Hemant Patkar

Summary

The provided content offers a comprehensive overview of Domain 7 of the CISSP certification, focusing on Security Operations, and details the essential concepts, processes, and tools required for effective security management in 2023–24.

Abstract

The article "CISSP: Domain 7 — Security Operations" serves as a study guide for professionals preparing for the CISSP certification exam. It outlines the key objectives within this domain, emphasizing the importance of understanding and complying with investigations, conducting logging and monitoring activities, and performing configuration management. The guide covers the significance of applying foundational security operations concepts, resource protection, incident management, and the operation and maintenance of detective and preventive measures. It also delves into the implementation and support of patch and vulnerability management, participation in change management processes, and the implementation of recovery strategies, including disaster recovery planning and business continuity exercises. The article highlights the necessity of physical security measures and provides insights into threat intelligence, problem management, and the differentiation between incident and problem management.

Opinions

  • The article positions EDRM as a systematic approach to collecting digital evidence, suggesting its significance in legal proceedings and litigation support.
  • The importance of maintaining a strict chain of custody and the practice of analyzing copies rather than original data during evidence handling are underscored as best practices in digital forensics.
  • The role of SIEM in providing real-time threat detection and incident response is presented as critical for organizations to recognize and address potential security threats.
  • DLP is emphasized as a crucial component of a company's security strategy, aimed at preventing data loss and ensuring compliance with data protection regulations.
  • The article conveys the view that effective patch management is essential for system performance and security, despite challenges such as interoperability and required downtime.
  • The author suggests that the threat intelligence lifecycle is an essential framework for managing and applying threat intelligence effectively.
  • The distinction between problem management, which focuses on preventing incidents, and incident management, which addresses real-time incidents, is highlighted to clarify the roles of each practice within security operations.
  • The article advocates for regular testing of disaster recovery plans and backup systems to ensure data integrity and organizational resilience.
  • Physical security measures, including CCTV and door locks, are recommended as integral to protecting an organization's physical assets and personnel.

CISSP: Domain 7 — Security Operations: Easy Notes to Pass CISSP Certification in 2023–24

OBJECTIVE

  1. Understand and comply with investigations
  2. Conduct logging and monitoring activities
  3. Perform configuration management (e.g. provisioning, baselining, automation)
  4. Apply foundational security operations concepts
  5. Apply resource protection
  6. Conduct incident management
  7. Operate and maintain detective and preventive measures
  8. Implement and support patch and vulnerability management
  9. Understand and participate in the change management process
  10. Implement recovery strategies
  11. Implement disaster recovery (DR) processes
  12. Test disaster recovery plans (DRP)
  13. Participate in business continuity (BC) planning and exercises
  14. Address personnel safety and security concerns

UNDERSTAND AND SUPPORT INVESTIGATIONS

  1. Incident scene
  2. Evidence, e.g. EDRM (Electronic Discovery Reference Model)
  3. Evidence collection and handling
  4. Data forensic process

A. INCIDENT SCENE

Incident = anything that compromises security (confidentiality, integrity or availability of an asset).

Incident scene is the environment where potential evidence may exist.

B. EVIDENCE

Volatile evidence: data that is dynamic and exists in running processes and memory, and disappears within a relatively short timeframe once the system is powered down. Because it is lost first, it is collected first (order of volatility).

Locard's Exchange Principle: when a crime is committed, the attacker leaves SOME EVIDENCE behind and takes something away with them. Applied to digital forensics, every intrusion leaves traces (logs, artifacts, changed files) somewhere.

General Guidelines

  1. All procedural and general jurisprudential rules must be followed.
  2. Digital evidence shall not be changed as a result of its seizure.
  3. Training is required for everyone who accesses original digital evidence.
  4. Complete documentation, preservation, and reviewability are required for all actions involving the acquisition, access, storage, or transfer of digital evidence.
  5. A person is accountable for all activities while in possession of digital evidence.

EDRM (Electronic Discovery Reference Model) — Systematic way of collecting digital evidence.

Exam tip: a question that uses any of the following terms is pointing at EDRM as the answer:

  • Legal proceeding
  • Litigation
  • Freedom of Information (request)

C. EVIDENCE COLLECTION AND HANDLING

All material associated with the incident could be pertinent to an investigation and used as evidence:

  1. Data that may have been compromised
  2. Systems (hardware or software) that may have been compromised
  3. Information from people about their knowledge of the incident
  4. Information about the incident scene

Common Practices for Handling Evidence for Security Professionals

  1. Maintain a chain of custody
  2. Make copies (forensic images) of all data
  3. Analyze copies instead of originals
  4. Appoint an evidence custodian
  5. Document everything
  6. Avoid modification of the original
  7. Treat collection as a sensitive process

Chain of Custody
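The practices above (image the original, hash it, work on the copy, record every custody step) as a runnable illustration. This is an added example, not code from the notes; the evidence file, the custodian name and the JSON-lines custody log format are all constructed for illustration.

```python
"""Forensic acquisition of a file: hash the original, image it, verify the
copy, and append a chain-of-custody record.  Added example, not from the
original notes; the sample evidence file is constructed in a temp dir."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(original: str, workdir: str, custodian: str) -> dict:
    """Copy `original` into `workdir`, verify the copy matches the original
    bit-for-bit by hash, and return a chain-of-custody entry.  Raises if
    the hashes differ, so a bad copy is never analysed."""
    before = sha256_of(original)
    image = os.path.join(workdir, os.path.basename(original) + ".img")
    shutil.copyfile(original, image)
    os.chmod(image, 0o444)               # analysts work on a read-only copy
    after = sha256_of(image)
    if before != after:
        raise RuntimeError("image hash mismatch; acquisition failed")
    # Hash the original again: the copy step must not have modified it.
    if sha256_of(original) != before:
        raise RuntimeError("original changed during acquisition")
    return {
        "action": "acquire",
        "source": original,
        "image": image,
        "sha256": before,
        "custodian": custodian,            # constructed name
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def append_custody(log_path: str, entry: dict) -> None:
    """Append-only JSON-lines custody log; every transfer gets a record."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")


def verify_image(entry: dict) -> bool:
    """Re-hash the image before analysis to prove it is still untouched."""
    return sha256_of(entry["image"]) == entry["sha256"]


def demo() -> dict:
    """Constructed evidence: a small file standing in for a seized disk."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "seized.bin")
    with open(original, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)
    entry = acquire(original, work, custodian="analyst1")
    append_custody(os.path.join(work, "custody.jsonl"), entry)
    return entry


if __name__ == "__main__":
    e = demo()
    print(e["sha256"], verify_image(e))
```

In practice the image would be taken with a write blocker and a forensic imaging tool rather than a file copy, but the control is the same: the hash recorded at seizure is what every later custodian re-verifies against.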

D. DATA FORENSIC PROCESS

ANALYSIS

1. NETWORK ANALYSIS

a) Firewall logs b) IDS/IPS logs c) Traffic logs / path tracing

2. MEDIA ANALYSIS

a) Recovery of information / evidence from media (HDD, SSD, etc.) b) Disk imaging and timeline analysis c) Slack space and shadow volume analysis

3. SOFTWARE ANALYSIS

a) Malicious source code analysis b) Reverse engineering c) Exploit review d) Intellectual property disputes e) Copyright issues

4. HARDWARE ANALYSIS

a) Embedded OS, Virtualized S/W and Hypervisor analysis. b) Special tools and techniques are required to image embedded devices. c) Difficult to find vulnerabilities on the hardware.

UNDERSTAND REQUIREMENT FOR INVESTIGATION TYPES

TYPES OF INVESTIGATION

IDS / IPS

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) continuously watch the network (or a host), identify possible incidents, log information about them and report them to security administrators. The difference is in the response: an IDS is a detective control that only alerts, while an IPS sits inline and can also block or drop the offending traffic, making it a preventive control.

SIEM (Security Information and Event Management)

SIEM is a security solution that helps organizations recognize and address potential security threats and vulnerabilities before they disrupt business operations.

It collects and analyzes security-related data (logs and events) from many sources, such as firewalls, IDS/IPS, servers and endpoints, normalizes it and correlates events across sources to provide real-time threat detection and support incident response. It also helps organizations meet compliance requirements and improve their overall security posture by providing a single platform for monitoring, analyzing, and responding to security events.

DLP (Data Loss Prevention)

DLP is a part of a company's overall security strategy that focuses on detecting and preventing the loss, leakage or misuse of data through breaches, exfiltration (unauthorized outbound transmission) and unauthorized use.

DLP GOAL: Protect Business Data and IP

Data loss prevention is an approach to data security that implements a set of processes, procedures, and tools to prevent the loss, misuse, or unauthorized access to sensitive information. Four types of data loss prevention are network DLP, endpoint DLP, cloud DLP and email DLP.

DLP Rule Set

  1. Signature based
  2. Pattern matching: MOST EFFECTIVE
  3. Labelling: FASTEST
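The three rule types side by side, as an added example rather than code from the notes. Labelling decides on a classification tag without reading the content; signature matching compares a fingerprint (hash) of the attachment against known protected files; pattern matching uses a regex for card numbers, with a Luhn check so random digit runs do not trip it. The messages, labels and protected-file database are constructed for illustration.

```python
"""DLP content inspection: three ways to decide whether an outbound message
may leave.  Added example, not code from the notes.  'Labelling' here
means an explicit classification tag on the document, 'pattern matching'
is regex plus a Luhn check, and 'signature' is a fingerprint (hash) of
known sensitive files.  All sample data below is constructed."""
import hashlib
import re

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, separators allowed


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return candidate card numbers that also pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed fingerprint database of protected files (signature-based).
PROTECTED_SHA256 = {
    hashlib.sha256(b"Q3 M&A target list - constructed sample").hexdigest(): "ma_targets.xlsx",
}


def classify(message: dict) -> tuple:
    """Evaluate the cheapest rule first: label, then signature, then pattern.
    Returns (decision, reason)."""
    if message.get("label", "").lower() in {"confidential", "restricted"}:
        return ("block", "label:" + message["label"])
    for att in message.get("attachments", []):
        digest = hashlib.sha256(att).hexdigest()
        if digest in PROTECTED_SHA256:
            return ("block", "signature:" + PROTECTED_SHA256[digest])
    pans = find_pans(message.get("body", ""))
    if pans:
        return ("block", "pattern:pan x%d" % len(pans))
    return ("allow", "no match")


if __name__ == "__main__":
    samples = [
        {"label": "Confidential", "body": "see attached"},
        {"body": "order ref 1234 5678 9012 3456"},           # fails Luhn
        {"body": "card 4111 1111 1111 1111 exp 12/26"},     # test PAN, passes Luhn
        {"attachments": [b"Q3 M&A target list - constructed sample"]},
    ]
    for s in samples:
        print(classify(s))
```

The ordering in classify is why labelling is the fastest rule: a tag lookup costs nothing compared with hashing every attachment or scanning every body. Signature matching only catches files you fingerprinted in advance; pattern matching is what finds sensitive data nobody labelled, which is why the notes rate it most effective.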

CONFIGURATION MANAGEMENT

a) Process for establishing a baseline of the IT environment b) Provides uniformity c) CCM (Configuration and Change Management) is a continuous process of controlling changes to that baseline d) The purpose of CCM is to establish a process that ensures the integrity of assets

Configuration Management is the process of maintaining systems, such as computer hardware and software, in a desired state. Configuration Management (CM) is also a method of ensuring that systems perform in a manner consistent with expectations over time
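Baselining in practice, as an added example that is not from the notes: parse a host's sshd_config, compare the security-relevant directives against an approved baseline, and report drift. A directive that is missing or commented out takes the OpenSSH default, which is what the check must compare against; the baseline values, the default table and the sample config are constructed for illustration.

```python
"""Baseline check for a host's sshd_config: parse the live file, compare
each security-relevant directive against the approved baseline, and report
drift.  Added example, not from the notes.  The baseline values and the
sample config text are constructed for illustration."""

# Approved baseline (constructed): directive -> required value
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "LogLevel": "VERBOSE",
}

# Values sshd uses when a directive is absent (subset, matching the
# documented OpenSSH defaults; constructed table for this example).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}

SAMPLE_CONFIG = """\
# constructed sshd_config sample
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict:
    """Return the global directives (first occurrence wins, as sshd does).
    Anything after a 'Match' block is conditional and is skipped here."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue           # a commented-out directive is NOT set
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key.lower() == "match":
            break
        directives.setdefault(key, value)
    return directives


def check_drift(text: str) -> list:
    """Compare live config to BASELINE.  Returns a list of
    (directive, expected, actual, source) for every deviation."""
    live = parse_sshd_config(text)
    findings = []
    for key, expected in BASELINE.items():
        if key in live:
            actual, source = live[key], "explicit"
        else:
            actual, source = DEFAULTS.get(key, "<unknown>"), "default"
        if actual != expected:
            findings.append((key, expected, actual, source))
    return findings


if __name__ == "__main__":
    for f in check_drift(SAMPLE_CONFIG):
        print("DRIFT %-22s expected=%s actual=%s (%s)" % f)
```

Two of the three findings come from directives that are not in the file at all (one commented out, one never set), which is the usual way a host drifts from its baseline without anyone editing a value. Automating this check and running it after every change is what turns a baseline document into a control.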

CCB (Change Control Board): handles changes within projects

CAB (Change Advisory Board): handles emergency and business-impact changes

CHANGE MANAGEMENT PROCESS (DIRECTIVE CONTROL)

Change management is a systematic approach to dealing with the transition or transformation of an organization’s goals, processes or technologies. The purpose of change management is to implement strategies for effecting change, controlling change and helping people to adapt to change

PATCH MANAGEMENT PROCESS (CORRECTIVE CONTROL)

Patch management is the process of applying updates to software, drivers, and firmware to protect against vulnerabilities. Effective patch management also helps ensure the best operating performance of systems, boosting productivity.

Patching Challenges

  1. Interoperability
  2. Poorly crafted patches
  3. Required downtime
  4. Added expense
  5. Virtualization-specific concerns
  6. Timing

INCIDENT RESPONSE (CORRECTIVE CONTROL)

Incident response (IR) is the process by which an organization handles a data breach or cyberattack. It is an effort to quickly identify an attack, minimize its effects, contain damage, and remediate the cause to reduce the risk of future incidents.

THREAT INTELLIGENCE

The threat intelligence lifecycle is a methodical framework that helps organizations manage and apply threat intelligence efficiently. It ensures that information about potential threats is handled with care and gives organizations a set of steps for staying informed about risks and taking precautions against them: gather information on threats, evaluate it for accuracy and reliability, and take protective measures based on the result.

By following this process, intelligence teams can build an efficient threat intelligence process.

The six steps in the intelligence lifecycle include:

  1. Planning
  2. Collection
  3. Processing
  4. Analysis and Production
  5. Dissemination
  6. Feedback and improvement

PROBLEM MANAGEMENT vs INCIDENT MANAGEMENT

Problem management is a practice focused on preventing incidents or reducing their impact.

Incident management is focused on addressing incidents in real time.

IMPLEMENT RECOVERY STRATEGIES

BACKUP TYPES

RAID

BACKUP AND RECOVERY SYSTEM

DISASTER RECOVERY

BCP/DR TESTING STRATEGIES

PHYSICAL SECURITY

Physical security is the protection of personnel, hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. This includes protection from fire, flood, natural disasters, burglary, theft, vandalism and terrorism.

CARD TYPES and CCTV

CCTV (closed-circuit television) is a TV system in which signals are not publicly distributed but are monitored, primarily for surveillance and security purposes. CCTV relies on strategic placement of cameras and private observation of the camera’s input on monitors.

DOOR LOCKS

Review the brief explanation of Domain 7 below for a last-minute overview, by Destination Certification.

For Domain 6 Click here

For Domain 8 Click here
