What Is Network Security Monitoring (NSM)?

HOW NETWORK SECURITY MONITORING WORKS: A COMPLETE OVERVIEW

Network security monitoring (NSM) involves the collection and analysis of raw traffic that can surface indicators of compromise, help security analysts at all skill levels understand adversarial tactics, and respond more effectively and faster to cyber threats.

What is network security monitoring (NSM)?

Network security monitoring (NSM) is the collection and analysis of network data such as logs, traffic patterns, and anomalies. Security professionals use this data to discover and respond to potential intrusions and malicious activity.
With NSM, they can quickly and accurately determine if an organization’s systems have been compromised. Additionally, network security monitoring helps organizations understand their security posture, identify potential exploits, and enhance overall defenses.

Network security monitoring operates on the premise that:

1. Intruders are a step ahead

Malicious actors are familiar with widely deployed security tools and strategies, and are continuously devising novel methods for circumventing these defenses. Network security monitoring assumes these actors are circumventing those defenses and already on your network.

2. Prevention eventually fails

Since prevention tools are not 100% effective, NSM focuses on monitoring the network for signs of malicious activity. The goal is to detect and then disrupt bad actors before they can achieve their objectives, whether that is ransoming data, stealing data, disrupting core operations, or some other purpose.

3. Threats, not vulnerabilities, are the focus

Network security monitoring provides the Security Operations Center (SOC) with visibility into how intruders navigate the network and escalate their actions. With this information, they can define the tactics, techniques, and procedures (TTPs) used and write new detections to counter them. However, the primary focus is not on detecting and remediating known vulnerabilities.

hand-typing-NSM

When used by experienced security professionals, network security monitoring can thwart even the most sophisticated and stealthy threat actors who have bypassed detection-based controls. By revealing complex, multi-step campaigns that require persistence in targeted systems, it gives SOCs an edge in stopping advanced and novel attacks.

Network security monitoring employs several data types:

Any organization that hosts a network can theoretically implement network security monitoring. However, the effectiveness of its data as part of a security strategy depends on how well an organization can collect, view, analyze, and respond to the data it generates. The level and diversity of data are important—network security monitoring tools offer various types. Having some is beneficial, but having all the types listed below will offer the most robust and actionable insights for detecting and responding to threats found on the network.

Full content data Network security monitoring creates a copy or mirror of all the actual data that has traversed the network. When collected effectively, this includes full packets and traffic headers that facilitate data summaries. NSM analysis typically doesn’t start with full content data; however, it is frequently used later when a review of logs or summaries indicates that a deeper investigation is warranted.

Extracted content Executable files that travel between computers and servers contain valuable information. Analysts use this content to reconstruct browsing sessions and look for behind-the-scenes messaging that can indicate evidence of malicious content or links injected into traffic. The data is also useful for organizations using malware sandboxes or analysis tools.

Transactional data

Transactional data summarizes the nature of connections and session activity. It contains unique identifiers (UIDs), timestamps, request and reply logs, destination ports and IP addresses, protocols, bytes sent, and other critical details about connections between network nodes. The fidelity of this data can vary depending on the network security monitoring technology used and can impact an analyst’s ability to see the finer details of a network event.

Alert data

Despite largely being a passive monitoring technology, network security monitoring does generate alerts. The alert may originate with an intrusion detection system (IDS) such as Suricata or Snort. These intrusion detection systems generate notifications based on traffic matches with pre-defined signatures . Alerts may also be custom and based on proprietary insight or open-source intelligence related to established TTPs.

Behavioral data Derived from the four data categories above, behavioral data identifies abnormalities like a host trying to reach out to other hosts to determine access or data transfers from one host to another that deviate from normal data transfer rates. Such abnormalities may indicate a compromised host trying to exfiltrate data.

Not all network security monitoring solutions offer the complete range of data categories or the same level of data fidelity within these types. It’s important to understand the capabilities of different platforms by examining both the breadth of data types offered and the depth, fidelity and specific abilities within each category. Additional variations in a platform’s capabilities may depend on its integration with other tools such as endpoint detection and response (EDR) or security information and event management (SIEM). A best-in-class network security monitoring platform will support all data categories to provide defenders with the best capabilities to detect, respond to, and contain sophisticated intruders whether they’re monitoring from their own SOC or working with a third-party. Corelight’s Open NDR Platform offers a solution with all data types.

Network security monitoring fuels threat hunting

Threat hunting is a proactive discipline within a SOC focused on detecting threats before alerts are triggered. It operates under the assumption that intruders have evaded the organization’s preventative tools and persist somewhere on the network. Network security monitoring methods enable threat hunters. NSM data provides evidence that analysts can use to formulate and test hypotheses about what an intruder may be doing, or about to do.

Network security monitoring enables SOCs to advance beyond alerting systems, such as intrusion detection, to gain a deeper understanding of how their networks operate and the methods intruders may use to escalate attacks. With their findings, they can write new detections to alert on these behaviors in the future and raise their team’s knowledge base. The richer the data supplied by the NSM platform, the greater the potential for productive hunts and discovery of the most sophisticated attack patterns.

Common network security monitoring challenges

Successfully deploying network security monitoring requires thoughtful planning to consider an organization’s security policies, privacy requirements, and available staff, to address:

Challenge	Context
Alert fatigue	Network security monitoring tools may have a library of detections and turning everything on may result in increased volume of alerts that may overwhelm the SOC teams resulting in alert fatigue as well as impact the tool’s performance. For NSM tools to be effective, the detections need to be tailored to a specific environment.
Encrypted traffic	When a high volume of network traffic is encrypted it can impact NSM analysis by obscuring the specific details needed for investigation. Despite this, valuable insights that provide SOCs with context generalizing intruder behavior and identifying affected systems can still be provided through transactional and extracted content. Corelight’s Encrypted Traffic Collection offers a practical solution to this issue.
Privacy concerns	Some organizational privacy policies may not support a network security monitoring solution that requires inline decryption or monitoring of sensitive information.
Data analysis and storage	Effective use of network security monitoring requires an advanced data analysis tool such as a security information and event management (SIEM) platform, plus ample storage for network traffic data. Because NSM can generate large volumes of data, organizations can quickly become overwhelmed. Those skilled at working with network security monitoring fine-tune various elements of their systems, such as log volume, to optimize performance and suit their environment.
Skilled analysts	Many of the best-in-class solutions are developed for security teams with significant expertise in network monitoring and hunting. For less experienced analysts, it often takes time and practice to become proficient in using the platform’s data. In response, companies now offer products that integrate network security monitoring into user-friendly dashboards, sometimes enhanced with AI-assistance, putting NSM within reach of junior analysts and easing their threat hunting learning curve. (Corelight’s Investigator, a SaaS-based platform, blends intuitive interfaces with ML-assisted analytics and alert descriptions to help SOCs improve performance metrics and help analysts develop more advanced skills.

Does NSM = NDR?

Network detection and response (NDR) is an advanced enterprise solution that can incorporate many or all aspects of network security monitoring. As the name suggests, an NDR platform improves an organization’s mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) to active threats on its network.

While closely related, NSM and NDR are not two names for the same thing. Network security monitoring is a process that can be followed using a variety of security frameworks and products. NDR is one of those products. That said, many NDR platforms include toolsets and analytics designed by security engineers with strong understanding of NSM processes. Best-in-class NDR solutions will generate and contextualize all the data types needed for robust NSM listed above.

Network security monitoring deployment

When SOCs deploy network security monitoring, they place sensors at critical points in the network architecture to monitor traffic, network segments and vital assets. Sensors are often positioned at the network perimeter to monitor inbound and outbound (“north-south”) traffic, and internally at locations such as data centers to monitor internal (“east-west”) traffic that’s frequently exploited by attackers. Many other sensor locations may be utilized to operate effectively within a specific network environment.

One advantage of network security monitoring is its out-of-band operation—deployment doesn’t disrupt other systems. With the appropriate resources, a company can cover a significant portion of its network footprint with NSM to monitor and protect against network-based attacks, including placement at:

Comparing network security monitoring to other security technologies

Network security monitoring vs:

TECHNOLOGY	DETAILS
Endpoint detection and response (EDR)	Endpoint detection and response’s (EDR) in-line monitoring capabilities provide an essential view into behaviors on the endpoint as well as advanced response and blocking functions. It provides an extremely valuable defense that delivers visibility into the nature of attacks on compromised assets. At their root, NSM and EDR cover distinct areas of an organization’s digital systems. They can be effectively paired when EDR extracts forensic data from any endpoint identified by the network security monitoring as a source of suspicious traffic and connections. Together, NSM and EDR can help analysts identify malicious activity, even when much of the traffic is encrypted.
Intrusion detection and response (IDS)	Intrusion detection and response (IDS) focuses on vulnerabilities in the security apparatus and data that correspond to signatures of known attack patterns. The end product of an IDS is an alert that either instigates a response or more granular analysis. It is an automation-based approach that has proved effective against many intrusion methods of low- and mid-level complexity. As such, IDS can be defined as a critical part of a network security monitoring stack. Since no detection system is 100% effective, NSM’s data collection and contextualizing functions help analysts investigate IDS alerts and determine whether additional analysis is warranted.
Network performance monitoring (NPM)	Network performance monitoring (or NPM) can sometimes be confused with network security monitoring. While both are critical tools for managing enterprise IT networks, NSM is a cybersecurity tool and NPM is a system monitoring tool that ensures the reliability of network performance. While they can operate in a complementary fashion, network security monitoring focuses on visualizing and improving response to potential threats, while NPM improves performance overall and can help security analysts perform threat hunts and monitoring more effectively.
Cloud security tools (CSPM / CWPP)	There are many security tools and technologies that specifically address cloud security, notably cloud security posture management (CSPM), the cloud workload protection platform (CWPP) and cloud native application protection platform (CNAPP). Cloud security solutions often leave coverage gaps due to over reliance on VPC flow logs that only give partial insights. These tools can be effective when used in conjunction with network security monitoring, but have not replaced them. Many organizations have found they need the extended visibility into network traffic provided by NSM to fully understand the potential threats to cloud environments.

Corelight’s Open NDR Platform offers all four NSM data types

Corelight Open NDR Platform leverages the core principles and functionality of NSM, and provides analysts with full content data, extracted data, transactional data, and alert data, providing the most actionable insights for advanced network monitoring, all stages of incident response, and compliance. Built around the leading open-source network monitoring technology Zeek®, the platform integrates multiple technologies to create a game-changing network investigation and hunting tool.

CORELIGHT OPEN NDR PLATFORM

Features include:

Signature-based IDS alerts fused with network logs for fast investigation.
AI-assisted investigation that walks analysts through remediation steps
Detections that range from signature based to ML (machine learning) models
Visualization dashboards that prioritize issues
Long-term data storage that extend lookback windows to months and years
Complete visibility with collections for Encrypted Traffic, Entities, C2, and ICS/OT
Integration of intelligence from third party sources
Integrate and drive more value from SIEM and XDR tools
Deployment flexibility as hardware, cloud, vm, software, and micro sensors

HOW NETWORK SECURITY MONITORING WORKS: A COMPLETE OVERVIEW

What is network security monitoring (NSM)?

Network security monitoring operates on the premise that:

1. Intruders are a step ahead

2. Prevention eventually fails

3. Threats, not vulnerabilities, are the focus

Network security monitoring employs several data types:

Network security monitoring fuels threat hunting

Common network security monitoring challenges

5 Considerations for Effective Multi-Cloud Threat Detection →

Does NSM = NDR?

Network security monitoring deployment

Learn more about how Corelight can help →

Comparing network security monitoring to other security technologies

How Corelight boosts investigations with LLMs and ML modeling →

Corelight’s Open NDR Platform offers all four NSM data types

Features include:

To learn more about how Corelight combines the essentials of NSM, IDS and AI-assisted analysis and response and supports evidence-based security use cases, contact us today.

Book a demo

Sign up for our newsletter

Locations

1 (888) 547-9497

We're hiring!