ISO/IEC 27039:2015 — Intrusion Detection and Prevention Systems (IDPS)

Guidelines for selection, deployment, and operation of intrusion detection and prevention systems

1. Introduction to ISO/IEC 27039:2015 — Intrusion Detection and Prevention Systems

ISO/IEC 27039:2015 provides guidelines for the selection, deployment, and operation of intrusion detection systems (IDS) and intrusion prevention systems (IPS), collectively IDPS, within an organization’s information security framework; it supersedes ISO/IEC 18043:2006, which covered intrusion detection only. As threats grow in sophistication and volume, IDS/IPS technologies serve as control points for identifying, and in the IPS case blocking, malicious activity before it causes damage. The standard is written to complement the Information Security Management System (ISMS) established by ISO/IEC 27001 and the control catalogue of ISO/IEC 27002; it is guidance, not a set of auditable requirements.

The key distinction between IDS and IPS is where the sensor sits. An IDS inspects a copy of traffic (from a SPAN port or TAP) or host activity and raises alerts, so a miss or a false positive costs analyst time. An IPS sits inline in the forwarding path and can drop packets, reset connections, or block hosts in real time, so a false positive blocks legitimate traffic, and a sensor failure takes the path down unless the device fails open. ISO/IEC 27039 provides guidance for both approaches and for the considerations involved in choosing between them.

The standard covers network-based IDS/IPS (NIDS/NIPS), host-based IDS/IPS (HIDS/HIPS), wireless IDS/IPS (WIDS/WIPS), and network behavior analysis (NBA) systems. For each type, the standard discusses detection methodologies (signature-based, anomaly-based, and stateful protocol analysis), deployment architectures, and operational considerations.

IDS/IPS Type                    | Monitoring Scope             | Detection Methods                                | Typical Deployment
--------------------------------|------------------------------|--------------------------------------------------|-------------------------------------
Network (NIDS/NIPS)             | Network traffic segments     | Signature, anomaly, protocol analysis            | Network choke points, DMZ segments
Host-based (HIDS/HIPS)          | Individual endpoints/servers | System calls, file integrity, log analysis       | Critical servers, employee endpoints
Wireless (WIDS/WIPS)            | Wi-Fi spectrum and traffic   | Signature, rogue AP detection, spectral analysis | Enterprise wireless environments
Network Behavior Analysis (NBA) | Network flow data            | Statistical anomaly, baseline comparison         | Core network, data center perimeters

2. Selection and Deployment Strategies

ISO/IEC 27039 provides a structured methodology for selecting and deploying IDS/IPS solutions. The selection process begins with a security requirements analysis that considers the organization’s threat profile, risk appetite, regulatory requirements, and existing security controls. The standard emphasizes that IDS/IPS should not be deployed in isolation but as part of a layered defense strategy that includes firewalls, endpoint protection, security information and event management (SIEM) systems, and incident response capabilities.

Deploying an IPS in inline blocking mode without thorough testing can cause legitimate traffic to be dropped, with direct business disruption. ISO/IEC 27039 recommends an initial deployment in monitoring-only (alert) mode, followed by gradual enablement of prevention actions for individual signatures once their observed false positive rates in the organization’s own traffic are acceptably low. Two further checks belong in the rollout plan: decide explicitly whether the inline appliance fails open or fails closed on hardware or software failure, and keep a documented bypass procedure so blocking can be withdrawn quickly if a bad signature update starts dropping production traffic.

Signature Management and Tuning

A critical operational requirement highlighted by the standard is signature management. Signatures must be kept current through regular updates from the vendor or threat intelligence feeds. However, the standard warns against deploying signatures untested, because poorly written signatures produce false positives that overwhelm security teams, and on an IPS they block traffic. The recommended practice is to test new signatures in a staging environment against representative traffic (replayed production captures plus known-attack samples), tune per-rule thresholds and suppressions to the organization’s environment, and run each signature in monitoring mode before enabling a blocking action for it on a prevention system.
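The staged rollout described above (monitor first, then promote individual signatures to blocking based on observed false positive rates, and disable the ones that only fire on benign traffic) can be driven by a small evaluation harness. The following is an added example, not code from the standard or from any IDS/IPS vendor. It simplifies signatures to Python regular expressions over an HTTP request line; the candidate rules, the labelled staging traffic, and the promotion thresholds are all constructed for illustration, and the Suricata-style rule header it prints omits the matching options.

```python
"""Staged signature rollout: evaluate candidate rules against labelled
sample traffic, then decide per rule whether it stays alert-only
(monitor mode), may be promoted to blocking, or should be disabled.

Added example, not taken from ISO/IEC 27039 or any vendor product.
Signatures are simplified to Python regexes over a request line;
the sample traffic and the threshold values are constructed.
"""
import re

# Hypothetical candidate signatures awaiting promotion (constructed).
CANDIDATE_RULES = [
    {"sid": 1000001, "msg": "SQLi UNION SELECT in query string",
     "pattern": r"(?i)union\s+(all\s+)?select\b"},
    {"sid": 1000002, "msg": "Path traversal sequence in URI",
     "pattern": r"\.\./\.\./"},
    {"sid": 1000003, "msg": "Request to /admin (overly broad)",
     "pattern": r"(?i)/admin"},
    {"sid": 1000004, "msg": "Exploit marker never seen in staging",
     "pattern": r"evil_exploit_marker"},
    {"sid": 1000005, "msg": "Any /login request (pure noise)",
     "pattern": r"(?i)\blogin\b"},
]

# Constructed labelled staging traffic: (request line, is_malicious).
# In practice this is a replay of representative production captures
# plus known-attack samples.
SAMPLE_TRAFFIC = [
    ("GET /search?q=shoes HTTP/1.1", False),
    ("GET /admin/dashboard HTTP/1.1", False),           # legitimate admin use
    ("GET /admin/reports?range=7d HTTP/1.1", False),
    ("POST /login user=alice HTTP/1.1", False),
    ("GET /search?q=1' UNION SELECT password FROM users-- HTTP/1.1", True),
    ("GET /static/../../etc/passwd HTTP/1.1", True),
    ("GET /admin/../../etc/shadow HTTP/1.1", True),
]


def evaluate_rules(rules, traffic):
    """Run every rule over the labelled traffic in monitor mode and
    count true positives (hits on malicious samples) and false positives
    (hits on benign samples) per sid."""
    stats = {}
    for rule in rules:
        rx = re.compile(rule["pattern"])
        tp = fp = 0
        for payload, malicious in traffic:
            if rx.search(payload):
                if malicious:
                    tp += 1
                else:
                    fp += 1
        hits = tp + fp
        stats[rule["sid"]] = {
            "msg": rule["msg"],
            "tp": tp,
            "fp": fp,
            "fp_rate": fp / hits if hits else 0.0,
        }
    return stats


def staged_action(stats, max_fp_rate=0.05, min_true_positives=1):
    """Promotion policy (assumed thresholds): a rule moves to 'drop'
    (blocking) only when its observed false-positive rate is at or below
    max_fp_rate AND it has demonstrably caught real attacks; a rule that
    fired only on benign traffic is disabled; everything else, including
    rules with no evidence either way, stays in 'alert' (monitor) mode."""
    decisions = {}
    for sid, s in stats.items():
        if s["tp"] == 0 and s["fp"] > 0:
            decisions[sid] = "disable"
        elif s["fp_rate"] <= max_fp_rate and s["tp"] >= min_true_positives:
            decisions[sid] = "drop"
        else:
            decisions[sid] = "alert"
    return decisions


def render_rule(sid, msg, action):
    """Emit a Suricata-style rule header for the chosen action. The
    matching options (content/pcre) are omitted here; only the action
    keyword changes between the monitor and blocking stages."""
    if action == "disable":
        return f"# disabled: sid {sid} ({msg})"
    return f'{action} http any any -> any any (msg:"{msg}"; sid:{sid}; rev:1;)'


if __name__ == "__main__":
    stats = evaluate_rules(CANDIDATE_RULES, SAMPLE_TRAFFIC)
    for sid, action in staged_action(stats).items():
        s = stats[sid]
        print(f"{render_rule(sid, s['msg'], action):<80} "
              f"tp={s['tp']} fp={s['fp']} fp_rate={s['fp_rate']:.2f}")
```

Run as is, the two narrow rules (SQLi and traversal) qualify for `drop`, the broad `/admin` rule stays in `alert` because two of its three hits are legitimate admin requests, the rule with no hits at all stays in `alert` for lack of evidence rather than being trusted to block, and the `/login` rule is disabled. Raising `min_true_positives` is the usual way to demand more evidence before a rule is allowed to block.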

3. Operational Management and Incident Response Integration

ISO/IEC 27039 addresses the full operational lifecycle of an IDS/IPS deployment: initial configuration, ongoing tuning, monitoring and alerting, incident response integration, and periodic review and assessment. The standard recommends establishing baseline profiles of normal network behavior as the reference for anomaly detection, defining escalation paths for different alert severities, and forwarding IDS/IPS alerts to the organization’s SIEM so they can be correlated with firewall, endpoint, and authentication events.
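The three recommendations above (a baseline of normal behavior, severity-based escalation, and hand-off to the SIEM) fit together in one small NBA-style detector. The following is an added example, not code from the standard or from any product. The flow records, the z-score thresholds, the escalation targets, and the sensor name are constructed assumptions; the baseline is simply the mean and standard deviation of each host's flow count per five-minute interval over a period reviewed as normal.

```python
"""Baseline traffic profile and deviation scoring for NBA-style flow
data, with severity-based escalation and SIEM hand-off.

Added example, not part of ISO/IEC 27039. Flow records, threshold
values, escalation targets and the sensor name are constructed
assumptions for illustration. The baseline is the mean and standard
deviation of per-host flow counts per five-minute interval taken from
a known-good period; a live interval is scored by its z-score.
"""
import json
import math

# Constructed training data: flow counts per 5-minute interval observed
# for each host during a period reviewed as normal.
BASELINE_INTERVALS = {
    "10.0.1.10": [40, 42, 38, 45, 41, 39, 44, 40, 43, 38],  # web server
    "10.0.1.20": [5, 6, 4, 5, 7, 5, 6, 4, 5, 6],            # workstation
}

# Constructed live observations to score against the baseline.
LIVE_INTERVALS = [
    {"ts": "2024-05-01T10:00:00Z", "host": "10.0.1.10", "flows": 44},
    {"ts": "2024-05-01T10:05:00Z", "host": "10.0.1.20", "flows": 9},
    {"ts": "2024-05-01T10:10:00Z", "host": "10.0.1.20", "flows": 180},  # scan-like burst
    {"ts": "2024-05-01T10:15:00Z", "host": "10.0.1.30", "flows": 12},   # never baselined
]

# Escalation path per severity (assumed for illustration).
ESCALATION = {"info": "siem-only", "medium": "soc-tier1", "high": "soc-tier2-page"}


def build_baseline(history, min_samples=5):
    """Compute per-host mean and sample standard deviation of flows per
    interval. Hosts with too few samples get no baseline rather than an
    unreliable one."""
    baseline = {}
    for host, counts in history.items():
        n = len(counts)
        if n < min_samples:
            continue
        mean = sum(counts) / n
        var = sum((c - mean) ** 2 for c in counts) / (n - 1)
        baseline[host] = {"mean": mean, "std": math.sqrt(var), "n": n}
    return baseline


def score_interval(baseline, obs, medium_z=3.0, high_z=8.0, std_floor=1.0):
    """Score one live interval. Only upward deviations are alerted on
    (a sudden drop is an availability question, not an intrusion
    signal). std_floor (assumed) keeps a perfectly flat baseline from
    turning a one-flow change into an infinite z-score."""
    result = {"host": obs["host"], "ts": obs["ts"], "flows": obs["flows"]}
    b = baseline.get(obs["host"])
    if b is None:
        # Unknown host: do not guess; emit an informational event so the
        # SIEM records it and the host can be profiled.
        result.update(z=None, severity="info",
                      reason="no baseline for host; record for profiling")
        return result
    z = (obs["flows"] - b["mean"]) / max(b["std"], std_floor)
    if z >= high_z:
        severity = "high"
    elif z >= medium_z:
        severity = "medium"
    else:
        severity = None  # within normal variation, no alert
    result.update(z=round(z, 2), severity=severity,
                  reason=f"baseline mean={b['mean']:.1f} std={b['std']:.2f}")
    return result


def to_siem_event(result, sensor="nba-sensor-01"):
    """Serialise an alert for SIEM ingestion; returns None when there is
    nothing to report. The sensor name is an assumption."""
    if result["severity"] is None:
        return None
    return json.dumps({
        "source": sensor,
        "event_type": "flow_anomaly",
        "host": result["host"],
        "timestamp": result["ts"],
        "flows": result["flows"],
        "z_score": result["z"],
        "severity": result["severity"],
        "escalate_to": ESCALATION[result["severity"]],
        "reason": result["reason"],
    }, sort_keys=True)


def run_detection(history, live):
    """Build the baseline once, then score every live interval."""
    baseline = build_baseline(history)
    return [score_interval(baseline, obs) for obs in live]


if __name__ == "__main__":
    for r in run_detection(BASELINE_INTERVALS, LIVE_INTERVALS):
        event = to_siem_event(r)
        print(event if event else f"{r['ts']} {r['host']} z={r['z']} ok")
```

On the constructed data the web server's 44 flows sit about 1.2 standard deviations above its mean and produce no alert, the workstation's 9 flows score medium and its 180-flow burst scores high and pages tier 2, and the host with no baseline is reported at informational severity rather than silently ignored. The thresholds are the tuning knobs the standard expects to be revisited as the baseline matures; a host that is never observed in training should appear in the SIEM precisely so that it can be added to the next baseline rather than remain a blind spot.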

The payoff of a mature IDS/IPS program aligned with ISO/IEC 27039 is operational: systematic tuning reduces the volume of alerts analysts must triage, and correlation with other data sources (firewall logs, endpoint telemetry, authentication events) turns isolated sensor alerts into investigable incidents. The standard publishes no performance figures, so any improvement in detection time or false positive volume should be measured against the organization’s own pre-tuning baseline rather than assumed.

From an engineering perspective, several practical deployment patterns follow from the standard. For network IDS/IPS, SPAN (mirror) port aggregation and network TAPs provide the most reliable traffic visibility; a TAP is preferable where the switch may drop mirrored frames under load. For host-based systems, agent deployment should be integrated with endpoint management platforms to ensure consistent coverage and to detect hosts whose agent has stopped reporting. The standard also addresses performance: IDS/IPS sensors must be sized for peak traffic without packet loss, because dropped packets are detection blind spots on an IDS and dropped legitimate traffic on an inline IPS, so sensor drop counters should be monitored as an operational metric. Engineering teams should implement centralized management consoles that give unified visibility across all sensors and distribute rule updates automatically.

FAQs

Q: Should IDS or IPS be used?
A: The choice depends on risk tolerance and operational maturity. IDS is appropriate when monitoring is sufficient and false positives must be reviewed before action. IPS is appropriate when immediate blocking of known threats is required and the organization can manage the risk of potential false positive blocks.
Q: How often should IDS/IPS signatures be updated?
A: The standard recommends a risk-based update frequency. Critical vulnerabilities may require immediate updates, while routine signatures can follow a scheduled update cycle after testing.
Q: Can encryption render IDS/IPS ineffective?
A: Encryption defeats payload inspection: a network sensor cannot match content signatures inside a TLS session, though it still sees connection metadata (endpoints, ports, volumes, timing, certificate and handshake fields) that anomaly and behavior analysis can use. The standard recommends deploying SSL/TLS decryption where it is legally permissible and technically feasible, or relying on host-based agents that inspect data after decryption at the endpoint. Decryption is increasingly constrained by certificate pinning and by TLS 1.3, which encrypts more of the handshake, so endpoint visibility is the more dependable option for the traffic that matters most.
Q: What is the role of machine learning in modern IDS/IPS?
A: While the 2015 edition predates widespread ML adoption in IDS/IPS, anomaly-based detection methods described in the standard form the conceptual foundation for modern machine learning-based detection engines.
