What is ISO 27039?
ISO/IEC 27039:2015 provides guidance to help organisations select, deploy and operate intrusion detection and prevention systems (IDPS). It covers IDPS selection, deployment and operational processes, and also gives background information to put that guidance in context.
Intrusion detection and intrusion prevention are two broad terms for practices used to identify attacks and stop them before they cause harm.
Intrusion detection is a reactive measure: an intrusion detection system identifies threats that are already under way so that they can be mitigated. It is used to detect, for example:
- Malware (e.g. Trojans, backdoors, rootkits)
- Social engineering attacks that manipulate users into exposing confidential information (e.g. phishing)
Intrusion prevention is a proactive measure: an intrusion prevention system blocks attacks before they reach the target system. Examples include:
- Remote file inclusion used to inject malware,
- SQL injection used to read or manipulate company databases.
A well-designed, implemented, configured, managed and operated IDPS offers several advantages:
- Automation relieves security professionals who would otherwise have to track, evaluate and react manually, as best they can, to network security events;
- Automation tends to speed up the identification of and reaction to attacks, especially common attack types that can be unambiguously identified by unique signatures;
- It gives management assurance that security problems on networks and networked devices are detected and mitigated.
The standard provides guidance and instructions on implementing an IDPS.
What are intrusion detection and prevention systems?
Organisations need to know not only that their network, system or application has been intruded upon, but also where and how it happened, which vulnerability was exploited, and which precautions or risk treatments will prevent a recurrence.
Organisations also need to identify and prevent intrusions as they happen. This involves examining network traffic and audit trails for known attacks, or for unusual patterns that typically indicate malicious intent. In the mid-1990s organisations began deploying intrusion detection and prevention systems (IDPS) to meet these needs.
The use of IDPS continues to grow, and a wider variety of IDPS products is available to meet increasingly sophisticated organisational requirements for intrusion detection.
Intrusion detection systems are largely automated systems that identify attacks and intrusions against a network or host and raise an alarm. Intrusion prevention systems take automation a step further by reacting automatically to certain identified attack methods, for example by closing specific network ports through a firewall to block the attacker's traffic. IDPS refers to both types of system.
An Intrusion Detection System (IDS) is a hardware appliance or software product that analyses inbound and outbound network traffic and host activity for suspicious behaviour, typically by matching it against known intrusion signatures. An IDS does this by:
- Comparing files against malware signatures.
- Scanning processes for dangerous patterns.
- Tracking user actions for signs of malicious intent.
- Monitoring device configurations and settings for unauthorised changes.
On detecting a security breach, malware or a configuration error, an IDS raises an alert to security personnel. A passive IDS stops there; only an active IDS or an IPS goes on to disconnect the offending host or block its traffic.
An IDS also has inherent limitations. Because a signature-based IDS relies on known intrusion signatures, newly discovered or zero-day attacks may go undetected. An IDS also only detects attacks that are already in progress; it does not stop the traffic from reaching its target. An intrusion prevention system is needed for that.
An Intrusion Prevention System (IPS) complements an IDS by inspecting incoming traffic inline and blocking malicious requests before they are delivered. A typical IPS deployment works alongside firewalls and traffic-filtering solutions to protect applications.
An IPS prevents attacks by dropping malicious packets, blocking offending IP addresses and alerting security staff. It typically uses a signature database and can also be configured to detect traffic-volume attacks and behavioural anomalies.
Although an IPS effectively blocks known attack vectors, it has limitations, usually caused by over-reliance on predefined rules, which makes it prone to false positives. Because an IPS sits inline, a false positive blocks legitimate traffic rather than merely raising a spurious alert, so rule tuning matters more for an IPS than for a passive IDS.
The history of ISO/IEC 27039:2015
ISO published the standard in 2015 as a replacement for ISO/IEC 18043:2006. A technical corrigendum in 2016 corrected the standard's title, reinstating the words "and prevention" that had been omitted.
ISO/IEC 18043:2006 gave guidance to organisations that chose to deploy intrusion detection in their IT infrastructure. It was a 'how to' for administrators and users who wanted:
- To understand the costs and benefits of an IDS
- To establish a policy and implementation plan for the IDS
- To efficiently control the outputs of the IDS
- To incorporate intrusion monitoring into the organisation's security procedures
- To consider the legal and privacy concerns involved in the introduction of the IDS
ISO/IEC 18043:2006 also provided information to promote cooperation between organisations using an IDS. Its structure made it easier for organisations to share information about intrusions that cross organisational boundaries.
The ISO/IEC 18043:2006 standard provided:
- A brief description of the intrusion detection process
- An explanation of what an IDS can and cannot do
- A checklist that helped to determine the best IDS features for a particular IT environment
- A definition of different deployment strategies
- Advice on managing IDS alerts
- A discussion of management and legal concerns
What are the benefits of ISO 27039?
Both types of system have benefits and drawbacks. ISO 27039 gives specific information and guidance for the successful implementation and operation of IDPSs in organisations of any kind.
Fewer security incidents
Because an IPS operates inline, connected systems usually notice no change, yet the organisation's systems suffer less disruption and fewer security incidents.
Selective logging and privacy protection
An IPS records network activity only when it takes action, which helps protect network users' privacy. It matches traffic against known malicious traffic patterns without storing the content it inspects.
Reputation-based protection
An IPS can use a reputation-based list of suspected malicious sites and domains to protect the organisation proactively. For example, if an employee clicks a link in a phishing email or a malicious advert that leads to a site on the IPS denylist, the IPS blocks the traffic and the employee sees a blank page.
An IPS with anomaly-based detection can offer some protection against zero-day attacks, reduce brute-force password attacks and protect availability against DoS and DDoS attempts. For example, if an attacker tries to gain access to an account by brute force (repeated login attempts), the IPS tracks the rate of attempts from the source, recognises the pattern and blocks further access.
Dynamic threat response
An IPS identifies and reacts to specific threats, allowing organisations to respond to the threats they have defined as relevant to them.
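The mechanics described above and in the earlier IDS/IPS section, as an added Python example (not part of ISO 27039 or of this page): a signature rule matches a known SQL-injection pattern, a rate rule detects brute-force logins, and the same engine runs either as a passive IDS (alert only) or as an inline IPS (block the source). The log events, IP addresses, rule names and the threshold of five failures in sixty seconds are constructed for illustration; the second request from 203.0.113.7 is a variant that the simple signature does not match, to show the zero-day caveat.

```python
"""Toy signature- and rate-based IDPS run over constructed log events.

Added example: the events, addresses, rules and thresholds below are made up
for illustration and are not taken from ISO/IEC 27039 or from any real product.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed events: (timestamp_seconds, source_ip, kind, detail)
EVENTS = [
    (0, "10.0.0.5", "http", "GET /item?id=1 HTTP/1.1"),                        # benign
    (1, "203.0.113.7", "http", "GET /item?id=1' OR '1'='1 HTTP/1.1"),           # matches signature
    (2, "203.0.113.7", "http", "GET /item?id=1'/**/||/**/'1'='1 HTTP/1.1"),     # same attack, evades signature
    (3, "10.0.0.9", "login", "FAILED user=alice"),                              # two typos, then success
    (4, "10.0.0.9", "login", "FAILED user=alice"),
    (5, "10.0.0.9", "login", "OK user=alice"),
    (10, "198.51.100.2", "login", "FAILED user=admin"),                         # brute force, 6 in 6 s
    (11, "198.51.100.2", "login", "FAILED user=admin"),
    (12, "198.51.100.2", "login", "FAILED user=admin"),
    (13, "198.51.100.2", "login", "FAILED user=admin"),
    (14, "198.51.100.2", "login", "FAILED user=admin"),
    (15, "198.51.100.2", "login", "FAILED user=admin"),
]

# Hypothetical signatures: each is a fixed pattern for a known attack string.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),
    "rfi-remote-include": re.compile(r"[?&]\w+=https?://", re.I),
}


@dataclass
class Alert:
    ts: int
    src: str
    rule: str
    action: str  # "alert" (IDS mode) or "block" (IPS mode)


class Idps:
    def __init__(self, mode="ids", brute_threshold=5, window=60):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.threshold = brute_threshold       # failed logins within the window that trigger the rule
        self.window = window                   # seconds
        self.failures = defaultdict(deque)     # src -> timestamps of recent failed logins
        self.blocked = set()                   # sources an IPS has already blocked
        self.alerts = []

    def _fire(self, ts, src, rule):
        action = "block" if self.mode == "ips" else "alert"
        if action == "block":
            self.blocked.add(src)
        self.alerts.append(Alert(ts, src, rule, action))

    def process(self, ts, src, kind, detail):
        """Return 'dropped', 'matched' or 'passed' for one event."""
        if src in self.blocked:
            return "dropped"  # inline IPS: traffic from a blocked source never reaches the target
        if kind == "http":
            for name, pattern in SIGNATURES.items():
                if pattern.search(detail):
                    self._fire(ts, src, name)
                    return "matched"
        elif kind == "login" and detail.startswith("FAILED"):
            recent = self.failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:   # slide the window
                recent.popleft()
            if len(recent) >= self.threshold:
                self._fire(ts, src, "brute-force-login")
                recent.clear()
                return "matched"
        return "passed"


def run(events, mode):
    """Feed all events through one engine; return the engine and per-event outcomes."""
    engine = Idps(mode=mode)
    outcomes = [engine.process(*event) for event in events]
    return engine, outcomes


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        engine, outcomes = run(EVENTS, mode)
        print(mode.upper(), outcomes)
        for alert in engine.alerts:
            print(f"  t={alert.ts:>2} {alert.src:<13} {alert.rule:<18} -> {alert.action}")
```

In IDS mode the obfuscated second request passes untouched: nothing in the signature set describes it, which is the zero-day weakness of signature-only detection. In IPS mode it is dropped, but only because the source was blocked one second earlier on the first request. The rate rule shows the tuning trade-off behind the false-positive caveat: alice's two mistyped passwords stay below the threshold, while lowering `brute_threshold` to 2 would block her as well.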
Implementing an IDS has its own benefits, including:
- Using its signature database, an IDS identifies known attacks quickly and efficiently with a low rate of false alarms.
- It analyses different types of threats, detects patterns of malicious content and helps administrators organise, manage and implement appropriate controls.
- It supports regulatory compliance and security requirements by providing greater visibility across the whole network.
- Although an IDS is usually a passive device that detects and generates alerts, some active IDS can block IP addresses or prevent access to resources when an anomaly is detected.
Who can implement ISO 27039?
ISO 27039 helps organisations that need to:
- Implement procedures and other controls capable of enabling prompt detection of and response to security incidents
- Execute monitoring and review procedures and other controls to properly identify attempted and successful security breaches and incidents
and that are trying to meet the following security objectives of ISO/IEC 27002:
- Detecting unauthorised information-processing activities;
- Monitoring systems and recording information security events, using operator logs and fault logging to identify system problems;
- Complying with all relevant legal requirements applicable to monitoring and logging activities;
- Monitoring systems to check the effectiveness of the controls adopted and to verify conformity with an access policy model.
However, organisations should understand that deploying an IDPS is neither the only nor a complete way to meet these requirements. Nor is the standard intended as criteria for any compliance assessment, such as ISMS certification.
ISO/IEC 27039:2015 requirements
ISO 27039 has seven clauses and one Annex.
Three main parts form the standard’s bulk:
- Clause 5: Selection: the different types of IDPS, complementary tools and other considerations (covered in more detail in Annex A)
- Clause 6: Deployment
- Clause 7: Operations
ISO/IEC 27039:2015 Clauses
Clause 1: Scope
Clause 2: Terms and definitions
Clause 3: Background
Clause 4: General
Clause 5: Selection
- 5.1 Introduction
- 5.2 Information security risk assessment
- 5.3 Host or network IDPS
- 5.4 Considerations
- 5.5 Tools that complement IDPS
- 5.6 Scalability
- 5.7 Technical support
- 5.8 Training
Clause 6: Deployment
- 6.1 Overview
- 6.2 Staged deployment
- 6.3 NIDPS deployment
- 6.4 HIDPS deployment
- 6.5 Safeguarding and protecting IDPS information security
Clause 7: Operations
- 7.1 Overview
- 7.2 IDPS tuning
- 7.3 IDPS vulnerabilities
- 7.4 Handling IDPS alerts
- 7.5 Response options
- 7.6 Legal considerations
ISO/IEC 27039:2015 Annex A Clauses
Annex A: Intrusion Detection and Prevention System (IDPS): Framework and issues to be considered
- A.1 Introduction to intrusion detection
- A.2 Types of intrusions and attacks
- A.3 Generic model of the intrusion detection process
- A.4 Types of IDPS
- A.5 Architecture
- A.6 Management of an IDPS