CISSP Domain 7 Refresh: Security Operations
Even before the April 2018 revision by (ISC)^2, Domain 7: Security Operations has been one of the broadest and most dynamic of the Common Book of Knowledge. Covering topics that range from how security professionals can support forensic investigations and set-up incident detection tools to conducting incident management and preparing for disaster recovery, Domain 7 can be a challenge for both aspiring and veteran CISSP holders. With that as a backdrop, this Domain 7: Security Operations refresh will help professionals to remain vigilant in their fight and stay current on the new areas of emphasis from (ISC)^2.
A fundamental aspect of any security posture, administrative security is all about making sure that organizational data, staff, and systems have the proper controls in place to prevent compromise – accidental or intentional – to confidentiality, integrity, or availability. This often means starting with the concept of Least Privilege through Mandatory Access Control (MAC), or system-enforced data access to a user, or Discretionary Access Control, where access is granted by the data’s owner. These controls are often paired with Separation of Duties, where multiple people are involved in completing critical processes or transactions to ensure power isn’t abused. While used less often, the Rotation of Duties and Mandatory Leave are other ways to detect fraud or abuse.
Forensics is the methodical way of handling the investigations and evidence-collection that follows a digital crime. While a part of incident response, forensics itself is a process that is used to preserve the evidence and uses techniques to maintain the integrity of the data and its environment. At a high level, the steps of the forensics process include identifying the potential evidence, obtaining control of the evidence, analyzing the evidence for clues of the attack, and producing a report out on the evidence found.
Depending on the type of attack, additional focus can be paid to the media gathered using analysis tools against binary images of storage devices or network forensics, where the attack can be replayed as it spread from emails to file transfers, for example. Additionally, software analysis can include reverse engineering malware to understand who possibly created the attack and to understand how it works. Finally, eDiscovery, where electronic information, including data, emails, and documents, can be requested for use as potential evidence, is an area where retention policies, data storage capabilities, and data privacy introduce complex challenges to the desks of security professionals.
Incident Response Management
Quite possibly the most stressful time in any security professionals’ career are the hours following a security breach, which is why each organization needs to be prepared with a plan. Domain 7 presents an 8-step process as a guide that is based on the NIST Special Publication 800-61r2. A definite requirement not only for the exam, but as a regular part of a security professional’s tool-kit, the focus during incident response is on being thorough rather than fast. The process as mapped to the current exam includes the following steps, with Step 8 feeding back to the first:
- Preparation – The training, policies, and procedures identified before an incident.
- Detection – The analysis of events to determine if a security incident has occurred.
- Response – When the incident team works to contain and understand the attack.
- Mitigation – When a resolution or fix for a system attach is identified.
- Reporting – The documentation of findings and actions taken throughout the event.
- Recovery – The steps taken to restore the affected systems to operational status.
- Remediation – Making the system or administrative changes that were vulnerable.
- Lessons Learned – Providing a report of the incident for improvements to be made.
Operational Preventive and Detective Controls
The concept of continued and evolving preparation for security operations extends into the preventative and detective controls that an organization can have in place to monitor their systems. An Intrusion Detection System (IDS) is a device used to detect malicious events on a system while an Intrusion Prevention System (IPS) is a preventative device used to prevent malicious events from having the opportunity to occur. Each IDS and IPS systems can be network-based or host-based. Where the device is placed can affect how network traffic is analyzed and even how it moves, with Network-based IPS (NIPS) systems altering the flow of traffic, including blocking bad traffic, while NIDS systems only monitor the flow using a series of rules as a guide to trigger alerts. Host-based systems, however, only focus on traffic as it enters a host – a process, dataset, systems, or an application – using patterns, behavior analysis, and anomaly detection to look for malicious traffic.
Security Information and Event Management (SIEM) tools are also used to ease the analysis of data coming in from various systems as a way to identify trends and monitor operational risk in a more automated fashion. When used with other tools like Data Loss Prevention, endpoint security tools like antivirus, whitelisting, encryption, and media controls, security professionals can constantly monitor the threats to their assets.
Business Continuity and Disaster Recovery Planning
Two of the most critical concepts in a security professional’s’ toolkit include the ability to facilitate the development of a Business Continuity Planning (BCP) and the subsequent Disaster Recovery Planning (DRP). While related, the two differ in their scope in how an organization responds in the face of a disruptive event. In specific, a BCP focuses on the business as a whole and the critical services that need to be in place, and a DRP provides the short-term plan for responding to specific, identified disruptions caused by natural, human, or environmental sources.
Best practices in DRP often include a series of steps that involve responding to an event through to its recovery. In short, organizations need to be able to Respond; Activate a Recovery Team; Communicate Status; Assess Damage; and Reconstitute critical business operations with many conducting regular testing, training, and awareness campaigns to prepare. BCPs also include other plans, such as Continuity of Operations, Crisis Communications, and Executive Success Plans, to further outline procedures and roles during a disaster. Both DRPs and BCPs are vital to an organization’s ability to be ready for disruptive events and should, therefore, be supported by management and be informed by an evaluation of an organization’s assets.
Backups and Availability
All the planning and testing would be for naught if there were no discussions on data backup and availability planning techniques. To be able to recover critical operations in a timely fashion, organizations have a number of options to choose from to back up their data, including the frequency to which the information can be captured and recovered. Full system backups capture every piece of information and store it in a separate repository, but are time, bandwidth, and resource intensive. Incremental, or backups of data since a certain period of time, are logistically easier while Differential Backups only archive data that has changed since the last full backup. These copies can be held on tapes, through electronic vaulting, remote journaling, or redundant databases, each with their own benefits and pitfalls to consider.
Security operations ultimately focus on how to make data available to users in a way that protects its availability, confidentiality, and integrity. By understanding the people, tools, data, and plans that make up a sound and secure operation, security professionals can help to contain threats to critical operations, both from the inside and out.