Organizations should not only know when, if, and how an intrusion of their network, system or application occurs, but also what vulnerability was exploited and what safeguards or appropriate risk treatment options (i.e. risk transfer, risk acceptance, risk avoidance) should be implemented to prevent similar intrusions in the future. Organizations should also recognize and deflect cyber-based intrusions.
This requires an analysis of host and network traffic and/or audit trails for attack signatures or specific patterns that usually indicate malicious or suspicious intent. In the mid-1990s, organizations began to use Intrusion Detection Systems (IDS) to fulfil these needs. The general use of IDS continues to expand with a wider range of IDS products being made available to satisfy an increasing level of organizational demands for advanced intrusion detection capability.
In order for an organization to derive the maximum benefits from IDS, the process of IDS selection, deployment, and operations should be carefully planned and implemented by properly trained and experienced personnel. In the case where this process is achieved, then IDS products can assist an organization in obtaining intrusion information and can serve as an important security device within the overall information and communications technology (ICT) infrastructure.
This international standard provides guidelines for effective IDS selection, deployment and operation, as well as fundamental knowledge about IDS. It is also applicable to those organizations that are considering outsourcing their intrusion detection capabilities. Information about outsourcing service level agreements can be found in the IT Service Management (ITSM) processes based on ISO/IEC 20000.
It is intended to be helpful to:
a) An organization in satisfying the following requirements of ISO/IEC 27001:
- The organization shall implement procedures and other controls capable of enabling prompt detection of and response to security incidents.
- The organization shall execute monitoring and review procedures and other controls to properly identify attempted and successful security breaches and incidents.
b) An organization implementing controls that meet the following security objectives of ISO/IEC 17799:
- To detect unauthorized information processing activities.
- Systems should be monitored and information security events should be recorded. Operator logs and fault logging should be used to ensure information system problems are identified.
- An organization should comply with all relevant legal requirements applicable to its monitoring and logging activities.
- System monitoring should be used to check the effectiveness of controls adopted and to verify conformity to an access policy model.
Contents:
- Foreword
- Introduction
- Scope
- Terms and definitions
- General
- Selection
- Deployment
- Operations
- Annex A - Intrusion Detection System (IDS): framework and issues to be considered
- Bibliography