Instrumentation & Measurement Magazine 25-6 - 32

last five years by 65%. The average time to detect an incident
was 196 days in 2018 plus another 69 days to contain it, meaning
that many attacks stayed under the radar for a long period.
Vielbeth et al. [6] acknowledge that possible reasons for this belated
discovery include: the failure of overview for devices,
systems, applications and networks; uncertainty on which assets
to monitor and protect; and lack of knowledge in regards
to appropriate tools and how to integrate them. Finally, they
suggest that organizations can be overpowered by the technological
speed adapted by the cyber criminals and the rapidly
growing threat landscape.
Creating visibility across network assets can improve the
overall company security posture, by reducing the severity
and eventually the financial loss of a cyber attack. Decreasing
the detection time of an incident, directly implies that attackers
have less time to wander around the company's infrastructure
for snooping into sensitive data or critical resources. Nonetheless,
detection is not sufficient by itself and it should be
combined with the rest of the key items referred to in the NIST
Cyber Security Framework.
Although SOCs offer multiple benefits there are also some
challenges when it comes to their implementation. The survey
by Vielberth et al. [6] systematically groups difficulties into
Processes, People, Governance and Compliance, and Technology.
For instance, processes need to be integrated across the
whole organization. Additionally a lack of skilled personnel
represents a challenge in recruiting and retaining staff, which
can be addressed only by raising an awareness culture. Nonetheless,
governance and compliance can be difficult to form
without unified standards, which results in impediments to security
audits and overall assessments. Lastly, even the fact that
technology is vast can create issues in choosing the best solution
for a particular use case.
An SOC can accomplish the monitoring of the infrastructure's
assets at different layers; network-based monitoring
refers to the detection mechanisms placed at the network
layer, while endpoint-based monitoring is the collection of the
mechanisms at the host layer. The latter type offers a more finegrained
visibility of the infrastructure's state. According to
Fuentes-Garcia et al. [4], a network security monitoring system
should provide traceability of the processes of the network and
systems under monitoring. However, to achieve this view, the
setup should incorporate multiple components, such as those
described subsequently.
Network-based Monitoring
Network monitoring aims to capture and analyze the network
traffic, with the purpose of identifying security events occuring
within the organization and presenting the relevant information
to the administrator. The remaining section presents the
fundamental technologies of network-based monitoring. For
more details, the interested reader can consult [7].
Traffic Duplication: The network traffic duplication allows
the capturing of the traffic. This can be implemented either
inline or by mirroring. The mirroring mode is realized
32
as a built-in functionality of network devices, like routers or
switches, however, there are several different techniques implemented,
such as port-mirroring, Test Access Point (TAP)
and TAP-like setups [7].
Mirroring ports are available on enterprise routers and
switches. Traffic passing through selected ports is mirrored
and the output is sent to the mirror port or SPAN port. Although
this functionality has multiple advances there are also
some drawbacks, for instance during high traffic rates the port
could be congested, and packets could be dropped [7].
TAP and TAP-like setups are devices that are placed in inline
mode, and the device is connected in the split line where
the traffic is duplicated. Passive TAPs do not require power,
however, they can only operate on low throughput networks.
On the contrary, active TAPs have similar functionalities, and
while they are capable of duplicating high throughput networks,
they are also susceptible to power outages [7]. An
alternative option is to use Network Interface Cards (NIC). An
NIC interface can be configured as a network bridge, thus the
network traffic passing through the NIC can be duplicated.
Still, this setup has some significant software and hardware
drawbacks.
Packet Capturing and Analysis: The network monitoring based
on packet capture has two steps: the first step is the capturing
and saving of network packets in the format of a packet capture
(PCAP) file; and the second is performing traffic analysis
on the captured file. This analysis can either be automated or
manual. Commonly, the IP datagrams are stored in the PCAP,
and then the traffic can be viewed, searched through, inspected,
or filtered [7]. Network traffic can revel new patterns
of traffic, generated by malware or unknown protocols, and
therefore, it has multiple benefits for the system's administrators.
However, it can become cumbersome and repetitive [7].
Tcpdump and Tshark are examples of command line interface
(CLI) tools, while Wireshark offers a graphical user interface
(GUI).
Flow Observation: On the contrary, the flow observation
method does not inspect every single packet but rather accumulates
the packets that have in common the five-tuple of
source and destination IP addresses, source and destination
ports, and Layer 4 protocol, which in most of the cases is TCP
or UDP. For the analysis, several statistics and aggregated metrics
are calculated from the packets that belong to the same
flow, such as the number of transmitted bytes or packets, type
and number of protocol flags, and the inter-arrival time between
the packets. Therefore, as the actual packets are not
stored or analyzed, the flow observation approach is faster,
less privacy intrusive, and requires less storage. The most common
formats for flow data representation are NetFlow and
IPFix [7].
Endpoint-based Monitoring
Endpoint detection and response (EDR) expands the surveillance
capabilities by providing real-time collection of
IEEE Instrumentation & Measurement Magazine
September 2022
Instrumentation & Measurement Magazine 25-6

Table of Contents for the Digital Edition of Instrumentation & Measurement Magazine 25-6
