ISO 27039 details the selection, deployment and operations of intrusion detection and prevention systems (IDPS). We’re going to explore what that means.
ISO/IEC 27039:2015 provides recommendations to assist organisations in the implementation of intrusion detection and prevention systems (IDPS). ISO 27039 outlines IDPS selection, implementation and operational processes, and also offers background information for these guidelines. Intrusion detection and intrusion prevention are two broad terms for practices used to identify attacks and counter new threats.
Intrusion detection is a reactive measure that identifies and mitigates ongoing threats using an intrusion detection system. It’s used to:
Intrusion prevention is a proactive security measure that uses an intrusion prevention system to stop attacks on devices. That includes:
Well-designed, implemented, configured, controlled, and operated IDPS, like:
The standard has guidance and instructions on the implementation of an IDPS.
Organisations shouldn’t just know what, where, and how their network, device, or programme was intruded. They should also know which vulnerability was abused and what precautions or risk treatments to implement to avoid future issues.
Organisations can also identify and prevent cyber intrusions. This method involves examining network traffic and audit trails for known attacks or unusual patterns that generally imply malicious intent. In the mid-1990s, companies started using intrusion detection and prevention systems (IDPS) to meet these needs.
The general use of IDPS continues to grow with a wider variety of IDPS devices being made available to meet a growing level of organisational requirements for sophisticated intrusion detection.
Intrusion Detection Systems are mostly automated systems that identify hackers’ attacks and intrusions into a network or device and raise the alarm. Intrusion Prevention Systems take automation a stage further by automatically reacting to certain methods of identified attack, such as closing specific network ports, via a firewall, to block identified hacker traffic. IDPS refers to both types of system.
An Intrusion Detection System (IDS) is a hardware or software programme that uses known intrusion signatures to identify and analyse inbound and outbound network traffic for suspicious activity. An IDS achieves this by:
Upon detecting a security breach, virus or configuration error, an IDS will kick an offending user off the network and send a warning to security personnel.
Despite its advantages, an IDS has inherent disadvantages. Since it uses established intrusion signatures to find attacks, newly discovered or zero-day threats may remain undetected. An IDS detects only active attacks, not incoming assaults. An intrusion prevention system is needed to block these.
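To make the signature-matching behaviour (and its zero-day blind spot) concrete, here is an added example, not code from the standard or from ISMS.online. The rule IDs, the patterns and the log line format are all constructed for illustration; it decodes URL-encoded requests before matching so that trivially encoded payloads still hit a signature, and it shows that a request using a technique with no signature passes silently.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed signature set (hypothetical rule IDs; real products ship thousands).
SIGNATURES = {
    "SIG-001": re.compile(r"\.\./\.\./", re.IGNORECASE),      # directory traversal
    "SIG-002": re.compile(r"union\s+select", re.IGNORECASE),  # SQL injection fragment
    "SIG-003": re.compile(r"<script[^>]*>", re.IGNORECASE),   # reflected XSS marker
}


@dataclass
class Alert:
    line_no: int
    src_ip: str
    rule_id: str


def parse(line):
    """Constructed log format: '<src_ip> <method> <path>' (no spaces inside path)."""
    src_ip, method, path = line.split(" ", 2)
    return src_ip, method, path


def inspect(lines):
    """Return one Alert per (line, matching signature); unmatched lines pass silently."""
    alerts = []
    for n, line in enumerate(lines, 1):
        src_ip, _method, path = parse(line)
        decoded = unquote(path)  # normalise before matching, or %20 hides 'UNION SELECT'
        for rule_id, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append(Alert(n, src_ip, rule_id))
    return alerts


# Constructed sample traffic. Line 4 stands in for a novel ("zero-day") technique
# that has no signature yet: a signature-based IDS raises nothing for it.
SAMPLE_TRAFFIC = [
    "10.0.0.5 GET /index.html",
    "10.0.0.7 GET /download?file=../../etc/passwd",
    "10.0.0.9 GET /search?q=1%27%20UNION%20SELECT%20password%20FROM%20users",
    "10.0.0.11 GET /admin/backup?token=constructed-novel-payload",
    "10.0.0.13 GET /comment?text=%3Cscript%3Ealert(1)%3C/script%3E",
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_TRAFFIC):
        print(f"line {alert.line_no}: {alert.src_ip} matched {alert.rule_id}")
```

Lines 2, 3 and 5 produce alerts; line 1 is benign and line 4 is the point of the passage above: nothing in the signature set describes it, so the IDS stays quiet even though the request is hostile.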
An Intrusion Prevention System (IPS) complements an IDS setup by proactively reviewing incoming traffic to block malicious requests. A standard IPS setup uses firewalls and traffic filtering solutions to protect applications.
An IPS stops attacks by dropping malicious packets, blocking offending IPs, and alerting security staff to risks. This device typically uses a pre-existing signature recognition database and can be designed to detect traffic-based attacks and behavioural irregularities.
Although they effectively block known attack vectors, some IPS systems have limitations. These are usually caused by over-reliance on pre-defined rules, making them prone to false positives.
ISO released this standard in 2015. ISO 27039 was published as a replacement for ISO/IEC 18043:2006. In 2016, the technical corrigendum revised the description of the standard, reinstating the notably missing words “and prevention”.
ISO/IEC 18043:2006 issued guidelines for an enterprise that chooses to provide intrusion detection in its IT infrastructure. It was a ‘how to’ for administrators and users who wanted:
ISO/IEC 18043:2006 provided information that helped promote cooperation between organisations using the IDS. The structure made it easier for organisations to share information on intrusions that cross organisational boundaries.
The ISO/IEC 18043:2006 standard provided:
Both systems have benefits and drawbacks. ISO 27039 contains specific information and guidance for the successful implementation and application of IDPSs for all organisations.
Although connected systems typically do not notice any change, an IPS means less disruption to an organisation’s systems and fewer security incidents.
An IPS only tracks network behaviour as it takes action, protecting network users’ privacy. An IPS correlates network traffic with known malicious traffic patterns but does not store or access the content.
The IPS uses a reputation-based list of suspected malicious sites and domains to secure the company proactively. For example: if a member of staff clicks a link in a phishing email or a malware ad for a site on the IPS denylist of identified malicious sites, the system will block the traffic, and the employee would see a blank screen.
An IPS offers zero-day attack protection, reduces brute force password attacks, and offers protection against risks to availability, such as DDoS and DoS attempts. For example, suppose a criminal tries to gain access to an account by brute force (e.g. repetitive login attempts). The IPS will track the volume of traffic, identify suspicious patterns, and deny access.
An IPS identifies and reacts to specific threats, enabling institutions to respond to defined threats to the company.
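The brute force scenario above is the rate-based side of an IPS rather than the signature side. The following is an added example, not code from the standard or from ISMS.online, of the sliding-window logic such a device applies: failed logins per source address are counted inside a time window, and once the count crosses a threshold the address is blocked and every later packet from it is dropped. The window, threshold, event format and addresses are all constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # constructed tuning values; a real IPS exposes these as policy
MAX_FAILURES = 5


class BruteForceGuard:
    """Per-source failed-login rate limiter with a block action, as a toy IPS component."""

    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES):
        self.window = window
        self.max_failures = max_failures
        self.failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
        self.blocked = {}                   # src_ip -> time at which it was blocked

    def process(self, ts, src_ip, outcome):
        """Return 'drop' (already blocked), 'block' (threshold crossed now) or 'allow'."""
        if src_ip in self.blocked:
            return "drop"           # a blocked source is dropped even if it now succeeds
        if outcome != "fail":
            return "allow"
        recent = self.failures[src_ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()        # forget failures that fell out of the window
        if len(recent) >= self.max_failures:
            self.blocked[src_ip] = ts
            return "block"
        return "allow"


# Constructed auth events: (seconds since start, source IP, outcome).
# 203.0.113.10 hammers the login; 192.0.2.7 is a user who mistypes once;
# 198.51.100.4 fails once every 100 s, which never fills a 60 s window.
EVENTS = [
    (0, "203.0.113.10", "fail"),
    (0, "198.51.100.4", "fail"),
    (5, "192.0.2.7", "fail"),
    (10, "203.0.113.10", "fail"),
    (12, "192.0.2.7", "success"),
    (20, "203.0.113.10", "fail"),
    (30, "203.0.113.10", "fail"),
    (40, "203.0.113.10", "fail"),
    (50, "203.0.113.10", "fail"),
    (55, "203.0.113.10", "success"),
    (100, "198.51.100.4", "fail"),
    (200, "198.51.100.4", "fail"),
    (300, "198.51.100.4", "fail"),
    (400, "198.51.100.4", "fail"),
    (500, "198.51.100.4", "fail"),
]


def run(events):
    """Feed events through the guard; return the per-event decisions and the block list."""
    guard = BruteForceGuard()
    decisions = [guard.process(ts, ip, outcome) for ts, ip, outcome in events]
    return decisions, sorted(guard.blocked)


if __name__ == "__main__":
    decisions, blocked = run(EVENTS)
    for (ts, ip, outcome), decision in zip(EVENTS, decisions):
        print(f"t={ts:>3}s {ip:<14} {outcome:<7} -> {decision}")
    print("blocked:", blocked)
```

The fifth failure from 203.0.113.10 at t=40 crosses the threshold and triggers the block; its later attempts, including the one with the right password, are dropped. The legitimate user is never touched. The slow source shows the tuning trade-off the page raises under false positives: a window and threshold tight enough to catch a burst will let a source that stays below the rate through, so both values are policy decisions rather than fixed constants.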
However, implementing an IDS has its own benefits. These benefits include:
The ISO 27039 Standard helps organisations:
Trying to meet ISO 27001 requirements, specifically Annex A.16:
Trying to meet the following security objectives of ISO 27002
However, an organisation should understand that implementing an IDPS is not a single or complete approach to meeting these requirements. Moreover, this International Standard is not intended as a guideline for any compliance evaluation, such as ISMS certification.
ISO 27039 has seven clauses and one Annex.
Clause 1: Scope
Clause 2: Terms and definitions
Clause 3: Background
Clause 4: General
Clause 5: Selection
Clause 6: Deployment
Clause 7: Operations
Annex A: Intrusion Detection and Prevention System (IDPS): Framework and issues to be considered
Three main parts (selection, deployment and operations) form the standard’s bulk.