Detecting Suspicious and Malicious Activity on Your Network

It’s a virtual certainty that an organization will be faced with security incidents. Technology is constantly shifting, evolving, and expanding the attack surface in various ways, while at the same time attackers are adapting and escalating the threat landscape. Cybersecurity is an ongoing struggle to deal with changes from both sides of that equation, and it is more or less inevitable that unauthorized or malicious activity will occur inside your network. The question is, how can you detect that activity as quickly as possible and respond effectively to avoid or minimize any potential damage?

There are a variety of tools designed with this purpose in mind—the primary ones being IDS, IPS, DLP, SIEM, and NBAD. Some are evolutions or enhancements of others, and some are narrowly focused on specific types of behavior or malicious activity, but all are intended in some way to give you the means to identify suspicious or malicious activity on your network and act as an early warning system to alert the IT team so the appropriate response can be initiated.

Network Security Tools

IDS (Intrusion Detection System)

The IDS (Intrusion Detection System) is the grandfather of this whole genre of tools. An IDS monitors a system for known vulnerabilities and analyzes activity on the network, searching for the patterns and indicators of compromise of known threats. There are two main types of IDS: a NIDS (Network Intrusion Detection System) monitors an entire subnet at the network level, while a HIDS (Host Intrusion Detection System) protects an individual host system. By definition, an IDS simply raises flags for suspicious or malicious activity and sends alerts to the IT team. It does not take any action to avoid or prevent the activity.

IPS (Intrusion Prevention System)

An IPS (Intrusion Prevention System) is an evolution of the IDS. The functions and capabilities of an IPS are very similar to those of an IDS, with the primary difference being that an IPS can also take action to block the suspicious or malicious activity and prevent the attack. IPS is also sometimes referred to as an IDPS (Intrusion Detection Prevention System).

DLP (Data Loss Prevention)

For most organizations, the most important thing to safeguard is data. Data is also the primary target of most attacks—whether it’s bank or credit card information of customers, sensitive personal data of employees, or confidential intellectual property and corporate data. DLP (Data Loss Prevention—sometimes referred to as Data Loss Protection or Data Leak Prevention as well) deals specifically with protecting data and ensuring that sensitive or confidential data is properly secured and does not become compromised or exposed. DLP can generally enforce data handling policies depending on how data is tagged or classified, and in many cases can also automatically detect things like credit card numbers or Social Security numbers based on the format of the data to alert the IT team and prevent unauthorized disclosure.
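The format-based detection described above, as an added example that is not part of the original post: a small DLP-style content scanner that flags payment card numbers and US Social Security numbers by pattern, then applies the structural checks (Luhn checksum, never-issued SSN ranges) that keep a bare regex from flagging every 16-digit tracking number. The sample lines and the function names are constructed for this example.

```python
import re
from typing import Dict, List

# Added example (not the post's own code): a minimal DLP-style content scanner that
# flags payment card numbers and US Social Security numbers by format, with the
# structural checks that cut the false positives a bare regex would raise.

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")    # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")  # NNN-NN-NNNN


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan_line(line: str) -> Dict[str, List[str]]:
    """Return the sensitive values found in one line, keyed by data type."""
    hits: Dict[str, List[str]] = {"card": [], "ssn": []}
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits["card"].append(digits)
    for m in SSN_RE.finditer(line):
        if ssn_ok(*m.groups()):
            hits["ssn"].append(m.group(0))
    return hits


def scan_lines(lines: List[str]) -> List[int]:
    """Indexes of lines that would trigger a DLP policy (i.e. contain any hit)."""
    return [i for i, line in enumerate(lines) if any(scan_line(line).values())]


# Constructed sample text, e.g. an outbound email body; all values are test data.
SAMPLE_LINES = [
    "Card on file: 4111 1111 1111 1111, exp 12/27",   # passes Luhn: a card number
    "Tracking number 1234567812345678 shipped",        # 16 digits but fails Luhn
    "Employee SSN 219-09-9999 added to payroll",       # valid SSN structure
    "Test record 666-12-3456 for QA",                  # area 666 is never issued
]
```

Running `scan_lines(SAMPLE_LINES)` reports only lines 0 and 2; the tracking number and the test SSN are rejected by the structural checks rather than by the regex.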

SIEM (Security Incident and Event Management)

A SIEM (Security Information and Event Management, also expanded as Security Incident and Event Management) tool is designed to help organizations manage the overwhelming volume of signals and data, and correlate threat information for a centralized view of the IT infrastructure. SIEMs come in many shapes and sizes, but most promise to monitor, record, and analyze network activity to identify potential security incidents or events in real time and alert the IT team so appropriate action can be taken.
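The correlation a SIEM performs, as an added example that is not part of the original post: a single rule that turns a burst of individually uninteresting sshd failures into one alert when a success from the same source follows within a short window. The log lines, thresholds and function names are constructed for this example; the sshd message format follows the common OpenSSH syslog wording.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added example (not the post's own code): one SIEM-style correlation rule over
# sshd events. A single failed login is noise; FAIL_THRESHOLD failures from one
# source followed by a success from that source inside WINDOW becomes one alert.

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=5)


def parse(line: str) -> Optional[dict]:
    """Normalise one raw log line into an event, or None if it is not an auth event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["outcome"] == "Accepted",
            "user": m["user"], "src": m["src"]}


def correlate(lines: List[str]) -> List[Dict[str, str]]:
    """Alert when a success follows >= FAIL_THRESHOLD failures from the same source in WINDOW."""
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[Dict[str, str]] = []
    for ev in filter(None, map(parse, lines)):
        fails = recent_fails[ev["src"]]
        fails[:] = [t for t in fails if ev["ts"] - t <= WINDOW]   # drop expired failures
        if not ev["ok"]:
            fails.append(ev["ts"])
        elif len(fails) >= FAIL_THRESHOLD:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": str(len(fails)), "at": ev["ts"].isoformat()})
            fails.clear()
    return alerts


# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    "2024-05-01T09:00:01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2",
    "2024-05-01T09:00:04 sshd[2203]: Failed password for alice from 203.0.113.7 port 51530 ssh2",
    "2024-05-01T09:00:09 sshd[2205]: Failed password for alice from 203.0.113.7 port 51541 ssh2",
    "2024-05-01T09:00:15 sshd[2207]: Accepted password for alice from 203.0.113.7 port 51550 ssh2",
    "2024-05-01T09:01:00 sshd[2210]: Failed password for bob from 198.51.100.5 port 40001 ssh2",
    "2024-05-01T09:10:00 sshd[2215]: Accepted password for bob from 198.51.100.5 port 40002 ssh2",
    "2024-05-01T09:10:05 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]
```

`correlate(SAMPLE_LOG)` yields one alert for alice from 203.0.113.7; bob's lone failure expires before his success, so it never reaches the threshold, and the cron line is ignored by the parser.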

NBAD (Network Behavior Anomaly Detection)

One way to identify suspicious or malicious activity is to simply look for activity that is out of the ordinary. Network Behavior Anomaly Detection (NBAD) establishes a baseline of what “normal” looks like on a given network and provides real-time monitoring of traffic and activity on the network to detect any unusual activity, events, or trends. Anomaly detection can be useful for identifying emerging threats and zero-day attacks because it looks for abnormal activity rather than relying on a signature or indicators of compromise of specific threats.
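The baseline-then-deviate approach described above, as an added example that is not part of the original post: a per-host baseline of daily outbound volume built from a median and median absolute deviation (robust to the occasional busy day), with today's count flagged when it sits far above that baseline and never-seen hosts surfaced separately. The history, thresholds and function names are constructed for this example.

```python
import statistics
from typing import Dict, List, Tuple

# Added example (not the post's own code): a minimal NBAD-style baseline. For
# each host, "normal" is the median of its daily outbound byte count over a
# learning window; today's count is anomalous when it sits more than THRESHOLD
# robust standard deviations (median absolute deviation, MAD) above the median.

THRESHOLD = 4.0
MAD_SCALE = 1.4826    # scales MAD to a standard deviation for normally distributed data
MIN_DAYS = 7          # do not trust a baseline learned from fewer observations


def baseline(history: List[int]) -> Tuple[float, float]:
    """Return (median, scaled MAD) of one host's historical daily byte counts."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history) * MAD_SCALE
    return med, mad


def robust_z(value: int, med: float, mad: float) -> float:
    """Deviation from baseline in MAD units; a perfectly constant history counts as MAD 1."""
    return (value - med) / (mad if mad > 0 else 1.0)


def detect_anomalies(history: Dict[str, List[int]], today: Dict[str, int]) -> Dict[str, float]:
    """Map each anomalous host to its z-score; hosts with no usable baseline get inf."""
    flagged: Dict[str, float] = {}
    for host, value in today.items():
        past = history.get(host, [])
        if len(past) < MIN_DAYS:
            flagged[host] = float("inf")   # never-seen host: surface it for review
            continue
        z = robust_z(value, *baseline(past))
        if z > THRESHOLD:
            flagged[host] = round(z, 1)
    return flagged


# Constructed 14-day history of outbound bytes per host (not real traffic).
HISTORY = {
    "10.0.1.10": [510, 480, 530, 495, 520, 505, 490, 515, 500, 525, 485, 510, 495, 505],
    "10.0.1.11": [2000, 2100, 1900, 2050, 2000, 2200, 1950, 2000, 2100, 1900, 2000, 2050, 1980, 2020],
}
TODAY = {
    "10.0.1.10": 9_800,   # roughly 19x its usual volume: flagged
    "10.0.1.11": 2_150,   # inside its normal day-to-day variation: not flagged
    "10.0.1.12": 300,     # host with no history: flagged for review
}
```

Because the baseline uses median and MAD rather than mean and standard deviation, one unusually heavy day in the learning window does not inflate "normal" enough to hide the next one.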

Taking Action for Effective Cybersecurity

Each of these tools has its own pros and cons, and the effectiveness of each tool is generally a function of how well it is implemented and configured in the first place. Ultimately, though, what is more important than the tool itself or the suspicious or malicious activity it detects is whether or not you have the right expertise and resources available to respond appropriately.

Properly configured network security tools are valuable for monitoring and analyzing an overwhelming volume of traffic in a dynamic, rapidly changing hybrid or multi-cloud environment, sifting through the noise to find the activity that appears to be potentially suspicious or malicious, but there are also inevitably false positives and potential threats that slip through. It’s crucial to have skilled cybersecurity professionals capable of monitoring the output of the network security tools to determine which alerts require action, and of taking immediate steps to prevent or contain the threat, as we do with our SOC Services.

About the Author

Tony Bradley

Tony Bradley is Senior Manager of Content Marketing for Alert Logic. Tony worked in the trenches as a network administrator and security consultant before shifting to the marketing and writing side of things. He is an 11-time Microsoft MVP in security and cloud and has been a CISSP-ISSAP since 2002. Tony has authored or co-authored a dozen books on IT and IT security topics, and is a prolific contributor to online media sites such as Forbes. He has established a reputation for effective content marketing, and for building and engaging a community and social media audience.


This is a Security Bloggers Network syndicated blog from Alert Logic - Blogs Feed authored by Tony Bradley.
