CISSP Domain 7: Security Operations Guide

Created by A F M Bakabillah

CISSP Domain 7, "Security Operations," accounts for 13% of the CISSP exam. This domain focuses on the day-to-day activities required to maintain and improve the security posture of an organization. It covers incident management, logging and monitoring, vulnerability management, and the application of foundational security concepts in an operational context.

Key Areas of CISSP Domain 7: Security Operations

1. Investigate Incidents

This section covers the structured approach to handling security incidents and conducting forensic investigations.

1.1 Incident Handling Process

Preparation: Establishing policies, procedures, tools, and training.
Detection and Analysis: Identifying and understanding the scope and nature of an incident.
Containment: Limiting the damage and preventing further spread (e.g., isolating systems).
Eradication: Removing the root cause of the incident (e.g., patching vulnerabilities, removing malware).
Recovery: Restoring affected systems and data to normal operations.
Post-Incident Activity (Lessons Learned): Documenting the incident, reviewing the process, and implementing improvements.

1.2 Digital Forensics

Purpose: Scientifically collecting, preserving, analyzing, and presenting digital evidence.
Chain of Custody: Documenting the continuous possession and control of evidence from collection to presentation.
Types of Evidence: Best evidence (original), secondary evidence (copy), corroborative evidence (supports other evidence).
Forensic Tools: Imaging tools, analysis software (e.g., EnCase, FTK Imager).

Example: Upon detecting unusual outbound traffic, the security team initiates their incident handling process. They first contain the suspected compromised server by isolating it from the network. A forensic analyst then creates a bit-for-bit image of the server's hard drive, meticulously documenting the chain of custody for this digital evidence.

2. Operate and Maintain Detective and Preventative Measures

This involves the ongoing management of security controls that detect and prevent threats.

2.1 Vulnerability Management

Vulnerability Scanning: Regularly identifying known weaknesses in systems and applications.
Patch Management: Systematically applying software updates to fix vulnerabilities.
Configuration Management: Ensuring systems adhere to secure baseline configurations.
Zero-Day Vulnerability: A vulnerability that is unknown to the vendor and for which no patch exists.

2.2 Security Control Operations

Firewalls: Managing rules, logging, and performance.
IDS/IPS: Tuning rules, monitoring alerts, and responding to detections.
Antivirus/Anti-malware: Ensuring definitions are up-to-date, scans are running, and threats are quarantined.
Data Loss Prevention (DLP): Monitoring and blocking unauthorized transmission of sensitive data.
Endpoint Detection and Response (EDR): Advanced endpoint protection for detecting and investigating suspicious activities.

Example: The IT team performs weekly vulnerability scans across all servers and workstations. Discovered vulnerabilities are prioritized based on their severity, and critical patches are deployed as part of the patch management process within 48 hours. The DLP system is configured to prevent employees from emailing documents containing credit card numbers outside the company network.

3. Perform Logging and Monitoring Activities

This section covers the continuous collection and analysis of security-related data to detect anomalies and threats.

3.1 Log Management

Centralized Logging: Aggregating logs from various sources (servers, network devices, applications) into a central repository.
Log Retention: Storing logs for required periods based on compliance and forensic needs.
Secure Log Storage: Protecting logs from tampering and unauthorized access.

3.2 Security Information and Event Management (SIEM)

Purpose: Real-time collection, normalization, correlation, and analysis of security events and logs.
Alerting: Generating alerts for suspicious activities based on defined rules and anomalies.
Reporting: Providing dashboards and reports on security posture and incidents.

3.3 Continuous Monitoring

Definition: Ongoing surveillance and analysis of systems to ensure they remain secure and compliant.
Security Orchestration, Automation, and Response (SOAR): Automating security operations tasks, incident response, and threat intelligence management.

Example: The Security Operations Center (SOC) uses a SIEM system to ingest logs from firewalls, servers, and endpoints. The SIEM correlates a failed login attempt from an unusual IP address with a subsequent alert from the EDR solution on a user's workstation, triggering an automated alert to the incident response team. This is part of their continuous monitoring strategy.

4. Perform Configuration Management (CM)

This section covers the systematic management of system configurations to maintain security and integrity.

4.1 Baseline Configuration Management

Purpose: Establishing and maintaining a secure, standardized configuration for systems and applications.
Configuration Drift: Deviations from the established baseline, which can introduce vulnerabilities.

4.2 Change Management

Purpose: A formal process to manage changes to IT systems and configurations, minimizing negative impacts on security and availability.
Change Advisory Board (CAB): A group responsible for reviewing and approving proposed changes.
Rollback Plan: A plan to revert changes if they cause issues.

Example: Before deploying a new web server, the team ensures it adheres to the organization's "Web Server Security Baseline Configuration," which specifies disabled services, secure protocols, and logging levels. Any proposed changes to this configuration, such as opening a new port, must go through the formal change management process, including review by the Change Advisory Board (CAB).

5. Apply Foundational Security Operations Concepts

This section integrates broader security principles into the day-to-day operational environment.

5.1 Security Operations Center (SOC)

Purpose: Centralized function for continuous monitoring, detection, analysis, and response to cybersecurity incidents.
Roles: Tier 1 (alert triage), Tier 2 (incident investigation), Tier 3 (threat hunting, forensics).

5.2 Threat Intelligence

Definition: Information about current and emerging threats, including indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs) of adversaries.
Purpose: Proactive defense, improving detection capabilities, and informing risk assessments.

5.3 Resilience, Fault Tolerance, and Redundancy

Resilience: The ability of a system to withstand and recover from disruptions.
Fault Tolerance: The ability of a system to continue operating despite the failure of one or more components.
Redundancy: Duplication of critical components or functions to ensure availability in case of failure.

5.4 Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) Operations

Testing and Exercises: Regularly testing BCP/DRP plans (e.g., tabletop exercises, full-scale simulations).
Maintenance: Keeping plans updated with organizational changes.

Example: The organization's SOC team actively monitors incoming threat intelligence feeds to update their IPS rules and inform their threat hunting activities. To ensure high availability, their critical applications are deployed across multiple data centers with redundant servers and network paths, demonstrating fault tolerance and resilience. They conduct annual DRP exercises to validate their recovery capabilities.

Key Points to Remember (Exam Tips)

Incident Response Lifecycle: Memorize the steps (Preparation, Detection/Analysis, Containment, Eradication, Recovery, Post-Incident). Understand the order and purpose of each. (e.g., You *contain* a breach before you *eradicate* the malware to prevent further spread.)
Forensics and Chain of Custody: Emphasize the importance of preserving evidence and maintaining a strict chain of custody for legal admissibility. (e.g., Any time you handle digital evidence, document who had it, when, and what they did with it.)
Logging is Crucial: Understand that robust, centralized, and protected logging is the foundation for detection and incident investigation. SIEMs are key tools here. (e.g., Without proper logs, detecting an intrusion or investigating a breach becomes nearly impossible.)
Vulnerability vs. Patch Management: Vulnerability management identifies weaknesses; patch management fixes them. They are distinct but complementary. (e.g., A vulnerability scan might find a missing patch, but the patch management process is what actually applies it.)
IDS vs. IPS (Operational Context): Reinforce that IDS is passive (detects, alerts), while IPS is active (detects, prevents/blocks). In operations, IPS is often deployed inline. (e.g., An IPS might block a known malicious IP address automatically, whereas an IDS would just send an alert.)
Change Management Importance: Understand that a formal change management process (with a CAB) is vital to prevent unintended security impacts and maintain system stability. (e.g., Bypassing change management for a "quick fix" can introduce new vulnerabilities or break existing security controls.)
Resilience vs. Fault Tolerance vs. Redundancy: Know the subtle differences. Redundancy is the *mechanism* (duplicate component), Fault Tolerance is the *ability to withstand failure* due to redundancy, and Resilience is the *overall ability to recover* from any disruption. (e.g., Having two power supplies in a server is *redundancy*. The server continuing to run if one fails is *fault tolerance*. The entire data center surviving a regional power grid outage is *resilience*.)
SOC Tiers: Be familiar with the general roles of Tier 1 (triage), Tier 2 (investigation), and Tier 3 (advanced analysis/hunting) in a Security Operations Center. (e.g., A Tier 1 analyst would initially review an alert from the SIEM, escalating to Tier 2 if it's a confirmed incident.)
DRP/BCP Testing: Emphasize the importance of regular testing (tabletop, full-scale) and maintenance of these plans. An untested plan is a bad plan. (e.g., Conducting an annual tabletop exercise helps identify gaps in the DRP before a real disaster strikes.)
Proactive vs. Reactive: Security operations involve both. Threat intelligence (proactive) helps inform defensive measures, while incident response (reactive) deals with active threats.

Quiz Time!

Choose the best answer for each question.

Question 1: In the incident handling process, which phase involves taking steps to limit the scope and impact of a security incident?

A) Detection and Analysis B) Containment C) Eradication D) Recovery

Question 2: What is the primary purpose of maintaining a "Chain of Custody" during a digital forensic investigation?

A) To speed up the forensic analysis process. B) To ensure the admissibility and integrity of evidence in legal proceedings. C) To identify the type of malware involved in an incident. D) To recover lost data from compromised systems.

Question 3: Which of the following best describes a "Zero-Day Vulnerability"?

A) A vulnerability that has been patched within 24 hours of discovery. B) A vulnerability that is publicly known but has no available patch. C) A vulnerability that is unknown to the vendor and has no available patch. D) A vulnerability that affects only legacy systems.

Question 4: What is the key difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) in terms of their operational capability?

A) IDS is software-based, while IPS is hardware-based. B) IDS monitors and alerts, while IPS monitors and actively blocks/prevents. C) IDS uses anomaly detection, while IPS uses signature detection. D) IDS is deployed at the network perimeter, while IPS is deployed internally.

Question 5: Which technology is designed to aggregate, normalize, correlate, and analyze security events and logs from various sources in real-time?

A) Data Loss Prevention (DLP) B) Endpoint Detection and Response (EDR) C) Security Information and Event Management (SIEM) D) Network Access Control (NAC)

Question 6: What is the primary purpose of a "Change Advisory Board (CAB)" in the change management process?

A) To implement approved changes directly. B) To review and approve proposed changes to IT systems. C) To develop new security policies and procedures. D) To conduct post-implementation reviews of changes.

Question 7: Which concept describes the ability of a system to continue operating despite the failure of one or more components?

A) Resilience B) Redundancy C) Fault Tolerance D) High Availability

Question 8: In a Security Operations Center (SOC), which tier of analyst is typically responsible for initial alert triage and basic incident validation?

A) Tier 1 Analyst B) Tier 2 Analyst C) Tier 3 Analyst D) SOC Manager

Question 9: What is the purpose of a "Rollback Plan" in the context of change management?

A) To automatically apply all approved changes. B) To revert a change if it causes unexpected issues or failures. C) To document all changes made to a system. D) To test the security impact of a proposed change.

Question 10: Which of the following is a proactive measure that involves collecting and analyzing information about current and emerging threats to improve defensive capabilities?

A) Incident Response B) Digital Forensics C) Threat Intelligence D) Vulnerability Scanning

Question 11: What is the primary goal of "Eradication" in the incident handling process?

A) To limit the spread of the incident. B) To restore affected systems to normal operation. C) To remove the root cause of the incident and eliminate the threat. D) To document lessons learned from the incident.

Question 12: Which type of digital evidence is considered the "original" and is given the highest priority in legal proceedings?

A) Secondary Evidence B) Corroborative Evidence C) Best Evidence D) Hearsay Evidence

Question 13: What is the primary goal of "Patch Management"?

A) To identify vulnerabilities in systems. B) To apply software updates to fix vulnerabilities and improve functionality. C) To monitor systems for suspicious activity. D) To secure system configurations.

Question 14: Which security technology is designed to prevent sensitive information from leaving the organization's control, often by inspecting outbound traffic?

A) Intrusion Prevention System (IPS) B) Security Information and Event Management (SIEM) C) Data Loss Prevention (DLP) D) Endpoint Detection and Response (EDR)

Question 15: What is the primary benefit of "Centralized Logging"?

A) It reduces the storage requirements for logs. B) It simplifies log analysis and correlation for security monitoring. C) It eliminates the need for individual system logging. D) It encrypts all log data automatically.

Question 16: What is "Configuration Drift" in the context of configuration management?

A) The process of securely backing up configurations. B) Deviations from the established secure baseline configuration. C) The initial setup of a system's configuration. D) The process of applying security patches.

Question 17: Which concept refers to the ability of a system to withstand and recover from various types of disruptions, including cyberattacks and natural disasters?

A) Fault Tolerance B) Redundancy C) Resilience D) Availability

Question 18: What is the primary benefit of "Security Orchestration, Automation, and Response (SOAR)" platforms?

A) To manually manage security alerts. B) To automate and streamline security operations tasks and incident response workflows. C) To collect logs from various security devices. D) To provide threat intelligence feeds.

Question 19: Which phase of incident handling involves removing the malware and fixing the exploited vulnerabilities?

A) Containment B) Recovery C) Eradication D) Analysis

Question 20: What is the primary purpose of conducting regular "tabletop exercises" for Business Continuity and Disaster Recovery Plans?

A) To physically test the recovery site with actual systems. B) To identify gaps and weaknesses in the plans in a low-stress environment. C) To train all employees on how to respond to a disaster. D) To validate the RTO and RPO metrics.

Question 21: Which type of evidence is a copy of original digital evidence, often used for analysis to preserve the original?

A) Best Evidence B) Secondary Evidence C) Corroborative Evidence D) Direct Evidence

Question 22: What is the primary objective of "Configuration Management" in security operations?

A) To develop new software applications securely. B) To manage changes to network topology. C) To establish and maintain secure, standardized configurations for systems. D) To perform real-time threat detection.

Question 23: Which of the following is a key characteristic of "Continuous Monitoring"?

A) It is performed only during annual security audits. B) It involves ongoing surveillance and analysis of systems to ensure security and compliance. C) It focuses solely on physical security controls. D) It is a reactive process initiated only after an incident.

Question 24: What is the primary role of a Tier 3 analyst in a Security Operations Center (SOC)?

A) Initial alert triage and basic incident validation. B) Detailed incident investigation and remediation. C) Threat hunting, malware analysis, and advanced forensics. D) Managing the SIEM system infrastructure.

Question 25: Which of the following best describes "Redundancy"?

A) The ability of a system to recover from a disaster. B) The duplication of critical components or functions to ensure availability. C) The process of eliminating single points of failure. D) The ability to withstand external attacks.

Question 26: What is the primary purpose of "Endpoint Detection and Response (EDR)" solutions?

A) To prevent network intrusions at the perimeter. B) To manage and distribute software patches. C) To detect, investigate, and respond to suspicious activities on endpoints. D) To centralize log collection from all network devices.

Question 27: Which of the following is a key aspect of "Secure Log Storage"?

A) Storing logs on local hard drives only. B) Ensuring logs are easily modifiable by administrators. C) Protecting logs from tampering and unauthorized access. D) Deleting logs immediately after analysis to save space.

Question 28: What is the primary objective of the "Recovery" phase in incident handling?

A) To identify the attack vector. B) To remove the malicious code. C) To restore affected systems and data to normal operations. D) To isolate the compromised system.

Question 29: Which of the following is a key benefit of integrating Threat Intelligence into security operations?

A) It reduces the need for human analysts in the SOC. B) It provides proactive insights to improve detection and defense capabilities. C) It automates all incident response actions. D) It replaces the need for vulnerability scanning.

Question 30: What is the purpose of "Post-Incident Activity" (Lessons Learned) in the incident handling process?

A) To assign blame for the incident. B) To quickly close the incident ticket. C) To document the incident, review the process, and implement improvements. D) To notify all affected parties immediately.

Quiz Answers:

Question 1:

B) Containment

Explanation: Containment is the phase focused on limiting the spread and impact of an incident, often by isolating affected systems or networks.

Question 2:

B) To ensure the admissibility and integrity of evidence in legal proceedings.

Explanation: The chain of custody provides a documented history of evidence handling, proving that the evidence has not been tampered with and is admissible in court.

Question 3:

C) A vulnerability that is unknown to the vendor and has no available patch.

Explanation: A zero-day vulnerability is a software flaw that is unknown to the vendor, meaning there is no patch available, and attackers may already be exploiting it.

Question 4:

B) IDS monitors and alerts, while IPS monitors and actively blocks/prevents.

Explanation: The key distinction is that an IDS is a passive detection tool, whereas an IPS is an active prevention tool that can automatically take action to stop threats.

Question 5:

C) Security Information and Event Management (SIEM)

Explanation: SIEM systems are designed to collect, aggregate, normalize, and correlate security events and logs from various sources to provide real-time threat detection and analysis.

Question 6:

B) To review and approve proposed changes to IT systems.

Explanation: The Change Advisory Board (CAB) is a formal body responsible for reviewing, assessing, and approving or rejecting proposed changes to IT systems to minimize risks and ensure alignment with business objectives.

Question 7:

C) Fault Tolerance

Explanation: Fault tolerance is the ability of a system to continue functioning without interruption even if one or more of its components fail, often achieved through redundancy. Resilience (A) is broader, encompassing recovery from various disruptions.

Question 8:

A) Tier 1 Analyst

Explanation: Tier 1 analysts in a SOC are typically responsible for the initial triage of security alerts, filtering out false positives, and escalating confirmed incidents to higher tiers.

Question 9:

B) To revert a change if it causes unexpected issues or failures.

Explanation: A rollback plan is a critical part of change management, outlining the steps to revert a system to its previous state if a new change introduces problems, ensuring business continuity.

Question 10:

C) Threat Intelligence

Explanation: Threat intelligence provides actionable information about current and emerging threats, enabling organizations to proactively enhance their defenses and detection capabilities.

Question 11:

C) To remove the root cause of the incident and eliminate the threat.

Explanation: Eradication focuses on eliminating the threat from the environment, which includes removing malware, patching vulnerabilities, and identifying and removing the root cause of the incident.

Question 12:

C) Best Evidence

Explanation: Best evidence refers to the original, unaltered digital evidence (e.g., the original hard drive image), which is preferred in legal proceedings to ensure accuracy and integrity.

Question 13:

B) To apply software updates to fix vulnerabilities and improve functionality.

Explanation: Patch management is the systematic process of acquiring, testing, and applying software patches or updates to address security vulnerabilities and improve system stability.

Question 14:

C) Data Loss Prevention (DLP)

Explanation: DLP solutions are specifically designed to identify, monitor, and protect sensitive data from unauthorized exfiltration, often by inspecting data in transit (e.g., email, cloud uploads).

Question 15:

B) It simplifies log analysis and correlation for security monitoring.

Explanation: Centralized logging consolidates logs from various sources into a single location, making it much easier for security analysts to search, analyze, and correlate events to detect threats.

Question 16:

B) Deviations from the established secure baseline configuration.

Explanation: Configuration drift occurs when a system's configuration deviates from its approved security baseline, potentially introducing vulnerabilities or weakening security controls.

Question 17:

C) Resilience

Explanation: Resilience is the overarching ability of an organization or system to anticipate, withstand, recover from, and adapt to disruptive events, including cyberattacks, natural disasters, or system failures.

Question 18:

B) To automate and streamline security operations tasks and incident response workflows.

Explanation: SOAR platforms integrate various security tools and automate repetitive tasks, enabling security teams to respond to incidents more quickly and efficiently.

Question 19:

C) Eradication

Explanation: Eradication is the phase where the identified threat is completely removed from the environment, including malware, backdoors, and the underlying vulnerabilities that were exploited.

Question 20:

B) To identify gaps and weaknesses in the plans in a low-stress environment.

Explanation: Tabletop exercises are discussion-based sessions used to walk through a BCP/DRP scenario, identify flaws in the plan, and improve team coordination without impacting live systems.

Question 21:

B) Secondary Evidence

Explanation: Secondary evidence is a copy of the original evidence (e.g., a forensic image of a hard drive). It is used for analysis to preserve the integrity of the best evidence (the original).

Question 22:

C) To establish and maintain secure, standardized configurations for systems.

Explanation: Configuration management ensures that systems are built and maintained according to predefined secure baselines, reducing vulnerabilities and ensuring consistent security posture.

Question 23:

B) It involves ongoing surveillance and analysis of systems to ensure security and compliance.

Explanation: Continuous monitoring is a proactive and ongoing process of collecting, analyzing, and reporting security-related information to maintain an up-to-date understanding of an organization's security posture.

Question 24:

C) Threat hunting, malware analysis, and advanced forensics.

Explanation: Tier 3 analysts are the most experienced in a SOC, responsible for advanced analysis, threat hunting, malware reverse engineering, and complex forensic investigations.

Question 25:

B) The duplication of critical components or functions to ensure availability.

Explanation: Redundancy involves having duplicate systems, components, or data to serve as backups in case the primary ones fail, thus ensuring continuous operation (availability).

Question 26:

C) To detect, investigate, and respond to suspicious activities on endpoints.

Explanation: EDR solutions provide continuous monitoring and collection of endpoint data, enabling security teams to detect and investigate advanced threats that might bypass traditional antivirus, and to respond quickly to incidents.

Question 27:

C) Protecting logs from tampering and unauthorized access.

Explanation: Secure log storage ensures the integrity and confidentiality of logs, making them reliable for forensic investigations and compliance audits. Logs should be protected from unauthorized modification or deletion.

Question 28:

C) To restore affected systems and data to normal operations.

Explanation: Recovery is the phase where systems and data are brought back online and returned to their normal operational state after an incident, ensuring business continuity.

Question 29:

B) It provides proactive insights to improve detection and defense capabilities.

Explanation: Threat intelligence helps organizations understand the adversary's tactics, techniques, and procedures (TTPs), enabling them to proactively strengthen their defenses, update detection rules, and anticipate future attacks.

Question 30:

C) To document the incident, review the process, and implement improvements.

Explanation: Post-incident activity, often called "lessons learned," is crucial for continuous improvement. It involves reviewing the entire incident response process to identify what worked well, what didn't, and what needs to be improved for future incidents.