Friday, October 10, 2014

What is Network Security Monitoring?

Network Security Monitoring (NSM) traces its roots to 1988, when the original Network Security Monitor became the first intrusion detection system to use network traffic as its main source of data for generating security alerts. Today an NSM capability is usually run by an organization's Security Operations Center (SOC) or Computer Incident Response Team (CIRT). One key point to note is that NSM does not prevent intrusions; it is built on the premise that prevention measures eventually WILL fail. It is not possible to stop every intrusion into your computer systems, and you'd be fooling yourself if you thought otherwise; some breaches are inevitable. However, if you can detect an intrusion as quickly as possible, you can limit the quantity of stolen information and the damage a malicious party can inflict on your systems. If you, as a defender, can keep frustrating your adversaries before they reach their objectives, you deny them their mission.

Network Security Monitoring is distinct from other security controls like firewalls, intrusion prevention systems (IPS), antivirus software, application whitelisting, and data loss prevention (DLP) systems. Each of those controls, whether hardware or software, is in place to automatically recognize and block particular types of suspicious activity on your network, and most of them depend on signatures or rules that describe what to look for; activity that matches no rule passes through silently. NSM, on the other hand, is meant to be a threat-centric platform, focused on visibility into your network instead of control. It helps your security analysts see what the rest of your security measures missed. Specifically, it records what is actually flowing through your network (packet captures, session or flow records, and statistics derived from them) so that analysts can pull out the data that shows how today's traffic differs from the way the network runs on a safe day; a difference of that kind is also known as a statistical anomaly.
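The following is an added example written for this post, not code from the original article or from any NSM tool, of the "safe day versus today" comparison just described. It derives per-host daily outbound byte totals from session records, learns a baseline from three constructed safe days, and then flags a host whose traffic deviates from that baseline by volume or by a destination port it has never used. Every host address, port and byte count is constructed for illustration.

```python
"""Toy NSM statistical baseline: derive per-host daily outbound byte totals from
session records, learn what a 'safe day' looks like, and flag today's deviations.
Added example; every host, port and byte count below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Session:
    """One session record, the kind of data an NSM sensor derives from packets."""
    day: int
    src: str
    dst: str
    dst_port: int
    bytes_out: int


def baseline_sessions():
    """Three constructed 'safe days': two internal hosts using HTTPS and DNS only."""
    rows = []
    for day in range(3):
        for host, n in (("10.0.0.5", 6), ("10.0.0.7", 5)):
            for i in range(n):  # byte counts drift a little from day to day
                rows.append(Session(day, host, "203.0.113.10", 443,
                                    40_000 + 1_000 * i + 5_000 * day))
            rows.append(Session(day, host, "203.0.113.53", 53, 300))
    return rows


def observed_sessions():
    """Constructed 'today': day 0 replayed, plus 10.0.0.7 pushing about 50 MB to
    an unseen host on a port it never used before (what exfiltration can look like)."""
    rows = [Session(3, s.src, s.dst, s.dst_port, s.bytes_out)
            for s in baseline_sessions() if s.day == 0]
    rows.append(Session(3, "10.0.0.7", "198.51.100.9", 4444, 50_000_000))
    return rows


def daily_bytes(sessions):
    """Per-host, per-day outbound byte totals: the statistical data behind the check."""
    totals = defaultdict(lambda: defaultdict(int))
    for s in sessions:
        totals[s.src][s.day] += s.bytes_out
    return totals


def build_baseline(sessions):
    """For each host: (mean, population stddev) of daily bytes, plus the set of
    destination ports it was seen using on safe days."""
    stats = {}
    for host, per_day in daily_bytes(sessions).items():
        vals = list(per_day.values())
        stats[host] = (mean(vals), pstdev(vals))
    ports = defaultdict(set)
    for s in sessions:
        ports[s.src].add(s.dst_port)
    return stats, ports


def detect(baseline, observed, z_threshold=3.0):
    """Return (host, reason, detail) alerts: daily volume far outside the baseline
    (z-score), a destination port the host never used, or a host never seen."""
    stats, ports = baseline
    alerts = []
    for host, per_day in daily_bytes(observed).items():
        for total in per_day.values():
            if host not in stats:
                alerts.append((host, "unknown host", total))
                continue
            mu, sd = stats[host]
            if sd == 0:  # perfectly flat baseline: any change is a deviation
                z = 0.0 if total == mu else float("inf")
            else:
                z = (total - mu) / sd
            if abs(z) > z_threshold:
                alerts.append((host, "volume", round(z, 1)))
    seen = set()  # report each (host, port) novelty once, not once per session
    for s in observed:
        key = (s.src, s.dst_port)
        if s.src in ports and s.dst_port not in ports[s.src] and key not in seen:
            seen.add(key)
            alerts.append((s.src, "new port", s.dst_port))
    return alerts


def run():
    return detect(build_baseline(baseline_sessions()), observed_sessions())


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run it and 10.0.0.5, whose day looks like every safe day, produces nothing, while 10.0.0.7 produces a volume alert with a z-score in the thousands and a "new port" alert for 4444. Note that none of this blocks anything: the records are collected, the deviation is surfaced, and a human analyst decides what it means, which is exactly the visibility-over-control posture described above.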


Ultimately, the purpose of a Network Security Monitoring system is to give security analysts the ability to detect, respond to, and contain intruders on your network. Personally, I am a huge fan of metaphor, so I will use a prison to illustrate NSM. Imagine a prison staff trying to keep its prisoners inside the premises by admitting only normal visitor traffic. We'll define that as the people the guards recognize because they come and go on a regular basis for visits. If the staff has full visibility of the prison, the guards can spot traffic through the gates that deviates from the normal pattern and double-check that it poses no threat to anyone inside. The same concept applies to a network. A company that wants to keep its important information inside its systems expects to see only normal user traffic. With full visibility, an NSM system can identify traffic that provides evidence of a statistical anomaly and alert a security analyst. NSM will not keep the wrong users out by itself, but if an organization has full visibility of its network, it becomes much more difficult for an intruder to get in and operate unnoticed.