Basic conditions for security operations:
- Business continuity planning: BCP involves risk assessment of various processes of an organization, and establishment of strategies and plans to minimize the impact of risks on the organization. It is used to maintain the continuous operations of services when a crisis occurs.
- Physical security: The purpose of physical security is to prevent physical threats; it covers both perimeter security and internal security.
- Managing security operations:
  - Configuration of protection resources: Manage the configuration of assets, including physical, cloud, virtual, and data assets, so that all systems are in a known, consistent security state (a baseline) and stay in that state throughout their lifecycle.
  - Use resource protection techniques: Protect resources throughout their lifecycle, from provisioning to disposal, by means of media management and asset management.
  - Understand and apply basic security operations principles: Apply principles such as need-to-know, least privilege, and separation of duties when assigning responsibilities and access rights to personnel.
  - Execute and support patch and vulnerability management: Patch management ensures that appropriate patches are tested and applied; vulnerability management identifies known weaknesses and verifies that they have been addressed.
  - Participate in and understand the change management process: Change management reduces unexpected interruptions caused by unauthorized changes and ensures that approved changes, such as configuration changes, do not interrupt services.
  - Address personnel safety and security: Implement controls that protect the organization's people, not only its systems.
- Incident prevention and response:
  - Managing logging and monitoring: Logging, monitoring, and auditing programs help an organization prevent incidents and respond effectively when they occur.
  - Implementing incident management: The main objective of incident response is to minimize the impact on the organization when a security incident occurs.
  - Performing and maintaining preventive measures: Configure devices and controls that prevent security incidents.
- Disaster recovery plan: When a disaster interrupts services, the disaster recovery plan must work and support the recovery operations.
  - Implementing the recovery strategy: The strategy defines how services are restored after a disaster occurs.
  - Performing the disaster recovery processes.
  - Testing the disaster recovery plan.
- Investigation and forensics: When the threat and damage caused by an information security incident are serious enough to require the involvement of law enforcement agencies, investigators must proceed carefully to ensure that the correct steps are followed and evidence remains admissible.
  - Understanding and supporting the investigation
  - Understanding the requirements for investigation and forensics
Business and organization analysis: This identifies all departments and personnel involved in BCP preparation. The following key areas need to be considered during the analysis:
- Operations departments that provide core services
- Service support departments, such as the IT department, that maintain the systems of the operations departments
- Senior administrative personnel and enterprise decision-makers
BCP team setup: According to the preceding business and organization analysis, the business continuity is closely related to operations departments, service departments, and senior management of enterprises. Therefore, the members of these departments must participate in the BCP development and maintenance team. This team must include the following personnel:
- Department representatives of each core business operations department
- Supporting department representatives
- IT representatives with technical expertise in the BCP domain
- Security representatives who understand the BCP process
- Legal representatives who are familiar with relevant laws
- Senior management representatives
Resource requirements: BCP development, testing, training, maintenance, and implementation require a large amount of manpower, time, and materials. These are the resources the BCP needs.
Requirements of laws and regulations: Business continuity laws and regulations differ between countries and regions. They protect the wider economy by requiring enterprises to meet minimum business continuity standards, and the BCP must account for them.
Priority determination: It is important to determine the priority of each business process when a disaster occurs. The priority can be analyzed quantitatively using the Maximum Tolerable Downtime (MTD): the shorter a process's MTD, the higher its recovery priority.
Risk identification: The organization identifies possible risks, including natural and man-made risks. In this phase only a qualitative analysis is required; it lays the foundation for the subsequent assessment.
Likelihood assessment: Evaluate the likelihood that each identified risk will occur.
Impact assessment: Assess the impact of each risk on the organization, qualitatively or quantitatively, including but not limited to reputation, public impact, and resource loss.
Resource priority: Prioritize the business continuity planning resources based on different risks.
Strategy development: Determine the mitigation measures for each risk based on the business impact assessment result.
Plan implementation: Turn the strategies into concrete plans using the allocated resources, so that the preset goals are reached as far as possible.
Preparation and handling: Provide necessary resources and protection measures for the formulation, maintenance, and implementation of the business continuity planning. These resources include people, buildings/equipment, and infrastructure.
Training and education: Provide training on the business continuity planning for all related personnel involved in BCP so that they can understand the tasks and respond to emergencies in an orderly manner.
Planning approval: After the business continuity planning is designed, obtain approval from the senior management of the organization.
Detect: Personnel monitor and analyze data to detect security incidents, such as collecting logs. For details, see Data Monitoring and Data Analysis in the following chapter.
Respond: After the incident is detected and verified, activate the response program. The computer security incident response team assists in investigating, assessing damage, collecting evidence, reporting the incident, recovering and restoring systems, conducting root cause analysis, and drawing lessons. Respond to the security incident as soon as possible to reduce the damage. For details, see the Emergency Response.
Mitigate: Mitigation is part of responding to an emergency. It contains the impact of an incident, for example by disconnecting an infected host from the enterprise network to isolate the problem.
Report: When an incident occurs, it needs to be reported to the organization and sometimes needs to be reported to the outside world. Minor security incidents may not need to be reported to the senior management of the organization, but senior administrative personnel must be notified of critical incidents in order to adjust the response policy and contain the impact.
Recover: Restore the system to the normal state. However, evidence collection should be performed before system restoration.
Remediate: In this phase, root cause analysis is performed to fix system vulnerabilities and prevent similar incidents from happening again.
Lessons learned: Summarize the incident, learn lessons, and apply the output of this phase to the detection and maintenance phases of the subsequent business continuity planning.
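The detect, mitigate, report, and recover phases above, as an added example that is not part of the original page: a small detection routine run over constructed sshd-style log lines. It assumes a threshold of five failed logins from one source against one host within one minute (both values are assumptions chosen for the example), treats a successful login from the same source after the burst as a likely compromise, hashes the related raw lines before any containment action so the evidence exists before restoration, and decides whether the incident is severe enough to report to senior management.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from any real system).
# Source 203.0.113.7 fails five times within 8 seconds, then succeeds.
# Source 198.51.100.20 fails once and later logs in with a key: normal noise.
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[1001]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:03 host1 sshd[1002]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:05 host1 sshd[1003]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:07 host1 sshd[1004]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:09 host1 sshd[1005]: Failed password for oracle from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:12 host1 sshd[1006]: Accepted password for oracle from 203.0.113.7 port 51005 ssh2
2024-03-01T10:05:00 host1 sshd[1007]: Failed password for alice from 198.51.100.20 port 40000 ssh2
2024-03-01T11:30:00 host1 sshd[1008]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


@dataclass
class Incident:
    host: str
    source: str
    failures: int
    compromised: bool        # a successful login followed the failure burst
    evidence_sha256: str     # hash of the related raw lines, taken before any mitigation
    actions: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Assumed severity scale for the example: a likely compromise is critical.
        return "critical" if self.compromised else "medium"

    @property
    def notify_senior_management(self) -> bool:
        # Report phase: minor incidents stay with the team, critical ones go up.
        return self.severity == "critical"


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["raw"] = line
        events.append(d)
    return events


def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Detect phase: find (host, source) pairs with >= threshold failures inside
    `window`, and note whether a success from that source followed the burst."""
    by_key = defaultdict(list)
    for e in parse(log_text):
        by_key[(e["host"], e["src"])].append(e)

    incidents = []
    for (host, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        burst = None
        for i in range(len(fails)):            # sliding window over failures
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst = fails[i:j + 1]
                break
        if burst is None:
            continue
        compromised = any(e["result"] == "Accepted" and e["ts"] >= burst[-1]["ts"] for e in evs)
        # Recover phase rule: preserve evidence before anything is changed.
        related = [e for e in evs if e["ts"] >= burst[0]["ts"]]
        digest = hashlib.sha256("\n".join(e["raw"] for e in related).encode()).hexdigest()
        incidents.append(Incident(host, src, len(burst), compromised, digest))
    return incidents


def respond(incident):
    """Mitigate and report phases: record containment actions in order."""
    incident.actions.append(f"preserve evidence sha256={incident.evidence_sha256[:16]}...")
    incident.actions.append(f"block source {incident.source} at the perimeter")
    if incident.compromised:
        incident.actions.append(f"isolate {incident.host} from the enterprise network")
    incident.actions.append(
        "report to senior management" if incident.notify_senior_management
        else "log in incident tracker"
    )
    return incident


if __name__ == "__main__":
    for inc in detect(SAMPLE_LOG):
        print(respond(inc))
```

Running the block reports one incident for 203.0.113.7: five failures, followed by a success, so the host is isolated and the incident is escalated; the single failure from 198.51.100.20 stays below the threshold and is ignored.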
Disasters include:
- Natural disasters: Earthquakes, floods, fires.
- Man-made disasters: Terrorist acts, power interruptions.
- Other utility and infrastructure failures: Software/hardware faults, strikes or demonstrations, and intentional damage.
Recovery strategy: Back up important data and facilities to improve recovery capability and fault tolerance, thereby ensuring high service availability and improving service quality. The strategy covers:
- Backup storage strategy
- Site recovery strategy
- Mutual assistance agreements
Execute the disaster recovery plan: For details, see Emergency Response.
Test the disaster recovery plan: A disaster recovery plan must be tested periodically to ensure it works, especially if there have been organizational changes. The test types are as follows:
- Read-through (checklist) tests
- Structured walk-through (tabletop) tests
- Simulation tests
- Parallel tests
- Full-interruption tests
The investigation method must comply with laws and regulations.
- Operational investigation: Investigates issues in an organization's computing infrastructure, for example performance or configuration problems. It is used to analyze and fix issues and does not require a strict evidence-handling standard.
- Criminal investigation: Conducted by law enforcement into an alleged violation of criminal law; evidence must be handled to the strictest standard.
- Civil investigation: Usually does not involve law enforcement; it is carried out by internal employees and outside consultants on behalf of a legal team.
- Regulatory investigation: Carried out by government agencies when an organization is suspected of violating laws or regulations.
- Electronic forensics: For details, see Electronic Forensics
Evidence must be admissible:
- Evidence must be relevant to the determination of a fact.
- Evidence must be material, that is, related to the case.
- Evidence must be competent, that is, legally obtained.
Evidence type:
- Real (physical) evidence: objective evidence, such as physical objects
- Documentary evidence: written content, such as computer logs
- Testimonial evidence: witnesses' testimony
For details about electronic forensics, see subsequent chapters.