CISSP Domain 7: Security Operations - What you need to know for the exam
Cyber crime is increasing exponentially each year, with the annual global cost of such crimes now approaching $100 billion. An estimated 13 million records are exposed each year through a combination of viruses, malware, phishing, Web-based attacks and malicious insider actions, and approximately 35% of attacks target businesses.
Cyber criminals today are targeting organizations of all sizes, and large organizations in particular, because their extensive footprint and the nature of the data on their networks make them a tempting target. To protect business-critical IT and business infrastructure from these criminals, deploying an extensive security monitoring infrastructure and building a Security Operations Center (SOC) is crucial.
Security operations are concerned with the day-to-day access and security of system resources. This means that there must be a Security Operations Center (SOC) framework in place consisting of the proper policies, standards, procedures and guidelines for the core and support services of an organization. The policies must also be under continual review to ensure they remain up to date and relevant. By having these policies in place, and reviewing them as necessary, an organization is showing due care and diligence. Securing a network always requires walking a fine line between ensuring users have access to the tools and resources necessary to perform their jobs, while still providing protection for the network.
One area of concern for operations staff is providing high availability. Through RAID, clustering, and redundant solutions, an organization can reduce downtime, whether the outage is the result of a malicious attack or simply a power failure.
Proper storage and disposal techniques are another key area of security operations and are part of normal operating procedures. System hardening, configuration management and change management are responsibilities of operations as well. Activities under core services also include penetration testing, vulnerability assessments and the implementation of IDS/IPS controls to provide an additional layer of assurance on the network.
The Security Operations domain of the CISSP primarily focuses on detecting and protecting sensitive and business-critical information within an organization. This article briefly touches on the core security operations models that any business needs to follow to deliver comprehensive security protection.
When we consider the term “operations” we normally think about the day-to-day tasks necessary to run a business. So the term Security Operations revolves around ensuring that we have policies, standards, procedures, etc., in place to ensure that our normal business functions are secure and that we’re providing Confidentiality, Integrity, and Availability (C-I-A) to the routine functions of the business.
Resource protection makes certain that media and other assets which are valuable to the business are protected throughout the lifetime of the resource. The purpose of Patch and Vulnerability Management is to identify controls and processes that provide appropriate protection against threats that could adversely affect the security of the information system or the data entrusted to it. Effective implementation of these controls creates a consistently configured environment that is secure against known vulnerabilities in operating system and application software. The purpose of the Incident Management policy is to establish controls and processes that give the firm's information systems an effective monitoring capability and responsiveness against security threats and incidents. Design and implementation of an incident management framework secures the information system against known vulnerabilities and threats.
The key objectives for CISSP include:
- Understanding security operations concepts
- Need-to-know/least privilege
- Separation of duties and responsibilities
- Monitor special privileges (e.g., operators, administrators)
- Job rotation
- Marking, handling, storing, and destroying of sensitive information
- Record retention
- Employing resource protection
- Media management
- Maintenance and operation of IT Security Assets & Services
- Asset management (e.g., equipment life cycle, software licensing)
- Security Operations Center
- Vulnerability Management
- Endpoint Protection
- Data Security
- Proxy and Web Content Filtering
- Network Forensics
- Information Risk Management
- Change and Configuration Management (versioning, baselines, etc.)
The key points CISSP focuses on for security operations include:
- Information owners should dictate who can access resources and what level of access users can possess. The security administrator's job is to make sure this happens.
- Administrative, physical, and technical controls should be utilized to achieve the management’s directives.
- Administrative controls include development and publication of policies, standards, procedures, and guidelines; screening of personnel; security awareness training; and monitoring of system activity and change control procedures.
  - Example: Procedures indicating how servers should be installed, annual security awareness education for all employees, implementing a change control program.
- Technical controls consist of logical access control mechanisms, password and resource management, identification and authentication methods, security devices and configuration of the network.
  - Example: Anti-virus software, intrusion detection systems, locking down operating systems, encryption, firewalls.
- Physical controls entail controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion and environmental controls.
  - Example: Removing floppy drives from computers, locking chassis, security guards monitoring the facility, air conditioning and humidity control.
The information owner is usually a senior executive within the management group of the company. The information owner has the final corporate responsibility of data protection and would be the one held liable for any negligence when it comes to protecting the company’s information assets. The person that holds this role is responsible for assigning a classification to the information and dictating how the information should be protected.
If the information owner does not lay out the foundation of data protection and ensure that the directives are being enforced, this would violate the due care concept.
Access Control Types
There are several types of security mechanisms and they all need to work together. The complexity of the controls and of the environment they are in can cause the controls to contradict each other or leave gaps in security. This can introduce unforeseen holes in the company’s protection that are not fully understood by the implementers.
Very strict technical access controls could be in place and all the necessary administrative controls could be up to snuff, but if any person is allowed to physically access each and every system in the facility, then there are clear security dangers present within the environment.
Directive controls are specific policies that prohibit or mandate actions in order to reduce risk. All controls, whether administrative, technical or physical, can be further sub-categorized as preventative, detective or corrective.
Technical next generation focus areas – Threat Intelligence, investigation and other security operation services
Some of the key focus areas in which a technical security service mitigates an organization's cyber security risk are:
Threat and event analysis
- Security alert analysis, notification and escalation, 24/7/365
- Recommendations for remediation
- Trend analysis and reporting at regularly scheduled intervals (weekly, monthly, and quarterly)
System support and health monitoring
- Operational analysis and recommendations
- Source data feed monitoring
- Threat research and analysis services
Threat intelligence (threat research and analysis)
Almost as important as knowing what security events are happening or have taken place is knowing which emerging security threats might directly impact your business in the near future. This is the objective of security operation services, which comprise a suite of services (such as investigations, investigation types, logging and monitoring, secure provisioning, resource protection techniques, incident management, preventative measures, etc.) that provide:
- Enriched threat intelligence feeds which can be integrated into the organization's deployed Security Incident and Event Management (SIEM) solution to enable correlation of security events in the organization's infrastructure with known bad actors in the wild. While the scope of the proposed effort generally does not include investigations based on the alerts triggered by integrating these feeds into the SIEM, the security operation analysts will monitor the data that is integrated into the SIEM environment.
- Threat intelligence use cases and content tuning, which implement generic and custom threat intelligence monitoring content within the organization's monitoring environment. While the scope of services does not generally include tuning the SIEM for an organization's environment, the security analysts will identify tuning needs throughout the project and follow the change management process to get them aligned with the business and deployed in the infrastructure.
- Threat research and analysis services, which give the analysts working with an organization's security monitoring team access to business insights so that threat analysis is comprehensive and relevant to the business. This enables interactive research and analysis of current and emerging threats with business context.
The described security services enable analysts to cross-reference alerts and incidents with potentially known bad actors, which will significantly enhance the Security Operations Center’s (SOC) ability to escalate and provide analysis and recommendations to the business. Additionally, periodic reviews of the security processes and threat research and analysis are critical to mature the processes and to identify potential emerging priority threats for an organization.
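The correlation step described above, as an added example that is not part of the original article: constructed SIEM alerts are matched against a constructed indicator feed (the actor labels, confidence values and addresses are sample values, not real indicators) and hits are ranked so the SOC can escalate the most significant ones first.

```python
"""Cross-reference SIEM alerts with a threat intelligence feed (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str       # single IP, CIDR block, or domain
    kind: str        # "ip" or "domain"
    actor: str       # actor label carried by the feed (assumed field)
    confidence: int  # feed confidence, 0-100 (assumed field)


# Constructed feed using documentation address ranges; not real indicators.
FEED = [
    Indicator("198.51.100.23", "ip", "ACTOR-A", 90),
    Indicator("203.0.113.0/24", "ip", "ACTOR-B", 60),
    Indicator("bad.example", "domain", "ACTOR-A", 80),
]

# Constructed SIEM alerts; severity is the SIEM's own 1-4 scale (assumed).
ALERTS = [
    {"id": 1, "severity": 3, "src_ip": "198.51.100.23", "domain": ""},
    {"id": 2, "severity": 2, "src_ip": "203.0.113.77", "domain": ""},
    {"id": 3, "severity": 1, "src_ip": "192.0.2.5", "domain": "www.bad.example"},
    {"id": 4, "severity": 4, "src_ip": "192.0.2.9", "domain": "good.example"},
]


def match_indicator(alert, ind):
    """True when the alert's source IP falls in the indicator network or
    its domain equals / is a subdomain of the indicator domain."""
    if ind.kind == "ip":
        return ipaddress.ip_address(alert["src_ip"]) in ipaddress.ip_network(ind.value)
    host = alert["domain"].lower()
    return host == ind.value or host.endswith("." + ind.value)


def correlate(alerts, feed):
    """Return enriched hits sorted highest priority first.
    Priority = alert severity x feed confidence, so a low-severity alert
    on a high-confidence indicator still surfaces above routine noise."""
    hits = []
    for alert in alerts:
        for ind in feed:
            if match_indicator(alert, ind):
                hits.append({"alert": alert["id"], "actor": ind.actor,
                             "indicator": ind.value,
                             "priority": alert["severity"] * ind.confidence})
    hits.sort(key=lambda h: -h["priority"])
    return hits
```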
System support and health monitoring (operational analysis and system health)
Of equal importance to reporting and alerting on security incidents is the continuous review of incidents after the fact to suggest short- and long-term improvements to an organization's response posture. To this end, the SOC should include an operational analysis component, which cross-analyzes a wide spectrum of alerts to look for broad indicators of systemic security and/or SIEM operational issues.
The operational analysis should be performed in parallel with the other monitoring areas and should require no interruption of those services. Security analysts should review an aggregation of the organization's alerts, reports and client feedback. The output of this process is a set of regular checkpoints back to the organization highlighting:
- Potential security issues
- Possible security infrastructure misconfigurations or required patches
- Suggested improvements to an organization’s incident response procedures
- Suggested improvements to existing SIEM content
- Additional SIEM content for existing use cases
- Additional use cases to address issues identified during operational analysis
The operational analysis provides daily and weekly reporting to the organization’s L2/L3 incident response team, punctuated by monthly review meetings in which the security analyst facilitates an in-depth discussion of the security trends identified from incident analysis over its history, for example the past month. The operational analysis service will also leverage threat research to provide perspective on evolving threats that could impact an organization’s security infrastructure and operations.
System health services are crucial because the security operations analysts will, at periodic intervals, review the patch levels and system availability of the organization's security monitoring infrastructure. For systems that require patching or hardening, the analyst will enter a ticket in the reporting system and follow up with the appropriate stakeholder to confirm that the needed patches have been applied or that monitoring sensors that have experienced an outage have been restored to service. The analyst will aggregate these tickets for inclusion in the operational analysis report.
In performing the system health services, the security team should follow a predefined process for ensuring that SIEM source devices are reporting into the SIEM as expected. This process should be developed and reviewed as an outcome of monitoring the organization's business infrastructure and should include generation of a weekly summary of variances from expected reporting.
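The weekly variance summary described above (and the source data feed monitoring listed earlier), as an added example that is not part of the original article: a constructed per-source weekly baseline is compared against constructed event counts pulled from the SIEM, and each source is classified as silent, low, high, unexpected or ok, with ticket lines produced for everything that needs follow-up. The source names, counts and the 25% tolerance are assumptions.

```python
"""Weekly SIEM log-source variance summary (added example)."""
from dataclasses import dataclass

# Constructed baseline: source -> expected weekly event count.
BASELINE = {
    "fw-edge-01": 700_000,
    "dc-auth-01": 120_000,
    "proxy-01": 450_000,
    "ids-sensor-03": 30_000,
}

# Constructed counts observed in the SIEM for the week under review.
OBSERVED = {
    "fw-edge-01": 690_000,
    "dc-auth-01": 0,        # silent: sensor outage, nothing arrived
    "proxy-01": 150_000,    # large volume drop: likely partial outage
    "ids-sensor-03": 31_000,
    "lab-host-77": 5_000,   # reporting but not in the baseline
}


@dataclass
class Variance:
    source: str
    status: str      # "silent", "low", "high", "unexpected" or "ok"
    expected: int
    observed: int
    deviation: float  # (observed - expected) / expected; -1.0 when silent


def variance_summary(baseline, observed, tolerance=0.25):
    """Classify every baseline source and flag sources outside the baseline.
    Findings are ordered so the most urgent (silent) come first."""
    findings = []
    for src, expected in baseline.items():
        got = observed.get(src, 0)
        if got == 0:
            status, dev = "silent", -1.0
        else:
            dev = (got - expected) / expected
            status = "low" if dev < -tolerance else "high" if dev > tolerance else "ok"
        findings.append(Variance(src, status, expected, got, round(dev, 3)))
    for src, got in observed.items():
        if src not in baseline:  # unknown feed: check it was approved via change management
            findings.append(Variance(src, "unexpected", 0, got, 0.0))
    order = {"silent": 0, "low": 1, "high": 2, "unexpected": 3, "ok": 4}
    findings.sort(key=lambda v: (order[v.status], v.source))
    return findings


def tickets(findings):
    """One ticket line per source needing stakeholder follow-up."""
    return [f"{v.source}: {v.status} (expected {v.expected}, observed {v.observed})"
            for v in findings if v.status != "ok"]
```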