(ISC)² CISSP

CISSP domain 7: Security operations — What you need to know for the exam [Updated 2022]

March 31, 2022 by Greg Belding

With the rise of cybercrime to a near exponential level, you may ask, “what is the front line in this battle with cybercrime?” The closest thing to a front line is the day-to-day security operations (aside from end points) of an organization. Be it a security operations center (SOC), logging and monitoring, insertable media management and maintaining preventive measures, or even security training and awareness— security operations can be considered one of the first lines of defense against the constant threat of cybercrime.

The 7th domain of the CISSP certification exam covers security operations. The day-to-day security tasks are not limited to an information security professional monitoring security incidents in a dark SOC computer lab. Instead, security operations is a broad categorization of information security tasks that ranges from how an organization handles security investigations to applying resource protection to maintaining detective measures.

This article will detail the wide range of subdomains covered in domain 7 of CISSP and their respective objectives. It will finish up with further information you will need to know about domain 7, so you can ace the 2021 update of the CISSP certification exam.  

CISSP domain 7: Security operations

Below are the subdomains and objectives covered by domain 7, which make up 13% of the material covered on the CISSP certification exam:

Understand and comply with investigations

  • Evidence collection and handling
  •  Reporting and documentation
  • Investigative techniques
  • Digital forensics tools, tactics, and procedures
  • Artifacts (e.g., computer, network, mobile device)

 Conduct logging and monitoring activities

  • Intrusion detection and prevention
  • Security Information and Event Management (SIEM)
  • Continuous monitoring
  • Egress monitoring
  • Log management
  • Threat intelligence (e.g., threat feeds, threat hunting)
  • User and Entity Behavior Analytics (UEBA)

Perform Configuration Management (CM) (e.g., provisioning, baselining, automation

 Apply foundational security operations concepts

  • Need-to-know/least privilege
  • Separation of Duties (SoD) and responsibilities
  • Privileged account management
  • Job rotation
  • Service Level Agreements (SLAs)

Apply resource protection

  • Media management
  • Media protection techniques

Conduct incident management

  • Detection
  • Response
  • Mitigation
  • Reporting
  • Recovery
  • Remediation
  • Lessons learned

Operate and maintain detective and preventative measures

  • Firewalls (e.g., next generation, web application, network)
  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
  • Whitelisting/blacklisting
  • Third-party provided security services
  • Sandboxing
  • Honeypots/honeynets
  • Anti-malware
  • Machine learning and Artificial Intelligence (AI) based tools 

Implement and support patch and vulnerability management

Understand and participate in change management processes

Implement recovery strategies

  • Backup storage strategies
  • Recovery site strategies
  • Multiple processing sites
  • System resilience, High Availability (HA), Quality of Service (QoS), and fault tolerance

Implement Disaster Recovery (DR) processes

  • Response
  • Personnel
  •  Communications
  • Assessment
  • Restoration
  •  Training and awareness
  •  Lessons learned

Test Disaster Recovery Plans (DRP)

  • Read-through/tabletop
  • Walkthrough
  • Simulation
  • Parallel
  • Full interruption

Participate in Business Continuity (BC) planning and exercises

 Implement and manage physical security

  • Perimeter security controls
  •  Internal security controls

Address personnel safety and security concerns

  • Travel
  • Security training and awareness
  •  Emergency management
  • Duress

Now that you are familiar with the objectives and subdomains let’s look more closely at security operations information that will assist you as you get ready for the CISSP certification exam. You can find more information, such as a complete listing of the domains and CISSP linear examination weights, in the CISSP exam outline.

Artifacts

New for the 2021 CISSP exam update, this topic addresses artifacts, which are the things left behind from a security incident that may form a trail of when something happened and what happened. These clues are important for a security investigation and should be preserved as much as possible. Artifacts can reside on computers, network devices, and mobile devices.

New topics covered by conduct logging and monitoring activities

This subdomain covers some topics that are new for the 2021 CISSP exam update. These new topics are:

Log management — refers to the organization and lifecycle of logs. Logs cannot last forever, but they need to be around for long enough so a third-party tool or SIEM can ingest the data in the log and for admins to have enough time to remediate any issues found within them.

Threat intelligence — this is threat-related data that can help in minimizing threats. Examples of threat intelligence are threat feeds and threat hunting.

User and entity behavior analytics (UEBA) — this is a more cutting-edge area of information security that analyzes both user and system behavior to determine a baseline of what is considered normal and to help detect anomalous behavior. It can be thought of as similar to how financial institutions detect fraudulent activity based on anomalous use of a consumer credit card.

Patch management vs. vulnerability management

Some may use patch management and vulnerability management interchangeably, which is mistaken. Patches are software updates that are provided by vendors and patch management is the process of managing all of the patches across an organizational environment. A good patch management system includes automatic detection and download of new patches, automatic distribution of patches, reporting on patch compliance, and automatic rollback capabilities. 

Vulnerability management focuses on vulnerabilities, which are ways an environment is at risk. The risk referred to here is that which would cause your environment to be compromised or degraded. Vulnerability management solutions can scan an environment looking for vulnerabilities. Be ready to explain zero-day vulnerabilities and zero-day exploits on the exam.

Change management

Change management is an area of security operations that may get overlooked. It refers to a structured way an organization handles changes in its environment. The goals of change management are to minimize risk, improve user experience, and provide consistency regarding changes that occur. Organizations approach change differently, but some commonly seen change management steps are:

  •       Identify the need for a change
  •       Test the change in a lab
  •       Put in a change request
  •       Obtain approval
  •       Send out notifications
  •       Perform the change
  •       Send out “all clear” notifications

Conclusion

Domain 7 of the CISSP certification exam covers security operations. This area of CISSP material can be thought of as one of the first lines of defense against cyber threats and exploits. It covers a wide range of security tasks across different areas of information security. Use this article as you prepare for the CISSP certification exam, and you will have a solid start in mastering this exam material.

For more on the CISSP certification, view our CISSP hub.

Sources

  1.   CISSP Exam Pattern Changes, May 2021
Posted: March 31, 2022
Author
Greg Belding
View Profile

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.

Leave a Reply

Your email address will not be published.