Network security risk mitigation best practices
This section discusses network security risk mitigation best practices, including defense in depth, Zero Trust, least privilege access, network security monitoring, and incident response management
Learning objectives
List and describe network security risk mitigation best practices
Develop an appreciation for the need for a defense in depth approach to cybersecurity
Describe the three principles and six foundational pillars of the Zero Trust model
Explain the principle of least privilege and its role in mitigating insider threats and limiting attack surfaces
Describe the complementary roles of IAM (Identity & Access Management) and NAC (Network Access Control) in ensuring robust enterprise access management
Differentiate the function of AAA (Authentication, Authorization, and Accounting) as the operational framework within IAM for network-level enforcement
Compare the goals and techniques of IDS/IPS and NTA (Network Traffic Analysis)
Outline the four phases of the NIST SP 800-61r2 incident response lifecycle and describe the key activities in each phase
Describe the role of automation in ensuring consistent and compliant patch management processes
Identify key physical security controls used to protect network infrastructure from unauthorized access and environmental threats
This section discusses network security risk mitigation best practices, beginning with the foundational strategies of defense in depth and the Zero Trust model. The section then examines core technical controls, including robust access control (least privilege, Identity and Access Management, automated policy enforcement, and Multi-Factor Authentication) and network security monitoring. The discussion continues by covering the essential processes of incident response management, timely software patching, and physically securing the network, before concluding with the supporting practices of using multiple vendors and Quality Assurance.
Topics covered in this section
Defense in depth (layered security)
The Zero Trust model
Robust access control
Network security monitoring
Network Traffic Analysis (NTA)
Incident response management
Timely software patching
Physically securing the network
Using multiple vendors
Quality Assurance
Defense in depth (layered security)
The terms defense in depth and layered security are often used interchangeably to describe a multi-layered security architecture. However, it's useful to think of them as two sides of the same coin: defense in depth is the overarching strategy, while layered security represents the practical implementation of that strategy through a combination of procedural, technological, and physical controls.
The core idea behind defense in depth is that no single security control is perfect. A firewall can be misconfigured, an IDS can miss a novel attack, and a user can fall for a phishing email. A defense-in-depth strategy acknowledges this reality and builds resilience by creating multiple, overlapping layers of protection. If one layer fails or is bypassed, the next layer is already in place to stop the attack, slowing its progress and providing defenders with more time to detect and respond. This approach transforms security from a single barrier into a series of interconnected hurdles for an attacker.
A layered security architecture implements controls across multiple security domains. These domains can be visualized as a stack of defensive layers, starting from the physical infrastructure and moving up to the data itself. A practical layered security architecture can be comprised of the following layers:
Physical layer: This is the foundation of security. It involves protecting the physical assets that house your data and systems. Controls here include limiting access to data centers and network closets to only authorized personnel, using security badges, biometrics, mantraps, and 24/7 surveillance. If an attacker cannot physically touch a server, many attack vectors are immediately neutralized.
Identity and access layer: This layer focuses on ensuring that only the right people (and devices) have access to the right resources. It's where the principles and technologies of robust access control are implemented. Key controls include:
Identity and Access Management (IAM) systems that define and manage user identities and their permissions (e.g., Role-Based Access Control).
Multi-Factor Authentication (MFA) , which requires users to provide something they know (a password) plus something they have (a phone) or something they are (a fingerprint).
Conditional access policies that grant or deny access based on specific conditions, such as the user's location, device health, or risk level.
Perimeter layer: This layer secures the boundary between your corporate network and the public internet (or other untrusted networks). Its goal is to filter out attacks and unwanted traffic before they can reach internal resources. Controls here include next-generation firewalls (NGFWs), Intrusion Prevention Systems (IPS), and Distributed Denial of Service (DDoS) protection services that can absorb and filter large-scale volumetric attacks.
Network layer: This layer focuses on security within the network. Its primary goals are to limit the "blast radius" of a successful breach and restrict the lateral movement of attackers. Key controls include:
Network segmentation: Dividing the network into smaller, isolated zones (e.g., separating the finance department's network from the guest Wi-Fi network).
Network Access Control (NAC): Enforcing security policies on devices before they are granted network access, such as checking for up-to-date antivirus or operating system patches.
Virtual Local Area Networks (VLANs) and firewalls between internal segments to control traffic flows.
Compute layer: This layer involves securing the virtual machines, containers, and servers where your applications run. Controls here focus on hardening these systems against attack. Examples include securing remote access protocols (like RDP and SSH) by closing unnecessary ports, enforcing host-based firewalls, and ensuring that virtual machine images are built from secure, hardened baselines.
Application layer: This layer aims to ensure that the applications themselves are secure. It involves integrating security into the software development lifecycle (DevSecOps). Key activities include regular application security testing (static and dynamic analysis), vulnerability scanning, and employing a Web Application Firewall (WAF) to protect against common web-based attacks like SQL injection and cross-site scripting.
Data layer: This is the innermost layer, focused on protecting the crown jewels—the data itself. Controls here are the last line of defense and are critical for maintaining confidentiality and integrity, even if all other layers are compromised. They include:
Data classification and rights management: Labeling data based on sensitivity and controlling who can view, edit, or share it.
Encryption: Protecting data at rest (on hard drives), in transit (over the network), and in use (in memory). This ensures that even if data is exfiltrated, it remains unreadable without the proper keys.
By implementing controls across these layers, an organization creates a robust and resilient security posture. A failure in the perimeter layer, for example, does not automatically spell disaster because the network layer can limit the attacker's movement, and the data layer can prevent the exfiltration of sensitive information. This multi-layered approach is the essence of defense in depth.
The Zero Trust model
The traditional security model often operated like a medieval castle. It had a strong perimeter (the castle walls with firewalls and VPNs) to keep attackers out, but once inside the walls, users and devices were often trusted implicitly. This model is no longer sufficient. Attackers have become adept at breaching the perimeter through phishing, stolen credentials, or exploiting vulnerabilities in web applications. Once inside, they can move laterally, undetected, to access sensitive data.
The Zero Trust model is a modern security strategy built on the principle of "never trust, always verify." It assumes that breach is inevitable, or has perhaps already happened, and that the network is inherently hostile. Therefore, no user, device, or application—whether inside or outside the corporate network—is trusted by default. Every access request must be explicitly verified before granting access to any resource.
Zero Trust guiding principles
The Zero Trust model is guided by three core principles that shape how security is architected and enforced:
Verify explicitly: Always authenticate and authorize access based on all available data points. This goes far beyond a simple username and password. It means continuously verifying the user's identity, the health and compliance of their device, their physical location, the sensitivity of the data they're requesting, and even detecting anomalous behavior in real-time.
Use least privilege access: This principle is a cornerstone of Zero Trust. It means limiting user access with just-in-time (JIT) and just-enough-access (JEA). JIT ensures that privileged access is granted only for a limited time window when needed, while JEA ensures users have the minimum permissions required for a specific task, not broad, standing access.
Assume breach: This principle fundamentally changes the security mindset. Instead of solely focusing on prevention, Zero Trust assumes that a breach has already occurred or will occur. The strategy, therefore, shifts to minimizing the blast radius and preventing lateral movement. This is achieved by segmenting access (by network, user, and application), using end-to-end encryption to protect data, and employing advanced analytics to rapidly detect, investigate, and respond to threats.
The six foundational pillars of Zero Trust
To put these principles into practice, the Zero Trust model provides a framework of six foundational pillars—six elements that work together to provide end-to-end security. These pillars represent the key areas of an IT environment that must be secured in an integrated way.
Identities
Whether a user, service, or IoT device, an identity is the new perimeter. It must be verified with strong authentication (like MFA) and its access must be strictly governed by least privilege principles.
Devices
Devices create a vast attack surface. Zero Trust requires continuous monitoring of device health and compliance. A compromised or non-compliant device should not be trusted, regardless of who is using it.
Applications
This pillar focuses on discovering all applications in use (including "shadow IT" not managed by IT) and managing permissions. It ensures applications are secure, and that access to them is dynamically controlled and audited.
Data
Data is the ultimate asset to protect. Using a Zero Trust model, data should be classified, labeled, and encrypted based on its sensitivity. Security controls should move with the data, protecting it even when it leaves the organization's direct control.
Infrastructure
Whether on-premises or in the cloud, infrastructure is a threat vector. Security is improved by assessing configurations and versions, enforcing just-in-time access for administrative functions, and using telemetry to detect and automatically block risky behavior.
Networks
The network should no longer be considered a trusted zone. Zero Trust mandates deep network segmentation (including micro-segmentation within data centers), real-time threat protection, end-to-end encryption, and robust monitoring to detect and respond to malicious traffic.
By applying the three guiding principles across these six pillars, an organization can build a cohesive and robust security posture that protects its modern, distributed resources, regardless of where users work or where data resides. Zero Trust is not a single product, but a strategic, holistic approach to security that aligns with the layered defense (defense-in-depth) model.
Robust access control
A critical aspect of network design is enforcing strict access controls to prevent unauthorized entry. Best practices for access control in network design include least privilege access control, Identity and Access Management (IAM), automated policy enforcement, and Multi-Factor Authentication (MFA).
Least privilege access control: Granting the minimal access required for users to perform their duties.
Identity and Access Management (IAM): The core framework for defining and managing digital identities and their permissions across the enterprise.
Automated policy enforcement: The mechanisms—such as Network Access Control (NAC) and cloud security groups—that execute IAM policies in real-time without manual intervention.
Multi-Factor Authentication (MFA): A critical control that requires multiple verification methods, directly implementing the Zero Trust mandate to verify explicitly.
Least privilege access control
The principle of least privilege rules that only the necessary and sufficient level of access privilege is granted to each authorized user or user group. Establishing and enforcing the least-privilege principle for access management and access control is the principal preventive measure against insider threats. Giving users the least amount of access they need to do their jobs enhances data security because it limits what they can accidentally or deliberately access and ensures that if their passwords are compromised, a hacker does not have all keys to the kingdom. It is easier to stay secure by enabling access when needed than to revoke access and mitigate damage after an incident. Network administrators should regularly audit access logs and revoke unnecessary privileges to maintain a least-privilege environment.
Identity and Access Management (IAM)
IAM is a comprehensive discipline and set of technologies for identification, authentication, authorization, accounting, and identity management across systems. IAM is the broad, enterprise-wide strategy for governing identity and access policies. It is responsible for establishing user identities, assigning access privileges, and defining the business rules that govern those privileges across all systems (applications, data, and network). Technologies like Microsoft Active Directory are core components that implement the identity repository aspect of this IAM strategy. AAA is a critical functional framework within IAM, focused specifically on the operational enforcement of Authentication, Authorization, and Accounting for network access. It is the "how" for controlling access to network devices and services. This AAA framework is implemented using specific technologies and protocols. Cisco ISE is a prime example of a comprehensive AAA server that also performs Automated Policy Enforcement. This enforcement is a key capability of modern Network Access Control (NAC) systems, which use AAA protocols like RADIUS and TACACS+ to dynamically apply the broader IAM policies at the network level.
IAM vs AAA
Scope
Enterprise-wide. Covers applications, data, files, cloud services, and network infrastructure.
Network-centric. Primarily focused on controlling access to network devices and network access itself (e.g., Wi-Fi, VPN).
Function
Governance and Strategy. Manages the complete identity lifecycle (onboarding, role changes, offboarding), defines access policies, and ensures compliance.
Operational Enforcement. The specific process of checking credentials (AuthN), granting permissions (AuthZ), and logging activity (Acct) for network access.
Components
Identity Providers (IdP), Single Sign-On (SSO), User Provisioning/De-provisioning systems, Identity Governance tools.
AAA Servers (like Cisco ISE), Network Access Devices (NADs) like switches and WLCs, and protocols like RADIUS and TACACS+.
Analogy
The entire corporate security policy and HR department. It defines that a user is an employee, what their role is, and what resources they should have access to.
The security guard at the building door. They don't decide the policy, but they enforce it by checking your ID badge (AuthN), verifying you're allowed to enter (AuthZ), and noting the time you entered (Acct).
Core capabilities of IAM include:
User Lifecycle Management: Provisioning, de-provisioning, and updating user accounts.
Role-Based Access Control (RBAC): Assigning permissions based on a user's role in the organization. RBAC ensures that users and devices only have permissions necessary for their functions, minimizing insider threats and credential misuse.
Attribute-Based Access Control (ABAC): A more dynamic model that grants access based on attributes (user, resource, environment).
Federation: Allowing users to use a single identity across different systems (e.g., using your corporate login for cloud apps).
Privileged Access Management (PAM): A subset of IAM focused on securing highly privileged accounts.
IAM systems—such as Microsoft Active Directory, Microsoft Entra ID, Okta, and Ping Identity—serve as the authoritative source of truth for identity policy across the organization.
Automated policy enforcement
IAM defines the policies, users, roles, and permissions. Automated policy enforcement uses the rules defined in the IAM system to automatically allow, deny, or restrict access in real-time. Automated policy enforcement refers to the tools and mechanisms that implement the policies defined in the IAM system without manual intervention. This is crucial for scalability and security in modern networks. Examples of automated policy enforcement tools leveraged by IAM include:
Network Access Control (NAC): Enforces security policies at the point of network connection.
Cloud Security Groups and Firewalls: Automatically allow or deny traffic based on security tags derived from IAM roles.
Endpoint Detection and Response (EDR) platforms: Automatically isolate a compromised endpoint from the network based on predefined policies.
SIEM Automation: A Security Information and Event Management (SIEM) tool can automatically disable a user account after detecting multiple failed login attempts, based on a pre-defined policy.
Network Access Control (NAC)
NAC restricts network access to only those devices that comply with security policies, such as having up-to-date antivirus or OS patches. A NAC system operates at the network edge, evaluating each device that attempts to connect. The process typically follows these steps:
Check device identity: Is it a corporate laptop, a guest smartphone, or an unmanaged IoT sensor?
Assess compliance: Is the operating system patched? Is antivirus software installed and updated?
Query the IAM system: Based on the authenticated user (if any), what is their role and associated permissions?
Enforce policy dynamically: Based on the collected information, the NAC system grants appropriate access—placing the device on a specific VLAN, granting full network access, restricting access to only necessary applications, or blocking the connection entirely.
Non-compliant devices may be blocked, quarantined, or automatically remediated (e.g., by redirecting to a patch server). NAC works best in tightly controlled environments like corporate offices or government networks but can be challenging in dynamic settings like hospitals or universities, where device types and users change frequently, which complicates policy enforcement.
Examples of NAC technologies:
Open source:
PacketFence – A widely used open-source NAC that enforces policies via VLAN assignment, captive portals, and device profiling.
FreeRADIUS – A flexible authentication server often integrated with NAC to control network access via protocols like 802.1X.
Commercial:
Cisco ISE (Identity Services Engine) – A leading enterprise NAC solution that enforces policies, profiles devices, and automates threat responses.
Aruba ClearPass – A policy-based NAC platform that supports BYOD, IoT security, and dynamic role-based access.
NAC vs IAM
Network Access Control (NAC) and Identity and Access Management (IAM) are complementary frameworks that operate at different layers. Understanding their distinction is essential for designing robust access control architectures. The following table compares the two frameworks.
Primary Focus
Controls device access to the network based on compliance and identity. Example: A hospital blocks an unpatched laptop from connecting to the network until it updates its OS.
Manages user identities and their access to systems and applications. Example: An employee uses single sign-on (SSO) to access Salesforce but is denied entry to the HR system due to their role.
Scope of Enforcement
Operates at the network layer (ports, VLANs, Wi-Fi). Tools: Cisco ISE, Aruba ClearPass, PacketFence. Use case: A university grants students Wi-Fi access only after their devices pass an antivirus check.
Operates at the application and cloud layer (logins, APIs, data). Tools: Okta, Microsoft Entra ID (Azure AD), Keycloak. Use case: A contractor can log in to Google Workspace but can’t access the company’s AWS admin console.
Key Functions
Authenticates devices; checks device health (patch level, antivirus); assigns network segments; often uses 802.1X and MAC filtering.
Authenticates users; manages roles and permissions; enforces MFA; uses SAML, OAuth, and OpenID Connect.
Integration
Modern NAC solutions integrate with IAM to combine device posture checks with user identity and role information for fine-grained access decisions.
When to Use Which?
Use NAC when you need to secure network access against rogue devices, enforce endpoint compliance mandates (e.g., for HIPAA or PCI DSS), or manage guest and BYOD network access.
Use IAM when you need to manage user access to cloud applications, implement role-based access control across the enterprise, or enforce least-privilege access for applications and data.
Multi-Factor Authentication (MFA)
No matter how secure a password may be, it remains vulnerable to theft through phishing, data breaches, or credential stuffing. Multi-factor authentication (MFA) directly addresses this vulnerability by implementing the Zero Trust principle of verify explicitly. MFA requires users to present at least two authentication methods from at least two authentication categories to prove their identity:
Something you know: A knowledge factor, such as a password, PIN, or answer to a security question.
Something you have: A possession factor, such as a smartphone with an authenticator app, a hardware token, or a smart card.
Something you are: An inherence factor, consisting of biometric characteristics like a fingerprint, facial recognition, retina scan, or voice pattern.
By requiring multiple independent factors, MFA dramatically reduces the risk of account takeover. An attacker who compromises a user's password (something they know) cannot access the account without also possessing the user's phone (something they have) or replicating their biometric data (something they are). This layered approach to authentication is a cornerstone of modern identity security and is increasingly mandated by regulatory frameworks and insurance providers.
Network security monitoring
Organizations typically perform three interrelated types of network monitoring—network performance monitoring, network security monitoring, and network visibility. Each monitoring type serves a distinct purpose:
Network Performance Monitoring
"Is the network operational and performing well?"
Availability, latency, bandwidth utilization, device health
Network Security Monitoring
"Is something bad happening on my network?"
Threats, attacks, policy violations, anomalies
Network Visibility
"What is happening on my network?"
Comprehensive understanding of all traffic, users, applications, and behaviors
Network performance monitoring is the practice of continuously observing a network for availability, reliability, and performance. It answers questions like: "Is the critical server online?" and "Is the link saturated?" This is achieved by collecting predefined metrics such as device uptime, bandwidth usage, and error rates. For example, a performance monitoring tool might alert an administrator when a router's CPU load exceeds a threshold.
Network security monitoring focuses specifically on detecting, investigating, and responding to security threats. While performance monitoring might flag a bandwidth spike, security monitoring investigates whether that spike is caused by a legitimate backup or a distributed denial-of-service (DDoS) attack. It uses tools like intrusion detection systems (IDS) and security information and event management (SIEM) platforms to analyze traffic for malicious patterns and support incident response.
Network visibility is a broader, more proactive capability that encompasses both performance and security monitoring. It involves gaining a comprehensive, real-time understanding of all traffic flows across the entire infrastructure. Through advanced telemetry, flow analysis (NetFlow, sFlow), and packet inspection, visibility reveals which applications, users, and protocols are consuming network capacity—providing the essential context needed for troubleshooting, optimization, and threat hunting.
Network security monitoring technologies
A robust security architecture incorporates multiple monitoring technologies that work together to detect and respond to threats. Key technologies include:
Intrusion Detection and Prevention Systems (IDS/IPS): Monitor network traffic for malicious activity.
Security Information and Event Management (SIEM): Aggregates and correlates logs from multiple sources.
Endpoint Detection and Response (EDR): Monitors endpoint behavior for signs of compromise.
Network Traffic Analysis (NTA): Provides deep visibility into network flows and anomalies.
By integrating these technologies, organizations can detect threats at multiple points—network perimeter, internal traffic, endpoints, and centralized logs—creating a comprehensive monitoring posture.
Intrusion Detection Systems (IDS)
An intrusion detection system (IDS) is a device or software application that monitors networks or systems for malicious activity or policy violations. When suspicious activity is detected, the IDS generates alerts that are reported to administrators or collected centrally by a SIEM system for analysis and correlation. IDS deployments fall into two primary categories:
Network Intrusion Detection Systems (NIDS): Monitor network traffic by analyzing packet headers and payloads. Deployed at strategic points (via span ports or network taps), NIDS inspects traffic passing through the network segment.
Host-based Intrusion Detection Systems (HIDS): Monitor activity on individual hosts, including system files, processes, and registry changes. A HIDS can also monitor network traffic arriving at that specific host.
Detection Methodologies
NIDS can be classified by their approach to identifying threats:
Signature-Based
Compares traffic against known attack patterns (signatures).
Effective against known threats; low false positives for well-defined attacks.
Cannot detect zero-day or novel attacks.
Snort (open source), Suricata (open source), Cisco Firepower (commercial)
Anomaly-Based
Uses machine learning or statistical baselining to detect deviations from normal behavior.
Can identify novel attacks, insider threats, and lateral movement.
May generate higher false positives; requires tuning.
Zeek (open source), Suricata (open source), Darktrace (commercial), Cisco Stealthwatch (commercial)
Reputation-Based
Assesses potential malicious activity based on reputation scores of IPs, domains, or files.
Effective for blocking communications with known malicious entities.
Limited to known malicious sources.
Various threat intelligence feeds (see table below)
Examples of Reputation-Based Detection Tools
AlienVault OTX (Open Threat Exchange)
Open threat intelligence
A community-driven platform that shares IP, domain, and file reputation data. Users can integrate OTX feeds into firewalls, IDS/IPS, and SIEM tools to block communications with known malicious entities.
MISP (Malware Information Sharing Platform)
Open source threat intelligence platform
An open-source platform for sharing, storing, and correlating indicators of compromise (IOCs) such as malicious IPs, domains, and hashes.
Cisco Talos Intelligence
Commercial threat intelligence
One of the largest commercial threat intelligence teams, providing reputation data for IPs, domains, and file hashes. Integrated into Cisco security products like Firepower and Umbrella.
VirusTotal
Free/Commercial
Aggregates detection results from multiple antivirus engines and provides reputation data for files, URLs, domains, and IPs.
Palo Alto Networks WildFire
Commercial threat intelligence
Analyzes files and URLs in a sandbox environment and generates reputation data that is shared across Palo Alto Networks subscribers.
A firewall or security appliance configured with a threat intelligence feed might block outbound connections to IP addresses listed as command-and-control servers, quarantine emails originating from domains with poor reputation scores, alert on file downloads with hash values associated with known malware, or dynamically update firewall rules based on real-time reputation changes.
Intrusion Prevention Systems (IPS)
An intrusion prevention system (IPS) builds on IDS functionality by taking active blocking actions. While an IDS passively monitors and alerts, an IPS is deployed inline and can automatically drop malicious packets, block offending IP addresses, or reset connections. Many modern solutions combine both capabilities into a single unified platform (UTM or next-generation firewall).
Security Information and Event Management (SIEM)
SIEM technology aggregates and correlates log data from across the environment—firewalls, IDS/IPS, servers, applications, cloud services—to provide centralized visibility and threat detection. SIEM correlates events to identify complex attack patterns (e.g., multiple failed logins across different systems followed by a successful login). SIEM also provides real-time alerting, historical analysis, and compliance reporting.
Example Tools: Wazuh (open source), Splunk (commercial), IBM QRadar (commercial), Elastic SIEM (open core).
Strengths: Holistic visibility across the environment; essential for incident response and forensics.
Limitations: Requires careful tuning to reduce noise; complements rather than replaces IDS/IPS and other detection tools.
Endpoint Detection & Response (EDR) and Extended Detection & Response (XDR)
While network-focused tools monitor traffic, endpoints remain a critical attack surface. EDR solutions focus on detecting and investigating threats on individual devices.
How it works: Monitors endpoint behavior—process execution, file changes, registry modifications, network connections—using behavioral analysis to detect malware and suspicious activity.
Example Tools: CrowdStrike (commercial), SentinelOne (commercial), Microsoft Defender for Endpoint (commercial).
Best for: Detecting advanced threats that evade network-based controls, including fileless malware and living-off-the-land attacks.
Extended Detection and Response (XDR) expands this concept by integrating and correlating data across multiple security layers—endpoints, network, email, cloud workloads—providing a more unified view of threats than siloed tools can offer.
Network Traffic Analysis (NTA)
Network Traffic Analysis (NTA), also called Network Detection and Response (NDR), is a network monitoring technology focused on providing deep visibility into network activity. While IDS/IPS answers "Is something bad happening?", NTA answers the broader question: "What is happening on my network?" NTA's primary goals are visibility, discovery, and investigation.
NTA and network visibility
Network visibility is the ability to see, understand, and contextualize all activity traversing a network. It is not a single tool but a capability achieved through a combination of technologies, processes, and policies. NTA serves as the primary technical implementation of network visibility, delivering on its key pillars:
Knowing what's on your network
Discovers and inventories all devices, users, and applications communicating across the network.
Understanding behavior
Establishes behavioral baselines for every device and user—e.g., "This server typically communicates with these three systems on port 443."
Identifying anomalies
Flags deviations from established baselines, such as unexpected communications, data transfers to new locations, or unusual protocols.
Providing evidence
Captures and stores packet-level data or rich flow metadata for forensic investigation and historical analysis.
Measuring performance
Monitors traffic flows and application performance as part of comprehensive visibility.
For example, while an IDS/IPS might block obvious, signature-based attacks at the perimeter, an NTA solution could discover a sophisticated attacker that evaded those controls by detecting their unusual command-and-control traffic hidden within normal web requests.
Key NTA technologies and tools
The following table represents a range of NTA and related technologies, from open-source analysis frameworks to commercial AI-driven platforms:
Zeek (formerly Bro)
Open Source
A powerful network analysis framework that generates high-level logs (HTTP requests, DNS queries, SSL certificates) from traffic, providing rich metadata without storing full packets.
Suricata
Open Source
A high-performance threat detection engine that can function as IDS/IPS and also perform anomaly-based analysis for NTA use cases.
Arkime (formerly Moloch)
Open Source
A full-packet capture, indexing, and database system that allows for forensic investigation and replay of network traffic.
Security Onion
Open Source (Platform)
A free and open Linux distribution for threat hunting, enterprise security monitoring, and log management that includes Zeek, Suricata, and Arkime.
Zenarmor
Commercial (with Free Edition)
A next-generation firewall (NGFW) that provides application control, user/group policies, and web filtering, built on open-source foundations.
Darktrace
Commercial
An AI-driven NTA platform that uses machine learning for anomaly detection, identifying threats like unusual data exfiltration or C2 beaconing.
Cisco Stealthwatch
Commercial
An enterprise-grade NTA/NDR solution that analyzes NetFlow data and uses behavioral modeling to detect threats across the network.
How NTA complements other security tools
NTA fills critical gaps left by traditional security controls. The table below illustrates how different tools respond to specific attack scenarios:
Slow data exfiltration via DNS
Allows it (DNS is typically permitted)
Likely misses (no signature)
May miss (unless DNS logs are detailed)
Detects unusual DNS query patterns and volumes
Lateral movement via RDP
Blocks if port is restricted
May detect brute-forcing attempts
Logs the event (if logging enabled)
Flags abnormal internal RDP connections between unrelated systems
C2 beaconing to a new domain
Allows outbound web traffic
May miss (new domain, no signature)
Depends on visibility
Detects periodic beaconing patterns and domain reputation anomalies
NTA strengths and limitations
Strengths:
Detects low-and-slow attacks: Identifies subtle, prolonged attacks like data exfiltration and command-and-control beaconing that signature-based tools miss.
Supports post-breach investigation: Full packet capture or rich metadata allows analysts to reconstruct attacker movements and understand the full scope of an incident.
Works with encrypted traffic: Uses techniques like JA3 fingerprinting and TLS metadata analysis to identify threats even when payloads are encrypted.
Limitations:
Storage requirements: Full packet capture (PCAP) consumes significant storage, requiring careful capacity planning.
Noise and tuning: Behavioral analysis can generate false positives without proper baselining and tuning.
Not a replacement for prevention: NTA excels at detection and investigation but does not actively block threats (unlike IPS or firewalls).
NTA vs IDS/IPS comparison
Understanding the distinction between NTA and IDS/IPS is essential for designing a layered monitoring strategy. While both analyze network traffic, they serve different purposes and provide different types of visibility.
Primary Goal
Detection & Prevention: Identify and stop known attacks and policy violations.
Visibility & Discovery: Understand normal behavior, find anomalies, and perform forensic analysis.
Core Question
"Is something bad happening on my network?"
"What is happening on my network?"
Methodology
Signature-based detection, policy-based blocking, some anomaly detection.
Behavioral analysis, baselining, flow analysis (NetFlow, IPFIX), metadata examination, deep packet inspection.
Focus
Specific events: "Did this packet match a known attack signature?"
Big picture and context: "Who talked to whom, when, for how long, and with what result?"
Output
Alerts (IDS) or blocks (IPS) on specific malicious activities.
Dashboards, communication maps, behavioral baselines, alerts on deviations from normal.
Mindset
Reactive & defensive: "Stop this specific bad thing I know about."
Proactive & investigative: "Let's understand our environment and find what we don't know about."
Packet Usage
Real-time inspection and pattern matching against signatures. Immediate decision and action.
Full packet capture (PCAP) for forensics; flow data and metadata for baselining and anomaly detection.
Example
Blocks a packet matching the "CVE-2023-1234 Exploit" signature.
Flags a workstation sending large data volumes to a new cloud storage provider at 3 AM, outside normal behavior.
Analogy: Two Lenses on Security
IDS/IPS
A burglar alarm and a bouncer. Knows the specific faces of known criminals (signatures) and has a list of rules (policies). It screams (alert) or physically blocks (prevent) when it sees a match, but it doesn't necessarily track everyone's movements in the club.
High-fidelity alerts on known threats, but limited context about overall activity.
NTA
A detailed map and a timeline. It shows you all the roads (connections), how much traffic is on them (volume), and can tell you if a car is driving in an unusual pattern, even if it's not breaking a specific law.
Comprehensive understanding of normal vs. abnormal behavior, enabling discovery of novel or stealthy threats.
How They Use Packets Differently:
IDS/IPS: Inspects packets in real-time, comparing them against signature databases. Once a match is found, it generates an alert (IDS) or drops the packet (IPS). The focus is on immediate detection and response.
NTA: May capture and store full packets for later forensic analysis, but more commonly analyzes flow data and metadata to build behavioral baselines. The focus is on understanding patterns and identifying anomalies over time.
In practice, NTA and IDS/IPS are complementary. IDS/IPS provides reliable detection of known threats at the point of attack. NTA provides the deep visibility needed to detect sophisticated, evasive threats and to investigate incidents thoroughly after they occur. Together, they form a robust network monitoring posture that addresses both known and unknown risks.
Incident response management
One of the biggest challenges facing today's IT professionals is planning and preparing for the almost inevitable security incident. Incident response (IR) is the structured methodology for handling security breaches, cyber threats, and policy violations when they occur. The goal is to manage the situation in a way that limits damage, reduces recovery time and costs, and prevents future occurrences. A standard IR process follows a lifecycle, often based on the NIST SP 800-61r2 framework, which includes four phases: 1) Preparation, 2) Detection and Analysis, 3) Containment, Eradication, and Recovery, and 4) Post-Incident Activity.
1. Preparation
Preparation is the proactive phase focused on getting ready for a potential incident before it happens. This phase directly implements the Zero Trust principle of assume breach by acknowledging that incidents will occur and ensuring the organization is equipped to handle them.
Key activities in this phase include:
Establishing a Security Incident Response Team (SIRT): A cross-functional team assembled from various IT-related departments or units, which may be part of or an extension of a Security Operations Center (SOC).
Developing an incident response plan: A documented playbook outlining structured procedures for managing incidents, including clear escalation paths and communication protocols.
Acquiring necessary tools: Forensic software, secure communication systems, and investigation platforms.
Training and drills: Regular simulations and tabletop exercises to ensure team readiness.
Differentiating event severity: Defining what constitutes a security event versus a security incident. A security event is any observable occurrence (e.g., a virus detected on an endpoint). An event escalates to a security incident when it poses actual harm to systems or data and requires formal response. This distinction ensures resources are allocated appropriately.
2. Detection and Analysis
This phase involves identifying potential security events and investigating them to confirm whether an incident has occurred and understand its scope.
Key activities include:
Monitoring systems for alerts from IDS/IPS, SIEM, antivirus, and other security tools.
Analyzing evidence to determine the cause, nature, and extent of the suspicious activity.
Assessing impact to identify which systems, data, and users are affected.
Prioritizing the incident based on severity to allocate appropriate response resources.
Effective detection depends on the visibility provided by the monitoring technologies discussed earlier in this chapter—NTA, IDS/IPS, SIEM, and EDR.
3. Containment, Eradication, and Recovery
This is the reactive core of the IR process, where the incident is actively handled and resolved.
Containment: Taking immediate actions to limit the damage and prevent further spread. This is often split into short-term containment (e.g., isolating a network segment, disabling compromised accounts) and long-term containment (e.g., applying temporary access controls while preparing for eradication).
Eradication: Removing the root cause of the incident from the environment. This may involve deleting malware, disabling breached user accounts, patching exploited vulnerabilities, or completely rebuilding compromised systems.
Recovery: Restoring systems and data to normal operations. This includes restoring data from clean, verified backups, bringing services back online, and monitoring for any signs of recurring compromise.
Note on backups: While backups are essential for recovery, the work of creating and maintaining them—scheduled backups stored in encrypted, offsite locations—occurs during the preparation phase. During recovery, the focus is on restoring from those backups efficiently and verifying the integrity of restored data.
4. Post-Incident Activity
This critical phase occurs after the incident is resolved and focuses on learning from the experience to improve future response capabilities.
Key activities include:
Conducting a "lessons learned" meeting with all involved parties to review what happened, what was done well, and what could be improved.
Producing a formal incident report documenting the timeline, impact, response actions, and findings.
Updating the IR plan, policies, and security controls based on lessons learned to prevent recurrence and improve future response.
This phase closes the loop, ensuring that each incident strengthens the organization's overall security posture and resilience.
Timely software patching
Timely software patching is critical for maintaining a secure network, as unpatched systems are prime targets for cyberattacks. Vulnerabilities in software—whether in operating systems, applications, or firmware—are frequently exploited by threat actors to gain unauthorized access, deploy malware, or exfiltrate data. Patching is a key technical control that spans multiple layers of the defense-in-depth model, from the operating system and applications to network devices and firmware.
A formal patch management policy governs the process, defining timelines for patch deployment based on risk. For example, critical security patches may require deployment within 48 hours, while standard patches may be applied during regular monthly cycles. Delayed or inadequate patching can lead to:
Increased attack surface: Unpatched systems expose networks to known exploits.
Regulatory penalties: Non-compliance with frameworks like NIST, CIS, or ISO 27001 may result in fines.
Operational disruptions: Exploits like ransomware can cripple business continuity.
Key elements of a patch management program include:
Asset inventory: Maintaining a complete and accurate inventory of all hardware and software to ensure no system is overlooked.
Patch testing: Evaluating patches in a non-production environment before wide deployment to identify potential conflicts or instability.
Risk-based prioritization: Using Common Vulnerability Scoring System (CVSS) scores and vendor advisories to prioritize critical updates.
Deployment and verification: Applying patches according to policy and verifying successful installation.
Legacy and end-of-life systems present a special challenge. When vendors no longer provide patches, organizations must accept the risk, apply compensatory controls (such as strict network segmentation), or plan for system replacement.
Automation and patch management
Automation enhances consistency and compliance in patching, ensuring patches are deployed promptly and uniformly across an organization's infrastructure. Manual patching is error-prone and often inconsistent, especially in large or hybrid environments. Automated patch management tools (e.g., WSUS, SCCM, or third-party solutions like Qualys or Tanium) streamline the process by:
Scheduling and deploying patches during maintenance windows to minimize downtime.
Prioritizing critical updates based on CVSS scores or vendor advisories.
Generating audit logs for compliance reporting, proving adherence to regulatory requirements.
Automation also enables continuous monitoring for missing patches and rollback capabilities if updates cause instability. By integrating with SIEM or IT service management (ITSM) platforms, automated patching systems can trigger alerts for failed deployments, ensuring no asset is left unprotected. In essence, automation reduces human error, enforces policy adherence, and strengthens overall security posture.
Physically securing the network
To protect an enterprise network from physical threats, organizations must implement robust physical security controls to prevent unauthorized access, theft, or tampering with critical infrastructure. Below are key strategies used in real-world environments:
1. Controlled access to facilities
Physical access control protects equipment and data from potential attackers by only allowing authorized users into protected areas such as network closets or data center floors. This is not just to prevent people outside of the organization from gaining access to these areas. Even within the company, access to these areas should be limited to those who need access.
Badge & Biometric Systems – Require employees to use smart cards, key fobs, or biometric scans (fingerprint/retina) to enter secure areas. Multifactor locks can protect access to restricted areas. For example, a door that requires users to swipe a badge and scan their fingerprint to enter. That’s something you have, a badge, and something you are, your fingerprint. Badge systems are very flexible, and permissions granted to a badge can easily be changed. This allows for strict, centralized control of who is authorized to enter where.
Mantraps & Turnstiles – Use double-door entry systems (mantraps) to prevent tailgating and ensure only one person enters at a time.
Visitor Logs & Escorts – All guests must sign in, present ID, and be accompanied by authorized personnel while inside restricted zones.
2. Securing network infrastructure
Locked Server Rooms & Cabinets – Critical network devices (servers, routers, switches) should be housed in access-controlled, monitored rooms with rack-mounted locks.
Tamper-Evident Seals – Use security screws, seals, or sensors to detect unauthorized hardware modifications.
Disable Unused Ports – Physically block or disable unused Ethernet, USB, and console ports to prevent unauthorized connections.
3. Surveillance and monitoring
24/7 CCTV with AI Analytics – Deploy high-resolution cameras with motion detection and facial recognition to monitor sensitive areas.
Security Guards & Patrols – On-site personnel should conduct random checks and verify access permissions.
Environmental Sensors – Monitor for temperature, humidity, and smoke to prevent equipment damage.
4. Preventing data and hardware theft
Asset Tagging & RFID Tracking – Tag all equipment with barcodes or RFID chips to track movement and detect unauthorized removal.
Checkpoint Inspections – Security staff should inspect bags and devices when employees exit the building to prevent data theft.
Secure Disposal Policies – Destroy decommissioned drives (shredding/degaussing) and enforce strict e-waste handling procedures.
5. Redundancy and disaster preparedness
Offsite Backup Storage – Keep backups in a geographically separate, access-controlled facility to ensure recovery in case of physical damage.
UPS & Backup Power – Use uninterruptible power supplies (UPS) and generators to maintain operations during outages.
Fire Suppression Systems – Install gas-based (e.g., FM-200) or waterless suppression systems in server rooms to avoid damage from traditional sprinklers.
Enforcement and best practices
Regular Audits – Conduct surprise inspections to verify compliance with physical security policies.
Employee Training – Educate staff on social engineering risks (e.g., impersonators) and proper access protocols.
Zero Trust for Physical Access – Apply the principle of least privilege—only grant access to personnel who absolutely need it.
By implementing these measures, enterprises can significantly reduce the risk of physical breaches, insider threats, and unauthorized data exfiltration, ensuring the integrity of their network infrastructure.
Using multiple vendors
To enhance security, it is best practice to diversify your vendor choices. For instance, when defending against malware, deploy antimalware solutions from different vendors across various layers—such as individual computers, the network, and the firewall. Since a single vendor typically uses the same detection algorithms across all its products, relying on just one provider (e.g., Vendor A) for all three layers means that if one product fails to detect a threat, the other vendor products likely will too. A more effective strategy is to use Vendor A for the firewall, Vendor B for the network, and Vendor C for workstations. This way, the likelihood of all three solutions—each with distinct detection algorithms/methods—missing the same malware is significantly lower than if you depended on a single vendor.
Quality Assurance
Implementing quality assurance (QA) in enterprise information security risk management involves systematically evaluating processes, controls, and policies to ensure they meet defined security standards and effectively mitigate risks. QA aligns with established frameworks like NIST SP 800-37 (Risk Management Framework), NIST CSF (Cybersecurity Framework), and ISO/IEC 27001 by incorporating continuous monitoring, audits, and compliance checks to validate that security controls are functioning as intended. For example, NIST SP 800-37 emphasizes ongoing assessment and authorization, while ISO 27001 requires regular internal audits and management reviews to maintain certification. By integrating QA practices—such as control testing, gap analysis, and corrective action plans—organizations can proactively identify weaknesses, improve security postures, and ensure adherence to regulatory requirements. This structured approach not only enhances risk management maturity but also fosters a culture of continuous improvement, reducing vulnerabilities and strengthening overall information assurance.
Key takeaways
Network security risk mitigation best practices include Identity and Access Management, network monitoring, incident response and disaster recovery, and layered security.
A Layered Defense (Defense in Depth) is Essential: No single security control is perfect. A robust security posture requires multiple, overlapping layers of defense, including technical, administrative, and physical controls.
Enforce Least Privilege and Robust Access Control: Users and systems should only have the minimum level of access necessary to perform their functions. This is a fundamental preventive measure against the spread of attacks and insider threats.
Visibility is the Foundation of Security: You cannot protect what you cannot see. Comprehensive network visibility through monitoring, NTA, and SIEM is crucial for detecting anomalies, investigating incidents, and understanding normal network behavior.
Automation is Key for Scalability and Consistency: Automated policy enforcement and patch management reduce human error, ensure consistent application of security rules, and allow for a rapid response to threats.
Be Prepared to Respond: Having a formal, tested Incident Response plan is critical for managing a security breach effectively to limit damage, reduce recovery time, and learn from the event to improve future resilience.
Security Extends to the Physical World: Network security is not just digital. Physically securing critical infrastructure through access controls, surveillance, and environmental monitoring is a vital part of a comprehensive security strategy.
References
Center for Internet Security (CIS). CIS Controls. Retrieved from https://www.cisecurity.org/controls
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC). (2022). Information security, cybersecurity and privacy protection — Information security management systems — Requirements (ISO/IEC 27001:2022).
Intrusion detection system. (n.d.). In Wikipedia. Retrieved from https://en.wikipedia.org/wiki/Intrusion_detection_system
National Institute of Standards and Technology (NIST). (2012). Computer Security Incident Handling Guide (SP 800-61 Rev. 2).
National Institute of Standards and Technology (NIST). (2018). Risk Management Framework for Information Systems and Organizations (SP 800-37 Rev. 2).
National Institute of Standards and Technology (NIST). (2018). Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) Version 1.1.
Last updated