BS ISO IEC 27039-2015 pdf free download – Information technology — Security techniques — Selection, deployment and operations of intrusion detection systems (IDPS)

02-12-2022

3 Background
The purpose of an intrusion detection and prevention system (IDPS) is passively monitoring, detecting and logging inappropriate, incorrect, suspicious or anomalous activity that may represent an intrusion, and providing an alert and/or an automated response when these activities are detected. It is the responsibility of the appointed IT security personnel to actively review IDPS alerts and associated logs in order to make decisions on adequate responses. When an organization needs to detect intrusions to the organization's information systems promptly and respond to them appropriately, it should consider deploying IDPS. An organization can deploy IDPS by acquiring IDPS software and/or hardware products or by outsourcing IDPS capabilities to an IDPS service provider.
There are many commercially available or open-source IDPS products and services that are based on different technologies and approaches. In addition, IDPS is not "plug and play" technology. Thus, when an organization is preparing to deploy IDPS, it should, as a minimum, be familiar with the guidelines and information provided by this standard.
Fundamental knowledge about IDPS is mainly presented in Annex A. This annex explains the characteristics of different types of IDPS:
- Network-based, which monitors network traffic for particular network segments or devices and analyses the network and application protocol activity to identify suspicious activity;
- Host-based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity;
as well as three basic approaches for detection analysis, i.e. signature-based detection, statistical anomaly-based detection and stateful protocol analysis detection.
Behavioural analysis applies to both network-based and host-based IDPS. This approach examines network traffic and host activities to identify threats that generate abnormal behaviour, such as distributed denial of service (DDoS) attacks, brute force attacks, certain forms of malware, and policy violations (e.g. a client system providing network services to other systems).
A host-based intrusion detection and prevention system (HIDPS) derives its source of information from one or more hosts, while a network-based intrusion detection and prevention system (NIDPS) derives its information from the traffic of one or more network segments. The misuse-based approach models attacks on information systems as specific attack signatures, and then systematically scans the system for occurrences of these attack signatures. This process involves a specific encoding of previous behaviours and actions deemed intrusive or malicious. The anomaly-based approach attempts to detect intrusions by discovering significant deviations from normal behaviour, on the assumption that attacks differ from normal/legitimate activity and can therefore be detected by systems that identify these differences. An organization should understand that the source of information and the different analysis approaches each carry advantages and disadvantages or limitations, which can affect the ability to detect specific attacks and influence the degree of difficulty associated with installing and maintaining the IDPS.
4 General
IDPS functions and limitations, presented in Annex A, indicate that an organization should combine host-based (including application monitoring) and network-based approaches to achieve reasonably complete coverage of potential intrusions. Each type of IDPS has its strengths and limitations; together they can provide better security event coverage and alert analysis.
Combining the IDPS technologies depends on the availability of a correlation engine on the alert management system. Manual association of HIDPS and NIDPS alerts may result in IDPS operator overload without any additional benefit, and the result may be worse than choosing the most appropriate output from one type of IDPS.
The process of selecting, deploying and operating IDPS within an organization is shown in Figure 1, along with the clauses that address the key steps in this process.
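The misuse-based and anomaly-based approaches described in the Background, and the correlation of HIDPS and NIDPS alerts discussed in this clause, as an added illustration that is not part of the standard: a misuse-based rule encodes a known pattern as a signature, an anomaly-based rule flags deviations from a baseline of normal traffic, and a minimal correlation step joins the two alert streams by source address. All log lines, flow records, the baseline and the signature name are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed host log lines (the HIDPS information source); not real data.
HOST_LOG = [
    "sshd: Failed password for root from 203.0.113.7",
    "sshd: Failed password for root from 203.0.113.7",
    "sshd: Failed password for admin from 203.0.113.7",
    "sshd: Accepted password for alice from 198.51.100.4",
    "sshd: Failed password for bob from 198.51.100.4",
]
# Constructed flow records (the NIDPS information source): (src, dst_port, packets).
NET_FLOWS = [("203.0.113.7", 22, 3100), ("198.51.100.4", 22, 12), ("198.51.100.9", 443, 18)]
# Constructed baseline of packets per flow observed during normal operation.
BASELINE_PACKETS = [10, 15, 12, 20, 8, 14]

# Misuse-based: known-bad activity encoded as an explicit signature (hypothetical rule).
SIGNATURES = {"root-login-failure": re.compile(r"Failed password for root from (\S+)")}


def signature_alerts(lines):
    """Misuse-based detection: scan each line for occurrences of the encoded signatures."""
    alerts = set()
    for line in lines:
        for name, rx in SIGNATURES.items():
            m = rx.search(line)
            if m:
                alerts.add((name, m.group(1)))
    return alerts


def anomaly_alerts(flows, baseline=BASELINE_PACKETS, k=3.0):
    """Anomaly-based detection: flag a source whose packet count lies more than
    k standard deviations above the baseline of normal behaviour."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return {("volume-anomaly", src) for src, _, pkts in flows if (pkts - mu) / sigma > k}


def correlate(host_alerts, net_alerts):
    """Stand-in for a correlation engine: merge HIDPS and NIDPS alerts by source
    address and keep only sources that both technologies independently flagged."""
    by_src = defaultdict(set)
    for name, src in host_alerts | net_alerts:
        by_src[src].add(name)
    return {src: names for src, names in by_src.items() if len(names) > 1}


if __name__ == "__main__":
    h, n = signature_alerts(HOST_LOG), anomaly_alerts(NET_FLOWS)
    print("HIDPS:", h, "\nNIDPS:", n, "\ncorrelated:", correlate(h, n))
```

With the constructed data, only 203.0.113.7 is raised by both the host signature and the network anomaly rule, which is the kind of cross-technology agreement a correlation engine surfaces without an operator matching alerts by hand.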
