Network Security Monitoring (NSM) Explained

Network Security Monitoring (NSM) refers to the collection and analysis of security information to discover the presence or fact of an intrusion in the IT network. It aims to discern, correlate and characterize networking activities that can be classified as an intentional unauthorized activity.

If this sounds similar to Intrusion Detection, you’re not alone! In fact, ISD is often incorrectly used synonymously with Network Security Monitoring. So, let’s clear up this confusion and define network security monitoring as a modern paradigm for organizational security.

The goals of network security monitoring

In modern Network Security Monitoring systems, intrusion detection capabilities are used as a subset component of the technology. NSM is about:

• Understanding your security capabilities.
• Identifying the tactics of adversaries intruding your network.
• Analyzing network information to detect how these adversaries can act to intrude your network.

(Power your SOC with full visibility and security monitoring from Splunk.)

NSM vs IDS

What differentiates Network Security Monitoring from Intrusion Detection Systems (IDS)? The IDS is based on an older security paradigm focused on the following characteristics:

Vulnerability-centric defense

IDS uses this common approach to secure networked systems where vulnerabilities are identified as potential targets for an adversary. These vulnerabilities are resolved against known threats with the goal of preventing exploitation in the first place.

Detection-focused

While network data is collected by the IDS, it is done with little directions and focus. IDS technologies capture all data, without tying the data collection activities with well-defined detection strategies.

Signature-based detection

Most IDS technologies use signatures of known attacks and correlate data patterns with the attack signature patterns. Detecting anomalous behavior is therefore tied to the existence of these signatures, which makes IDS systems using signature-based detection much less effective against zero-day exploits.

Automation-focused

The idea of an IDS technology is to simplify collection and use of all data generated by the IT network. In practice, network traffic behavior evolves continuously. Automating based on fixed rules — which may be less relevant in the future — is never a great strategy for the continuous evolution of cybercrime.

Features of network security monitoring

So, what makes modern Network Security Monitoring different from IDS? Let’s call NSM a new paradigm that aims to maintain information security principles of Confidentiality, Integrity and Availability by adopting the following characteristics:

Prevention eventually fails

Despite having multiple layers of defense in place, your IT network security is always vulnerable to:

• Undiscovered zero-day exploits
• Social engineering compromising the human element
• Insider threats
• Sophisticated organized cyberattacks from organized cybercrime underground rings and state-sponsored entities

The idea that you can always protect an intrusion against these threats is flawed — but you can continuously monitor the threat and keep a proactive, prepared stance.

Threat-centric defense

Instead of focusing all your efforts on how to prevent a cyberattack or network intrusion, Network Security Monitoring aims to narrow down the underlying problem. It is focused on identifying the adversary and understanding why they would commit to a cyberattack.

Indeed, this is harder than simply deploying a layer of sophisticated cybersecurity technology. How do you gain intelligence into the motives of a network intruder? This requires:

1. Fine-grained visibility into your network traffic behavior.
2. The ability to capture the right information and analyze all intelligence related to the anomalous traffic.

(Understand attackers’ motives with cyber threat intelligence.)

Strategic data collection

Yes, IT teams can analyze new data to seek out novel intrusion patterns and unknown vulnerabilities. But they are quickly overwhelmed — bombarded — by the sheer scale of enterprise IT network operations and the exploding volumes of network logs generated across all endpoints and nodes.

While cloud storage is increasingly cost-effective, processing and managing vast volumes of evolving network data has diminishing ROI.

To this end, one of the strategies employed by modern NSM tools is to model the behavior of the system and evaluate deviations of network traffic against the expected model behavior in real-time. This requires advanced machine learning based technologies that:

1. Continuously learns from traffic behavior.
2. Models the system behavior.
3. Can continuously adapt as traffic patterns and network behavior evolve.

Continuous cyclic feedback

Unlike the linear process of Intrusion Detection, NSM technologies follow a circular feedback loop to monitor security threats. For instance, traditional IDS systems evaluate every security incident in isolation. Each incident detection generates alerts based on predefined rules and appropriate response action is taken.

The modern NSM process captures network data, uses AI models to detect an intrusion, uses this knowledge to improve the data collection process and focus on the right network metrics that improve detection capabilities of the NSM system.

Network security monitoring applies to all monitoring

The paradigm of Network Security Monitoring is adopted for a variety of monitoring technologies such as:

• Availability monitoring
• Performance monitoring
• Cloud infrastructure monitoring
• Configurations monitoring
• And more

These technologies use advanced AI algorithms and analytics capabilities to evaluate network state and behavior. This is based on data such as network protocols, traffic patterns and flow, client-server communications as well as the packet data.

An NSM technology can be integrated with the wider set of security technologies that issue a security control action once the intrusion patterns are identified. This option, however, may not be a packaged component of all Network Security Monitoring technologies.