Hook / Why this matters
CISSP Lens: Pick answers that align business risk, governance intent, and practical control execution.
Preventive controls will fail at some point. When they do, your only chance to limit damage is to detect malicious activity quickly. Network monitoring, intrusion detection systems (IDS), and intrusion prevention systems (IPS) help you see what is actually happening on your network rather than what you hope is happening.
Core concept explained simply
Network monitoring is about visibility into traffic. IDS and IPS are tools that analyze this traffic to identify suspicious or malicious behavior.
IDS vs IPS vs firewalls
It helps to distinguish these roles:
- Firewalls enforce policy about which traffic is allowed or blocked based on rules.
- IDS (Intrusion Detection Systems) monitor traffic and alert on suspicious patterns but do not block by themselves.
- IPS (Intrusion Prevention Systems) inspect traffic inline and can automatically block or modify it.
You can think of IDS as a security camera and IPS as a combination of camera and lock that can actively stop certain actions.
Signature based vs anomaly based detection
IDS and IPS use two main detection approaches:
- Signature based detection compares traffic against known patterns of malicious activity, such as specific exploit payloads or command and control protocols.
- Anomaly or behavior based detection looks for deviations from normal baselines, like unexpected protocols, unusual volume, or new communication paths.
Signature based detection is precise for known threats but weak against new techniques. Anomaly based detection can find novel attacks but often requires more tuning to avoid false positives.
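The tradeoff described above, as an added example that is not part of the original page: a small Python sensor runs both a signature matcher and a baseline-deviation (anomaly) check over the same constructed flow records. The hosts, payload strings, signature names and thresholds are all constructed for illustration; the output shows the signature rule missing a renamed variant and the anomaly check flagging a legitimate large upload.

```python
"""Constructed illustration of signature based vs anomaly based detection.
Every host, payload and rule below is made up for the example."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int
    payload: str  # first bytes of application payload, if captured


# Signature rules: exact substrings taken from previously seen bad traffic (constructed).
SIGNATURES = {
    "SIG-001 known C2 beacon user-agent": "User-Agent: BeaconKit/1.0",
    "SIG-002 known webshell header": "X-Shell-Cmd:",
}


def signature_detect(flows):
    """Return (flow_index, rule_name) for every flow containing a known pattern."""
    hits = []
    for i, f in enumerate(flows):
        for name, pattern in SIGNATURES.items():
            if pattern in f.payload:
                hits.append((i, name))
    return hits


def build_baseline(training):
    """Per-source baseline learned from a clean window: communication paths seen
    and the distribution of bytes per flow."""
    by_src = {}
    for f in training:
        b = by_src.setdefault(f.src, {"paths": set(), "bytes": []})
        b["paths"].add((f.dst, f.dport))
        b["bytes"].append(f.nbytes)
    return by_src


def anomaly_detect(flows, baseline, sigma=3.0):
    """Flag flows that deviate from the learned baseline: an unseen source,
    a new (dst, port) path, or a byte count beyond mean + sigma * stdev."""
    hits = []
    for i, f in enumerate(flows):
        b = baseline.get(f.src)
        if b is None:
            hits.append((i, "new source host"))
            continue
        if (f.dst, f.dport) not in b["paths"]:
            hits.append((i, f"new communication path {f.dst}:{f.dport}"))
        mu, sd = mean(b["bytes"]), pstdev(b["bytes"])
        if f.nbytes > mu + sigma * sd:
            hits.append((i, f"byte volume {f.nbytes} exceeds baseline {mu:.0f} + {sigma} sd"))
    return hits


def compare(flows, training):
    """Which flows each approach catches: overlap, signature-only, anomaly-only."""
    sig = {i for i, _ in signature_detect(flows)}
    anom = {i for i, _ in anomaly_detect(flows, build_baseline(training))}
    return {
        "both": sorted(sig & anom),
        "signature_only": sorted(sig - anom),
        "anomaly_only": sorted(anom - sig),
    }


# Constructed clean training window: one workstation talking to an internal web server.
TRAINING_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 443, n, "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0")
    for n in (1000, 1100, 1200, 1050, 1150)
]

# Constructed test window.
TEST_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 443, 1100, "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0"),  # normal
    Flow("10.0.0.5", "203.0.113.7", 443, 1050, "GET /ping HTTP/1.1\r\nUser-Agent: BeaconKit/1.0"),  # known C2
    Flow("10.0.0.5", "203.0.113.9", 443, 1060, "GET /ping HTTP/1.1\r\nUser-Agent: BeaconKit/2.0"),  # renamed variant
    Flow("10.0.0.5", "10.0.0.20", 443, 9000, "POST /upload HTTP/1.1\r\nUser-Agent: Mozilla/5.0"),  # legit backup
]

if __name__ == "__main__":
    print("signature hits:", signature_detect(TEST_FLOWS))
    print("anomaly hits:  ", anomaly_detect(TEST_FLOWS, build_baseline(TRAINING_FLOWS)))
    print("comparison:    ", compare(TEST_FLOWS, TRAINING_FLOWS))
```

Flow 1 is caught by both methods. Flow 2 carries a variant the signature has never seen and is found only because its destination is a new path; flow 3 is a legitimate upload that the anomaly check flags purely on volume, which is the false positive the text warns about and the reason anomaly detection needs tuning before it drives blocking.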
Network vs host based monitoring
Monitoring can happen at different locations:
- Network based IDS/IPS (NIDS/NIPS) sit at key points in the network and inspect passing traffic.
- Host based IDS/IPS (HIDS/HIPS) run on individual systems and monitor local activity such as processes, logs, and host level network connections.
Both are valuable. Network based tools see communications between systems, while host based tools see what actually happens on each machine.
Getting traffic to sensors
To monitor traffic, you need to feed it to sensors:
- SPAN or mirror ports on switches send copies of traffic to an IDS.
- Network taps are hardware devices that copy traffic on a link.
- Virtual taps or traffic mirroring perform similar functions in virtualized and cloud environments.
Sensor placement matters. You want coverage at key choke points, such as between zones and at internet edges, not necessarily on every link.
NetFlow, logs, and packet capture
Different data sources provide different levels of detail:
- NetFlow or flow logs summarize who talked to whom, on which ports, and how much data moved.
- Packet capture records full packet contents for deeper analysis.
- Device logs from firewalls, proxies, and routers provide policy decisions and contextual information.
For most organizations, a combination of flow data and logs, with selective packet capture for investigations, offers a good balance.
CISSP lens
In Domain 4, the exam expects you to:
- Differentiate IDS, IPS, and firewalls. Know which is primarily for detection, which for prevention, and how they complement each other.
- Understand detection tradeoffs. Recognize the impact of false positives and false negatives, and why tuning is essential.
- Appreciate placement decisions. Consider where to put sensors to detect relevant threats without overwhelming analysts.
- Connect monitoring to response. Monitoring without defined response processes has limited value.
You do not need to design signature sets, but you should be able to choose appropriate monitoring approaches for given scenarios.
Real-world scenario
A company relied on perimeter firewalls and antivirus software but had no network level monitoring. Attackers compromised a web application and gained a foothold on an internal server.
Once inside, they:
- Moved laterally to other servers using stolen credentials.
- Established encrypted command and control channels over HTTPS.
- Exfiltrated data slowly to blend in with normal traffic.
No alerts were generated. Months later, unusual billing patterns triggered a business review, which eventually led to the discovery of the breach. However, with no network monitoring or detailed logs, the investigation struggled to reconstruct events.
After the incident, the company implemented a network monitoring program:
- Deployed network IDS sensors at internet egress points and between major internal zones.
- Configured IDS in monitoring mode initially, tuning rules to reduce false positives.
- Integrated IDS alerts into the central SIEM and defined response playbooks.
- Enabled NetFlow on core routers and collected it for traffic analysis.
- Established log retention policies aligned with regulatory and investigative needs.
Over time, they enabled IPS functionality for certain well understood signatures at key points, such as blocking known exploit kits and command and control domains.
Common mistakes and misconceptions
Organizations often misuse or underuse IDS/IPS:
- Turning on IPS in blocking mode with default rules everywhere. This can cause outages and lead teams to disable the system entirely.
- Trying to monitor everything equally. Without prioritization, analysts drown in alerts of low value.
- Treating alerts as noise instead of opportunities to improve. If alerts are consistently ignored, the system is essentially disabled in practice.
- Focusing only on perimeter monitoring. Many attacks now originate from inside networks or cloud based assets.
- Not retaining logs long enough. Advanced attacks may unfold over months. Retention windows that are too short cripple investigations.
A CISSP should advocate for a pragmatic, focused monitoring strategy that the organization can actually support.
Actionable checklist
To strengthen network monitoring and detection:
- Identify key network choke points, such as internet gateways and links between major internal zones, and deploy IDS sensors there.
- Start with IDS in alert only mode. Tune signature sets and thresholds before enabling blocking on specific, well understood rules.
- Define a small set of high value detection use cases that align with your threat model, such as detecting unusual admin access, data exfiltration attempts, or lateral movement.
- Integrate IDS, firewall, and proxy logs into a central SIEM or log management system, and set up correlated alerts.
- Set log retention based on regulatory requirements and realistic investigation needs, aiming for months rather than days.
- Develop and practice incident response playbooks that specify how to handle common alert types.
- Periodically review detection coverage and gaps, especially when new applications, networks, or cloud services are introduced.
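The flow-data summaries from the NetFlow section and two of the checklist's detection use cases (lateral movement and data exfiltration), as an added example that is not part of the original page. The flow-log line format, addresses, byte counts and thresholds are constructed; real NetFlow exports carry more fields. The exfiltration check is run twice with different retention windows to show why the checklist asks for months of data rather than days.

```python
"""Constructed illustration: aggregate NetFlow-style records and run two
detection use cases over them. All records and thresholds are made up."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")       # assumed internal range for the example
ADMIN_PORTS = {22, 445, 3389, 5985}       # remote-admin ports watched for fan-out


def parse_flow(line):
    """Parse one constructed flow-log line: '<iso timestamp> src dst dport bytes'."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}


def summarize(flows):
    """Who talked to whom: flow count and total bytes per (src, dst, dport)."""
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        summary[key]["flows"] += 1
        summary[key]["bytes"] += f["bytes"]
    return dict(summary)


def lateral_movement(flows, window=timedelta(hours=1), min_targets=5):
    """An internal source reaching at least min_targets distinct internal hosts
    on admin ports inside one sliding window. Returns [(src, target_count)]."""
    events = defaultdict(list)  # src -> [(ts, dst)] in time order
    for f in sorted(flows, key=lambda f: f["ts"]):
        if (f["dport"] in ADMIN_PORTS and ip_address(f["src"]) in INTERNAL
                and ip_address(f["dst"]) in INTERNAL):
            events[f["src"]].append((f["ts"], f["dst"]))
    hits = []
    for src, seq in events.items():
        for i, (start, _) in enumerate(seq):
            targets = {d for t, d in seq[i:] if t - start <= window}
            if len(targets) >= min_targets:
                hits.append((src, len(targets)))
                break
    return hits


def slow_exfiltration(flows, retention_days, total_limit=200_000_000):
    """Outbound bytes from one internal host to one external destination, summed
    over the retained window only. A low daily volume is invisible with short
    retention and obvious once enough days are kept."""
    if not flows:
        return []
    cutoff = max(f["ts"] for f in flows) - timedelta(days=retention_days)
    totals = defaultdict(int)
    for f in flows:
        if f["ts"] < cutoff:
            continue  # already aged out of the log store
        if ip_address(f["src"]) in INTERNAL and ip_address(f["dst"]) not in INTERNAL:
            totals[(f["src"], f["dst"])] += f["bytes"]
    return sorted((k, v) for k, v in totals.items() if v >= total_limit)


def constructed_log():
    """Thirty days of made-up flow records."""
    base = datetime(2024, 1, 1, 8, 0)
    lines = []
    for day in range(30):
        ts = (base + timedelta(days=day)).isoformat()
        lines.append(f"{ts} 10.0.0.5 203.0.113.50 443 10000000")   # steady 10 MB/day to one external host
        lines.append(f"{ts} 10.0.0.5 198.51.100.10 443 1000000")   # routine SaaS traffic
    for i, n in enumerate(range(21, 27)):                           # six internal hosts on SMB in 5 minutes
        ts = (base + timedelta(days=29, minutes=i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 10.0.0.{n} 445 4096")
    for h, n in ((2, 21), (3, 22)):                                 # an admin touching two servers over SSH
        ts = (base + timedelta(days=29, hours=h)).isoformat()
        lines.append(f"{ts} 10.0.0.3 10.0.0.{n} 22 2048")
    return lines


if __name__ == "__main__":
    flows = [parse_flow(l) for l in constructed_log()]
    print("top talkers:", sorted(summarize(flows).items(), key=lambda kv: -kv[1]["bytes"])[:3])
    print("lateral movement:", lateral_movement(flows))
    print("exfil, 1 day retained: ", slow_exfiltration(flows, retention_days=1))
    print("exfil, 30 days retained:", slow_exfiltration(flows, retention_days=30))
```

With one day of flow data retained the 10 MB/day transfer never crosses the 200 MB threshold and nothing is reported; with thirty days retained the same records sum to 300 MB and the pair is raised, while the routine SaaS traffic stays below the line. The SMB fan-out from one host to six servers within minutes trips the lateral-movement rule, and the administrator touching two servers over SSH does not.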
Key takeaways
- You cannot respond to threats you cannot see. Network monitoring is essential.
- IDS focuses on detection, IPS adds prevention, and both complement firewalls.
- Detection quality depends on good placement, tuning, and clear response processes.
- Monitoring must include internal and cloud traffic, not only the perimeter.
- Log retention and data quality directly affect your ability to investigate incidents.
Optional exam-style reflection question
Why might a security team choose to deploy a network IDS in monitoring mode only, at least initially, instead of enabling IPS blocking capabilities right away?
Answer: Starting in monitoring mode allows the team to learn normal traffic patterns, tune detection rules, and reduce false positives. Enabling blocking with untuned rules can disrupt legitimate business traffic and may cause stakeholders to disable the system, reducing security.