Introduction
This domain focuses on the operational side of cybersecurity, including monitoring systems, detecting incidents, responding to threats, and ensuring business continuity.
For ICT professionals, security operations represent the real-time defense of systems, requiring coordination between people, processes, and technology to manage ongoing risks.
Outcome 1: Detect and analyze security events using monitoring systems.
Outcome 2: Respond to incidents effectively and minimize damage.
Outcome 3: Maintain operational continuity and resilience.
Figures
Figure: Incident Response Lifecycle: Prepare → Detect → Analyze → Contain → Recover → Review
Figure: SOC Workflow: Collect Logs → Correlate → Alert → Investigate → Respond → Improve
Case Examples
Ransomware Attack
Malware encrypts organizational data, disrupting operations.
- Contain infected systems
- Restore from backups
Insider Threat
An employee misuses access to extract sensitive data.
- Monitor activity logs
- Enforce separation of duties
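The following is an added example, not code from the original page: a small Python pass that walks the first three stages of the SOC workflow (Collect Logs → Correlate → Alert) over a handful of constructed log lines. It carries two rules, one for the repeated-failure-then-success login pattern and one for a large off-hours data export of the kind the insider-threat case describes. The log format, the host and user names, the thresholds and the business-hours window are all assumptions made for the example.

```python
"""Minimal SOC correlation pass: collect -> correlate -> alert.

Added example; the log lines, field names and both rules are constructed
for illustration and do not come from any real environment or product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like layout:
# <ISO timestamp> <host> <event> user=<name> [src=<ip>] [bytes=<n>]
SAMPLE_LOGS = """\
2024-03-01T02:10:01Z fs01 auth_fail user=jdoe src=10.0.0.5
2024-03-01T02:10:04Z fs01 auth_fail user=jdoe src=10.0.0.5
2024-03-01T02:10:07Z fs01 auth_fail user=jdoe src=10.0.0.5
2024-03-01T02:10:09Z fs01 auth_fail user=jdoe src=10.0.0.5
2024-03-01T02:10:12Z fs01 auth_fail user=jdoe src=10.0.0.5
2024-03-01T02:10:20Z fs01 auth_ok user=jdoe src=10.0.0.5
2024-03-01T02:15:00Z fs01 file_export user=jdoe bytes=734003200
2024-03-01T09:05:00Z fs01 auth_fail user=asmith src=10.0.0.9
2024-03-01T09:05:30Z fs01 auth_ok user=asmith src=10.0.0.9
2024-03-01T10:00:00Z fs01 file_export user=asmith bytes=2048000
"""

# Assumed thresholds; a real SOC tunes these per environment.
FAIL_THRESHOLD = 5                            # failures before a success that we flag
FAIL_WINDOW = timedelta(minutes=5)            # sliding window for counting failures
EXPORT_BYTES_THRESHOLD = 500 * 1024 * 1024    # 500 MiB in a single export event
BUSINESS_HOURS = range(8, 18)                 # 08:00-17:59 UTC counts as normal


def parse_line(line):
    """Collect step: turn one raw log line into a normalized event dict.

    Timestamps become timezone-aware UTC datetimes so that events from
    different hosts compare correctly (the time-synchronization point).
    """
    ts, host, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host,
        "event": event,
        "user": fields.get("user"),
        "src": fields.get("src"),
        "bytes": int(fields.get("bytes", 0)),
    }


def collect(raw):
    """Parse all non-empty lines and sort by time; correlation needs order."""
    events = [parse_line(l) for l in raw.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Correlate step: apply two constructed rules and return alert dicts.

    Rule 1 (brute force then success): at least FAIL_THRESHOLD auth_fail
    events for the same user/src inside FAIL_WINDOW, followed by auth_ok.
    Rule 2 (bulk off-hours export): one file_export above
    EXPORT_BYTES_THRESHOLD outside BUSINESS_HOURS, a simple insider indicator.
    """
    alerts = []
    recent_fails = defaultdict(list)   # (user, src) -> timestamps of failures
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "auth_fail":
            # Keep only failures still inside the sliding window, then add this one.
            recent_fails[key] = [t for t in recent_fails[key]
                                 if e["ts"] - t <= FAIL_WINDOW] + [e["ts"]]
        elif e["event"] == "auth_ok":
            fails = [t for t in recent_fails[key] if e["ts"] - t <= FAIL_WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append({
                    "rule": "brute_force_success", "severity": "high",
                    "user": e["user"], "src": e["src"], "host": e["host"],
                    "ts": e["ts"], "evidence": f"{len(fails)} failures then success",
                })
            recent_fails[key] = []   # a success closes the failure run
        elif e["event"] == "file_export":
            off_hours = e["ts"].hour not in BUSINESS_HOURS
            if off_hours and e["bytes"] >= EXPORT_BYTES_THRESHOLD:
                alerts.append({
                    "rule": "bulk_offhours_export", "severity": "medium",
                    "user": e["user"], "src": None, "host": e["host"],
                    "ts": e["ts"], "evidence": f"{e['bytes']} bytes at {e['ts']:%H:%M} UTC",
                })
    return alerts


def run(raw=SAMPLE_LOGS):
    """Alert step: return the alerts the rules raise over the collected logs."""
    return correlate(collect(raw))


if __name__ == "__main__":
    for a in run():
        print(f"[{a['severity'].upper()}] {a['rule']} user={a['user']} "
              f"host={a['host']} {a['evidence']}")
```

On the constructed input the pass raises two alerts, both for the same user: the five failures followed by a success, and the large export a few minutes later at 02:15 UTC. Seeing the two together is the point of the correlate stage; either event alone would sit lower in an analyst's queue. The rest of the workflow (Investigate, Respond, Improve) starts where this script stops.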
Glossary (50 Terms)
| # | Term | Definition |
|---|---|---|
| 1 | Security Operations | The ongoing activities required to monitor, manage, and protect information systems from security threats and incidents in real time. |
| 2 | SOC | A Security Operations Center is a centralized team responsible for monitoring, detecting, and responding to cybersecurity incidents. |
| 3 | SIEM | A platform that collects, analyzes, and correlates log data from multiple sources to detect security incidents and support investigations. |
| 4 | Incident Response | The structured process of identifying, containing, and resolving security incidents to minimize impact and restore normal operations. |
| 5 | Forensics | The process of collecting, analyzing, and preserving digital evidence for investigation and potential legal proceedings. |
| 6 | Event | An observable occurrence in a system or network that may or may not indicate a security issue. |
| 7 | Alert | A notification generated when a potential security event or anomaly is detected by monitoring systems. |
| 8 | Incident | A confirmed security event that poses a threat to confidentiality, integrity, or availability of systems or data. |
| 9 | Log Management | The process of collecting, storing, and analyzing logs to support monitoring, troubleshooting, and security investigations. |
| 10 | Threat Intelligence | Information about potential or existing threats used to inform security decisions and improve defenses. |
| 11 | Playbook | A predefined set of procedures used to respond to specific types of security incidents. |
| 12 | Runbook | A detailed operational guide outlining steps to perform routine security tasks or incident responses. |
| 13 | Containment | The process of limiting the spread or impact of a security incident within an organization. |
| 14 | Eradication | Removing the root cause of a security incident, such as malware or unauthorized access. |
| 15 | Recovery | Restoring systems and operations to normal after a security incident has been contained and resolved. |
| 16 | Lessons Learned | A review process after incidents to identify improvements and prevent recurrence. |
| 17 | Business Continuity | Ensuring essential functions continue during and after disruptions or incidents. |
| 18 | Disaster Recovery | Processes for restoring IT systems and data after major disruptions or catastrophic events. |
| 19 | Backup | A copy of data used to restore systems in case of failure or data loss. |
| 20 | Redundancy | Duplication of critical components to maintain system availability during failures. |
| 21 | High Availability | Design ensuring systems remain operational with minimal downtime. |
| 22 | Monitoring | Continuous observation of systems to detect anomalies and security issues. |
| 23 | Endpoint Security | Protection of individual devices such as computers and mobile devices from threats. |
| 24 | EDR | Endpoint Detection and Response tools monitor and respond to threats on endpoints. |
| 25 | Threat Hunting | Proactive search for hidden threats within systems that evade automated detection. |
| 26 | Malware Analysis | Examination of malicious software to understand its behavior and impact. |
| 27 | Indicators of Compromise | Evidence suggesting a system has been breached or compromised. |
| 28 | Indicators of Attack | Signals indicating an attack is currently in progress. |
| 29 | Chain of Custody | Documentation process ensuring integrity of collected evidence. |
| 30 | Time Synchronization | Ensuring consistent timestamps across systems for accurate event correlation. |
| 31 | Logging | Recording system and network activities for monitoring and analysis. |
| 32 | Correlation | Combining multiple data sources to identify patterns and detect threats. |
| 33 | Automation | Using tools to perform repetitive operational tasks efficiently. |
| 34 | SOAR | Security Orchestration, Automation, and Response platforms automate incident response workflows. |
| 35 | Security Metrics | Measurements used to evaluate effectiveness of security operations. |
| 36 | MTTD | Mean Time to Detect measures how quickly incidents are identified. |
| 37 | MTTR | Mean Time to Respond measures how quickly incidents are resolved. |
| 38 | Vulnerability Management | Continuous process of identifying, prioritizing, and fixing vulnerabilities. |
| 39 | Patch Management | Applying updates to systems to fix vulnerabilities and improve security. |
| 40 | Change Management | Controlled process for implementing system changes safely. |
| 41 | Configuration Management | Maintaining consistent and secure system configurations. |
| 42 | Data Loss Prevention | Controls that prevent unauthorized data exfiltration. |
| 43 | Incident Classification | Categorizing incidents based on severity and type. |
| 44 | Escalation | Process of involving higher-level personnel when incidents exceed initial response capability. |
| 45 | Threat Detection | Identifying malicious activities through monitoring and analysis. |
| 46 | Security Baseline | Minimum security configuration standard for systems. |
| 47 | Resilience | Ability of systems to withstand and recover from disruptions. |
| 48 | Incident Documentation | Recording details of incidents for analysis and compliance. |
| 49 | Operational Security | Protecting information through day-to-day operational practices. |
| 50 | Continuous Improvement | Ongoing enhancement of security operations based on experience and evolving threats. |