Security Operations (28%)

Domain 4: Security Operations

Exam Weight: 28% | Largest weighted domain - expect many questions!

Domain Overview

Domain 4 is the largest on the exam, covering the day-to-day activities of security operations. This includes hardening systems, managing assets and vulnerabilities, monitoring for threats, implementing identity management, automating security tasks, and responding to incidents. Mastering this domain is essential for exam success.

Learning Objectives

After completing this domain, you should be able to:

• [ ] Apply common security techniques to computing resources
• [ ] Explain asset management security implications
• [ ] Perform vulnerability management activities
• [ ] Implement security monitoring concepts and tools
• [ ] Modify enterprise capabilities to enhance security
• [ ] Implement and maintain identity and access management
• [ ] Explain automation and orchestration importance
• [ ] Execute appropriate incident response activities
• [ ] Use data sources to support investigations

Lessons in This Domain

| Lesson | Topic | Objectives Covered |

|--------|-------|-------------------|

| 01_security_techniques.md | Security Techniques and Hardening | 4.1 |

| 02_asset_management.md | Asset Management | 4.2 |

| 03_vulnerability_management.md | Vulnerability Management | 4.3 |

| 04_monitoring.md | Security Monitoring | 4.4 |

| 05_enterprise_capabilities.md | Enterprise Security Capabilities | 4.5 |

| 06_iam.md | Identity and Access Management | 4.6 |

| 07_automation.md | Automation and Orchestration | 4.7 |

| 08_incident_response.md | Incident Response | 4.8 |

| 09_investigations.md | Security Investigations | 4.9 |

Key Concepts at a Glance

Hardening Targets

| Target | Key Actions |

|--------|-------------|

| Workstations | Remove bloatware, disable unnecessary services, apply baseline |

| Servers | Minimize roles, secure ports, implement logging |

| Mobile | MDM enrollment, encryption, remote wipe capability |

| Network Devices | Change defaults, disable unused ports, secure management |

| IoT | Segment network, change credentials, update firmware |

Vulnerability Management Lifecycle

Identification → Analysis → Response → Validation
     ↓              ↓           ↓           ↓
  Scanning      CVE/CVSS    Patching    Rescanning
  Threat feeds  Risk rating  Mitigation  Verification
  Pentesting    Prioritize   Accept      Audit

Incident Response Phases

1. Preparation: Policies, procedures, tools, training
2. Detection: Alerts, monitoring, threat intelligence
3. Analysis: Triage, scope determination
4. Containment: Isolate, preserve evidence
5. Eradication: Remove threat
6. Recovery: Restore systems
7. Lessons Learned: Post-incident review

IAM Concepts

| Concept | Description |

|---------|-------------|

| Authentication | Verify identity (who are you?) |

| Authorization | Grant access (what can you do?) |

| Accounting | Track actions (what did you do?) |

| Federation | Trust between domains |

| SSO | Single authentication for multiple systems |

| MFA | Multiple authentication factors |

Exam Tips for Domain 4

⚠️ High-Priority Topics:

• Incident response phases (memorize the order!)
• CVSS scoring and vulnerability prioritization
• Authentication factors (something you know/have/are/somewhere/do)
• Log types and what each reveals
• Hardening techniques for different device types

⚠️ Common Exam Traps:

• Don't confuse containment with eradication—containment is stopping spread, eradication is removing the threat
• SIEM aggregates logs; SOAR automates response—different functions
• Qualitative risk analysis uses categories (High/Medium/Low); quantitative uses numbers ($)
• MAM manages apps; MDM manages devices—both are mobile management

⚠️ Scenario Question Strategy:

For incident response scenarios:

1. What phase are they in?
2. What actions are appropriate for that phase?
3. What evidence needs to be preserved?
4. Who needs to be notified?

Study Checklist

Objective 4.1: Security Techniques

• [ ] Explain secure baseline concepts
• [ ] Apply hardening to different targets
• [ ] Implement wireless security (WPA3, RADIUS)
• [ ] Describe mobile security (MDM, BYOD, COPE)
• [ ] Apply application security techniques

Objective 4.2: Asset Management

• [ ] Explain acquisition and procurement security
• [ ] Describe asset ownership and classification
• [ ] Perform asset inventory and enumeration
• [ ] Apply secure disposal methods

Objective 4.3: Vulnerability Management

• [ ] Use vulnerability identification methods
• [ ] Apply CVSS scoring and analysis
• [ ] Implement vulnerability response actions
• [ ] Validate remediation effectiveness

Objective 4.4: Monitoring

• [ ] Describe monitoring targets and methods
• [ ] Explain log aggregation and alerting
• [ ] Use monitoring tools (SIEM, scanners)
• [ ] Implement baseline deviation detection

Objective 4.5: Enterprise Capabilities

• [ ] Configure firewall rules
• [ ] Implement IDS/IPS signatures
• [ ] Apply web and DNS filtering
• [ ] Configure email security (SPF, DKIM, DMARC)
• [ ] Deploy EDR/XDR solutions

Objective 4.6: Identity and Access Management

• [ ] Manage user provisioning lifecycle
• [ ] Implement federation and SSO
• [ ] Apply access control models
• [ ] Configure MFA solutions
• [ ] Implement PAM tools

Objective 4.7: Automation

• [ ] Identify automation use cases
• [ ] Explain automation benefits
• [ ] Consider automation risks and limitations

Objective 4.8: Incident Response

• [ ] Execute incident response phases
• [ ] Conduct tabletop exercises and simulations
• [ ] Perform root cause analysis
• [ ] Apply digital forensics concepts

Objective 4.9: Investigations

• [ ] Analyze log data sources
• [ ] Use packet captures
• [ ] Interpret dashboard data
• [ ] Correlate investigation data

Quick Reference: CVSS Scoring

| Score | Severity |

|-------|----------|

| 0.0 | None |

| 0.1-3.9 | Low |

| 4.0-6.9 | Medium |

| 7.0-8.9 | High |

| 9.0-10.0 | Critical |

Quick Reference: Authentication Factors

| Factor | Type | Examples |

|--------|------|----------|

| Something you know | Knowledge | Password, PIN |

| Something you have | Possession | Smart card, token, phone |

| Something you are | Inherence | Fingerprint, face, iris |

| Somewhere you are | Location | Geolocation, IP address |

| Something you do | Behavior | Typing pattern, gait |

External Resources

• NIST Incident Response Guide (SP 800-61)
• CVSS Calculator
• CIS Benchmarks
• MITRE ATT&CK
• SANS Incident Response

Continue to Lesson 1: Security Techniques →