BS ISO/IEC 27039:2015 pdf download-Information technology — Security techniques — Selection, deployment and operations of intrusion detection systems (IDPS).
3 Background

The purpose of an intrusion detection and prevention system (IDPS) is to passively monitor, detect and log inappropriate, incorrect, suspicious or anomalous activity that may represent an intrusion, and to provide an alert and/or an automated response when such activity is detected. It is the responsibility of the appointed IT security personnel to actively review IDPS alerts and the associated logs in order to decide on adequate responses.

When an organization needs to detect intrusions into its information systems promptly and respond to them appropriately, it should consider deploying an IDPS. An organization can deploy an IDPS by acquiring IDPS software and/or hardware products, or by outsourcing IDPS capabilities to an IDPS service provider. Many commercially available and open-source IDPS products and services exist, based on different technologies and approaches. In addition, IDPS is not a “plug and play” technology. Thus, when an organization is preparing to deploy an IDPS, it should, as a minimum, be familiar with the guidelines and information provided by this standard.

Fundamental knowledge about IDPS is mainly presented in Annex A. That annex explains the characteristics of the different types of IDPS:

— Network-based, which monitors network traffic for particular network segments or devices and analyses the network and application protocol activity to identify suspicious activity;

— Host-based, which monitors the characteristics of a single host and the events occurring within that host for suspicious activity;

as well as the three basic approaches to detection analysis, i.e. signature-based detection, statistical anomaly-based detection and stateful protocol analysis detection. Behavioural analysis applies to both network-based and host-based IDPS.
An organization should understand that the source of information and the different analysis approaches may result in both advantages and disadvantages or limitations, which can impact the ability or inability to detect specific attacks and influence the degree of difficulty associated with installing and maintaining the IDPS.
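The three detection approaches named in the Background clause, run side by side over the same constructed traffic so their different strengths and blind spots are visible. This is an added illustration, not text or code from ISO/IEC 27039 and not any vendor's product; the event record format, the signature string, the baseline counts, the threshold rule and the sample addresses are all assumptions made for the example.

```python
# Added illustration (not part of ISO/IEC 27039, not vendor code) of the three
# detection approaches named in the Background clause, run over constructed
# traffic records. Event fields, signature strings, baseline counts and the
# anomaly threshold rule are all assumptions made for this example.
from collections import Counter
from dataclasses import dataclass
import statistics


@dataclass
class Event:
    """One simplified transport-layer record (constructed format)."""
    ts: float       # timestamp in seconds
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    flags: str      # simplified TCP flags: "S", "SA", "A", "PA"
    payload: str    # application data carried by the segment, if any


# --- 1. Signature-based detection ------------------------------------------
# Constructed rule set: a known pattern mapped to a rule name.
SIGNATURES = {
    "sig-001 directory traversal sequence in request": "../../",
}


def signature_alerts(events):
    """Alert on every event whose payload contains a known pattern.
    Anything not in the rule set is invisible to this approach."""
    return [(ev.ts, ev.src, name)
            for ev in events
            for name, pattern in SIGNATURES.items()
            if pattern in ev.payload]


# --- 2. Statistical anomaly-based detection --------------------------------
# Constructed baseline: connection attempts per source in earlier windows.
BASELINE_SYN_COUNTS = [2, 3, 2, 4, 3, 2]


def anomaly_alerts(events, baseline=BASELINE_SYN_COUNTS, k=3.0):
    """Flag sources whose SYN count in this window exceeds the baseline mean
    plus k population standard deviations. Unlike a signature, nothing here
    knows what the traffic means; it only knows that it is unusual."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = Counter(ev.src for ev in events if ev.flags == "S")
    return [(src, n, threshold) for src, n in counts.items() if n > threshold]


# --- 3. Stateful protocol analysis -----------------------------------------
def stateful_alerts(events):
    """Track each flow through the TCP three-way handshake and alert when
    application data appears on a flow that was never established."""
    state = {}  # flow key -> "SYN_SENT" | "SYN_RECEIVED" | "ESTABLISHED"
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        # Same key for both directions of one connection.
        key = (min(ev.src, ev.dst), max(ev.src, ev.dst), ev.dport)
        st = state.get(key, "CLOSED")
        if ev.flags == "S":
            state[key] = "SYN_SENT"
        elif ev.flags == "SA" and st == "SYN_SENT":
            state[key] = "SYN_RECEIVED"
        elif ev.flags == "A" and st == "SYN_RECEIVED":
            state[key] = "ESTABLISHED"
        elif ev.payload and st != "ESTABLISHED":
            alerts.append((ev.ts, ev.src, "data on non-established flow"))
    return alerts


def sample_events():
    """Constructed traffic: a normal HTTP flow whose second request carries the
    signature pattern, a host sending data without any handshake, and a host
    opening many connections in a short time."""
    c, s = "10.0.0.5", "192.0.2.10"
    evs = [
        Event(1.0, c, s, 80, "S", ""),
        Event(1.1, s, c, 80, "SA", ""),
        Event(1.2, c, s, 80, "A", ""),
        Event(1.3, c, s, 80, "PA", "GET /index.html HTTP/1.1"),
        Event(1.4, c, s, 80, "PA", "GET /../../config HTTP/1.1"),
        Event(2.0, "10.0.0.9", s, 80, "PA", "GET / HTTP/1.1"),
    ]
    evs += [Event(3.0 + i * 0.01, "10.0.0.7", s, 1000 + i, "S", "")
            for i in range(40)]
    return evs


def run_all(events):
    """Return the alerts from each approach, keyed by approach name."""
    return {
        "signature": signature_alerts(events),
        "anomaly": anomaly_alerts(events),
        "stateful": stateful_alerts(events),
    }


if __name__ == "__main__":
    for approach, alerts in run_all(sample_events()).items():
        print(f"{approach}: {len(alerts)} alert(s)")
        for a in alerts:
            print("   ", a)
```

Each approach catches exactly one of the three planted conditions and misses the other two: the signature rule only fires on its known pattern, the statistical check only notices the source whose connection count is far outside its baseline, and the protocol state machine only objects to data on a flow that never completed a handshake. This is the practical meaning of the next paragraph's point that the analysis approach determines which attacks can be detected and what the sensor must see (the whole flow, a tuned baseline, an up-to-date rule set) to do so.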