CISSP: Domain 7 - Security Operations - Module 1
Understanding and Supporting Investigations

This course is the first of 4 modules of Domain 7 of the CISSP, covering Security Operations.

Learning Objectives

The objectives of this course are to provide you with the ability to:

  • Understand and support investigations
  • Understand requirements for investigation types
  • Conduct logging and monitoring activities
  • Secure the provisioning of resources through configuration management
  • Understand and apply foundational security operations concepts

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Welcome back to the Cloud Academy presentation of the CISSP exam preparation review seminar. Today we're going to begin our discussion of Domain 7 - Security Operations. Now, security operations can be very challenging. It's essentially two domains in one, operations security and security operations, which are distinctly different but complementary. Operations security is primarily concerned with the protection and control of information processing assets in centralized and distributed environments. Security operations is primarily concerned with the daily tasks required to keep security services operating reliably and efficiently. Operations security is a quality of other services and also a set of services in its own right. In addition, this domain discusses the concepts of business continuity planning and disaster recovery planning, which address the preparation, processes and practices required to ensure the preservation of the organization in the face of major disruptions to normal organization operations. BCP and DRP involve the identification, selection, implementation, testing, and updating of processes and specific prudent actions necessary to protect critical organizational processes from the effects of major system and network disruptions and to ensure timely restoration of organization operations, should those significant disruptions occur.

Now here you see on slide two the domain agenda and the topics that you'll see here: investigations, requirements for investigation types, logging and monitoring activities, securing the provisioning of resources, understanding and applying foundational security operations concepts, employing resource protection techniques, conducting incident response, operating and maintaining preventive measures, followed by several other topics along these same lines. It becomes evident that security operations is indeed a complex and quite diverse domain. So even though there's quite a variety of topics that we'll be talking about in this particular domain, this is the place where all of the concepts and the other areas that we've discussed so far in the first six domains are put together and made to work. This is the place where you could say the rubber really meets the road: what we've spoken of is now being put into action, and we're actually able to make it work, to derive the results that the entire CISSP certification and its domains and areas of focus are really intended to bring about.

So here we are at our first section, section one, understanding and supporting investigations, and in this section, we're going to discuss several topics, beginning with the incident scene, evidence collection and handling, incident handling and response, followed by digital forensics. Now when we look at the incident scene, this is the environment where potential evidence may exist. We're going to apply the various principles and methods of forensic science. We first must identify the scene, and that is essentially to draw a boundary around all of the territory, if you will, that may be included. For a computer that might be limited to a specific computer, the desk it's sitting on, the room that it's in, and so on, but to identify the scene is to throw a boundary around it; otherwise the scene itself could extend well past the point of necessity and usability. We have to protect the environment. Everything that we do from this point carries with it the risk that we're going to contaminate the environment in some way, and so we need to protect it, primarily from any additional modification or introduction of any material, any person, or any thing that will change it from the state in which we find it initially.

Now that we've done these things, we need to identify evidence and potential sources of evidence, all within the boundaries that we've set up. We need to minimize, throughout this entire process, the degree of contamination, and that includes anything that anyone else might introduce, anything that could be introduced by environmental factors, and of course, safeguarding against anything that we ourselves, as the analyst in this case, might introduce. Then we need to conduct the process carefully, painstakingly and thoroughly to collect the evidence itself.

So in information forensics or any forensic science, one of the persons who set forth a lot of the principles that are used in today's world was Dr. Edmond Locard, many times regarded as one of the first serious, dedicated forensicists. He has a famous quote and it applies very much here. "Whatever the intruder touches, whatever he leaves, even unconsciously, all of these bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment, nor is it absent because human witnesses are, or because the seeker knows not where or what he may be seeking. Physical evidence cannot be wrong, it speaks with its own voice, it cannot perjure itself, it cannot be wholly absent. Only human failure to recognize or find it diminishes it." In his statement, he's basically saying that no matter what happens, nothing occurs and leaves no trace of itself. The fact that we may not know what we're looking for, or where it might be hiding, or what form we might find it in, is immaterial. Something will be there; we just need to look hard enough and thoroughly enough, with open eyes and open minds, to find it.

In computer forensics, digital forensics, information systems forensics, call it what you will, evidence is going to be volatile. It ranges all the way from the most volatile, something stored in the memory of a computer that's running right now, to the non-volatile, such as what might be stored on a hard drive or on a tape, but in all cases, we must recognize that the data is dynamic and exists in processes that disappear in a relatively short time frame once the system is powered down, and therefore, we must act with haste but not with recklessness.

So we're going to apply some general guidelines to form the basic method and technique of how we're going to identify and collect the evidence. All general forensic and procedural principles must be applied; these are very methodical and very careful. Methods employed to seize digital evidence must not alter the evidence. It's an article of faith among all forensicists that any method used to collect evidence cannot in any way change it, in the way that a pair of pliers used to pick up a piece of bent metal at the crash site of an aircraft would leave tool marks on it. Any person having access to original digital evidence must be trained, and they must be trained in all the important respects of how this is to be conducted, to make sure that all evidence is preserved pristine, and that everyone knows exactly what to do and, more specifically, what not to do.

All activity relating to seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review. This, of course, is one of the principles that is very close to the heart of the chain of custody, one of the most important aspects of this entire process. While an individual is in possession of digital evidence, he or she is responsible for protecting it from all actions taken. This is part of the chain of custody: if any person should check out a piece of evidence for examination and analysis, everything that happens to it from the instant it leaves its protective locker to the time it is returned must be accounted for. Custody of that particular piece of evidence should not change without it being documented and authorized, nothing should be performed against it without being documented, and everything that is documented should be documented exactly as it occurs. There should be no time gaps and no lapses.
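To make the chain-of-custody rule concrete, the following added example (not course material) models a custody log for one evidence item in Python and checks it for the gaps just described. The data model, the handler names, the timestamps and the sample image bytes are all constructed for the example; a real evidence-management system records far more, but the checks are the same: the hash taken at acquisition must match after every handling step, timestamps must run in order, and custody must pass only through documented transfers.

```python
"""Evidence integrity and chain-of-custody verification.

Added example, not part of the course. It assumes a simple model, constructed
for illustration: evidence is acquired as a byte image, its SHA-256 is recorded
at acquisition, and every custody event (acquire, checkout, checkin) is logged
with a UTC timestamp, the handler and the hash of the image after the action.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence image; recomputed after every handling step."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: datetime        # UTC, exactly as it occurred
    handler: str
    action: str           # "acquire", "checkout" or "checkin"
    purpose: str
    hash_after: str       # SHA-256 of the image after this action


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    log: list[CustodyEvent] = field(default_factory=list)

    def record(self, when: datetime, handler: str, action: str,
               purpose: str, current_image: bytes) -> None:
        self.log.append(CustodyEvent(when, handler, action, purpose,
                                     sha256_hex(current_image)))


def verify_chain(item: EvidenceItem) -> list[str]:
    """Return a list of findings; an empty list means the chain is intact."""
    findings: list[str] = []
    if not item.log or item.log[0].action != "acquire":
        return ["chain does not begin with an acquisition record"]
    # 1. Entries must be in the order they occurred.
    for prev, cur in zip(item.log, item.log[1:]):
        if cur.when < prev.when:
            findings.append(f"out-of-order timestamp at {cur.action} by {cur.handler}")
    # 2. The evidence must never change: every recorded hash equals the acquisition hash.
    for ev in item.log:
        if ev.hash_after != item.acquisition_hash:
            findings.append(f"hash mismatch after {ev.action} by {ev.handler} "
                            f"at {ev.when.isoformat()}")
    # 3. Custody must be continuous: each checkout is closed by a checkin from the same handler.
    holder = None
    for ev in item.log:
        if ev.action == "checkout":
            if holder is not None:
                findings.append(f"{ev.handler} checked out while {holder} still held the item")
            holder = ev.handler
        elif ev.action == "checkin":
            if holder is None:
                findings.append(f"{ev.handler} checked in an item that was not checked out")
            elif holder != ev.handler:
                findings.append(f"{ev.handler} checked in an item held by {holder} "
                                "(undocumented transfer)")
            holder = None
    if holder is not None:
        findings.append(f"item still checked out to {holder}; no check-in recorded")
    return findings


def _ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample standing in for an acquired drive image (not real evidence).
SAMPLE_IMAGE = b"constructed sample disk image bytes -- not real evidence"


def build_intact_chain() -> EvidenceItem:
    item = EvidenceItem("EV-001", "workstation HDD image (constructed)", sha256_hex(SAMPLE_IMAGE))
    item.record(_ts("2024-01-10T09:00:00"), "a.analyst", "acquire", "imaged behind a write blocker", SAMPLE_IMAGE)
    item.record(_ts("2024-01-11T13:15:00"), "a.analyst", "checkout", "keyword search", SAMPLE_IMAGE)
    item.record(_ts("2024-01-11T16:40:00"), "a.analyst", "checkin", "returned to evidence locker", SAMPLE_IMAGE)
    return item


def build_broken_chain() -> EvidenceItem:
    item = EvidenceItem("EV-002", "USB stick image (constructed)", sha256_hex(SAMPLE_IMAGE))
    item.record(_ts("2024-01-10T09:00:00"), "a.analyst", "acquire", "imaged", SAMPLE_IMAGE)
    item.record(_ts("2024-01-12T10:00:00"), "a.analyst", "checkout", "timeline review", SAMPLE_IMAGE)
    # A different person returns it and one byte differs: two gaps the log must surface.
    altered = SAMPLE_IMAGE + b"\x00"
    item.record(_ts("2024-01-12T12:00:00"), "b.examiner", "checkin", "returned", altered)
    return item
```

Running `verify_chain(build_intact_chain())` returns an empty list, while the broken chain yields two findings: a hash mismatch at the check-in and a check-in by someone other than the documented holder. Either one is exactly the kind of unexplained gap opposing counsel will use to challenge the analyst's credibility, which is why the log must be written as events occur rather than reconstructed afterwards.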

Any agency responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles. In all of this, of course, policies and procedures will play a very central role. Anyone working in this area must have a solid foundation of knowledge and policy. The incident response process and evidence handling have been covered, and every person needs to be retrained again and again to make sure that everybody stays sharp, alert, and fully informed about what they should and should not do. Fundamental to every role involved in this will be internal and external communications, to be sure that they are well documented, authentic and very clear.

We must always have a properly trained response team. This will include members of internal staff, or it could include an external contractor; there's no particular prohibition against anyone external coming in. What does matter is that, whether internal or external, they follow all proper forensic procedure. All core areas must be represented. This will involve the primary members, usually the IT department and of course IT security, but there will also be ex-officio members who should be kept in the information loop. This typically will include legal, HR, physical security, audit, and of course several other departments such as management.

As I mentioned, chain of custody is one of the most important things. Anytime a forensic analyst is going to sit in a witness box, one thing is going to happen to him: his credibility, his chain of custody, will be challenged by opposing counsel. To dispose of one, either the chain of custody and its integrity or the analyst and his integrity, disposes of both, and so this is a vitally important thing to protect. This is integrated with the EDRM model, which you'll see on the next slide. This tracks evidence handling from collection to disposal. It is a formal, well-documented process and must be followed without fail. There cannot be even a single unexplained gap in the timeline.

And here's the electronic discovery reference model, or EDRM. As you see, it begins with information management, the overall process. Following that are identification, preservation, collection, processing, review, analysis, production and presentation, and in each one of these steps chain of custody must be maintained throughout.

During the process of analyzing the digital evidence, the analyst may be called upon to do interviewing or possibly interrogation. Both of these involve one person talking to another with a specific goal, and whoever conducts them has to be aware of what they're after, what the goal is, who they're talking to and some basic rules. Investigators must keep in mind, however, concerns such as due process, the rights of the individual being questioned and considerations unique to the organization or to the jurisdiction. Now interviewing, as you might guess, differs substantially from interrogation. Interviewing is a non-threatening procedure where experts try to ascertain the abilities and capabilities of the candidate, such as in a job interview. It is therefore a directed discussion to gain insights into the individual, but the thing about interviewing, and one thing that distinguishes it quite dramatically from interrogation, is that it's not hostile and it's not competitive. It is simply an interview to gain information, and as such it can be very non-threatening and very pleasant. In contrast to that, interrogation is typically a tool which is much more aggressive in its emotional and psychological impact between the interrogator, the one who's in charge, and the suspect. This is a trained behavior; this is something you must be taught how to do. All of us can interview, some better than others, and we can refine our technique, but interrogation is definitely something that must be taught. It is a focused process to obtain information, often in the form of a confession; therefore it is competitive, it is aggressive and it is hostile, and it should be left to the professionals, but it is a form of evidence collection.

Now some basic principles in digital forensics have been discussed, and the evidence has been discussed as well. As I said earlier, evidence speaks with its own voice. Evidence must be presented very plainly, very straightforwardly and very directly. Some basic principles that apply to this are these: it must be authentic, in other words, it must have integrity as to where it comes from, how it was collected and how it was handled. It must be accurate, or our record of it must be, so that we record all the facts and present them in an unbiased, clear and straightforward way. It must be complete, that is, it must tell its entire story. If it relies on something else, that's not it being incomplete; that is showing where it fits in the general chain of events. It must be convincing. Ideally, evidence should be convincing, whether for or against. Either one can be dealt with very readily; the worst kind of evidence is ambiguous, because that means it can be skewed either way, as the interpreter may choose. If it's convincing, it's fairly clear. And it must, of course, be admissible. Evidence must be collected in a way that does not taint its source or the legality of using it, and so it must be admissible to the process; otherwise, it's of no value at all.

Of course, one of the primary subjects in forensics is media analysis. This is, of course, the technological recovery of information or evidence from information media, such as a storage device or a computer. We will, of course, run into various conditions. The media may have been damaged, it may have been overwritten, degaussed or reused. In other words, it may have been corrupted through some sort of attempt to conceal what its contents might be, or it may simply have been damaged through mishandling or an accident. However it is, we have to be able to work with whatever we're given.

There will, of course, be the necessity to do network analysis. Now network analysis is not just sniffing the network; network analysis includes the analysis of data coming from logs and activity to show the relationship between actions and certain evidence that we may either be collecting or will collect. This is a critical phase in the process, and it depends on proper evidence management and handling to make sure that we do not contaminate or lose a source of very important evidence.
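As an added illustration of the log side of network analysis (example code, not from the course), this Python block normalizes two constructed log sources, an sshd-style authentication log and a key=value firewall log, into one UTC-ordered timeline and links each accepted login to the firewall events from the same source address within a five-minute window. Hosts, addresses, users and the log formats themselves are all constructed; the point is that actions recorded in one source can only be related to evidence in another once timestamps and identifiers have been normalized, and the analysis is done on copies so the original logs are untouched.

```python
"""Log correlation for network analysis (added example, not course material).

Builds a single UTC-ordered timeline from two constructed log sources and links
each accepted login to firewall events from the same source address within a
short window. All log lines, hosts and addresses below are constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample: sshd-style authentication log lines (deliberately out of order).
AUTH_LOG = [
    "2024-01-10T09:01:05Z sshd[1201]: Accepted password for svc_backup from 10.0.5.23 port 51022 ssh2",
    "2024-01-10T09:00:40Z sshd[1201]: Failed password for root from 10.0.5.23 port 51010 ssh2",
    "2024-01-10T11:30:00Z sshd[1340]: Accepted publickey for ops from 10.0.9.4 port 40120 ssh2",
]
# Constructed sample: firewall log lines in key=value form.
FW_LOG = [
    "ts=2024-01-10T09:00:35Z action=allow src=10.0.5.23 dst=10.0.1.10 dport=22",
    "ts=2024-01-10T09:03:00Z action=allow src=10.0.5.23 dst=10.0.1.10 dport=445",
    "ts=2024-01-10T10:15:00Z action=deny src=10.0.5.23 dst=10.0.1.10 dport=3389",
    "ts=2024-01-10T11:29:50Z action=allow src=10.0.9.4 dst=10.0.1.10 dport=22",
]

AUTH_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Accepted|Failed) (\w+) for (\S+) from (\S+) port \d+")


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; the trailing Z means UTC, so every source compares alike."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_auth(line: str) -> dict | None:
    """Normalize one sshd-style line; lines that do not match are skipped, not guessed at."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts, outcome, method, user, src = m.groups()
    return {"ts": _ts(ts), "source": "auth", "outcome": outcome.lower(),
            "method": method, "user": user, "src": src}


def parse_fw(line: str) -> dict | None:
    """Normalize one key=value firewall line."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    if "ts" not in fields or "src" not in fields:
        return None
    return {"ts": _ts(fields["ts"]), "source": "fw", "action": fields.get("action"),
            "src": fields["src"], "dst": fields.get("dst"), "dport": fields.get("dport")}


def build_timeline(auth_lines: list[str], fw_lines: list[str]) -> list[dict]:
    """Merge both sources into one list ordered by UTC timestamp."""
    events = [e for e in map(parse_auth, auth_lines) if e]
    events += [e for e in map(parse_fw, fw_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate_logins(timeline: list[dict],
                     window: timedelta = timedelta(minutes=5)) -> list[tuple[dict, list[dict]]]:
    """For each accepted login, collect firewall events from the same src within +/- window."""
    results = []
    for ev in timeline:
        if ev["source"] == "auth" and ev["outcome"] == "accepted":
            related = [f for f in timeline
                       if f["source"] == "fw" and f["src"] == ev["src"]
                       and abs(f["ts"] - ev["ts"]) <= window]
            results.append((ev, related))
    return results


if __name__ == "__main__":
    for login, related in correlate_logins(build_timeline(AUTH_LOG, FW_LOG)):
        print(login["ts"].isoformat(), login["user"], login["src"],
              [(f["ts"].time().isoformat(), f["action"], f["dport"]) for f in related])
```

On the constructed data the login by `svc_backup` is linked to two firewall events (the port 22 allow that precedes it and a port 445 allow two minutes later), while the later `ops` login is linked only to its own port 22 allow. The denied 3389 attempt falls outside the window and is left for the analyst to judge in context rather than being silently attached to a login.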

Following collection, obviously, there must be some form of analysis that is performed. Now software analysis encompasses investigative activities such as malware analysis. This would include examining the malware sample that has been collected to determine its function, how it's put together and what its signature is. This can be done in the form of capturing a virus and examining it for these purposes, or it could be used to determine the outcome of an intellectual property dispute, which of course would include potential copyright infringements or patent infringements or any other infringing activity on an owned piece of intellectual property. Now the goals for things like this include author identification, content analysis, and payload and context analysis. That last one would be more along the lines of examining malware for the functions that it performs.

For author identification, we want to determine who the creator or author of the software, program or other kind of intellectual property in question is. Each author has a unique style that helps distinguish between potential suspects. If you put this in the context of viruses, in looking at the author we're not attempting to name the author; what we're attempting to do is align the style that we encounter with the style of other viruses that have been captured and analyzed for this purpose. By putting it into a category and establishing a pattern of analyses and a pattern of signatures, we begin to get a sense of what drives the author and how they do things, so that when we look at samples of other viruses in the future, we'll have a sense of whether they may come from the same source.

In looking at content analysis, we're looking to systematically analyze the code's purpose. This is oftentimes used in cases related to intellectual property disputes, and through it we're able to develop a high-level view of the impact if, in this case, the malware should happen to activate. More and more, as we deal with the internet of things and the various components that are inside of a computer, we're going to look at hardware or embedded device analysis as one of the techniques that we have to employ when it comes to examining the entire scene. This looks at the standard hardware and firmware in a laptop or a desktop computer's motherboard. We're going to have to have special tools and techniques that will enable us to image the embedded devices. One of the problems we run into, unique to these types of devices, is that they cannot be read or copied without altering the relevant information or evidence that we seek to collect, but we have to determine these techniques so that we can collect it without risking the pristine nature of what we hope to find within these devices.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.