Chapter 8: Domain 7: Security Operations
Abstract
Security Operations ensures appropriate security controls and processes throughout an asset’s lifecycle. Provisioning and operating assets require secure configuration, change, and patch management. The domain highlights technical controls employed to prevent or detect successful compromise. Preventive controls discussed include firewalls, sandboxing, and intrusion prevention. Detective capabilities explored include Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM), and User and Entity Behavior Analytics (UEBA). Correctly handling a detected compromise requires robust incident management practices, another focus of this domain. Some incidents warrant more thorough digital forensics investigations, and this domain highlights both the related processes and the tools. Another significant focus of security operations is Contingency Planning. Continuity of Operations seeks to ensure ongoing availability through highly available systems, Redundant Array of Inexpensive Disks (RAID), and Service Level Agreements (SLAs). Planning for inevitable disruptions involves strategic Business Continuity Planning and tactical, systems-focused Disaster Recovery Planning. Key elements include performing a Business Impact Analysis (BIA) to determine a system’s Maximum Tolerable Downtime (MTD), which informs recovery strategies.
Keywords: Threat intelligence; Digital forensics; Incident management; Disaster recovery; Patch management; Configuration management; Maximum Tolerable Downtime (MTD); Business Impact Analysis (BIA)
Exam objectives in this chapter:
- Administrative Security
- Forensics
- Incident Management
- Operational Preventive and Detective Controls
- Asset Management
- Continuity of Operations
- Business Continuity Planning
- Disaster Recovery Planning
Unique Terms and Definitions
- Business Continuity Plan (BCP)—a long-term plan to ensure the continuity of business operations
- Collusion—an agreement between two or more individuals to subvert the security of a system
- Continuity of Operations Plan (COOP)—a plan to maintain operations during a disaster
- Disaster—any disruptive event that interrupts normal system operations
- Disaster Recovery Plan (DRP)—a short-term plan to recover from a disruptive event
- Mean Time Between Failures (MTBF)—quantifies how long a new or repaired system will run on average before failing
- Mean Time to Repair (MTTR)—describes how long it will take to recover a failed system
- Mirroring—complete duplication of data to another disk, used by some levels of RAID
- Redundant Array of Inexpensive Disks (RAID)—a method of using multiple disk drives to achieve greater data reliability, greater speed, or both
- Striping—spreading data writes across multiple disks to achieve performance gains, used by some levels of RAID