Operating and Maintaining Preventative Measures

This course is the 2nd of 4 modules of Domain 7 of the CISSP, covering Security Operations.

Learning Objectives

The objectives of this course are to provide you with the ability to:

  • Employ resource protection techniques
  • Conduct incident response
  • Operate and maintain preventative measures
  • Implement and support patch and vulnerability management
  • Participate in and understand change management processes

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.

Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.

We're going to move on into section eight, where we're going to talk about how we operate and maintain preventive measures. So here are our section topics: we're going to look at the various forms of preventative tools that we're going to have in place, which will include firewalls, IDS/IPS, our intrusion response process, and IDS management.

Now, operations can be impacted by a variety of threats, and these threats may be caused by individuals or environmental factors. The security practitioner who is aware of common threats will be more prepared to propose or implement controls to mitigate or limit the potential for damage. Just as most security requirements can be summed up by the CIA triad, most threats are associated with their opposites. In the case of confidentiality, that would be disclosure; in the case of integrity, that would be corruption or contamination; and, when it comes to availability, that would be mostly destruction. So, let's go into these various preventative measures and see what contribution they make.

Firewalls are a very common preventative measure. Most organizations wouldn't dream of connecting themselves to the Internet, an example of an unknown and untrusted network, so they put these devices at the perimeter, where their corporate enterprise network connects to the rest of the world. This technology is designed to examine and filter traffic, both inbound and outbound, based on a set of rules designed to indicate what will or will not be allowed. They typically operate at either the network layer or at the application layer. Usually, alongside it will be something along the lines of an intrusion detection system.

Here we have a network intrusion detection system; this is usually incorporated into the network in a passive architecture. A network intrusion detection system has to examine every packet traversing the network so that it can see it and compare it to its rules or stored signatures. By inspecting these packets and monitoring sessions, it will be able to alert us when anything of an anomalous or an outright forbidden nature should happen to be traveling through the network, potentially going to impact systems or the applications available through it.

Now, IDS engine analysis methods include two basic families of techniques. These are going to be the ones that analyze the traffic based on either a pattern match, such as might be the case against a stored signature, or anomaly detection, which can be an unknown or unwanted pattern, or simply an unrecognized pattern, followed by an alert to say, "Hey, I've found this, this doesn't look normal to me, what do you think I should do?" Intrusion detection also uses stateful matching: it scans for attack signatures in the context of a stream of traffic, or overall system behavior, rather than looking at individual packets or discrete system activities.

We have the statistical anomaly-based intrusion detection, which attempts to identify suspicious behavior by analyzing event data and identifying patterns of entries that deviate from a predicted norm. Along with these, we have protocol anomaly-based, which identifies an unacceptable deviation from expected behavior, based on known network protocols. And then traffic anomaly-based, which identifies unacceptable deviation from expected behavior, based on actual traffic structure.

Now, the intrusion detection system and the intrusion prevention system are both given deterministic logic. When these are brought in and installed and implemented, from the moment they're activated on the network, they begin to learn. The deterministic logic in their programming looks at various patterns; it stores the patterns, or accepts custom programming by its operator. When it learns, and it learns from the moment it's turned on until the moment it's disconnected, it will get better and better at recognizing things that are anomalous, either based on protocol or traffic or statistical models. So over time, it gets to be more and more effective, reducing false positives and false negatives, and increasing the probability that what it will see are things that really do require your attention, rather than many false positives that lead you in wrong directions.

Tactics also include doing whitelisting and blacklisting, in other words, those things that are always okay, or those things that are never okay. We have spam filtering, which may rest on the ability to recognize unwanted traffic, which we would call spam. It has the ability to put in place a sandbox, so that anything that it recognizes, it puts a virtual environment around it to isolate it from the systems that it may be attempting to assault. If we're looking for a person, an actual hacker, we put up honeypots, or possibly a string of honeypots in a honeynet, simulating a real environment. We have anti-malware, of course, or we have third-party services that can provide this as a managed security service.
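The lecture names three analysis families an IDS engine uses: matching a stored signature against a single packet, stateful matching across a stream of traffic, and statistical anomaly detection against a predicted norm. The following is an added example, not course material or any IDS vendor's code, that implements a toy engine with all three over a constructed packet stream. The signature names, thresholds, baseline volumes and addresses (RFC 5737 documentation ranges) are all made up for the illustration.

```python
"""
Minimal IDS engine showing the three analysis families the lecture names:
signature (pattern) matching on a single packet, stateful matching across a
stream of packets, and statistical anomaly detection against a learned baseline.
Added illustration, not Cloud Academy's or any IDS vendor's code; every packet,
signature name and baseline number below is constructed for the example.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str            # TCP flags as letters: "S" = SYN, "A" = ACK, "PA" = PSH+ACK
    payload: bytes = b""
    nbytes: int = 0       # wire size, used for the volume baseline


# 1. Signature matching: a stored pattern checked against each packet in isolation.
SIGNATURES = [  # hypothetical signature ids
    ("sig-001 directory traversal", re.compile(rb"\.\./\.\./")),
    ("sig-002 shell metacharacter in query string", re.compile(rb"[?&][^= ]+=[^&]*[;|`]")),
]


def match_signatures(pkt: Packet) -> list[str]:
    return [f"signature: {name} from {pkt.src}" for name, pat in SIGNATURES if pat.search(pkt.payload)]


# 2. Stateful matching: one SYN is normal; many half-open SYNs from one source to one
#    host, never completed by an ACK, is a port scan. Only visible with state kept
#    across the stream, which is the point of stateful matching.
class SynScanTracker:
    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.half_open: dict[tuple[str, str], set[int]] = defaultdict(set)
        self.alerted: set[tuple[str, str]] = set()   # alert once per (src, dst)

    def observe(self, pkt: Packet) -> str | None:
        key = (pkt.src, pkt.dst)
        if pkt.flags == "S":
            self.half_open[key].add(pkt.dport)
        elif "A" in pkt.flags:
            self.half_open[key].discard(pkt.dport)   # handshake completed
        if len(self.half_open[key]) > self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return f"stateful: possible SYN scan {pkt.src} -> {pkt.dst} ({len(self.half_open[key])} half-open ports)"
        return None


# 3. Statistical anomaly: learn a per-source byte-volume baseline, then flag sources
#    more than z_max standard deviations above it. One-sided on purpose: unusually
#    high outbound volume is the exfiltration signal; unusually low is not interesting.
class VolumeBaseline:
    def __init__(self, z_max: float = 3.0):
        self.z_max = z_max
        self.mean, self.stdev = 0.0, 1.0

    def train(self, per_source_volumes: list[int]) -> None:
        self.mean = statistics.mean(per_source_volumes)
        self.stdev = statistics.pstdev(per_source_volumes) or 1.0   # avoid divide by zero

    def zscore(self, volume: int) -> float:
        return (volume - self.mean) / self.stdev

    def is_anomalous(self, volume: int) -> bool:
        return self.zscore(volume) > self.z_max


def run_ids(packets: list[Packet], baseline: VolumeBaseline) -> list[str]:
    """Feed a packet stream through all three engines and return the alerts raised."""
    alerts: list[str] = []
    scanner = SynScanTracker()
    volume: dict[str, int] = defaultdict(int)
    for pkt in packets:
        alerts.extend(match_signatures(pkt))
        if (hit := scanner.observe(pkt)) is not None:
            alerts.append(hit)
        volume[pkt.src] += pkt.nbytes
    for src, total in volume.items():
        if baseline.is_anomalous(total):
            alerts.append(f"anomaly: {src} sent {total} bytes, z={baseline.zscore(total):.1f}")
    return alerts


# Constructed baseline: per-source byte totals seen during a quiet learning period.
TRAINING_VOLUMES = [1200, 1350, 1100, 1400, 1250, 1300]

# Constructed packet stream: a normal client carrying two bad requests, a port scanner,
# and a host pushing far more bytes than the baseline predicts.
SAMPLE_STREAM = [
    Packet("10.0.0.5", "192.0.2.10", 80, "S", nbytes=60),
    Packet("10.0.0.5", "192.0.2.10", 80, "A", nbytes=52),
    Packet("10.0.0.5", "192.0.2.10", 80, "PA", b"GET /../../etc/passwd HTTP/1.1\r\n", nbytes=600),
    Packet("10.0.0.5", "192.0.2.10", 80, "PA", b"GET /search?q=foo;id HTTP/1.1\r\n", nbytes=540),
] + [Packet("198.51.100.7", "192.0.2.10", p, "S", nbytes=60) for p in (21, 22, 23, 25, 80, 443)] + [
    Packet("203.0.113.9", "192.0.2.20", 443, "PA", nbytes=9000),
]


def demo() -> list[str]:
    baseline = VolumeBaseline()
    baseline.train(TRAINING_VOLUMES)
    return run_ids(SAMPLE_STREAM, baseline)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running `demo()` yields four alerts: the two signature hits on the client's requests, one stateful alert when the scanner's sixth half-open port crosses the threshold, and one volume anomaly for the 9000-byte sender. Note that the normal client, whose 1252 bytes sit close to the baseline mean, and the scanner, whose volume is low rather than high, are not flagged by the statistical engine; each family catches something the others cannot, which is why real deployments run them together.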

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.

Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.