More about a career in Network Monitoring & Intrusion Detection
Network Monitoring and Intrusion Detection work has many technical aspects, some of which overlap significantly with other cyber security roles and career paths.
Core to the role is watching for unusual or unauthorised activity on systems and networks. Much of this can be done through intrusion detection and prevention tools but you apply good technical skills to manage these and to interpret what they tell you. There is always the risk that such tools may be insufficient, so you remain alert to any unusual events. You think on your feet.
Depending on the size of your organisation, you may work with other teams such as the Security Engineering team (to tune and enhance the detection technologies) and the Cyber Threat Intelligence team (to work out where to focus your efforts). Whatever the structure around you, you always keep your own skills and knowledge up to date.
Depending on your level of experience and role seniority, you may be expected to provide advice on network and perimeter security architecture. If you work within a Managed Security Services Provider (MSSP) then you're likely to monitor multiple customers networks at any one time.
Because an intrusion may happen at any time - requiring rapid detection and management - you may work flexible hours or on a shift rota. This might include weekends, although the extent of this depends on the size of the team and organisation. In most large organisations, you work in a Security Operations Centre (SOC) or a Network Operations Centre (NOC).
Typical Network Monitoring & Intrusion Detection tasks include:
- configuring, monitoring, managing and troubleshooting network defence tools
- auditing systems, identifying problematic areas and implementing strategic solutions
- monitoring security alert queues, investigating and triaging events based on criticality and taking actions to mitigate threats
- managing and acting as an escalation point for Network Security technical issues
- creating or maintaining network security policies
- managing key relationships with security partners and other internal departments
- managing relationships with external parties such as security vendors
Nearly all roles in this specialism - and particularly if they are not combined with other roles - will be with large organisations with their own significant cyber security requirements; or, more likely, with Managed Security Service Providers (MSSPs) which monitor the networks of multiple client organisations. In these cases, there will usually be two levels of responsibility: practitioners and senior practitioners.
Small and medium-sized organisations are unlikely to have specialist roles in this single specialism. Medium-sized organisations may have a single specialist covering these responsibilities as part of a broader role in Network Engineering or System Management. In such cases, the role will probably be at senior practitioner level, since the responsibility requires a fair amount of expertise and experience.
- manage, monitor and maintain networks
- may work with or in support of more experienced network monitoring practitioners in the team
Senior practitioners may:
- be responsible for the oversight of the monitoring of many clients’ systems
- take responsibility for complex cases and, particularly, take significant responsibility for managing the investigation and resolution of high-impact security incidents
- also be expected to lead and support more junior practitioners in the organisation
- remaining calm in the face of a sometimes high-pressure environment
- juggling multiple priorities in a fast-paced environment
- quickly assessing the relative significance of lots of information
- working in a structured way to identify anomalies or unusual activity
- troubleshooting and problem resolution
- being comfortable working across multiple functions
- conveying complex or difficult technical concepts to audiences with varying levels of technical ability
- establishing and maintaining strong, collaborative working relationships with internal and external teams
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
For a practitioner:
- performing first line security monitoring and analysis, as part of a SOC or NOC team, utilising industry recognised SIEM technologies (e.g. Splunk, LogRhythm)
- understanding of, and experience in, security technologies such as, SIEM, IDS/IPS, AV, web and email content filtering
- using network management, monitoring and diagnostic tools
- conventional network and/or host-based intrusion analysis
- assessment of advanced persistent threat adversaries
For a senior practitioner:
- experience in performing first and second line security monitoring and analysis, as part of a SOC or NOC team, utilising industry recognised SIEM technologies (e.g. Splunk, LogRhythm)
- proven ability to connect disparate data elements in order to identify patterns of behaviour in support of intelligence reporting
- contribute towards ensuring that the capacity, reliability and availability of network services meet the requirements of the organisation
- with experience in other aspects of cyber security such as malware analysis, incident response or forensic investigation, etc.
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
F1 – Intrusion Detection and Analysis
- monitors network and system activity to identify potential intrusion or other anomalous behaviour
- analyses the information and initiates an appropriate response, escalating as necessary
- uses security analytics, including the outputs from intelligence analysis, predictive research and root cause analysis in order to search for and detect potential breaches or identify recognised indicators and warnings
- monitors, collates and filters external vulnerability. reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes
- ensures that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available
- produces warning material in a manner that is both timely and intelligible to the target audience(s)
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Any role which has developed an understanding the technology behind computer and communications networks, and an ability to work in complex and dynamic technological environments, could provide a foundation, with some additional specialist training, to move into Network Monitoring & Intrusion Detection.
Examples of such roles include:
- telecommunications engineering
- IT incident response
- computer or network engineering
Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.
Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.
As an experienced practitioner in a Network Monitoring & Intrusion Detection role, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail. You're most likely to have a very good understanding of the Core Knowledge, which is essential to performing the role. You may still need a good understanding of the Related Knowledge, but not to quite the same degree. You may need a much less detailed understanding of the elements of Wider Knowledge, which provides context for your work.
Coming into such a role, you will not be expected to have all his knowledge initially.
Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches.
Understanding an attacker’s motivations, capabilities and the technological and human elements that adversaries require to run a successful operation.
You may get started in this specialism as an apprentice. Alternatively, you may demonstrate a strong interest in cyber security through online study and the acquisition of relevant industry certifications.
You may also get started in this specialism as a graduate, with a degree in:
- cyber security or information security
- information technology
- computer science/engineering; or
- a similar technical discipline
Or, you may move into a Network Monitoring & Intrusion Detection role from another IT or cyber security specialism, such as:
From a role in Network Monitoring & Intrusion Detection, you might move into a role in:
- Security Testing
- Cyber Threat Intelligence
- Digital Forensics
- Incident Response
- Vulnerability Management
- Cyber Security Audit & Assurance
With experience, you might progress within the specialism to become:
- a Network Monitoring & Intrusion Detection senior practitioner; or
- Senior Network Engineer
For practitioner roles, jobs may be titled:
- Network (Support/Security) Manager
- Network Security Architect (although this can also be applied to pure network design roles)
- Security Monitoring Analyst
- Cyber Security Analyst
- Monitoring Analyst
- IT Security Analyst
- Network Operations Engineer
- IT Network and Security Engineer
For senior practitioner roles, jobs may be titled:
- Senior Intrusion Analyst
- Senior Security Network Engineer (although this can also be applied to engineers who are responsible for network reliability rather than monitoring)
A practitioner might earn between £30,000 and £45,000 per annum. The median figure for a Junior Network Analyst (excluding London pay) in March 2020 was £30,400. The median figure for a Network Monitoring Role (excluding London pay) in March 2021 was £45,000.
A senior practitioner might earn between £55,000 and £80,000. The median figure for a Senior Network Analyst (excluding London pay) in March 2021 was £55,000. The median figure for a Network Security Architect (excluding London Pay) in March 2021 was £75,000.
The salary ranges are based on job vacancy advertisements published online in February 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk