CISSP Domain 7 Study Guide

CISSP Domain 7 – Security Operations covers investigative concepts including evidence collection and handling, documentation and reporting, investigative techniques, and digital forensics.

Key technologies used in security operations include firewalls, intrusion prevention systems, application whitelisting, anti-malware, honeypots and sandboxing. The domain also covers managing third-party security contracts and services, and the patch, vulnerability and change management processes.

The goal is to understand security operations well enough that incident response and recovery, disaster recovery, and business continuity can be as effective as possible. Here are some important concepts you will need to know in Domain 7 of the CISSP.

Important Security Operations Concepts

There are four different investigation types:

  1. Administrative :
    • Lower burden of proof.
    • Conducted inside an organization.
    • Violation of organizational policies.
  2. Criminal :
    • Evidence needs to be beyond a reasonable doubt.
    • Prosecution under criminal laws.
  3. Civil :
    • Preponderance of evidence.
    • Between private entities.
    • Determines if an entity is liable or not.
  4. Regulatory :
    • Preponderance of evidence.
    • Can be either criminal or civil.
    • Determines if an organization is compliant with a regulation.

  • Need to Know and Least Privilege
    • Access should be given based on a need to know. The principle of least privilege means giving users the fewest privileges they need to perform their job tasks. Access is only granted when a specific privilege is deemed necessary. It is a good practice and is almost always recommended.
      • Aggregation – the combining of multiple entitlements into a single unit; this is common in role-based access control, where a user’s effective permissions are the sum of the roles they hold.
      • Transitive trust – from a Microsoft Active Directory perspective, a root or parent domain automatically trusts all child domains. Because of the transitivity, all child domains also trust each other. Transitivity makes it simpler to manage trusts, but it is important to be careful. In high-security environments, it isn’t uncommon to see non-transitive trusts used, depending on the configuration and requirements.
  • Separation of Duties and Responsibilities
    • Separation of duties refers to the process of separating certain tasks and operations so that a single person doesn’t control everything. Administration is key, as each person would have administrative access to only their area.
    • The goal of separation of duties is to make it more difficult to cause harm to the organization, for example via destructive actions or data loss. With separation of duties, it is often necessary for two or more people to work together (collude) to cause harm to the organization.
    • Separation of duties is not always practical, though, especially in small environments. In such cases, you can rely on compensating controls or external auditing to minimize risk.
  • Privileged Account Management
    • A special privilege is a right not commonly given to people. Actions taken using special privileges should be closely monitored.
    • For high-security environments, you should consider a monitoring solution that offers screen captures or screen recording in addition to the text log.
  • Job Rotation
    • Job rotation is the act of moving people between jobs or duties. The goal of job rotation is to limit how long one person stays in a certain job or handles a certain set of responsibilities.
    • This minimizes the chance of errors or malicious actions going undetected. Job rotation can also be used to cross-train members of teams to minimize the impact of an unexpected leave of absence.
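The following is an added example, not part of the study guide, showing how least privilege, need to know, permission aggregation and separation of duties look when enforced in code. The roles, permission names, project labels and the payroll scenario are all constructed for illustration.

```python
"""Added example: a small authorization engine that enforces least privilege,
need to know and separation of duties. Roles, users and the payroll scenario
are constructed for illustration, not taken from the study guide."""
from dataclasses import dataclass, field

# Role -> permissions. Each role carries only what that job needs (least privilege).
ROLE_PERMISSIONS = {
    "payroll_clerk": {"read_payroll", "submit_payment"},
    "payroll_approver": {"read_payroll", "approve_payment"},
    "backup_operator": {"run_backup", "restore_backup"},
    "auditor": {"read_payroll", "read_audit_log"},
}

# Role pairs one person must never hold at the same time (separation of duties).
CONFLICTING_ROLES = {frozenset({"payroll_clerk", "payroll_approver"})}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    projects: set = field(default_factory=set)  # need-to-know scope


def assign_role(user: User, role: str) -> None:
    """Add a role, refusing combinations that would violate separation of duties."""
    for pair in CONFLICTING_ROLES:
        if role in pair and (pair - {role}) & user.roles:
            raise ValueError(
                f"{user.name}: role {role!r} conflicts with existing roles {sorted(user.roles)}")
    user.roles.add(role)


def effective_permissions(user: User) -> set:
    """Aggregation: the user's permissions are the union of those of every role held."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: User, permission: str, project: str) -> bool:
    """Least privilege: the permission must come from a held role.
    Need to know: the user must also be assigned to the project the data belongs to."""
    return permission in effective_permissions(user) and project in user.projects


def approve_payment(submitter: User, approver: User, project: str) -> bool:
    """Two-person rule: a different person with approve rights must sign off on what
    the submitter submitted, and both must have a need to know for the project."""
    if submitter.name == approver.name:
        return False
    return (is_authorized(submitter, "submit_payment", project)
            and is_authorized(approver, "approve_payment", project))


if __name__ == "__main__":
    alice = User("alice", projects={"payroll-2024"})
    bob = User("bob", projects={"payroll-2024"})
    assign_role(alice, "payroll_clerk")
    assign_role(bob, "payroll_approver")
    print(is_authorized(alice, "read_payroll", "payroll-2024"))  # True
    print(is_authorized(alice, "read_payroll", "mergers"))       # False: no need to know
    print(approve_payment(alice, bob, "payroll-2024"))           # True
    print(approve_payment(alice, alice, "payroll-2024"))         # False: same person
    try:
        assign_role(alice, "payroll_approver")                   # conflicting role
    except ValueError as exc:
        print("blocked:", exc)
```

The conflict table is what makes collusion necessary: Alice can never approve her own payment because she cannot even be granted the approver role while she holds the clerk role.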

Information Lifecycle

Information lifecycle is made up of the following phases:

  • Collect data – data is gathered from automated sources and when users produce data such as creating a new spreadsheet.
  • Use data – users read, edit, and share data.
  • Retain data (optional) – data is archived for the time required by the company’s data retention policies.
  • Legal hold (occasional) – a legal hold requires you to maintain one or more copies of specific data in an unalterable form during a legal scenario, an audit, or a government investigation. A legal hold is often narrow and, in most cases, is invisible to users and administrators who are not involved in placing the hold.
  • Delete data – the default delete action in most operating systems is not secure. The data is simply marked as deleted but is still in storage until overwritten. To have an effective information lifecycle, you must use secure deletion techniques such as disk wiping, degaussing, and physical destruction.
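As an added example (not from the study guide), the script below walks one file through the last phases of the lifecycle: a legal hold blocks deletion until it is released, and the final delete overwrites the bytes before unlinking rather than relying on the operating system's default delete. The file contents, hold reason and the `ManagedFile` class are constructed for the demo.

```python
"""Added example: a lifecycle record that refuses deletion while a legal hold is in
place, and a best-effort secure delete that overwrites a file before unlinking it.
File contents, the hold reason and the class names are constructed for the demo."""
import os
import tempfile


class LegalHoldError(Exception):
    """Raised when a delete is attempted on data that is under legal hold."""


class ManagedFile:
    """Tracks a file through collect -> use -> retain -> (legal hold) -> delete."""

    def __init__(self, path: str):
        self.path = path
        self.hold_reasons = set()

    def place_hold(self, reason: str) -> None:
        self.hold_reasons.add(reason)

    def release_hold(self, reason: str) -> None:
        self.hold_reasons.discard(reason)

    def on_hold(self) -> bool:
        return bool(self.hold_reasons)

    def delete(self, passes: int = 1) -> None:
        """Delete only if no hold applies; otherwise raise so the data is preserved."""
        if self.on_hold():
            raise LegalHoldError(
                f"{self.path} is under legal hold: {sorted(self.hold_reasons)}")
        secure_delete(self.path, passes)


def secure_delete(path: str, passes: int = 1) -> None:
    """Overwrite the file's bytes in place, flush to disk, then unlink.
    Caveat: on SSDs and on copy-on-write or journaling file systems the old blocks
    may survive; full-disk encryption or physical destruction is the reliable answer."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, 1 << 16))
                fh.write(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)


def demo() -> dict:
    """Run the lifecycle on a temp file and report what happened at each step."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"quarterly payroll export\n" * 100)  # constructed sample content
    record = ManagedFile(path)
    record.place_hold("litigation-2024-demo")
    result = {"blocked_during_hold": False, "deleted_after_release": False}
    try:
        record.delete()
    except LegalHoldError:
        result["blocked_during_hold"] = os.path.exists(path)  # data still there
    record.release_hold("litigation-2024-demo")
    record.delete(passes=2)
    result["deleted_after_release"] = not os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())  # {'blocked_during_hold': True, 'deleted_after_release': True}
```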

Service-Level Agreements (SLAs)

An SLA is an agreement between a provider (which could simply be another department within the organization) and the business that defines the level at which the service being provided is considered acceptable.

You’ll most likely come across this as providing a reliable service measured in "nines" of availability. This is basically an availability or coverage threshold. The focus is usually on high availability and site resiliency. Sometimes there are financial penalties for not meeting SLA requirements.
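Here is an added example (not part of the study guide) that turns an availability target in "nines" into a downtime budget and checks a month of recorded outages against it. The month, the two outage windows and the penalty amount are constructed sample data.

```python
"""Added example: check measured availability against an SLA target expressed in
'nines'. The reporting period, outage windows and penalty are constructed."""
from datetime import datetime, timedelta


def allowed_downtime(target: float, period: timedelta) -> timedelta:
    """Downtime budget for a period at a given availability target (e.g. 0.999)."""
    return period * (1.0 - target)


def measured_availability(period_start: datetime, period_end: datetime, outages) -> float:
    """Availability = 1 - (downtime inside the period / period length).
    Outages are (start, end) pairs; any part outside the period is clipped."""
    period = (period_end - period_start).total_seconds()
    down = 0.0
    for start, end in outages:
        s, e = max(start, period_start), min(end, period_end)
        if e > s:
            down += (e - s).total_seconds()
    return 1.0 - down / period


def sla_report(target: float, period_start: datetime, period_end: datetime,
               outages, penalty_per_breach: float = 0.0) -> dict:
    """Compare measured availability with the target and apply any agreed penalty."""
    avail = measured_availability(period_start, period_end, outages)
    budget = allowed_downtime(target, period_end - period_start)
    return {
        "availability": round(avail, 6),
        "target": target,
        "met": avail >= target,
        "budget_minutes": budget.total_seconds() / 60,
        "penalty": 0.0 if avail >= target else penalty_per_breach,
    }


# Constructed sample: a 30-day reporting period with two outages (25 min and 10 min).
MONTH_START = datetime(2024, 3, 1)
MONTH_END = datetime(2024, 3, 31)
OUTAGES = [
    (datetime(2024, 3, 4, 2, 0), datetime(2024, 3, 4, 2, 25)),
    (datetime(2024, 3, 18, 14, 0), datetime(2024, 3, 18, 14, 10)),
]

if __name__ == "__main__":
    # 35 minutes of downtime fits a 99.9% budget (43.2 min) but not a 99.99% one (4.32 min).
    print(sla_report(0.999, MONTH_START, MONTH_END, OUTAGES))
    print(sla_report(0.9999, MONTH_START, MONTH_END, OUTAGES, penalty_per_breach=500.0))
```

The same outage history passes three nines and fails four, which is why the target written into the SLA matters more than the word "reliable".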

Maintaining Detective and Preventative Measures

  • Type 1 Hypervisors are VM hypervisors installed directly on the bare-metal hardware, with no underlying operating system. These hypervisors often perform better.
  • Type 2 Hypervisors are applications installed in an OS. They are called hosted hypervisors. These hypervisors often perform slower than type 1 hypervisors since the host OS has to translate each call.
  • Tripwire is a HIDS (host-based intrusion detection system).
  • A NIPS is like an IDS, but it is installed inline in the network. It can modify network packets or block attacks.
  • IACIS is a non-profit organization of digital forensic professionals. Its CFCE credential was the first certification demonstrating competency in computer forensics in relation to Windows-based computers.
  • CFTT is a project created by NIST to test and certify forensics equipment.
  • A Software Escrow Agreement allows the customer to have access to the source code of software when the vendor stops support or goes out of business.

Detective and Preventative Measures

Firewalls

The operation of firewalls involves more than modifying rules and reviewing logs. You also need to review the configuration change log to see which configuration settings have been changed recently.

Intrusion Detection and Prevention Systems

You need to routinely evaluate the effectiveness of your IDS and IPS. They are not set-and-forget security solutions. The alerting functionality needs to be reviewed and fine-tuned: too many false-positive alerts, and the more dangerous false negatives, will impede detection and ultimately response.

Whitelisting and Blacklisting

Whitelisting is the process of marking applications as allowed, while blacklisting is the process of marking applications as disallowed. Maintaining these lists can be automatic and can be built-in to other security software.
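To make the difference between the two lists concrete, here is an added example (not from the study guide) of application control by file hash. An allowlist denies everything it does not recognize, while a blocklist allows everything it does not recognize, so the same unknown binary gets opposite decisions. The three "binaries" are constructed byte strings, not real software.

```python
"""Added example: application control by SHA-256 hash, contrasting an allowlist
(default deny) with a blocklist (default allow). The sample 'binaries' are
constructed byte strings, not real programs."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for files an endpoint might try to execute.
APPROVED_APP = b"#!/bin/sh\necho approved corporate tool\n"
KNOWN_BAD = b"#!/bin/sh\necho known-bad sample\n"
UNKNOWN = b"#!/bin/sh\necho never seen before\n"

ALLOWLIST = {sha256_hex(APPROVED_APP)}  # hashes of approved software
BLOCKLIST = {sha256_hex(KNOWN_BAD)}     # hashes of software known to be unwanted


def allowlist_decision(data: bytes) -> str:
    """Whitelisting: anything not explicitly approved is denied."""
    return "allow" if sha256_hex(data) in ALLOWLIST else "deny"


def blocklist_decision(data: bytes) -> str:
    """Blacklisting: anything not explicitly banned is allowed."""
    return "deny" if sha256_hex(data) in BLOCKLIST else "allow"


def compare(data: bytes) -> dict:
    """Show both decisions side by side for the same file."""
    return {"allowlist": allowlist_decision(data), "blocklist": blocklist_decision(data)}


if __name__ == "__main__":
    for name, blob in [("approved", APPROVED_APP), ("known_bad", KNOWN_BAD), ("unknown", UNKNOWN)]:
        print(name, compare(blob))
    # A one-line change to the approved tool produces a different hash, so the
    # allowlist no longer matches: keeping the list current after every patch is
    # the maintenance cost the guide refers to.
    print("patched", compare(APPROVED_APP + b"# v2\n"))
```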

Security Services Provided by Third Parties

Some vendors offer security services that ingest logs from your environment. These services handle detection and response by using artificial intelligence or a large network operations center to sort through the noise. Other services perform assessments, audits, or forensics. There are also third-party security services that offer code reviews, remediation, or reporting.

Open Source Intelligence is the gathering of information from any publicly available resource. This includes websites, social networks, discussion forums, file services, public databases, and other online sources. This also includes non-Internet sources, such as libraries and periodicals. Besides data being available in public places, third parties can provide services to include this information in their security offerings.

Sandboxing

Sandboxing is a technique that separates software, computers, and networks from the rest of your environment. Sandboxes help minimize damage to a production network. Unfortunately, since sandboxes are not under the same scrutiny as the rest of the environment, they are often more vulnerable to attack. Sandboxes are also often used for honeypots and honeynets.

Honeypots and Honeynets

A honeypot or a honeynet is a computer or network that is deliberately deployed to lure bad actors so that their actions and commands are recorded. If you don’t know how something would be compromised, this is a great way to see some of the methods used so that you can better secure your environment. There are important and accepted uses, but don’t expect all unauthorized access to be malicious in nature.

It’s interesting that honeypots and honeynets can be seen as unethical due to their similarity to entrapment. It’s undeniable, though, that security-conscious organizations can still take advantage of the information gleaned from their use.

Anti-malware

Anti-malware is a broad term that encompasses all tools to combat unwanted and malicious software, messages, or traffic. Malicious software includes nearly all code, apps, software, or services that exist to trick users or cause overall harm. You should deploy anti-malware to every possible device, including servers, computers, and mobile devices. Make sure to keep this stuff updated!

A Security Information and Event Management (SIEM) system performs the following functions :

  • Aggregation : Gathers security log information from multiple sources.
  • Normalization : Presents the collected data in a meaningful, understandable way.
  • Correlation : Compares the different logs to each other and provides a global view of the security status.
  • Reporting.
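The following added example (not from the study guide) runs the four SIEM functions over two constructed log feeds: a Linux sshd syslog extract and a JSON feed from a second system. Aggregation pulls both together, normalization maps them onto one schema, correlation links repeated failures and a later success from the same source address, and reporting summarizes what was found. The hosts, addresses and log lines are all constructed sample data.

```python
"""Added example: the four SIEM functions (aggregation, normalization, correlation,
reporting) over constructed log lines from two differently formatted sources."""
import json
import re
from datetime import datetime, timedelta

# Constructed sample logs: a Linux sshd syslog feed and a JSON feed from another system.
SSHD_LOG = """\
Mar 10 08:00:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar 10 08:00:03 web01 sshd[2101]: Failed password for root from 203.0.113.9 port 51130 ssh2
Mar 10 08:00:05 web01 sshd[2104]: Failed password for root from 203.0.113.9 port 51141 ssh2
Mar 10 08:00:09 web01 sshd[2107]: Accepted password for root from 203.0.113.9 port 51150 ssh2
Mar 10 08:05:00 web01 sshd[2200]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
"""
JSON_LOG = """\
{"ts": "2024-03-10T08:00:07", "host": "vpn01", "src_ip": "203.0.113.9", "user": "root", "result": "failure"}
{"ts": "2024-03-10T08:02:00", "host": "vpn01", "src_ip": "198.51.100.7", "user": "deploy", "result": "success"}
"""

SSHD_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for "
    r"(?:invalid user )?(\S+) from (\S+)")


def normalize_sshd(line: str, year: int = 2024):
    """Map one syslog line onto the common schema (syslog lines carry no year)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "src_ip": m.group(5), "user": m.group(4),
            "outcome": "failure" if m.group(3) == "Failed" else "success", "source": "sshd"}


def normalize_json(line: str) -> dict:
    """Map one JSON record onto the same schema."""
    rec = json.loads(line)
    return {"ts": datetime.fromisoformat(rec["ts"]), "host": rec["host"], "src_ip": rec["src_ip"],
            "user": rec["user"], "outcome": rec["result"], "source": "json"}


def aggregate() -> list:
    """Aggregation: collect events from both feeds into one time-ordered list."""
    events = [e for e in (normalize_sshd(l) for l in SSHD_LOG.splitlines() if l) if e]
    events += [normalize_json(l) for l in JSON_LOG.splitlines() if l]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list, min_failures: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Correlation: a success preceded, within the window, by >= min_failures failures
    from the same source address across any host is worth an alert."""
    alerts = []
    for ev in events:
        if ev["outcome"] != "success":
            continue
        prior = [p for p in events
                 if p["src_ip"] == ev["src_ip"] and p["outcome"] == "failure"
                 and ev["ts"] - window <= p["ts"] < ev["ts"]]
        if len(prior) >= min_failures:
            alerts.append({"src_ip": ev["src_ip"], "failures": len(prior),
                           "hosts": sorted({p["host"] for p in prior}),
                           "success_on": ev["host"], "user": ev["user"]})
    return alerts


def report() -> dict:
    """Reporting: a summary an analyst can act on."""
    events = aggregate()
    return {"events": len(events),
            "sources": sorted({e["source"] for e in events}),
            "alerts": correlate(events)}


if __name__ == "__main__":
    print(json.dumps(report(), indent=2, default=str))
```

Note that the alert only exists because of correlation: the three failures on web01 and the one on vpn01 would each look harmless inside their own log.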

Ingress monitoring

Ingress monitoring can be performed using tools such as firewalls, IDS/IPS, SIEM, and network taps or SPAN ports. It monitors for data originating from outside the trusted network.

Egress monitoring

Egress monitoring is about data that is leaving the trusted network.

Data Leak Prevention (DLP) is a common tool that is used in egress monitoring. It compares data that is leaving the organization against a predefined rule set.

Upon detecting a violation, the DLP can do one of the following :

  • Only reminds the user that they’re trying to send sensitive information.
  • Asks for a confirmation from the user before proceeding.
  • Stops the operation, and notifies management.
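As an added example (not from the study guide), the script below implements a minimal egress DLP rule set that inspects an outbound message and returns one of the three responses listed above: warn the user, require confirmation, or block and notify management. The rules, the classification markers, the internal domain `example.com` and the sample messages are constructed for illustration; the two card numbers are well-known test numbers that pass the Luhn check and belong to no real account.

```python
"""Added example: a minimal egress DLP rule set. Rules, thresholds, the internal
domain and the sample messages are constructed for illustration."""
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
CLASSIFICATION_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs do not trigger the card rule."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


# Rule set: (name, matcher, action). Actions: "warn" | "confirm" | "block".
RULES = [
    ("classification_marker", lambda t: bool(CLASSIFICATION_RE.search(t)), "warn"),
    ("single_card_number", lambda t: len(find_card_numbers(t)) == 1, "confirm"),
    ("bulk_card_numbers", lambda t: len(find_card_numbers(t)) >= 2, "block"),
]
SEVERITY = {"allow": 0, "warn": 1, "confirm": 2, "block": 3}


def evaluate(message: str, recipient_domain: str, internal_domain: str = "example.com") -> dict:
    """Egress only: traffic staying inside the trusted domain is not inspected.
    The most severe matching rule wins; 'block' also notifies management."""
    if recipient_domain == internal_domain:
        return {"action": "allow", "matched": [], "notify_management": False}
    matched = [name for name, test, _ in RULES if test(message)]
    action = max((a for n, _, a in RULES if n in matched), key=SEVERITY.get, default="allow")
    return {"action": action, "matched": matched, "notify_management": action == "block"}


# Constructed sample messages. 4111 1111 1111 1111 and 5500 0000 0000 0004 are
# widely published test numbers that pass Luhn; neither is a real account.
SAMPLES = {
    "plain": "Lunch at noon?",
    "marked": "Attached is the INTERNAL ONLY roadmap.",
    "one_card": "Customer card 4111 1111 1111 1111 needs a refund.",
    "export": "4111-1111-1111-1111\n5500 0000 0000 0004\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", evaluate(text, "partner.org"))
    print("export to internal ->", evaluate(SAMPLES["export"], "example.com"))
```

Two design points matter in practice: the Luhn check keeps order numbers and timestamps from producing false positives, and the severity ordering means a message that matches several rules gets the strictest response rather than the first one found.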

