Monitoring and threat detection are the eyes and ears of network security architecture. Without continuous visibility into network traffic, device behaviour, and user activity, even the best-designed architecture is blind to attacks in progress. Detection must be built into the architecture — not bolted on as an afterthought.
Monitoring is not just an operational activity — it must be designed into the network architecture from the start:
| Architectural Decision | Monitoring Impact |
|---|---|
| Network zone boundaries | Detection points where IDS/IPS sensors are placed |
| Encryption strategy | Determines where traffic can be inspected |
| Logging infrastructure | Defines what data feeds the SIEM |
| Cloud vs. on-premises | Different monitoring tools and data sources |
| Microsegmentation | East-west visibility requirements |
| Source | Data Type | Security Value |
|---|---|---|
| Network flow data (NetFlow/IPFIX) | Connection metadata (source, destination, ports, bytes) | Detect unusual patterns, data exfiltration |
| Full packet capture (PCAP) | Complete packet content | Deep forensic analysis |
| Firewall logs | Allowed/denied connections | Policy enforcement visibility |
| IDS/IPS alerts | Signature and anomaly detections | Threat identification |
| DNS logs | Query and response data | Detect tunnelling, DGA, C2 |
| Proxy logs | URL requests, categories | Web-based threat detection |
| Endpoint telemetry (EDR) | Process, file, registry activity | Endpoint threat detection |
| Authentication logs | Login successes, failures, MFA events | Credential-based attacks |
| Cloud audit logs | API calls, configuration changes | Cloud security visibility |
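Two of the DNS detections named in the table above (tunnelling and DGA domains) are worked through here as an added example; it is not code from the lesson or from any product it mentions. The log format, the sample lines, the thresholds (`MIN_LABEL_LEN`, `ENTROPY_THRESHOLD`, `MIN_UNIQUE_SUBDOMAINS`) and the two-label approximation of a registered domain are all assumptions made for the example.

```python
import math
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample DNS query log (not from any real capture). Format per line:
# "<timestamp> <client-ip> <query-name> <query-type>"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.1.15 www.example.com A
2024-01-01T10:00:02 10.0.1.15 mail.example.com A
2024-01-01T10:00:03 10.0.1.22 3f9a8c1e7b2d4a6f.tunnel.example.net TXT
2024-01-01T10:00:03 10.0.1.22 9d2b7e4c1a8f3e5b.tunnel.example.net TXT
2024-01-01T10:00:04 10.0.1.22 c4e1a9f7d3b8e2a6.tunnel.example.net TXT
2024-01-01T10:00:04 10.0.1.22 7b3d9f2e5a1c8e4d.tunnel.example.net TXT
2024-01-01T10:00:05 10.0.1.22 e8a2c6d4f1b9a3e7.tunnel.example.net TXT
2024-01-01T10:00:06 10.0.1.30 xkq7zvp2mwlr.com A
2024-01-01T10:00:07 10.0.1.30 qwz9pxkvlmtr.com A
2024-01-01T10:00:08 10.0.1.30 update.vendor.com A
"""

# Tunable thresholds (assumed values; tune against your own baseline).
MIN_LABEL_LEN = 10         # shorter labels are rarely worth scoring
ENTROPY_THRESHOLD = 3.5    # bits per character; hex/base32 payloads sit well above this
MIN_UNIQUE_SUBDOMAINS = 4  # distinct encoded subdomains per client+domain before alerting


class DnsRecord(NamedTuple):
    ts: str
    client: str
    qname: str
    qtype: str


def parse_dns_log(text: str) -> List[DnsRecord]:
    """Parse the simplified log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append(DnsRecord(ts, client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Simplification: last two labels. Real code should consult the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def is_random_looking(label: str) -> bool:
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) > ENTROPY_THRESHOLD


def detect_dga(records: List[DnsRecord]) -> Set[str]:
    """DGA heuristic: the registered domain itself is a long, high-entropy label."""
    flagged = set()
    for r in records:
        reg = registered_domain(r.qname)
        if is_random_looking(reg.split(".")[0]):
            flagged.add(reg)
    return flagged


def detect_tunnelling(records: List[DnsRecord], min_unique: int = MIN_UNIQUE_SUBDOMAINS) -> List[dict]:
    """Tunnelling heuristic: one client sends many distinct encoded subdomains to one domain."""
    encoded: Dict[tuple, Set[str]] = defaultdict(set)
    for r in records:
        reg = registered_domain(r.qname)
        sub = r.qname[: -(len(reg) + 1)] if r.qname != reg else ""
        if any(is_random_looking(label) for label in sub.split(".") if label):
            encoded[(r.client, reg)].add(r.qname)
    return [
        {"client": client, "domain": reg, "unique_subdomains": len(names)}
        for (client, reg), names in sorted(encoded.items())
        if len(names) >= min_unique
    ]


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("DGA candidates:", sorted(detect_dga(recs)))
    print("Tunnelling:", detect_tunnelling(recs))
```

Run against the constructed log, the tunnelling check fires once (client 10.0.1.22 sending five distinct hex-encoded subdomains under example.net) and the DGA check flags the two random-looking `.com` names while leaving `update.vendor.com` alone. Entropy and label length on their own produce noise from CDN hostnames, so the tunnelling rule counts distinct encoded names per client and domain rather than alerting on a single query.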
```text
Internet
│
▼
[TAP / SPAN] ── Sensor 1: North-south traffic at perimeter
│
[Firewall]
│
├── [TAP / SPAN] ── Sensor 2: DMZ traffic
│
[Internal Firewall]
│
├── [TAP / SPAN] ── Sensor 3: East-west traffic between zones
│
[Core Switch]
│
├── [TAP / SPAN] ── Sensor 4: Data centre traffic
│
[Server Zone]
```
| Feature | IDS | IPS |
|---|---|---|
| Deployment | Passive (mirror/TAP) | Inline (in the traffic path) |
| Action | Detects and alerts | Detects, alerts, and blocks |
| Risk | No impact on traffic flow | False positives can block legitimate traffic |
| Use case | Monitoring and forensics | Active threat prevention |
| Method | How It Works | Strengths | Weaknesses |
|---|---|---|---|
| Signature-based | Matches traffic against known attack patterns | Low false positives for known threats | Cannot detect unknown (zero-day) attacks |
| Anomaly-based | Establishes baseline, flags deviations | Detects novel attacks | Higher false positive rate |
| Behavioural | Analyses patterns of behaviour over time | Detects slow, stealthy attacks | Requires tuning and learning period |
| Machine learning | Models trained on traffic data | Adapts to evolving threats | Requires quality training data |
NDR platforms go beyond traditional IDS/IPS by analysing network traffic using machine learning and behavioural analytics:
| Feature | Description |
|---|---|
| Full traffic analysis | Inspects all network traffic, not just signatures |
| Encrypted traffic analysis | Detects threats in encrypted traffic without decryption (metadata analysis) |
| Lateral movement detection | Identifies east-west movement between internal systems |
| Automated investigation | Correlates related events into incidents automatically |
| Threat hunting | Provides rich data for proactive threat hunting |
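The detection-method comparison above (signature-based versus anomaly-based) and the NDR lateral-movement row are illustrated together in the following added example, which runs all three approaches over the same constructed flow records; it is not code from the lesson or from any NDR product named on this page. The flow format, the internal address ranges, the blocklist entry, the baseline values and the thresholds (`z_threshold`, `min_fanout`) are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Set, Tuple

# Internal address space assumed for this example (adjust to your own ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed destination blocklist standing in for a threat-intel feed.
BLOCKLIST = {"203.0.113.50"}


class Flow(NamedTuple):
    day: int        # day number used as the aggregation window
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int  # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_sample_flows() -> List[Flow]:
    """Constructed flow records: seven quiet baseline days, then an unusual day 8."""
    flows = []
    baseline = [48_000, 52_000, 50_000, 51_000, 49_000, 50_500, 49_500]
    for day, b in enumerate(baseline, start=1):
        for host in ("10.0.1.15", "10.0.1.22"):
            flows.append(Flow(day, host, "198.51.100.10", 443, "tcp", b))
    # Day 8: one host behaves normally, the other sends 2 MB to a blocklisted
    # address and fans out to 15 internal servers on SMB.
    flows.append(Flow(8, "10.0.1.15", "198.51.100.10", 443, "tcp", 50_200))
    flows.append(Flow(8, "10.0.1.22", "203.0.113.50", 443, "tcp", 2_000_000))
    flows += [Flow(8, "10.0.1.22", f"10.0.2.{i}", 445, "tcp", 1_200) for i in range(1, 16)]
    flows += [Flow(8, "10.0.1.15", f"10.0.2.{i}", 445, "tcp", 3_000) for i in (1, 2)]
    return flows


# --- Signature-based: fixed rules, low false positives, blind to anything unlisted ---
SIGNATURES = [
    ("blocklisted-destination", lambda f: f.dst in BLOCKLIST),
    ("telnet-to-internal-host", lambda f: f.proto == "tcp" and f.dport == 23 and is_internal(f.dst)),
]


def signature_alerts(flows: List[Flow]) -> List[Tuple[str, Flow]]:
    return [(name, f) for f in flows for name, match in SIGNATURES if match(f)]


# --- Anomaly-based: per-host baseline of outbound bytes, flag large deviations ---
def anomaly_alerts(flows: List[Flow], current_day: int, z_threshold: float = 3.0) -> List[dict]:
    per_host: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):   # north-south only
            per_host[f.src][f.day] += f.bytes_out
    alerts = []
    for host, by_day in sorted(per_host.items()):
        history = [v for d, v in by_day.items() if d != current_day]
        if len(history) < 2:
            continue  # not enough baseline to judge; a learning period is required
        mu, sigma = mean(history), pstdev(history)
        today = by_day.get(current_day, 0)
        z = (today - mu) / sigma if sigma > 0 else (float("inf") if today > mu else 0.0)
        if z > z_threshold:
            alerts.append({"host": host, "bytes_out": today, "baseline_mean": mu, "z": round(z, 1)})
    return alerts


# --- Behavioural / NDR-style: east-west fan-out as a lateral-movement signal ---
def lateral_movement_alerts(flows: List[Flow], current_day: int, min_fanout: int = 10) -> List[dict]:
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.day == current_day and is_internal(f.src) and is_internal(f.dst):
            targets[f.src].add(f.dst)
    return [{"host": h, "distinct_internal_targets": len(t)}
            for h, t in sorted(targets.items()) if len(t) >= min_fanout]


if __name__ == "__main__":
    sample = build_sample_flows()
    print("signature:", [(n, f.src, f.dst) for n, f in signature_alerts(sample)])
    print("anomaly:", anomaly_alerts(sample, current_day=8))
    print("lateral:", lateral_movement_alerts(sample, current_day=8))
```

On the constructed data the signature rule fires only because the destination happens to be on the blocklist; the same transfer to an unlisted address would be invisible to it, which is the weakness the table records. The anomaly rule catches it regardless of destination, but only because seven baseline days exist (the learning-period caveat), and the fan-out count is what exposes the east-west activity that a perimeter sensor never sees. Internal ranges are listed explicitly rather than relying on a library's notion of "private" addresses, since the documentation ranges used here as external addresses are classed as special-purpose by some libraries.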
| Solution | Key Feature |
|---|---|
| Darktrace | AI-driven anomaly detection |
| Vectra AI | Attack signal intelligence |
| ExtraHop Reveal(x) | Real-time network intelligence |
| Cisco Stealthwatch | NetFlow-based analytics |
| Corelight | Zeek-based network evidence |