attempting to reach those URLs is closely monitored.
C. Initiating Peer-to-Peer (P2P) file sharing programs: While P2P file sharing can be used for legitimate purposes, many botnets use P2P networking protocols to communicate within the botnet, distribute commands, or share malicious files. However, this is not as universally applicable as other behaviors for botnet detection, which is why it is not included in the correct answers.
D. Malware incidents detected in 60-minute timeframes: This option is more related to the general detection of malware incidents, not specifically botnet activity. Botnets can cause malware incidents, but the exact time frame (like 60 minutes) is not a strong, consistent indicator of botnet behavior itself. Therefore, it’s less relevant here.
E. Interactions with external APIs initiated by applications: Botnets usually don’t rely on normal API calls initiated by legitimate applications; instead, they use C2 communication methods, DNS tunneling, or other covert techniques. While interactions with external APIs can occur, this is not typically the focus of botnet monitoring.
F. Traffic involving domains managed by dynamic DNS providers: Botnets often utilize domains managed by dynamic DNS providers because these domains allow them to constantly change IP addresses to avoid detection. These domains are used to make the botnet more resilient and difficult to track, making this behavior a classic indicator of botnet activity.
In summary, A, B, and F are commonly monitored behaviors in botnet activity detection, as they relate directly to the tactics and infrastructure commonly used by botnets to maintain control and evade detection.
Question 2
A security-focused client is looking for a comprehensive solution that can deeply analyze executable files such as PE (used in Windows systems) and ELF (common in Linux environments). They require real-time threat assessments and seamless collaboration with other security infrastructure to block threats proactively.
Which Palo Alto Networks capability provides in-depth file analysis, instant verdicts, and automated integration for threat prevention?
A. File Filtering Profile
B. Dynamic Binary Inspection
C. WildFire
D. DNS-Based Threat Defense
Correct Answer:C. WildFire
Explanation:
Palo Alto Networks offers WildFire as a key solution for providing in-depth file analysis and real-time threat assessments for executable files like PE (Portable Executable) used in Windows environments and ELF (Executable and Linkable Format) used in Linux systems. WildFire is a cloud-based malware analysis service that leverages advanced machine learning, dynamic analysis, and threat intelligence to identify and assess potential threats in files.
Here’s a breakdown of the options:
A. File Filtering Profile: This is a feature used in Palo Alto Networks firewalls to identify and control traffic based on file types. It helps manage file traffic, but it does not offer in-depth file analysis or threat prevention, especially for advanced threats like those found in executable files. This is not the best option for real-time, deep analysis of executables.
B. Dynamic Binary Inspection: While Palo Alto Networks has capabilities for inspecting executable files, Dynamic Binary Inspection is not the primary solution for automated threat prevention and verdicts. Instead, WildFire provides this in-depth analysis and integrates seamlessly with Palo Alto Networks' other security infrastructure.
C. WildFire: WildFire is Palo Alto Networks' flagship solution for deep file analysis and real-time threat assessment. It analyzes suspicious files, including PE and ELF, in a controlled environment to determine whether they are malicious or safe. The service generates instant verdicts, provides detailed reports, and can automatically block malicious files across all firewalls and endpoints that are connected to the system. It integrates with other Palo Alto Networks security products to provide proactive threat prevention.
D. DNS-Based Threat Defense: This solution focuses on blocking malicious DNS requests and preventing DNS-based attacks (like DNS tunneling and domain generation algorithm (DGA) attacks). It is not designed to analyze executable files such as PE or ELF files and is not suitable for the needs described in the question.
In conclusion, WildFire provides the comprehensive, in-depth analysis of executable files like PE and ELF, with real-time assessments and seamless integration into the broader security infrastructure, making it the best solution for proactive threat prevention.
Question 3
When using Cisco SD-WAN or similar monitoring tools to assess network device performance, how does the "Deviating Devices" dashboard function, and how are health baselines established?
A. Baseline health metrics are based on a 7-day performance average plus one standard deviation to set thresholds
B. This feature is accessible only with an active SD-WAN license
C. Administrators have the ability to define custom baseline metrics and manually input standard deviation values
D. Only physical firewall appliances can utilize this tab; cloud-based or virtual devices are not supported
Correct Answer:
A. Baseline health metrics are based on a 7-day performance average plus one standard deviation to set thresholds
Explanation:
In Cisco SD-WAN (and similar network monitoring tools), the "Deviating Devices" dashboard is designed to help administrators quickly identify devices that are not performing according to expected norms. The tool continuously monitors device performance and compares it to a baseline to detect any deviations. Here's a breakdown of how health baselines are established:
A. Baseline health metrics are based on a 7-day performance average plus one standard deviation to set thresholds: This is the correct method for establishing baselines. The system analyzes the network device's performance over a 7-day period, calculating the average performance for each metric. It then uses statistical analysis (specifically, standard deviation) to define thresholds. If a device’s performance deviates beyond a certain threshold (i.e., if it falls outside the range of the average performance plus or minus one standard deviation), it will be flagged as a "deviating" device. This ensures that the system automatically adapts to the usual performance patterns of devices and identifies outliers in real-time.
B. This feature is accessible only with an active SD-WAN license: While it's true that features like SD-WAN monitoring may require an active SD-WAN license, the question focuses more on the method of baseline establishment, not licensing. Therefore, this option is not relevant to the question’s focus.
C. Administrators have the ability to define custom baseline metrics and manually input standard deviation values: While Cisco SD-WAN and similar tools may allow for some custom configurations, the default method for establishing baselines does not require administrators to manually input standard deviation values. It is typically automated based on performance data over a set period (like 7 days), so this option is incorrect.
D. Only physical firewall appliances can utilize this tab; cloud-based or virtual devices are not supported: This option is incorrect because Cisco SD-WAN and its monitoring tools support both physical and virtual devices (including cloud-based devices). The "Deviating Devices" feature is not restricted to just physical firewall appliances.
In summary, the "Deviating Devices" dashboard utilizes performance averages over a 7-day period and applies standard deviation thresholds to detect outliers, making Option A the correct choice.
Question 4
To stay protected against newly emerging threats, including Command-and-Control (C2) channels used in cyberattacks, firewalls must frequently update their threat detection capabilities.
What is the ideal interval to configure threat signature updates on a Palo Alto Networks firewall to maximize protection?
A. Once every 60 minutes
B. Daily updates
C. Weekly schedule
D. Per-minute synchronization
Correct Answer:
A. Once every 60 minutes
Explanation:
In the context of maintaining effective cybersecurity, especially in preventing emerging threats such as Command-and-Control (C2) channels, it’s crucial that the firewall's threat detection capabilities remain up to date. Palo Alto Networks firewalls, like most modern security appliances, rely on frequent updates to their threat signatures and security intelligence to detect and mitigate new attack vectors.
Here’s why Option A is the correct choice:
A. Once every 60 minutes: This is the recommended interval for updating threat signatures on a Palo Alto Networks firewall. The reason for frequent updates (every 60 minutes) is that it ensures the firewall is quickly able to recognize and respond to new and evolving threats. Many new malware strains, including those used in C2 channels and other cyberattack mechanisms, emerge rapidly, and regular updates every hour allow the firewall to stay on top of emerging threats in real time.
B. Daily updates: While daily updates might seem sufficient, in practice, they are too infrequent to protect against fast-evolving threats. Attackers can use C2 channels and other methods that evolve within hours, making a daily update schedule a bit too slow to provide optimal protection. More frequent updates are needed for effective defense.
C. Weekly schedule: A weekly update schedule is far too infrequent to keep up with the constantly evolving landscape of cyber threats. This interval might miss critical updates and signatures that could be deployed within days or even hours of an attack.
D. Per-minute synchronization: While minute-by-minute updates would provide the most real-time protection, it is generally unnecessary and might lead to unnecessary resource consumption. The typical update interval of 60 minutes offers a practical balance between performance and security, ensuring that threat intelligence is regularly refreshed without overburdening the system with constant synchronization.
In conclusion, updating threat signatures once every 60 minutes provides the best protection for the firewall while balancing the system’s performance and responsiveness to new threats, making Option A the correct choice.
Question 5
In a Palo Alto Networks Active/Active High Availability configuration, which two actions are effective in reducing the risk of a split-brain condition, where both firewalls wrongly act as primary due to communication breakdown? (Select two)
A. Set up an auxiliary HA1 interface as a backup
B. Enable heartbeat backup to maintain redundancy
C. Assign a loopback IP and use it as the source for HA traffic
D. Add the management interface to an aggregated group
Correct Answers:
B. Enable heartbeat backup to maintain redundancy
C. Assign a loopback IP and use it as the source for HA traffic
Explanation:
In a Palo Alto Networks Active/Active High Availability (HA) configuration, preventing a split-brain condition is critical to maintaining the correct operation of the system. In this scenario, both firewalls might wrongly assume the primary role if there is a communication breakdown between them. To avoid this issue, certain configurations must be implemented to maintain redundancy and ensure reliable communication between the firewalls.
Here’s why B and C are the correct choices:
B. Enable heartbeat backup to maintain redundancy: Heartbeat communication between the firewalls is essential to determine which unit should assume the active role. In the event of a communication failure, enabling a heartbeat backup ensures that the firewalls have a secondary communication channel for transmitting status updates, reducing the risk of both firewalls mistakenly assuming the primary role. This setup helps in detecting failure early and mitigating the possibility of a split-brain situation.
C. Assign a loopback IP and use it as the source for HA traffic: A loopback IP address is a virtual address assigned to the firewall that does not rely on any physical interface. Using this loopback IP for HA traffic ensures that the HA communication is always available, even if there is a failure in physical interfaces. The loopback IP acts as a stable and reliable source for the HA traffic, which is crucial for preventing situations where both firewalls might think they are the active unit due to communication issues. It ensures that HA traffic is not impacted by physical link failures.
Now, let’s examine the incorrect options:
A. Set up an auxiliary HA1 interface as a backup: While it might seem logical to set up an auxiliary HA1 interface as a backup, this does not directly address the split-brain condition. The HA1 interface itself is the primary communication channel for synchronization between the firewalls, but the risk of a split-brain condition is better addressed by the backup heartbeat mechanism or using a loopback IP, which offer more effective redundancy.
D. Add the management interface to an aggregated group: Aggregating the management interface does not directly affect the HA heartbeat process or prevent a split-brain condition. The management interface is typically used for management traffic and does not play a crucial role in the HA synchronization or the decision-making process about which unit is primary or secondary. The focus should be on HA interfaces (HA1 and HA2) and reliable communication methods like the heartbeat backup and loopback IP.
In conclusion, the most effective actions to reduce the risk of a split-brain condition are enabling heartbeat backup and assigning a loopback IP for HA traffic, as these actions directly enhance redundancy and ensure reliable communication between the firewalls. Therefore, B and C are the correct choices.
Question 6:
With respect to WildFire, Palo Alto Networks' cloud-based threat analysis platform, which of the following scripting languages are analyzed during both static and dynamic threat assessment processes? (Pick three options)
A. JScript
B. PythonScript
C. PowerShell
D. VBScript
E. MonoScript
Correct Answers:
A. JScript
C. PowerShell
D. VBScript
Explanation:
Palo Alto Networks' WildFire is a cloud-based threat analysis platform that uses both static and dynamic techniques to detect and analyze potentially malicious files and activities. During these assessments, it specifically looks at scripts embedded in files, such as executables, PDFs, and Office documents, to determine if they exhibit malicious behavior.
Here’s why A, C, and D are the correct answers:
A. JScript: JScript is Microsoft's implementation of the ECMAScript standard and is commonly found in malicious files, especially in web-based threats. WildFire can analyze JScript for potentially harmful scripts that could exploit systems.
C. PowerShell: PowerShell is a powerful scripting language used extensively for automation tasks in Windows environments. Unfortunately, it's also commonly exploited in cyberattacks, and WildFire examines PowerShell scripts for malicious behavior, including malware delivery, lateral movement, and command execution.
D. VBScript: VBScript, another Microsoft scripting language, is used in various types of malicious software and attacks, particularly in legacy systems and malware propagation. WildFire also evaluates VBScript for potential threats, especially in files such as Office documents or web-based attacks.
Incorrect options:
B. PythonScript: While Python is commonly used in many modern software development environments and has seen an increase in use for malicious scripting, WildFire does not directly focus on Python scripts in the same way it focuses on legacy scripting languages like PowerShell, VBScript, and JScript. Python-based malware is usually analyzed through its compiled form (e.g., executables) rather than its raw script form.
E. MonoScript: MonoScript is typically associated with the Mono framework used for cross-platform .NET applications. While WildFire may analyze files that could involve MonoScript, it's less commonly associated with the typical scripting threats analyzed in WildFire. WildFire focuses more on widely used languages like JScript, PowerShell, and VBScript, which are more frequently exploited by attackers.
In conclusion, JScript, PowerShell, and VBScript are the scripting languages most commonly analyzed by WildFire in both its static and dynamic threat assessments. Therefore, A, C, and D are the correct answers.
Question 7:
In a dual firewall Active/Passive High Availability deployment, which of the following strategies is most reliable for avoiding a split-brain condition?
A. Use a standard data port as a fallback for HA2 state synchronization
B. Activate preemption on both members of the HA cluster
C. Configure the dedicated management port as an alternative HA1 control link
D. Allocate a regular data interface for HA3 traffic replication
Correct Answer: C. Configure the dedicated management port as an alternative HA1 control link
Explanation:
In a dual firewall Active/Passive High Availability (HA) deployment, the key objective is to ensure that both firewalls in the pair can maintain proper synchronization and prevent situations where both firewalls believe they are the primary, leading to a split-brain condition. Here's why C is the most reliable strategy:
C. Configure the dedicated management port as an alternative HA1 control link:
The HA1 link is the primary communication link for synchronization between the two firewalls in an HA pair. By default, this link typically uses a dedicated data interface or management interface. However, to ensure that the HA pair stays synchronized in the event of a failure of the primary HA1 link, it's recommended to configure an alternative control link, such as the dedicated management port, to act as a backup. This helps maintain the connection between the two firewalls, ensuring that they continue to communicate and preventing a split-brain situation even if the primary HA1 link fails.
Other Options:
A. Use a standard data port as a fallback for HA2 state synchronization:
HA2 is used for state synchronization (session sync) between the two firewalls. While this is important, it doesn't directly prevent a split-brain condition. The HA2 link is used for data synchronization, not the critical control link, so this is not the most reliable option to avoid split-brain situations.B. Activate preemption on both members of the HA cluster:
Preemption ensures that if the primary firewall comes back online after a failure, it can resume as the primary firewall. However, enabling preemption on both members could lead to an undesirable situation where both firewalls are trying to take over as primary, causing unnecessary failovers and potentially leading to instability. It doesn't directly address the split-brain issue, so this is not the most reliable strategy in this case.D. Allocate a regular data interface for HA3 traffic replication:
HA3 traffic is used for session sync and replication of traffic between the firewalls in the HA pair. While it's important for high availability and load balancing, using a regular data interface for this function doesn't help avoid a split-brain situation. The HA3 traffic itself doesn't handle control-plane synchronization or management, which are the crucial elements in preventing a split-brain condition.
In summary, C is the best option because it ensures that the critical HA1 control link remains available by configuring a dedicated management port as a backup, which helps avoid a split-brain condition and maintains seamless failover in a dual firewall Active/Passive HA deployment.
Question 8:
When setting up User-ID on a Palo Alto Networks firewall to map users to IPs, which best practices should be followed for optimal security and functionality? (Select three)
A. Clearly define IP ranges to include or exclude from user mapping
B. Activate User-ID in all zones, including public and untrusted segments
C. Use a minimal-privilege dedicated service account for User-ID operations
D. Limit the number of network hops between the User-ID agent and the firewall to a maximum of 15
E. Enable WMI probing across all network segments, regardless of sensitivity
Correct Answers:
A. Clearly define IP ranges to include or exclude from user mapping
C. Use a minimal-privilege dedicated service account for User-ID operations
D. Limit the number of network hops between the User-ID agent and the firewall to a maximum of 15
Explanation:
When configuring User-ID on Palo Alto Networks firewalls, best practices are essential for both security and functionality. Here’s why the selected options are correct:
A. Clearly define IP ranges to include or exclude from user mapping
Why it's important: Defining clear IP ranges ensures that User-ID is applied only to the specific networks where it's needed. This helps optimize performance and security by excluding irrelevant or untrusted networks, preventing unnecessary user-to-IP mappings in areas where they’re not needed. It also avoids potential risks if User-ID maps users to devices in untrusted or non-secure segments.
C. Use a minimal-privilege dedicated service account for User-ID operations
Why it's important: Using a dedicated service account with minimal privileges is a fundamental security best practice. This approach minimizes the attack surface by ensuring that the account used for User-ID operations has only the necessary permissions to perform the required tasks, reducing the risk of privilege escalation or unauthorized access.
D. Limit the number of network hops between the User-ID agent and the firewall to a maximum of 15
Why it's important: The User-ID agent needs to communicate with the firewall to provide user-to-IP mapping. Excessive network hops can introduce latency and connection reliability issues, which can degrade the functionality of User-ID. Keeping the number of network hops to a maximum of 15 helps ensure that the connection between the User-ID agent and the firewall remains efficient and reliable, ensuring better performance and real-time user identification.
Why the other options are not ideal:
B. Activate User-ID in all zones, including public and untrusted segments
Activating User-ID in untrusted or public segments is not recommended. This could expose sensitive user information to potential attackers or allow user mappings in insecure areas. Best practice is to restrict User-ID to trusted segments only, ensuring that user mapping occurs in secure zones, like internal networks, where user authentication is verified and trusted.
E. Enable WMI probing across all network segments, regardless of sensitivity
WMI probing (Windows Management Instrumentation) is often used to gather user information from Windows-based devices. However, enabling WMI probing on all network segments, especially sensitive or untrusted segments, can introduce unnecessary risks. WMI probes could provide attackers with more detailed information about network devices, leading to potential exploitation. It's better to limit WMI probes to trusted network segments where necessary.
The optimal practices for setting up User-ID are to define IP ranges for mapping, use a minimal-privilege dedicated account for operations, and limit the network hops between the User-ID agent and firewall. These measures help ensure security and performance while minimizing risk.
Question 9:
Prior to enabling SSL/TLS decryption policies on a next-generation firewall (NGFW), which of the following key factors should be evaluated? (Select three)
A. Decrypt all traffic indiscriminately, including sensitive categories
B. Understand that some websites may become inaccessible due to decryption
C. Consider excluding certain types of data, such as financial or health-related traffic
D. Implement decryption settings all at once for faster enforcement
E. Ensure the firewall can handle the increased resource demand from decryption
Correct Answers:
B. Understand that some websites may become inaccessible due to decryption
C. Consider excluding certain types of data, such as financial or health-related traffic
E. Ensure the firewall can handle the increased resource demand from decryption
Explanation:
When enabling SSL/TLS decryption policies on a next-generation firewall (NGFW), several key considerations must be evaluated to avoid negative impacts on network performance, security, and compliance:
B. Understand that some websites may become inaccessible due to decryption
Why it's important: SSL/TLS decryption can potentially break the functionality of some websites or applications, especially those that implement strict certificate validation or HTTP Strict Transport Security (HSTS). Websites may become inaccessible if the firewall cannot decrypt and re-encrypt the traffic in a way that meets the website’s security requirements. Therefore, it's important to evaluate the potential impact on website accessibility before enabling decryption.
C. Consider excluding certain types of data, such as financial or health-related traffic
Why it's important: Sensitive data such as financial or health-related information is often subject to regulatory compliance, such as HIPAA or PCI-DSS. Decrypting such traffic could expose sensitive information to unauthorized parties, potentially violating privacy regulations. Therefore, certain categories of traffic should be excluded from decryption, ensuring compliance with relevant laws and protecting privacy.
E. Ensure the firewall can handle the increased resource demand from decryption
Why it's important: SSL/TLS decryption is a resource-intensive process that requires significant CPU and memory resources. As traffic is decrypted and re-encrypted, the firewall's performance could degrade if it's not capable of handling the increased demand. Evaluating the firewall’s hardware and capacity to handle the additional load ensures that performance remains optimal and doesn't impact overall network speed.
Why the other options are less ideal:
A. Decrypt all traffic indiscriminately, including sensitive categories
Why it's not recommended: Decrypting all traffic indiscriminately, including sensitive traffic (like financial or health-related data), is not a good practice. This could violate privacy regulations (e.g., HIPAA or PCI-DSS) and expose sensitive information unnecessarily. The best practice is to carefully select the traffic that should be decrypted and apply exclusions where necessary.
D. Implement decryption settings all at once for faster enforcement
Why it's not recommended: Implementing decryption settings all at once may lead to overwhelming the firewall or network infrastructure. Instead, it's advisable to test decryption settings incrementally, starting with less sensitive traffic and gradually scaling up, ensuring that the firewall can handle the load and that critical services are not interrupted.
Before enabling SSL/TLS decryption, it's crucial to evaluate the potential impact on website accessibility, exclude sensitive traffic to remain compliant with privacy regulations, and ensure that the firewall can handle the increased resource demands. These measures help mitigate risks and ensure that the decryption process is effective without compromising performance or compliance.
Question 10:
In a Zero Trust network architecture, access to resources is strictly governed and continuously verified. Which of the following practices align with the principles of Zero Trust Security? (Select two)
A. Grant access based on device trust and user identity, not location
B. Permit internal traffic to move freely once it enters the corporate LAN
C. Continuously monitor and validate user behavior during sessions
D. Allow unmanaged personal devices to access sensitive resources after initial login
Correct Answers:
A. Grant access based on device trust and user identity, not location
C. Continuously monitor and validate user behavior during sessions
Explanation:
Zero Trust Security operates on the fundamental principle that no device or user, whether inside or outside the network, should be trusted by default. Instead, trust is continuously verified, and access is granted based on specific contextual factors such as the identity of the user, the trustworthiness of the device, and real-time behavioral analysis.
A. Grant access based on device trust and user identity, not location
Why it's correct: In a Zero Trust architecture, trust is not granted based on a device's location (e.g., whether it's inside or outside the corporate network). Instead, access decisions are made based on the identity of the user and the trustworthiness of the device. For example, even if a device is inside the corporate network, it may still need to pass checks on its security posture (e.g., whether the device is compliant or if it has any vulnerabilities) before being granted access to resources.
C. Continuously monitor and validate user behavior during sessions
Why it's correct: Zero Trust emphasizes continuous monitoring of both user behavior and device status. Access is not only validated at the initial point of login but is constantly re-assessed throughout the session to ensure that behavior remains consistent with expectations. If anything suspicious is detected (e.g., anomalous behavior, changes in access patterns), access can be revoked or limited in real time.
Why the other options are incorrect:
B. Permit internal traffic to move freely once it enters the corporate LAN
Why it's incorrect: Zero Trust does not assume that internal traffic can be trusted. Once inside the network, every piece of traffic, whether originating from the internal network or external sources, must be authenticated and authorized before being allowed to move freely. In a Zero Trust model, micro-segmentation is employed to ensure that access is restricted and only allowed to authorized users/devices, even within the internal network.
D. Allow unmanaged personal devices to access sensitive resources after initial login
Why it's incorrect: Allowing unmanaged personal devices to access sensitive resources violates Zero Trust principles, which require that every device be verified for security compliance before granting access. Unmanaged or non-compliant devices pose significant security risks. Zero Trust typically involves enforcing strict device compliance policies, requiring devices to meet specific security standards before being granted access to critical systems.
In a Zero Trust architecture, access is based on identity and device trust, and access is continuously validated throughout the session. These practices help reduce risks associated with insider threats, lateral movement, and exploits. The core tenets of Zero Trust are:
No device or user is trusted by default, regardless of location.
Continuous monitoring and verification of behavior and security posture.
