Network Defense Strategies

In the famous words of security researcher Richard Bejtlich: "Prevention eventually fails." This isn't pessimism—it's operational reality. No matter how robust your defenses, sophisticated attackers, insider threats, and unforeseen vulnerabilities will eventually allow malicious activity to occur. When that happens, the difference between a minor incident and a catastrophic breach often comes down to one factor: detection time.

The 2024 IBM Cost of a Data Breach Report found that breaches identified within 200 days cost an average of $3.93 million, while those taking longer cost $4.95 million—a 26% increase. More critically, many organizations discover breaches only when external parties notify them, sometimes months or years after compromise.

Monitoring and logging are the foundation of security detection. They provide the visibility necessary to:

• Detect ongoing attacks before damage is complete
• Identify compromised systems and accounts
• Understand the scope and impact of incidents
• Provide forensic evidence for investigation
• Demonstrate compliance with regulatory requirements
• Enable continuous improvement through trend analysis

This page explores logging architectures, monitoring technologies, detection methodologies, and the operational practices that transform raw data into actionable security intelligence.

Effective security monitoring begins with comprehensive, reliable logging. Log architecture addresses what to log, how to collect logs, where to store them, and how to ensure their integrity.

What to Log

Security-relevant events span multiple domains:

Authentication Events:

• Successful and failed login attempts
• Password changes and resets
• MFA enrollment and usage
• Session creation and termination
• Privilege escalation (sudo, runas)

Authorization Events:

• Access granted and denied
• Permission changes
• Group membership modifications
• Role assignments

System Events:

• Service starts and stops
• Configuration changes
• Patch installations
• System errors and crashes
• Resource exhaustion warnings

Network Events:

• Firewall accepts and denies
• VPN connections
• DNS queries and responses
• HTTP/S transactions
• Email sending and receiving

Application Events:

• Application-specific authentication
• Business transactions
• Data access and modification
• Error conditions
• API calls (especially to sensitive endpoints)

Physical Security Events:

• Badge access attempts
• Camera motion detection
• Door alarms
• Environmental alerts

Log Collection Architectures

Push vs. Pull Collection:

Push (Agent-based):

• Agents on each system forward logs to central collector
• Real-time or near-real-time transmission
• Agents can buffer during network outages
• Adds software to manage on each endpoint

Pull (Agentless):

• Central collector queries systems for logs
• Simpler infrastructure but may miss events between polls
• Network-accessible log sources required
• Suitable for network devices, legacy systems

Collection Technologies:

• Syslog — Traditional UNIX logging, now standardized (RFC 5424). UDP (unreliable) or TCP (reliable). Widely supported.
• Windows Event Forwarding (WEF) — Native Windows log collection using WinRM/Kerberos. Scales to enterprise level.
• Beats/Fluentd/Vector — Modern log shippers with parsing, filtering, and multiple output support.
• Cloud-native — Cloud providers offer native log routing (CloudWatch, Stackdriver, Azure Monitor).

Log Storage Considerations

Retention Requirements:

• Regulatory requirements (often 1-7 years)
• Forensic needs (investigate incidents months later)
• Storage costs (logs can be massive)
• Tiered storage (hot/warm/cold) for cost optimization

Integrity Protection:

• Logs are critical evidence; attackers often try to modify them
• Write-once storage (WORM) for compliance
• Cryptographic hash chains for tamper detection
• Separate storage from monitored systems

SIEM systems are the central nervous system of security monitoring, aggregating logs from across the environment, normalizing data into common formats, and enabling correlation, alerting, and analysis.

Core SIEM Functions

Log Aggregation:

• Collect logs from all sources (servers, networks, applications, cloud)
• Handle diverse log formats (syslog, JSON, XML, proprietary)
• Scale to handle enterprise log volumes (hundreds of TB+)

Normalization:

• Transform varied log formats into common schema
• Map vendor-specific fields to standard fields (source IP, user, action)
• Enable cross-source correlation and querying

Correlation:

• Identify relationships between events from different sources
• Detect attack patterns spanning multiple systems
• Reduce noise by consolidating related events

Alerting:

• Match events against detection rules
• Prioritize alerts by severity and confidence
• Route alerts to appropriate responders
• Reduce alert fatigue through tuning

Search and Investigation:

• Full-text and structured search across historical data
• Timeline reconstruction for incidents
• Pivot from one indicator to related events

Reporting and Compliance:

• Dashboards for security posture visibility
• Automated compliance reports
• Long-term trend analysis

Modern SIEM Technologies

Traditional SIEM Products:

• Splunk Enterprise Security
• IBM QRadar
• LogRhythm
• ArcSight (Micro Focus)

Cloud-Native SIEM:

• Microsoft Sentinel
• Google Chronicle
• Sumo Logic
• Elastic Security

Open Source Options:

• Elastic Stack (ELK)
• Wazuh
• OSSIM/AlienVault
• Graylog

SIEM Optimization Challenges

Alert Fatigue: The number one SIEM failure mode. Too many alerts, too many false positives, analysts stop investigating.

Solutions:

• Tune rules continuously based on false positive feedback
• Implement tiered alerting (critical vs. informational)
• Use correlation to consolidate related alerts
• Employ risk scoring to prioritize alerts

Data Overload: Collecting everything is expensive and makes analysis harder.

Solutions:

• Define clear log collection policies
• Use log filtering at source
• Implement tiered storage (hot/warm/cold)
• Archive rather than delete for compliance

Skill Requirements: SIEM effectiveness depends on skilled analysts and rule developers.

Solutions:

• Invest in analyst training
• Use vendor-provided detection content
• Share rules via threat intelligence communities
• Implement automation to handle routine tasks

Detecting malicious activity requires multiple complementary approaches. No single detection methodology catches all threats, and effective security operations combine several techniques.

Signature-Based Detection

How it Works: Matches observed activity against known patterns of malicious behavior—specific byte sequences, command strings, network packets, or file hashes.

Examples:

• Antivirus matching malware file hashes
• IDS rules matching exploit packet patterns
• SIEM rules detecting known attack patterns
• Email filters matching known phishing indicators

Strengths:

• Low false positive rates for well-crafted signatures
• Fast detection (simple pattern match)
• Clear explanation of why something triggered

Weaknesses:

• Cannot detect novel (zero-day) attacks
• Easily evaded with minor modifications
• Requires constant signature updates
• Growing signature databases impact performance

Anomaly-Based Detection

How it Works: Establishes baselines of "normal" behavior, then alerts on deviations from those baselines.

Examples:

• Network traffic anomalies (unusual volume, protocols, destinations)
• User behavior anomalies (access at unusual times, unusual data access patterns)
• Process behavior anomalies (unusual parent-child relationships, unexpected network connections)

Strengths:

• Can detect previously unknown attacks
• Adapts to environment-specific patterns
• Effective against insider threats

Weaknesses:

• High false positive rates (normal varies widely)
• Attackers can slowly normalize malicious behavior
• Requires substantial baseline training period
• "Normal" changes over time, requiring recalibration

Behavioral Analysis

How it Works: Defines behaviors characteristic of attacks (TTPs - Tactics, Techniques, Procedures) and detects when those behaviors occur, regardless of specific implementation.

Examples:

• Credential dumping behaviors (accessing LSASS memory)
• Lateral movement patterns (admin tools from non-admin hosts)
• Data exfiltration patterns (large outbound transfers to new destinations)
• Persistence mechanisms (registry modifications, scheduled tasks)

MITRE ATT&CK Framework: The ATT&CK framework catalogs adversary behaviors across attack lifecycle phases:

• Tactics — Why: The adversary's tactical goal (Persistence, Lateral Movement, Exfiltration)
• Techniques — How: General methods for achieving goals (T1003: OS Credential Dumping)
• Sub-techniques — Specific variations (T1003.001: LSASS Memory)
• Procedures — Actual implementation by specific threat actors

Mapping detections to ATT&CK helps identify coverage gaps.

User and Entity Behavior Analytics (UEBA)

How it Works: Machine learning models profile normal behavior of users and entities, detecting anomalies that may indicate compromise or insider threats.

Capabilities:

• Peer group analysis (user differs from similar users)
• Risk scoring (aggregate anomalies into risk level)
• Session analysis (chain of activities within session)
• Credential usage patterns (unusual authentication patterns)

Use Cases:

• Compromised credential detection
• Insider threat identification
• Privileged access monitoring
• Account takeover detection

Network monitoring provides visibility into communications between systems, enabling detection of command and control, lateral movement, data exfiltration, and policy violations.

Network Data Sources

Full Packet Capture (PCAP):

• Complete network traffic recording
• Ultimate forensic fidelity
• Massive storage requirements (TB/hour for enterprise)
• Privacy concerns with encrypted traffic
• Used for targeted capture or post-incident analysis

Flow Data (NetFlow/IPFIX):

• Metadata about connections (source, dest, ports, bytes, duration)
• Much smaller than PCAP (1000x+ reduction)
• Sufficient for many detection use cases
• Loses payload content (can't detect payload-based attacks)
• Cost-effective for long-term retention

DNS Query Logs:

• All DNS resolutions from internal resolvers
• Reveals communication intent even when encrypted
• Detects C2 domains, data exfiltration via DNS tunneling
• Useful for historical investigation

Proxy/Web Gateway Logs:

• HTTP/HTTPS traffic through web proxies
• URL categories, content types, user attribution
• SSL inspection enables payload visibility (with privacy tradeoffs)

Email Gateway Logs:

• Email flow, attachment types, spam/phishing verdicts
• Useful for phishing investigation
• Links email to subsequent web activity

Network Detection and Response (NDR)

NDR platforms combine multiple network data sources with advanced analytics:

Capabilities:

• Passive traffic analysis without inline devices
• Machine learning for anomaly detection
• Encrypted traffic analysis (detecting anomalies without decryption)
• Protocol anomaly detection
• Lateral movement visibility
• Retrospective analysis (search historical traffic)

Key Detection Categories:

Command and Control (C2):

• Beaconing detection (periodic callback patterns)
• Known malicious destination blocking
• Protocol anomalies (HTTP over non-standard ports)
• DNS-based C2 (DGA domains, DNS tunneling)

Lateral Movement:

• Internal scanning detection
• Unusual internal connectivity patterns
• Credential-based protocols to unusual destinations (RDP, SMB, SSH)
• Pass-the-hash/pass-the-ticket detection

Data Exfiltration:

• Large outbound data transfers
• Connections to new external destinations
• Encrypted channel usage patterns
• Cloud storage uploads

Encrypted Traffic Challenges: With TLS 1.3 and encrypted DNS, network visibility decreases. Strategies include:

• TLS inspection — Decrypt and re-encrypt (privacy/performance tradeoffs)
• Encrypted Traffic Analytics — Detect anomalies from metadata (timing, packet sizes, JA3 fingerprints)
• Endpoint visibility — Complement network monitoring with EDR
• DNS visibility — Maintain logging at internal DNS resolvers

Endpoint Detection and Response provides deep visibility into host-level activity—processes, file operations, network connections, registry changes, and more. As network encryption increases, endpoint visibility becomes increasingly critical.

EDR Capabilities

Telemetry Collection:

• Process creation and termination
• Command line arguments
• Parent-child process relationships
• File creation, modification, deletion
• Registry changes
• Network connections per process
• Module/DLL loading
• User logon events
• Scheduled task/service creation

Real-Time Detection:

• Behavioral analysis of running processes
• Memory scanning for known malware
• Script execution monitoring (PowerShell, WMI)
• Exploit technique detection (injections, hooks)

Response Capabilities:

• Process termination
• Network isolation
• File quarantine
• Memory dump collection
• Remote shell for investigation

Key EDR Detection Categories

Process Injection Techniques:

• DLL injection into running processes
• Process hollowing (replacing legitimate process memory)
• Thread hijacking
• APC injection

Credential Access:

• LSASS memory access attempts
• SAM database access
• Credential dumping tools (Mimikatz patterns)
• Kerberos ticket manipulation

Persistence Mechanisms:

• Registry run key modifications
• Scheduled task creation
• Service installation
• Startup folder modifications
• WMI event subscriptions

Defense Evasion:

• AMSI bypass attempts
• ETW patching
• Security tool process termination
• Log clearing

Living-Off-the-Land Techniques:

• Suspicious PowerShell usage
• WMIC/CertUtil abuse
• mshta/rundll32/regsvr32 misuse
• BITSAdmin/msiexec abuse

EDR Deployment Considerations

Coverage Goals:

• All endpoints: workstations, laptops, servers
• Include cloud workloads and containers where possible
• Critical systems first, then expand

Performance Impact:

• Modern EDR has minimal performance overhead
• May require exclusions for high-I/O applications
• Test on production-representative systems

Integration Points:

• SIEM: Forward alerts for correlation with other sources
• SOAR: Enable automated response playbooks
• Threat Intelligence: Enrich with external context

Effective security monitoring requires not just data collection, but meaningful metrics that inform decision-making, demonstrate program effectiveness, and drive continuous improvement.

Detection Metrics

Mean Time to Detect (MTTD): Average time from attack occurrence to detection.

• Industry average: 197 days (2024, improving)
• Target: Hours to days for critical threats
• Measures detection capability
• Broken down by attack type, data source

Mean Time to Respond (MTTR): Average time from detection to containment.

• Measures response capability
• Include investigation, decision, and action time
• Target: Hours for critical incidents

True Positive Rate: Percentage of alerts representing actual threats.

• Low rates indicate noisy rules
• Target: 80%+ for actionable alerts
• Track per rule/detection for tuning

False Positive Rate: Percentage of alerts that are not threats.

• High rates cause alert fatigue
• Investigate top false positive sources
• Continuous feedback loop for tuning

Detection Coverage: Percentage of ATT&CK techniques with detection rules.

• Map detections to framework
• Identify gaps in coverage
• Prioritize based on threat intelligence

Operational Dashboards

SOC Operations Dashboard:

• Alert queue depth (open alerts by priority)
• Alert age distribution (how long alerts wait)
• Analyst workload (cases per analyst)
• Escalation rate (Tier 1 to Tier 2)
• Alert sources (which systems generate alerts)

Threat Detection Dashboard:

• Alerts by type/category over time
• True positive trends
• Top triggered rules
• Geographic/network segment distribution
• Correlated incident view

Compliance Dashboard:

• Log collection completeness
• Retention compliance by data type
• Review cadence compliance (access reviews, etc.)
• Audit finding status
• Policy exception status

Threat Intelligence Dashboard:

• IOC matches over time
• Top threat actors targeting org
• Intelligence source coverage
• Time from intelligence to detection rule

Dashboard Design Principles

Purpose-Driven: Each dashboard serves a specific audience and use case. Don't combine executive reporting with analyst workload.

Actionable: Every metric should drive potential action. If you can't act on it, don't track it.

Trending: Point-in-time metrics without trend are limited. Show direction over time.

Drill-Down: Allow investigation from summary to detail without leaving the dashboard.

Red/Yellow/Green: Clear visual indicators of status against targets. Don't require interpretation.

Threat hunting is the proactive, human-driven search for threats that evade automated detection. While SIEM alerts react to known patterns, hunting assumes sophisticated threats are already present and seeks them actively.

Hunting vs. Detection

Automated Detection:

• Reactive: Waits for patterns to match
• Scalable: Processes all events equally
• Rule-based: Limited to defined patterns
• Fast: Alerts in near-real-time

Threat Hunting:

• Proactive: Doesn't wait for alerts
• Human-driven: Analyst intuition and creativity
• Hypothesis-based: Tests theories about attacker presence
• Thorough: Deep investigation of suspicious patterns

Hunting Methodologies

Intelligence-Driven: Start from threat intelligence about active threats.

1. Receive intelligence about threat actor TTP
2. Develop hypothesis: "If actor X targeted us, they would leave indicators Y"
3. Search telemetry for indicators and behaviors
4. Investigate any matches; escalate or close
5. Convert successful hunts into automated detections

Anomaly-Driven: Start from statistical anomalies, investigate for malicious cause.

1. Identify statistical outliers (rare processes, unusual access patterns)
2. Develop hypothesis: "These outliers may indicate compromise"
3. Investigate context around anomalies
4. Determine if benign or malicious
5. Either tune baseline or escalate

ATT&CK-Driven: Systematically hunt for specific techniques.

1. Select ATT&CK technique not covered by detections
2. Research how technique manifests in telemetry
3. Hunt for evidence of technique execution
4. Build detection rule if pattern found
5. Document even if nothing found (validates coverage)

Monitoring and logging provide the visibility foundation that makes security detection and response possible. Without comprehensive, well-architected observability, organizations operate blind to threats that prevention eventually fails to stop.

What's Next:

With visibility established through monitoring and logging, we'll next explore Incident Response—the structured processes and procedures for responding when threats are detected. Detection without response capability merely documents attacks without stopping them.