- How network performance monitoring works: data collection and key metrics
- Why network performance data alone isn’t enough for security monitoring
- How NDR addresses network performance monitoring’s security gaps
- Monitoring performance in encrypted traffic
- Best practices for unified network observability
- How Corelight unifies security & performance monitoring
- Frequently asked questions
Discover what NPM is, why traditional tools leave security gaps, and how unifying NPM with NDR strengthens your SOC.
Network performance monitoring (NPM) is the continuous practice of measuring, analyzing, and optimizing the health and efficiency of a network infrastructure. At its core, network performance monitoring ensures that data flows reliably between systems, applications, and users, tracking uptime, bandwidth, latency, and packet delivery across every layer of the network.
Traditionally, network performance monitoring has been viewed as a purely operational discipline: keep the network up, keep it fast, and alert when something breaks. But this siloed view misses a critical insight that modern security teams have come to understand. The same network traffic data that reveals a performance bottleneck also contains the earliest indicators of a security compromise.
NPM collects data from multiple sources: Simple Network Management Protocol (SNMP) for device health and interface statistics, flow data (NetFlow, sFlow, IPFIX) for connection patterns and bandwidth consumption, packet metadata for deep protocol analysis, and cloud flow logs (AWS VPC Flow Logs, Azure NSG, GCP VPC) for hybrid visibility. It can operate actively through synthetic testing or passively by observing real user traffic in motion.
Key insight
Performance anomalies are often the earliest observable indicators of a security compromise. A bandwidth spike, an unusual connection pattern, or an unexpected protocol on the wire may signal both a network problem and an active threat simultaneously.
The modern definition of network performance monitoring, therefore, extends beyond uptime and latency dashboards. When treated as network evidence (an immutable, real-time record of what is actually happening on the wire), NPM data becomes a shared asset for both network operations (NetOps) and security operations (SecOps) teams. This convergence is where network performance monitoring’s true value is realized, and where its integration with network detection and response (NDR) becomes essential.
What is network evidence?
Network evidence is the concept that network traffic data, when captured and analyzed with sufficient depth, constitutes an immutable, tamper-resistant record of everything that happened on the wire.
Unlike endpoint logs (which attackers can delete), SIEM alerts (which depend on rules being correctly configured), or user-reported incidents (which are inherently delayed), network evidence exists independently of the attacker’s actions. An adversary can wipe a hard drive. They cannot erase the network footprint they left behind.
Network evidence captures:
- Every connection: Who talked to whom, when, for how long, and how much data moved.
- Protocol behaviors: What applications were used, how they behaved, and whether that behavior was consistent with known-good baselines.
- Certificate and handshake metadata: The identity and integrity signals embedded in encrypted traffic.
- Timing and sequencing: The temporal patterns that reveal beaconing, scanning, and staged exfiltration.
- Anomalous deviations: Statistical departures from established baselines that indicate something has changed.
- Packet metadata and targeted packet capture (PCAP): Deep protocol analysis that extracts application-layer signals without the overhead of storing full packet payloads. However, when metadata alone is insufficient, network evidence also leverages targeted full packet capture (Smart PCAP) on demand for deep forensic investigations.
How network performance monitoring works: data collection and key metrics
Data collection methods
Network performance monitoring platforms draw on a layered set of data sources, each contributing a different dimension of network visibility:
- SNMP (Simple Network Management Protocol): Polls routers, switches, and firewalls for device health, interface statistics, CPU utilization, and memory consumption. Essential for infrastructure-level visibility.
- Flow data (NetFlow / sFlow / IPFIX): Captures metadata about every network conversation: who talked to whom, for how long, using which ports, and how much data was transferred. The foundation of behavioral analysis.
- Packet metadata: Deep protocol analysis without storing full packet payloads. Extracts application-layer signals such as DNS queries, HTTP headers, TLS handshake parameters, and certificate details.
- Cloud flow logs: AWS VPC Flow Logs, Azure NSG Flow Logs, and GCP VPC logs extend NPM visibility into cloud-native environments where traditional probes cannot reach.
- Active vs. passive collection: Synthetic tests inject controlled traffic to measure performance from a user's perspective; passive monitoring observes real traffic to capture actual behavior under load.
Key performance metrics and what they reveal about security
Each performance metric carries a dual signal: an operational meaning and a potential security implication. The table below maps both dimensions.
| Metric | What it measures | Why it matters for security |
|---|---|---|
| Latency | Round-trip delay between endpoints | Sudden spikes may indicate DDoS or network saturation |
| Packet loss | % of packets that fail to arrive | Can signal active interference or failing infrastructure |
| Throughput | Actual data transfer rate | Unusual patterns reveal data exfiltration attempts |
| Bandwidth utilization | % of available capacity consumed | Identifies both congestion and anomalous consumption |
| Jitter | Variation in packet arrival timing | Impacts VoIP/video; can indicate network instability |
| Connection patterns | Who-talks-to-whom, frequency | Reveals lateral movement and unauthorized access |
| Protocol anomalies | Unexpected protocols or behaviors | Indicates tunneling, evasion, or command-and-control |
Why network performance data alone isn’t enough for security monitoring
Gap 1: No threat context
Traditional network performance monitoring can detect that something is wrong, but not exactly what is wrong or why. A bandwidth spike could be a legitimate software update, an internal backup job, or an active data exfiltration. Without threat intelligence, behavioral baselines, and security-focused analytics, NPM alone cannot distinguish between them. Security teams are left chasing false alarms or, worse, missing real incidents buried in the noise.
Gap 2: Encrypted traffic blindness
More than 95% of network traffic is now encrypted. Traditional NPM tools that rely on deep packet inspection (DPI) to identify applications and diagnose performance are functionally blind to the majority of modern traffic. They can measure that encrypted connections exist and how much bandwidth they consume, but they cannot determine what applications are running, whether traffic is malicious, or why performance is degrading inside an encrypted session.
Gap 3: Missing east-west visibility
Most network performance monitoring deployments focus on north-south traffic at the network perimeter (what enters and exits through internet gateways). But the most dangerous phase of a modern attack happens east-west: lateral movement inside the network, from one compromised host to another, escalating privileges and staging data for exfiltration. Perimeter-focused NPM is functionally blind to this internal threat vector.
Gap 4: Tool sprawl and operational silos
Most enterprises deploy separate tools for NetOps (NPM platforms) and SecOps (Network Detection and Response systems known as “NDR” and Security Information and Event Management platforms known as “SIEM”). Each team works from a different data source, using different terminology, different dashboards, and different alert thresholds. When an incident occurs, particularly one that spans both performance and security, the two teams cannot quickly correlate findings, leading to duplicate investigation effort, finger-pointing, and slower resolution. The infrastructure duplication alone drives significant unnecessary cost.
Gap 5: Limited historical context for forensics
Traditional NPM is optimized for real-time monitoring and short-term trending. Security investigations, however, demand deep historical context: when did anomalous behavior begin, what was the baseline before the incident, and how did the attack progress over time? Without forensic-grade retention and threat-hunting capabilities, NPM data cannot answer the questions that matter most during a breach investigation.
How NDR addresses network performance monitoring’s security gaps
What is network detection and response (NDR)?
Network Detection and Response (NDR) is a security discipline that analyzes network traffic specifically for indicators of compromise and active threats. Where NPM asks, 'Is the network performing well?', NDR asks, 'Is the network being attacked?' Both questions are answered by examining the same underlying data, but through different analytical lenses.
NDR platforms detect lateral movement between internal systems, command-and-control (C2) communications to attacker infrastructure, data exfiltration via encrypted or covert channels, and network reconnaissance that precedes an attack. Best-in-class NDR uses behavioral analysis, machine learning, threat intelligence, and anomaly detection to identify threats that signature-based tools miss entirely.
Drawing on the network evidence layer introduced in Section 1, NDR applies security-focused analytics to the same data that NPM uses for performance analysis. When both disciplines share this common evidence layer, every performance metric becomes a potential security signal, and every security alert gains the operational context needed to investigate it effectively.
How NDR fills NPM’s five security gaps
Gap 1 → Threat Context: NDR correlates performance anomalies with threat intelligence and behavioral baselines, transforming ambiguous NPM alerts into actionable security findings.
Gap 2 → Encrypted Traffic: NDR analyzes TLS handshake parameters, certificate characteristics, and connection timing patterns without decryption, extracting rich security signals from traffic that traditional NPM treats as opaque.
Gap 3 → East-West Visibility: NDR deploys sensors throughout the internal network, providing comprehensive lateral movement detection that perimeter-focused NPM cannot deliver.
Gap 4 → Unified Platform: A combined NPM + NDR approach creates a single source of network evidence, eliminating data silos and enabling NetOps and SecOps to collaborate from shared context.
Gap 5 → Forensic History: NDR maintains forensic-grade metadata retention, months or years of network history, enabling threat hunting, incident reconstruction, and compliance reporting.
NPM vs. Application performance monitoring (APM) vs. NDR: understanding the landscape
These three categories are frequently conflated, but they serve different purposes, answer different questions, and serve different teams. The table below clarifies the distinctions:
| | NPM | APM | NDR |
|---|---|---|---|
| Primary focus | Network layer performance (bandwidth, latency, device health) | Application layer performance (code-level, transaction tracing) | Network-based threat detection (lateral movement, C2, exfiltration) |
| Primary user | NetOps / IT Operations | AppDev / SRE teams | SecOps / SOC analysts |
| Data sources | SNMP, NetFlow, IPFIX, packet metadata | APM agents, distributed tracing | Full-session metadata, behavioral analytics |
| Retention | Real-time + historical trending | Real-time transaction traces | Forensic-grade long-term retention |
Key insight
Organizations whose NPM and NDR work from the same network data can maximize visibility and operational efficiency. APM and NPM answer 'what is slow and why?' NDR answers 'what is compromised and how?' Together, they can provide complete operational intelligence from a single evidence layer.
Real-world example
Ransomware detection via performance anomalies
- NetOps observes a sudden spike in SMB traffic and file server latency (NPM metrics)
- NDR correlates with unusual encryption patterns, connection to recently registered domain, and lateral movement from a compromised workstation
Result: Ransomware detected in encryption phase, before data loss. NPM provided the performance anomaly; NDR provided the threat context.
DDoS vs. legitimate traffic spike
- NetOps sees a massive bandwidth spike and latency increase (NPM alerts)
- NDR analysis identifies distributed source IPs, malformed packets, and SYN flood patterns, distinguishing attack traffic from a legitimate flash traffic event
Result: Confirmed DDoS attack, automated mitigation triggered. NPM detected the anomaly; NDR distinguished the attack from legitimate traffic.
Cloud migration troubleshooting
- NetOps reports degraded application performance after AWS migration (high latency visible in NPM dashboard)
- NDR protocol analysis reveals TLS handshake timing issues with a specific certificate authority and misconfigured security groups blocking optimal routing paths
Result: Network configuration issue identified and fixed in hours rather than days. NPM showed the symptom; NDR’s metadata analysis revealed the root cause without requiring decryption or traffic replay.
Monitoring performance in encrypted traffic
More than 95% of network traffic now travels over encrypted channels, using TLS/SSL by default across web applications, SaaS platforms, and internal microservices. Encryption is essential for privacy and security. But it creates a fundamental tension for network monitoring: how do you understand what is happening on the wire when you cannot read the payload?
Traditional network performance monitoring tools have relied on deep packet inspection (DPI), a methodology that examines packet contents to identify applications and diagnose performance issues. Encryption makes DPI largely ineffective. Some organizations attempted SSL/TLS interception (decrypting and re-encrypting traffic in a proxy), but this approach introduces significant problems: privacy and compliance concerns, substantial performance overhead, key management complexity, and new security vulnerabilities.
The modern solution: Metadata-based analysis
Both modern NPM and NDR platforms have adopted a metadata-based approach that provides rich insights into encrypted traffic without decryption. Traffic remains encrypted end-to-end, while the observable characteristics of the handshake and of the connection itself reveal both performance and security signals.
Five encrypted traffic analysis techniques
1. TLS handshake analysis
The TLS negotiation phase is unencrypted and metadata-rich. Separating handshake latency from application response time pinpoints whether slowness is a TLS or app-layer problem. Handshake data also exposes legacy TLS versions and abnormal sequences that indicate malicious tools masquerading as legitimate software.
2. Certificate intelligence
Every TLS certificate is visible without breaking encryption. Certificate analysis surfaces expired or self-signed certificates, revocation issues causing latency, and newly issued certificates on suspicious domains. This is a reliable early indicator of phishing or C2 infrastructure.
3. Connection pattern analysis
Connection metadata reveals who talks to whom, how often, and how much data moves, without touching the payload. Unusual volumes flag potential exfiltration; unexpected destinations flag potential C2; off-pattern access flags insider risk.
4. TLS fingerprinting (JA3/JA4)
JA3 and JA4 fingerprinting hash the TLS ClientHello parameters (TLS version, cipher suites, extensions, and elliptic curves) into a fingerprint that uniquely identifies the connecting software even when the payload is fully encrypted. Security teams use these fingerprints to detect malware families and unauthorized remote access tools operating inside the network.
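As an added illustration of how a JA3 fingerprint is derived from the cleartext handshake (this is not Corelight or Zeek code), the block below parses a ClientHello from a raw TLS record, strips GREASE values as the JA3 specification requires, and hashes the resulting string. The ClientHello bytes are constructed for the demo, not captured from a real client.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random filler that clients insert into each list;
# JA3 drops them so the same client always produces the same fingerprint.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}  # 0x0a0a, 0x1a1a, ..., 0xfafa

def _ja3_field(values):
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: "SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats"
    (decimal values, '-' inside a field, ',' between fields)."""
    return ",".join([
        str(version),
        _ja3_field(ciphers),
        _ja3_field(extensions),
        _ja3_field(curves),
        "-".join(str(p) for p in point_formats),  # 1-byte values, never GREASE
    ])

def ja3_hash(*fields):
    """The fingerprint that threat feeds exchange is the MD5 of the JA3 string."""
    return hashlib.md5(ja3_string(*fields).encode()).hexdigest()

def parse_client_hello(record):
    """Pull the five JA3 inputs out of a raw TLS record carrying a ClientHello.
    Only the cleartext handshake is read; the encrypted payload is never touched."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[5:]
    pos = 4                                       # handshake type + 3-byte length
    version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32                                 # client_version, client_random
    pos += 1 + body[pos]                          # session_id (length-prefixed)
    cs_len = struct.unpack_from("!H", body, pos)[0]
    ciphers = list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2))
    pos += 2 + cs_len
    pos += 1 + body[pos]                          # compression_methods
    extensions, curves, point_formats = [], [], []
    if pos < len(body):                           # extensions block is optional
        ext_end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos < ext_end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 10:                       # supported_groups (curves)
                n = struct.unpack_from("!H", data)[0] // 2
                curves = list(struct.unpack_from("!%dH" % n, data, 2))
            elif etype == 11:                     # ec_point_formats
                point_formats = list(data[1:1 + data[0]])
    return version, ciphers, extensions, curves, point_formats

# Constructed Chrome-style ClientHello (not a captured packet): GREASE values in
# the cipher, extension and curve lists, zeroed random, minimal extension bodies.
SAMPLE_HELLO = bytes.fromhex(
    "160301005d" "01000059" "0303" + "00" * 32 + "00"  # headers, version, random, no session id
    "000c" "0a0a130113021303c02bc02f"                  # 6 cipher suites (first is GREASE)
    "0100" "0024"                                      # null compression; 36 bytes of extensions
    "1a1a0000" "00000000"                              # GREASE ext, server_name (empty here)
    "000a000a0008" "2a2a001d00170018"                  # supported_groups: GREASE, x25519, P-256, P-384
    "000b00020100"                                     # ec_point_formats: uncompressed
    "ff010000" "000d0000"                              # renegotiation_info, signature_algorithms (empty)
)
```

Running `ja3_hash(*parse_client_hello(SAMPLE_HELLO))` yields the value a sensor would write into its TLS log and compare against known-tool fingerprints; the GREASE stripping is what keeps that value stable across connections from the same client.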
5. Behavioral and timing analysis
The temporal rhythm of connections reveals behavioral patterns that signature-based tools miss entirely. Beaconing malware, off-hours exfiltration, and pre-attack scanning all leave distinctive timing signatures in connection metadata, detectable without ever reading a payload byte.
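The timing signature described above can be scored directly from connection metadata. The block below is an added example (not Corelight or Zeek code) that groups conn.log-style records by source, destination and port and flags pairs whose inter-arrival gaps are both numerous and unusually regular; the records, hosts and thresholds are constructed for the demo.

```python
from collections import defaultdict
from statistics import mean, pstdev

def beacon_candidates(records, min_conns=8, max_cv=0.15):
    """Group connections by (source, destination, port) and flag pairs whose
    inter-arrival gaps are numerous and regular. Regularity is the coefficient
    of variation (stdev / mean) of the gaps: human-driven traffic is bursty
    (high CV); a timer-driven beacon is metronomic (low CV). Raise max_cv to
    tolerate deliberate jitter, at the cost of more false positives."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    findings = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:          # too few connections to judge rhythm
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        interval = mean(gaps)
        if interval <= 0:
            continue
        cv = pstdev(gaps) / interval
        if cv <= max_cv:
            findings.append({"pair": pair, "count": len(stamps),
                             "interval_s": round(interval, 1), "cv": round(cv, 3)})
    return findings

def _conns(src, dst, port, start, gaps):
    """Build conn.log-style records (ts, id.orig_h, id.resp_h, id.resp_p)
    from a start time and a list of gaps between successive connections."""
    out, ts = [], start
    for g in [0] + gaps:
        ts += g
        out.append({"ts": ts, "id.orig_h": src, "id.resp_h": dst, "id.resp_p": port})
    return out

# Constructed sample: one host calling out every ~60 s with slight jitter, one
# browsing irregularly, and one regular but short burst (below min_conns).
SAMPLE_RECORDS = (
    _conns("10.0.0.5", "203.0.113.10", 443, 1700000000,
           [60, 61, 59, 60, 62, 58, 60, 61, 59, 60, 60])
    + _conns("10.0.0.7", "198.51.100.20", 443, 1700000005,
             [5, 300, 12, 90, 2, 700, 45, 3, 150])
    + _conns("10.0.0.9", "198.51.100.30", 443, 1700000010, [30, 30])
)
```

In practice the flagged pair is then enriched with the certificate, JA3/JA4 and destination-age metadata from the same evidence layer before an analyst is paged, since backup agents and update checkers also run on timers.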
Best practices for unified network observability
Unified network observability consolidates performance monitoring, security detection, and operational analytics into a single view of network behavior, eliminating the silos between NetOps and SecOps that slow investigation and duplicate cost. Rather than deploying separate tools that each provide partial visibility, this approach treats network data as shared evidence serving multiple purposes simultaneously.
The following six best practices enable organizations to achieve true unified observability:
1. Deploy sensors strategically
Coverage determines what you can see. Deploy sensors at north-south chokepoints (internet gateways, cloud egress), east-west segments (data center fabric, critical internal segments), and cloud environments (AWS, Azure, GCP with native sensor deployment). A gap in sensor coverage is a gap in both performance visibility and threat detection.
2. Establish comprehensive baselines
Monitor for 30–90 days before tuning alert thresholds. Network behavior varies by time of day, day of week, and seasonal patterns; a Monday morning authentication surge looks very different from a weekend off-hours credential stuffing attack. AI and ML-assisted baseline adaptation ensures that thresholds evolve as the network changes, reducing alert fatigue while maintaining detection fidelity.
3. Implement multi-layered detection
No single detection method is sufficient. Combine signature-based detection for known threat patterns, behavioral analytics for anomaly detection, machine learning for statistical outlier identification, and threat intelligence correlation for context enrichment. Each layer catches what the others miss.
4. Integrate across the security stack
Network evidence is most powerful when it flows into the tools that act on it. Feed network metadata to SIEM for cross-source correlation, enrich EDR alerts with the network context that explains how a compromised endpoint communicated, and share network dashboards across both NetOps and SecOps platforms so every team works from the same underlying data.
5. Maintain forensic-grade retention
Security investigations reveal that attackers often dwell in networks for weeks or months before being detected. Full metadata retention of 90+ days enables historical threat hunting and incident reconstruction. Aggregated flow data retained for 12+ months supports compliance reporting and long-term trending. Targeted Smart PCAP capability provides full packet capture on demand for deep forensic investigation when metadata alone is insufficient.
6. Enable cross-team collaboration
Unified observability is as much an organizational practice as a technology choice. Give NetOps and SecOps access to the same underlying data with role-appropriate views and dashboards. Create shared runbooks for incident types that span both disciplines. Eliminate the investigative friction caused by siloed tools and conflicting data sources; the fastest path to resolution runs through shared evidence, shared context, and shared workflows.
Insider threat + data exfiltration
- SecOps receives a behavioral alert: employee accessing unusual internal systems (NDR detection)
- NetOps data shows sustained high bandwidth to cloud storage, abnormal data volumes during off-hours, connection patterns inconsistent with job role (NPM metrics)
Result: Insider threat detected before data breach completed. NDR flagged the suspicious behavior; NPM quantified the data movement and provided the forensic evidence for the investigation.
How Corelight unifies security & performance monitoring
Corelight's Open NDR Platform is purpose-built to deliver this vision in practice, transforming network traffic into definitive evidence for both performance and security from a single deployment.
Zeek-powered intelligence
Corelight is built on the open-source Zeek network analysis framework, trusted by enterprises, governments, and research institutions worldwide. Zeek extracts 100+ metadata fields from every network connection, far beyond what flow-based tools capture, providing the protocol-level depth that both performance diagnosis and threat detection require.
True unified platform
A single Corelight sensor deployment serves both NetOps and SecOps simultaneously. The same data feeds performance dashboards and threat detection systems, eliminating tool sprawl, reducing duplicate infrastructure costs, and enabling the cross-team collaboration that unified observability demands.
Industry-leading encrypted traffic visibility
Corelight's Encrypted Traffic Collection analyzes the 95%+ of modern traffic that flows over TLS, without decryption. JA3/JA4 fingerprinting, certificate intelligence, behavioral analysis, and timing pattern detection provide the visibility that DPI-dependent tools cannot deliver in an encrypted-first network environment.
Multi-layered AI-powered detection
Corelight combines signature-based detection via Suricata IDS integration, behavioral analytics via Zeek protocol analysis, machine learning anomaly detection, and threat intelligence correlation from leading providers, delivering coverage across the full MITRE ATT&CK framework with dramatically reduced false positive rates.
Flexible deployment across hybrid environments
Whether using physical sensors for on-premises data centers, virtual sensors for VMware, Hyper-V, and KVM environments, or cloud-native sensors for AWS, Azure, and GCP, Corelight provides unified network evidence across the full hybrid infrastructure without visibility gaps at cloud boundaries.
- 98% reduction in false positive alerts
- 10X faster threat hunting
- 100% coverage of MITRE ATT&CK framework techniques
- 50% reduction in Mean Time To Respond (MTTR)
To learn more, read this in-depth primer on NDR. For more about Corelight’s capabilities, check out this overview of the Open NDR Platform.
What is the difference between network performance monitoring and network security monitoring?
Network performance monitoring (NPM) focuses on optimizing network health: bandwidth, latency, throughput, and availability. Network security monitoring (NSM) and network detection and response (NDR) focus on identifying threats like lateral movement and data exfiltration. Both analyze the same network traffic data. Separating them creates silos and duplicates infrastructure. Corelight's Open NDR Platform combines NPM and NDR, transforming network traffic into network evidence that serves NetOps and SecOps from a single source.
How can network evidence reduce monitoring tool sprawl?
Most enterprises deploy 5–10+ separate network monitoring tools: NetFlow collectors, packet capture appliances, network performance monitoring agents, and SIEM forwarders. Each generates overlapping data, creating duplicate costs and operational complexity. Corelight treats network traffic as network evidence, a single Zeek-powered data source serving multiple use cases: performance monitoring, threat detection, capacity planning, and compliance reporting.
How do I monitor network performance in the cloud?
Cloud environments present unique challenges: ephemeral workloads, VPC boundaries, and limited native visibility. While AWS VPC Flow Logs, Azure NSG Logs, and GCP VPC Logs provide basic connection records, they lack protocol-level detail for effective troubleshooting. Corelight Cloud Sensors deploy natively in AWS, Azure, and GCP, extracting rich Zeek metadata, connection timing, protocol behaviors, and application identification without full packet capture overhead. The result: unified visibility across on-premises and multi-cloud infrastructure.
Why is network performance monitoring important for cybersecurity investigations?
Network traffic provides an immutable record of what occurred during incidents; attackers can delete logs and compromise endpoints, but cannot erase their network footprint. Network performance data becomes forensic evidence: bandwidth patterns reveal exfiltration timing, connection histories show lateral movement, and protocol anomalies indicate command-and-control activity. Historical baselines establish when attacks began. This network evidence correlates with endpoint and SIEM data to reconstruct attack timelines. Compliance frameworks (PCI DSS, HIPAA, GDPR) mandate network audit trails for breach disclosure and forensic analysis.
Do I need separate tools for application and network performance monitoring?
Application performance monitoring (APM) and network performance monitoring (NPM) serve complementary purposes. APM tools provide code-level visibility, transaction traces, and database queries. NPM provides network-layer visibility: bandwidth, latency, and packet loss. Use both to distinguish application slowness from network issues: APM shows which transactions are slow; NPM shows why. Corelight's network evidence integrates with APM platforms, revealing root causes often missed by application-only monitoring.
We’re proud to protect some of the most sensitive, mission-critical enterprises and government agencies in the world. Learn how Corelight’s Open NDR Platform can help your organization mitigate cybersecurity risk.