IS4670
Unit 7 Assignment 1: Overcome Difficulties of Network Monitoring

One of the initial ideologies behind most organizations' network security practices is still "defense in depth," which is performed using a variety of security controls and monitoring at different locations in an organization's networks and systems. As part of a defense-in-depth scheme, it has become commonplace for organizations to build enterprise security operations centers that bank on in part on monitoring the tremendously large volumes of network traffic at the perimeter of their. There has been a recent style toward increased investment in and reliance on network monitoring in order to streamline sensor deployments, decrease cost, and more easily centralize operations. At the same time, the idea of a well-defined defensible perimeter is being challenged by cloud computing, the insider threat, the so-called advanced persistent threat problem, and the popularity of socially-engineered application-level attacks over network-based attacks.
Commonly, network and security practitioners hear that the start of any network-centric project is to baseline the network. What exactly is this supposed to mean? Simplistic approaches concentrate on bandwidth utilization over time, typically focusing on spikes and troughs. Some try to describe traffic in terms of protocols and port numbers. More advanced approaches try to classify traffic according to flows or even content. Regardless, there is no single accepted taxonomy for creating a network traffic model.
If the network normal challenge is related to traffic passing a single monitoring point, this involves multiple locations. By placing tools in enough locations, it should be possible to visualize the network based on observed traffic patterns. Doing this in an automated way would prove very useful to network administrators and defenders.
In truly large networks, analysts are likely to initiate success the limits of some tools to digest and render network data. Tools which comfortably depict dozens or hundreds of nodes face severe limitations when working with thousands or millions of nodes. As techniques and tools derive information from network data, it's often the analyst's responsibility to derive knowledge from the information. Depending on the data set and the classification involved, tagging individual items in a packet or flow record can be difficult. Still, analysts should have a way to annotate network information for their benefit and the benefit of their teams.
IP addresses are an important element of network traffic but, gradually, content is becoming more substantial. Anybody working in a heavily proxy enterprise will appreciate this problem. Network flows between proxies are almost useless. With the rise of proxy-in-the-cloud answers, network tools will need to spend more time looking at HTTP requests in traffic to the proxy. Associating these "level 7" records with the mixed "level 3" records from the original host can complicate analysis.
The final obstacle involves how to extract value from network traffic. Countless vendors are likely to read this article and reply: "Use our equipment on your network" Inconsiderately, this response reflects a lack of thankfulness of the limits imposed by countless IT organizations on deploying new equipment. Frequently, IT staff must persuade and plead to deploy the hardware currently watching network links. Some of those same placements also required signing intricate arrangements concerning the nature of the work done at those sites. Eventually, it can be impractical simply to add yet another appliance to a link of interest. Rather, networking teams should be willing to consider deploying their tools and techniques to open platforms so they can devise and deploy their own network appliances. This actually means they should be unwilling to spend any effort installing closed vendor platforms.

References
Vacca, J., & Rudolph, K. (2011). System forensics, investigation, and response. Sudbury, MA:
Jones & Bartlett Learning.