"Network Security Monitoring (NSM) is a practice used to defend a network of resources against threats" (Carr, 2021).
"NSM is the collection, detection, and analysis of network security data" (Sanders & Smith, 2017).
NSM can be used to protect against network anomalies. The most critical anomalies that NSM defends against are malicious ones. Cyber threats wreak havoc on networks and their users across the globe. Cyber threats can be detected at various levels, and Antivirus programs can detect anomalies on a system level. At the network level, intrusion detection systems (IDS) and intrusion preventions systems (IPS) can be used to detect anomalies and alert or act when they are found.
In the book, Applied Network Security Monitoring, Sanders & Smith (2017) explained the three phases of NSM. Those phases are collection, detection, and analysis. Before the inception of NSM, intrusion detection was used to detect malicious anomalies. Intrusion detection can be thought of as a portion of the more extensive NSM process. NSM utilizes alerting methods such as IDS instead of IPS, which can perform actions when matches are located. This is because prevention eventually fails, so focusing on detection and response is valuable. NSM is a threat-centric approach (Sanders & Smith, 2017).
Image from: Applied Network Security Monitoring (Sanders & Smith, 2017).
Carr, B. (2021). Automating Suricata Rule-Writing [Master's Theses, Utica College]. ProQuest.
Sanders, C., & Smith, J. (2014) Applied Network Security Monitoring. Syngress