SY0-701 Domain 4: Security Operations Study Guide – In-Depth

SY0-701 Domain 4: Security Operations – In-Depth Guide

Objective: Gain a deep understanding of operational security processes, tools, and best practices as required for CompTIA Security+ SY0-701 Domain 4.

4.1 Common Security Techniques

Secure Baselines & System Hardening

Creating and enforcing secure configurations reduces attack surfaces and ensures consistency:

• Configuration Baselines:
  • Define golden images for OS and applications using CIS Benchmarks or vendor hardening guides.
  • Use automation tools (Ansible, Puppet, Chef) to deploy configurations at scale.
• Hardening Tasks:
  • Remove unnecessary services and software, close unused ports.
  • Enforce password policies and account lockouts via Group Policy.
  • Implement secure boot, disable legacy protocols (e.g., SMBv1).
• Monitoring & Drift Detection:
  • Use continuous compliance scanners (OpenSCAP, Chef InSpec).
  • Alert on deviations from baseline and auto-remediate where possible.

Wireless & Mobile Security

Mobile and wireless environments introduce unique risks and require specialized controls:

• Wireless Site Survey:
  • Use tools (Ekahau, AirMagnet) to map signal strength, interference, and rogue AP detection.
  • Create heat maps and implement directional antennas in high-density areas.
• Encryption & Authentication:
  • Implement WPA3-Personal or WPA3-Enterprise with Simultaneous Authentication of Equals (SAE).
  • Deploy 802.1X authentication with EAP-TLS using RADIUS servers.
• Mobile Device Management (MDM) & Unified Endpoint Management (UEM):
  • Enforce encryption, remote wipe, containerization (e.g., Android Enterprise, iOS Managed Apps).
  • Apply geofencing, jailbreak/root detection, application whitelisting.

4.2 Asset Management Lifecycle

Effective asset management ensures visibility and control over all organizational assets:

1. Procurement & Inventory:
   • Perform vendor security evaluation, regulatory checks, license compliance.
   • Record asset details (serial numbers, location, owner) in a Configuration Management Database (CMDB).
2. Deployment & Classification:
   • Tag assets physically/virtually; apply classification labels (Public, Internal, Confidential, Regulated).
   • Integrate with Identity and Access Management (IAM) for owner accountability.
3. Monitoring & Maintenance:
   • Use network discovery (Nmap, SolarWinds) and endpoint inventory tools.
   • Patch management synchronization; schedule decommission timelines.
4. Decommission & Disposal:
   • Follow data sanitization standards (NIST SP 800-88) for media disposal.
   • Ensure secure recycling or destruction with audit trails and certificates.

4.3 Vulnerability Management

Identification Techniques

• Authenticated vs Unauthenticated Scanning: Balance depth vs risk of disruption.
• Static Application Security Testing (SAST) vs Dynamic (DAST): Code-level vs runtime analysis.
• Fuzzing for input validation flaws; integrate into CI/CD pipelines.
• Threat Intelligence feeds (MITRE CVE, vendor bulletins) to stay ahead of zero-days.

Risk Prioritization

• Calculate Single Loss Expectancy (SLE) and Annual Loss Expectancy (ALE) for quantitative assessment.
• Use Common Vulnerability Scoring System (CVSS) base, temporal, and environmental metrics.
• Incorporate business impact, exploit availability, and threat actor interest.

Remediation Strategies

• Patch management via automated orchestration (WSUS, SCCM, satellite servers).
• Temporary compensating controls: Network segmentation, access ACLs.
• Exception management: Formal risk acceptance process with documented justification.

Validation & Reporting

• Rescan to confirm remediation; perform regression testing in staging.
• Generate executive dashboards showing vulnerability trends, Mean Time to Remediate (MTTR).

4.4 Security Tools & Technologies

Security Information and Event Management (SIEM)

• Log aggregation from heterogeneous sources (firewalls, servers, applications).
• Normalization and parsing; custom correlation rules for threat detection.
• Alert tuning to reduce false positives; integrate threat intelligence for context enrichment.

Security Orchestration, Automation, and Response (SOAR)

• Automate playbooks: Phishing triage, malware containment, user de-provisioning.
• Integrate with ticketing systems (ServiceNow, Jira) for workflow management.

Endpoint Detection and Response (EDR) / Extended Detection and Response (XDR)

• Behavior analytics, root cause analysis, automated isolation of compromised hosts.
• XDR extends visibility to email, network, cloud workloads for holistic detection.

Network Access Control (NAC)

• Pre-admission and post-admission controls; dynamic VLAN assignment, remediation VLANs.
• Agent-based vs agentless posture validation, integration with certificate-based authentication.

Data Loss Prevention (DLP)

• Content inspection (regex, fingerprinting) and contextual analysis (user, device, application).
• Policy enforcement: Alert, block, quarantine, encrypt.

Intrusion Detection/Prevention Systems (IDS/IPS) & Next-Generation Firewalls (NGFW)

• Signature-based vs anomaly-based detection; inline blocking vs alert-only modes.
• Application-level inspection, user identity integration, SSL/TLS decryption capabilities.

4.5 Secure Protocols

• SSH: Secure Shell for remote administration; use key-based auth and port management.
• TLS: Ensure use of TLS 1.2 / 1.3, disable weak ciphers, implement HSTS.
• IPSec: Configure Internet Key Exchange (IKEv2), use ESP with AES-GCM and SHA-2 integrity.
• Use DNS Security Extensions (DNSSEC) to authenticate DNS records and prevent cache poisoning.

4.6 Identity and Access Management

• Implement Privileged Access Management (PAM) to vault credentials and enforce Just-In-Time access.
• Use risk-based MFA with adaptive policies (location, device posture, behavior analytics).
• Enforce segregation of duties and role reviews quarterly to prevent privilege creep.

4.7 Public Key Infrastructure & Certificates

• Design internal CA hierarchies with root and issuing CAs; enforce offline root CA.
• Implement Online Certificate Status Protocol (OCSP) stapling for HTTP services.

4.8 Incident Response & Forensics

1. Preparation: IR plan, playbooks, team training.
2. Detection & Analysis: Use SIEM alerts, EDR telemetry, threat hunting queries.
3. Containment: Short-term (network isolation) vs long-term (segmentation).
4. Eradication: Remove malware, apply patches.
5. Recovery: Restore systems from clean backups, validate functionality.
6. Lessons Learned: Post-mortem meetings, update IR plan.

Forensics Tools: EnCase, FTK, Autopsy, Volatility for memory analysis.

4.9 Logging, Monitoring & Alerting

• Implement log forwarding agents, ensure timezone normalization and NTP sync.
• Use UEBA (User and Entity Behavior Analytics) to detect insider threats and credential misuse.
• Deploy Network Detection and Response (NDR) solutions for lateral movement detection (Zeek, Darktrace).
• Establish KPI metrics: MTTR (Mean Time to Respond), MTTD (Mean Time to Detect), log coverage percentage.