5.4.2. Voice, Video, and Collaboration Security
💡 First Principle: You cannot defend what you cannot see. Network security monitoring provides visibility into traffic patterns, anomalies, and attack signatures — the telemetry that enables detection of attacks that have bypassed preventive controls. In a world where breaches are often measured in months before detection, monitoring is the control that determines how quickly you discover and respond.
Traffic capture and analysis:
| Tool/Method | What It Does | Data Captured | Security Use |
|---|---|---|---|
| Packet capture (PCAP) | Full packet capture at specific points | All traffic including payloads | Deep forensic analysis; full content inspection |
| NetFlow / IPFIX | Traffic metadata only (no payloads) | Source, destination, port, bytes, duration | Traffic pattern analysis; anomaly detection; high volume feasible |
| SPAN / port mirroring | Switch port that mirrors traffic to capture device | All traffic on monitored ports | IDS/IPS placement; protocol analysis |
| Network TAP | Physical device that copies traffic passively | All traffic; each direction of a full-duplex link captured separately | Reliable full capture without switch configuration |
| SIEM | Aggregates logs and events from multiple sources | Log events, not packets | Correlation across systems; alert generation |
Key network monitoring metrics:
| Metric | What It Reveals |
|---|---|
| Bandwidth utilization | Unusual spikes may indicate DDoS or large data exfiltration |
| Connections per second | Port scans and SYN floods generate high connection rates |
| DNS query volume | Spikes to unusual domains suggest C2 or DNS tunneling |
| Unusual port usage | C2 over non-standard ports; data exfiltration on unusual ports |
| Geographic anomalies | Connections from unexpected countries for user accounts |
| Protocol anomalies | HTTP over non-standard ports; large DNS TXT responses |
| Time-of-day anomalies | Authentication at 3am for a user who normally works 9-5 |
Security information and event management (SIEM):
SIEM aggregates log data from multiple sources (firewalls, IDS, servers, endpoints, cloud) and applies correlation rules to detect multi-step attacks that individual point tools miss. A single failed login is noise; 500 failed logins across 50 accounts from the same IP is a password spray attack — visible only when logs are aggregated and correlated.
SIEM capabilities:
- Log aggregation and normalization from diverse source formats
- Real-time correlation rules (if event A and event B occur within time window → alert)
- Historical analysis and threat hunting
- Incident response workflow integration
- Compliance reporting (evidence of monitoring for HIPAA, PCI, SOX)
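The password-spray correlation described above, as an added example (not code from the original page): a sliding-window rule over a constructed, syslog-like authentication log. The log format, the field names and the thresholds are assumptions; the point is that a single source hitting many distinct accounts is only visible once events are aggregated per source and correlated in time.

```python
"""SIEM-style correlation rule: password spraying from one source IP.

Added example, not from the original page. Log format and thresholds are
assumptions. Rule: >= min_failures failed logins against >= min_accounts
distinct accounts from one source inside a sliding time window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log (not real data). First source sprays five accounts;
# second source fails five times against ONE account (brute force, not spray).
SAMPLE_LOG = """\
2024-03-01T02:00:01Z auth FAIL user=alice src=203.0.113.9
2024-03-01T02:00:02Z auth FAIL user=bob src=203.0.113.9
2024-03-01T02:00:03Z auth FAIL user=carol src=203.0.113.9
2024-03-01T02:00:04Z auth FAIL user=dave src=203.0.113.9
2024-03-01T02:00:05Z auth FAIL user=erin src=203.0.113.9
2024-03-01T02:00:06Z auth OK user=alice src=198.51.100.7
2024-03-01T02:00:07Z auth FAIL user=alice src=198.51.100.7
2024-03-01T02:00:08Z auth FAIL user=alice src=198.51.100.7
2024-03-01T02:00:09Z auth FAIL user=alice src=198.51.100.7
2024-03-01T02:00:10Z auth FAIL user=alice src=198.51.100.7
2024-03-01T02:00:11Z auth FAIL user=alice src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")


def parse(line):
    """Normalize one log line to (timestamp, result, user, src); None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src


def detect_password_spray(log_text, window=timedelta(minutes=5),
                          min_failures=5, min_accounts=5):
    """Return {src_ip: sorted list of targeted accounts} for sources that
    cross both thresholds within the sliding window."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, user), oldest first
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[1] != "FAIL":
            continue  # ignore junk lines and successful logins
        ts, _, user, src = rec
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures outside the window
            q.popleft()
        accounts = {u for _, u in q}
        if len(q) >= min_failures and len(accounts) >= min_accounts:
            alerts[src] = sorted(accounts)
    return alerts
```

Lowering `min_accounts` to 1 turns the same rule into a single-account brute-force detector, which shows why the distinct-account condition is what separates spraying from ordinary lockout noise.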
SIEM challenges:
- Data volume: enterprises generate terabytes of logs; storage and processing are expensive
- Alert fatigue: too many rules → too many alerts → analysts ignore alerts
- Skill requirement: effective correlation rule writing requires deep security and business context
Full Packet Capture (FPC) vs. metadata:
For most network monitoring, NetFlow/IPFIX metadata is sufficient and scalable. Full packet capture is reserved for: forensic investigation of specific incidents, compliance with specific legal requirements, and high-security environments with the storage infrastructure to support it. Capturing everything generates enormous data volumes and creates privacy/legal concerns.
⚠️ Exam Trap: NetFlow captures metadata — source, destination, port, bytes, duration — not packet payloads. It can detect that a workstation made 10,000 connections to an external IP on port 443 (suspicious), but it cannot tell you what data was transmitted (payload content). For content inspection, you need NGFW with TLS inspection, or full packet capture with decryption keys. The exam tests whether you understand this distinction when asked what type of monitoring would reveal specific evidence.
Reflection Question: A forensic analyst is investigating a suspected insider data theft incident. They have NetFlow data showing large volumes of outbound traffic to a personal cloud storage service from the suspect's workstation. What can they conclusively determine from NetFlow alone, what can they not determine, and what additional evidence source would provide the content-level proof needed for a disciplinary or legal proceeding?