Network Security Monitoring

Network security monitoring (NSM) is the continuous collection, analysis, and escalation of network data to detect, investigate, and respond to security threats before or after they produce measurable harm. This page covers the definition and scope of NSM as a professional discipline, the technical mechanisms that underpin it, the operational scenarios where it applies, and the decision criteria that distinguish NSM from adjacent security functions. NSM operates at the intersection of regulatory compliance, threat detection, and incident response across enterprise, government, and critical infrastructure environments.

Definition and scope

Network security monitoring describes a structured operational practice in which network traffic, host telemetry, and security event data are persistently observed to identify anomalies, policy violations, and indicators of compromise. The scope extends beyond passive logging — NSM encompasses detection architecture, analyst workflows, alert triage, and evidence preservation in support of network security incident response.

The National Institute of Standards and Technology (NIST) addresses continuous monitoring requirements in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, which defines an information security continuous monitoring (ISCM) strategy requiring organizations to maintain ongoing awareness of security posture. Federal civilian agencies are further obligated under the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program, administered by CISA, to deploy sensors and dashboards that feed agency-level and federal-level visibility.

NSM is classified into three primary data types:

  1. Full packet capture (FPC) — complete recording of network payloads, used for forensic reconstruction and deep inspection
  2. Session or flow data — metadata describing connection endpoints, duration, volume, and protocol (NetFlow, IPFIX, sFlow), retained at higher volume than FPC
  3. Alert data — structured output from detection engines such as intrusion detection systems, correlated and stored in SIEM platforms

These three types form a detection hierarchy: alert data surfaces events, flow data provides context, and FPC enables definitive reconstruction.

How it works

NSM operates through a pipeline of collection, normalization, detection, and analyst review. The operational phases are:

  1. Sensor deployment — Passive taps, SPAN ports, or inline sensors are placed at network chokepoints: perimeter ingress/egress, internal segment boundaries, and cloud egress points. Sensor placement follows a coverage model derived from network segmentation strategies.
  2. Data ingestion and normalization — Raw traffic and log feeds are parsed into structured formats. NIST SP 800-92, Guide to Computer Security Log Management, defines log retention and normalization requirements applicable to federal systems and widely adopted in the private sector.
  3. Signature and behavioral detection — Detection engines apply rule sets (such as those maintained by the Snort and Suricata communities) alongside behavioral baselines. Intrusion detection and prevention systems contribute signature-based alert feeds into the NSM pipeline.
  4. Correlation and prioritization — Events are correlated across data sources using SIEM logic. The MITRE ATT&CK framework, a publicly maintained knowledge base of adversary tactics and techniques, provides a structured taxonomy for mapping alerts to attacker behavior patterns.
  5. Analyst triage and escalation — Trained analysts review queued alerts, distinguish true positives from false positives, and escalate confirmed incidents. The SANS Institute's Network Security Monitoring curriculum, documented in Richard Bejtlich's foundational work The Practice of Network Security Monitoring, describes analyst workflow standards adopted across the professional community.
  6. Evidence preservation — Relevant packet captures, flow records, and logs are preserved for forensic analysis in accordance with chain-of-custody requirements.
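The data hierarchy above (alerts surface events, flow data supplies context, capture confirms) and the six pipeline phases can be seen together in a small worked pipeline. The following Python is an added example, not code from the page or from any NSM product: it normalises constructed NetFlow-style records and a constructed Suricata EVE-style alert line, runs a signature stage and a behavioural volume baseline (median plus k times the median absolute deviation), correlates each finding with the flows behind it, maps findings to ATT&CK tactic IDs, and returns a ranked triage queue. The rule SID, the threshold multiplier, the tactic mapping and the scoring weights are assumptions made for the example.

```python
"""
Toy NSM pipeline over constructed data, illustrating the three data types and the
pipeline phases: normalise flow records and IDS alerts, run a signature stage and a
behavioural baseline, correlate findings with flow context, map them to ATT&CK
tactics and rank them for triage. Inputs, rule SID, thresholds and scoring weights
are all assumptions made for this example.
"""
import json
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed NetFlow-style records: src,dst,dport,proto,bytes_out,duration_s
FLOW_CSV = """\
10.0.1.15,203.0.113.8,443,tcp,18200,12
10.0.1.15,203.0.113.8,443,tcp,17900,11
10.0.1.22,198.51.100.5,443,tcp,20100,15
10.0.1.31,203.0.113.77,8443,tcp,9400000,900
10.0.1.15,192.0.2.9,4444,tcp,310,3
10.0.1.22,203.0.113.8,443,tcp,19500,14
"""

# Constructed Suricata EVE-style alert line; the SID and signature text are invented.
ALERT_JSONL = """\
{"event_type":"alert","src_ip":"10.0.1.15","dest_ip":"192.0.2.9","dest_port":4444,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE Reverse shell handler on 4444/tcp","severity":1}}
"""

# Assumed local mapping from rule SID / behavioural check to ATT&CK tactic (real tactic IDs).
SID_TACTIC = {9000001: ("TA0011", "Command and Control")}
VOLUME_TACTIC = ("TA0010", "Exfiltration")
SEVERITY_SCORE = {1: 90, 2: 60, 3: 30}   # assumed triage weights for IDS severities


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int
    duration: int


def parse_flows(text):
    """Normalisation: CSV flow records -> Flow objects."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto, b, d = line.split(",")
        flows.append(Flow(src, dst, int(dport), proto, int(b), int(d)))
    return flows


def parse_alerts(text):
    """Normalisation: EVE JSON lines -> dicts, keeping only alert events."""
    recs = [json.loads(l) for l in text.strip().splitlines() if l.strip()]
    return [r for r in recs if r.get("event_type") == "alert"]


def signature_findings(alerts):
    """Signature stage: each IDS alert becomes a finding keyed by (src, dst, dport)."""
    return [{
        "key": (a["src_ip"], a["dest_ip"], a["dest_port"]),
        "source": "ids-alert",
        "detail": a["alert"]["signature"],
        "tactic": SID_TACTIC.get(a["alert"]["signature_id"], ("unmapped", "Unmapped")),
        "score": SEVERITY_SCORE.get(a["alert"]["severity"], 10),
    } for a in alerts]


def baseline_findings(flows, k=10.0):
    """Behavioural stage: flag outbound byte counts above a robust baseline,
    median + k * MAD, computed over all observed flows."""
    vals = [f.bytes_out for f in flows]
    med = statistics.median(vals)
    mad = statistics.median([abs(v - med) for v in vals])
    threshold = med + k * mad
    return [{
        "key": (f.src, f.dst, f.dport),
        "source": "flow-baseline",
        "detail": f"bytes_out {f.bytes_out} > baseline threshold {threshold:.0f}",
        "tactic": VOLUME_TACTIC,
        "score": 40 + 10 * min(4, int(f.bytes_out // threshold)),
    } for f in flows if f.bytes_out > threshold]


def correlate(findings, flows):
    """Correlation stage: attach the flow records behind each finding so the
    analyst sees volume and duration next to the alert, then rank by score."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.dport)].append(f)
    for fd in findings:
        ctx = by_key.get(fd["key"], [])
        fd["context"] = {
            "flows": len(ctx),
            "bytes_out": sum(f.bytes_out for f in ctx),
            "duration_s": sum(f.duration for f in ctx),
        }
    return sorted(findings, key=lambda fd: fd["score"], reverse=True)


def run_pipeline(flow_csv=FLOW_CSV, alert_jsonl=ALERT_JSONL):
    """Run all phases and return the prioritised triage queue."""
    flows = parse_flows(flow_csv)
    alerts = parse_alerts(alert_jsonl)
    findings = signature_findings(alerts) + baseline_findings(flows)
    return correlate(findings, flows)


if __name__ == "__main__":
    for fd in run_pipeline():
        t_id, t_name = fd["tactic"]
        print(f"[{fd['score']:3d}] {t_id} {t_name:<20} {fd['key']} {fd['detail']} ctx={fd['context']}")
```

Running it yields two queue entries: the IDS alert on 10.0.1.15 to 192.0.2.9:4444 ranked first, with the single 310-byte flow behind it attached as context, and the 9.4 MB flow from 10.0.1.31 ranked second as a volume outlier against a baseline of roughly 30 kB. The robust baseline is the point of the behavioural stage: a mean and standard deviation would be dragged upward by the very outlier being hunted, while median and MAD are not.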

Network traffic analysis functions as a sub-discipline within this pipeline, focusing specifically on behavioral baselining and anomaly scoring of flow-level data.

Common scenarios

NSM applies across four operationally distinct environments:

Enterprise perimeter monitoring — Sensors at internet-facing gateways detect known malware command-and-control traffic, data exfiltration, and unauthorized outbound connections. This is the baseline deployment scenario for organizations subject to PCI DSS (Payment Card Industry Data Security Standard), which requires network monitoring under Requirement 10.

Operational technology and industrial control systems — NSM in OT/ICS environments requires protocol-aware sensors capable of parsing Modbus, DNP3, and other industrial protocols. NIST SP 800-82, Guide to Industrial Control Systems Security, addresses monitoring considerations specific to OT and ICS network security.

Cloud and hybrid environments — Virtual taps, VPC flow logs (AWS), and NSG flow logs (Azure) replace physical sensors. Cloud-native monitoring introduces visibility gaps at east-west traffic paths within virtual networks, as documented in cloud network security architecture reviews.
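To make the east-west visibility gap concrete, the following Python is an added example (not from the page or from AWS) that parses VPC flow log records in the default version 2 field order, separates flows with both endpoints inside the VPC (east-west, invisible to a perimeter sensor) from flows that cross the VPC boundary, and flags an internal source whose rejected connections fan out across many ports on one peer. The log lines, account id, ENI id and VPC CIDR are constructed; only the field order follows the documented default format.

```python
"""
Parse AWS VPC flow log records (default v2 format) and separate east-west
traffic, which a perimeter sensor never sees, from north-south traffic;
then flag an internal host whose rejected connections fan out across many
ports on one peer. Log lines, account id, ENI id and the VPC CIDR are
constructed for this example; only the field order follows the VPC flow
log default format.
"""
import ipaddress
from collections import defaultdict

VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]   # assumed VPC address space

# Default VPC flow log field order (version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed records: one host probing a peer on several ports (REJECT),
# normal egress to public addresses, an internal reply flow, and a NODATA line.
FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.40 50212 445 6 12 2200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.40 50213 3389 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.40 50214 22 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.40 50215 5985 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.40 50216 1433 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 10.0.2.40 50217 8080 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.22 203.0.113.8 44122 443 6 40 18200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.2.40 10.0.1.22 33001 443 6 9 4010 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.3.9 198.51.100.5 0 0 1 5 420 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_vpc_flow_log(text):
    """Split each record on whitespace and skip non-OK records (NODATA/SKIPDATA),
    which carry '-' in place of the traffic fields."""
    records = []
    for line in text.strip().splitlines():
        rec = dict(zip(FIELDS, line.split()))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def in_vpc(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPC_CIDRS)


def classify(rec):
    """east-west: both endpoints inside the VPC; north-south: crosses the boundary."""
    return "east-west" if in_vpc(rec["srcaddr"]) and in_vpc(rec["dstaddr"]) else "north-south"


def visibility_summary(records):
    """Flow and byte totals per class: the east-west share is what a perimeter
    tap alone would never observe."""
    counts = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for r in records:
        c = counts[classify(r)]
        c["flows"] += 1
        c["bytes"] += r["bytes"]
    return dict(counts)


def internal_port_sweeps(records, min_ports=5):
    """Flag (src, dst) pairs inside the VPC where REJECTed flows touch at least
    min_ports distinct destination ports: a cheap lateral-movement indicator."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and classify(r) == "east-west":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs = parse_vpc_flow_log(FLOW_LOG)
    print(visibility_summary(recs))
    for src, dst, n in internal_port_sweeps(recs):
        print(f"internal port sweep: {src} -> {dst} rejected on {n} distinct ports")
```

On the constructed input seven of the nine usable records are east-west, including the five rejected probes from 10.0.1.15 to 10.0.2.40, so a sensor watching only the internet gateway would see two flows and miss the sweep entirely. The NODATA record is dropped during parsing because its traffic fields are dashes; forgetting that check is a common cause of parser crashes on real flow logs.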

Zero trust environments — In architectures conforming to NIST SP 800-207, Zero Trust Architecture, continuous monitoring is a mandatory control pillar. Every session is treated as potentially hostile, and monitoring validates access decisions in real time. The relationship between NSM and zero trust network architecture is structural, not optional.

Decision boundaries

NSM is distinct from adjacent disciplines by function and operational objective:

Function                       | Primary objective               | Data consumed               | Output
-------------------------------+---------------------------------+-----------------------------+------------------------------
NSM                            | Detect and investigate threats  | Traffic, logs, alerts       | Confirmed incidents, evidence
Network vulnerability scanning | Identify exploitable weaknesses | Host and service responses  | Vulnerability inventory
Network forensics              | Reconstruct past events         | Stored captures, logs       | Attribution, timeline
Lateral movement detection     | Identify attacker progression   | Internal traffic, auth logs | Movement indicators

The boundary between NSM and a full security operations center (SOC) function is operational scope: NSM addresses network-layer visibility specifically, while a SOC integrates endpoint, identity, and application telemetry alongside network data. Organizations with fewer than 50 endpoints may deploy NSM tooling without a dedicated SOC, using managed detection and response (MDR) providers to supply the qualified analyst tier. CISA's Known Exploited Vulnerabilities (KEV) catalog provides a prioritized threat feed that NSM detection rules can be tuned against, regardless of organizational size.
