Network Security Monitoring: Detect Intrusions Before Damage

The unfortunate truth about cybersecurity in 2026: perimeter defenses will be breached. Your firewall, your endpoint protection, your employee training — none of these guarantee that attackers won't get inside. What determines whether a breach becomes a catastrophe is how quickly you detect them.

Industry studies consistently show the same pattern: the mean time to detect (MTTD) a breach is over 200 days. During that time, attackers are inside your network, moving laterally, exfiltrating data, and establishing persistence. By the time you discover the breach, the damage is done.

Network Security Monitoring (NSM) is the discipline that changes this equation — catching attackers during the window between initial compromise and objective achievement.

What Network Security Monitoring Actually Does

NSM collects and analyzes network traffic data to identify malicious activity. Unlike endpoint detection that focuses on what happens on individual computers, NSM sees the traffic between systems — the commands moving across your network, the data leaving your borders, the unusual communication patterns that indicate compromise.

Think of it like a security camera system for your network. You can't prevent someone from potentially breaking a window, but you can watch for the break-in in progress and respond before they带走 (take) your valuables.

The NSM Process

1. Collection: Capture network traffic at strategic points
2. Storage: Retain traffic data for analysis (days to months depending on capacity)
3. Processing: Parse, normalize, and index traffic for efficient querying
4. Detection: Apply signatures, rules, and anomaly detection
5. Analysis: Investigate alerts and hunt for threats
6. Response: Contain and remediate confirmed incidents

Essential Data Sources for Network Monitoring

Full Packet Capture (PCAP)

The gold standard of NSM data. Full packet capture records every byte of every network packet. When an incident occurs, you can reconstruct exactly what happened — every file transferred, every command executed, every credential used.

The tradeoff is storage. A moderately active network can generate terabytes of PCAP data per day. Most organizations capture full packets for limited windows or critical segments only.

Tools: Zeek (formerly Bro), Moloch, Stenographer

Flow Data (NetFlow/sFlow/IPFIX)

Flow data is metadata about network conversations — source IP, destination IP, port, bytes transferred, duration. It doesn't capture content, but it's extremely efficient to store and can reveal patterns that indicate compromise.

Unusual outbound connections to foreign IPs, large data transfers to suspicious destinations, or beaconing patterns (regular check-ins to command-and-control servers) all appear in flow data.

Tools: SiLK, ntopng, cloud-based services (Cloudflare Analytics, AWS Flow Logs)

DNS Logs

DNS is the backbone of internet communication — and a favorite channel for attackers. Command-and-control communications often use DNS lookups to external servers. Data exfiltration can be encoded in DNS queries. Malware uses DNS to resolve malicious domains.

Monitoring DNS gives you visibility into network activity that other tools miss because DNS traffic is often allowed through firewalls unchecked.

Proxy Logs

If you operate a web proxy (and you should), you have rich logs of web activity. Proxy logs capture URLs requested, files downloaded, potentially unwanted content accessed. They also serve as an effective control point for blocking malicious destinations.

Modern proxies integrate with threat intelligence feeds, automatically blocking requests to known-malicious domains.

Detection Methods: Finding Evil in Your Traffic

Signature-Based Detection

The traditional approach: match network traffic against known-bad patterns. When a specific malware strain uses a distinctive command-and-control signature, detecting it is straightforward.

The limitation: signature detection only catches known threats. Zero-day exploits, custom malware, and novel attack techniques sail through undetected.

Tools: Snort, Suricata, Zeek with community scripts

Anomaly-Based Detection

Anomaly detection establishes a baseline of normal behavior and alerts on deviations. A server that normally communicates with 5 internal hosts suddenly talking to 50? That's worth investigating. A workstation making DNS queries to a foreign server at 3 AM when no one is in the office?

Anomaly detection catches new attacks that signatures don't cover, but produces false positives when legitimate activity differs from baseline. Tuning is essential.

Tools: Zeek + statistical analysis, Security Onion, ELK Stack with ML plugins

Behavioral Analysis

Behavioral analysis looks for attacker techniques regardless of the specific tools used. Rather than detecting "this specific malware," behavioral analysis detects "this sequence of actions that indicates attacker methodology."

Examples:

• Authentication followed by large data transfer (potential data exfiltration)
• Rapid internal reconnaissance (port scanning)
• Use of native system tools for unexpected purposes (living-off-the-land)
• Unusual privileged account usage

Threat Hunting

Threat hunting is proactive investigation based on hypotheses about potential threats. Rather than waiting for alerts, hunters actively search for indicators of compromise that automated tools might miss.

Example hypothesis: "We're in a supply chain attack, so there may be persistence mechanisms we haven't detected yet." Hunter investigates the hypothesis by checking for unusual scheduled tasks, registry modifications, and startup items.

Building Your Monitoring Stack

Open Source Foundation

You don't need expensive commercial tools to implement effective NSM. A powerful stack can be built entirely from open-source components:

Cloud-Native Monitoring

For cloud infrastructure, native monitoring tools provide deep visibility:

• AWS: VPC Flow Logs, CloudTrail, GuardDuty
• Azure: Azure Monitor, Network Watcher, Defender for Cloud
• GCP: Cloud Logging, Network Intelligence Center, Security Command Center

Cloud providers have deep visibility into network traffic within their environments. Integrating cloud-native logs with your NSM stack provides comprehensive coverage.

Key Metrics to Monitor

Not all network activity is equally important. Focus monitoring attention on high-value targets:

Authentication Events

• Failed logins (especially rapid failures indicating brute force)
• Logins from unusual locations or at unusual times
• Privileged account usage
• Authentication to multiple systems in short succession (lateral movement)

DNS Activity

• DNS queries to known-malicious domains
• High volume of DNS queries from single hosts
• DNS queries for uncommon record types
• Queries to newly registered domains

Network Connections

• Connections to known bad IP addresses (via threat intelligence)
• Unusually high outbound traffic (data exfiltration potential)
• Connections on non-standard ports
• Internal hosts communicating directly with external IPs (bypassing proxy)

File Transfer Indicators

• Large outbound data transfers
• File transfers to unusual destinations
• Protocols used for file transfer (FTP, SCP, cloud storage)

Creating Detection Rules

Detection rules translate your threat intelligence into automated alerts. A good detection rule has:

1. Clear logic: You understand exactly what conditions trigger it
2. Low false positive rate: It doesn't fire on legitimate activity
3. Actionable output: When it fires, you know what to investigate
4. MITRE ATT&CK mapping: You know which attack technique it detects

# Example Zeek detection: Potential DNS tunneling
# Alerts on very long DNS queries (possible data exfiltration)

event dns_query(c: connection, query: string, qtype: count) {
    if ( |query| > 100 ) {
        Reporter::info(fmt("Large DNS query from %s: %s (%d bytes)", 
            c$id$orig_h, query, |query|));
    }
}

Incident Response: What Happens When You Detect Something

Detection without response is just expensive logging. When your monitoring detects suspicious activity:

1. Validate: Confirm the alert represents genuine suspicious activity, not a false positive
2. Scope: Determine the extent of the compromise — what systems, what data, what timeline
3. Contain: Isolate affected systems to prevent further spread
4. Eradicate: Remove the attacker presence — close attacker access paths, remove malware
5. Recover: Restore systems to normal operation with improved controls
6. Lessons Learned: Update detection rules to catch similar activity faster

The goal is to shrink the "dwell time" — the period between initial compromise and detection. Every day of dwell time is another day of potential damage.

Minimum Viable Monitoring

You don't need a full security operations center to implement effective monitoring. Start with these essentials:

• DNS logging: Captures significant attack activity with minimal overhead
• VPN logs: Remote access is a common attack vector
• Authentication logs: Detect credential-based attacks
• Firewall/Network device logs: See what's attempting to enter your network
• Web proxy logs: Monitor for malicious destinations

Centralize these logs in a searchable format (SIEM or even a well-structured ELK stack) and create alerts for the highest-fidelity indicators. You can build sophistication over time.

Building Your NSM Program

NSM isn't a product you buy — it's a discipline you build. Key steps:

1. Inventory your data sources: What network data can you collect today?
2. Establish baselines: What does normal traffic look like?
3. Deploy detection rules: Start with high-confidence indicators
4. Create runbooks: Document investigation procedures for common alerts
5. Practice: Run tabletop exercises and purple team assessments
6. Iterate: Refine based on what you learn from incidents

The organizations with the best breach outcomes aren't the ones with the biggest security budgets — they're the ones who detect breaches quickly and respond effectively. NSM is how you build that capability.