Network Monitoring & Intrusion Detection

Network Monitoring & Intrusion Detection is the monitoring of network and system activity to identify unauthorised actions by users or potential intrusion by an attacker.

More about a career in Network Monitoring & Intrusion Detection

Working life

An introduction to this specialism

Network Monitoring and Intrusion Detection has many technical aspects, some of which overlap significantly with other cyber security roles and career paths. The core aspect of the role is about watching for unusual or unauthorised activity on systems and networks. Much of this can be done through intrusion detection and prevention tools, but good technical skills are needed to manage these tools and interpret their output. There is always a risk that these tools may be insufficient, so it is vital to remain alert to any unusual events.

Depending on the size of the organisation, Network Monitoring and Intrusion Detection may work with other teams, such as the Security Engineering team and the Cyber Threat Intelligence team. Whatever the structure of the organisation, this role involves continuous learning to ensure that skills and knowledge are up to date. 

As an intrusion may happen at any time – requiring rapid detection and management – roles may require flexible hours or a shift rota pattern, which might include weekends, although this depends on the size of the team and organisation. In most large organisations, this would be a Security Operations Centre (SOC) or a Network Operations Centre (NOC). 

Responsibilities

What will your responsibilities include? What are your tasks likely to include?

In Network Monitoring and Intrusion Detection, you may: 

  • configure, monitor, manage and troubleshoot network defence tools 
  • audit systems, identify problematic areas and implement strategic solutions 
  • monitor security alert queues, investigate and triage events based on criticality and take actions to mitigate threats 
  • manage and act as an escalation point for Network Security technical issues 
  • create or maintain network security policies 
  • manage key relationships with security partners and other internal departments 
  • manage relationships with external parties such as security vendors 

Job Titles 

For Network Monitoring and Intrusion Detection roles, titles include: 

  • Network (Support/Security) Manager 
  • Network Security Architect (although this can also be applied to pure network design roles) 
  • Security Monitoring Analyst 
  • Cyber Security Analyst 
  • Monitoring Analyst 
  • IT Security Analyst 
  • Network Operations Engineer 
  • IT Network and Security Engineer 

For more experienced Network Monitoring and Intrusion Detection roles, titles include:  

  • Senior Intrusion Analyst 
  • Senior Security Network Engineer (although this can also be applied to engineers who are responsible for network reliability rather than monitoring) 

Salaries 

A Network Monitoring and Intrusion Detection role might earn between £30,000 and £45,000 per annum. The median figure for a Junior Network Analyst (excluding London pay) in March 2020 was £30,400. The median figure for a Network Monitoring Role (excluding London pay) in March 2021 was £45,000. 

With more experience, a role in this specialism might earn between £55,000 and £80,000. The median figure for a Senior Network Analyst (excluding London pay) in March 2021 was £55,000. The median figure for a Network Security Architect (excluding London Pay) in March 2021 was £75,000. 

The salary ranges are based on job vacancy advertisements published online in February 2021. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk 

Knowledge

What core, related and wider knowledge is important for working in this specialism?

Each of the 15 specialisms is based on knowledge areas within CyBOK.

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Network Monitoring & Intrusion Detection. 

Core knowledge – you will need a very good understanding of these areas 

Network Security 

Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security. 

Security Operations & Incident Management 

The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence. 

Related knowledge – you will need a solid understanding of these areas 

Malware & Attack Technologies 

Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches. 

Wider knowledge – these areas will help to provide context for your work 

Adversarial Behaviours 

Understanding an attacker’s motivations, capabilities and the technological and human elements that adversaries require to run a successful operation. 

Skills

What personal attributes might you need? What specialist skills are important?

Skills 

Personal attributes 

  • remaining calm in the face of a high-pressure environment 
  • juggling multiple priorities in a fast-paced environment 
  • quickly assessing the relative significance of lots of information 
  • working in a structured way to identify anomalies or unusual activity 
  • troubleshooting and problem resolution 
  • being comfortable working across multiple functions 
  • conveying complex or difficult technical concepts to audiences with varying levels of technical ability 
  • establishing and maintaining strong, collaborative working relationships with internal and external teams 
  • evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

Specialist skills  

  • performing first line security monitoring and analysis, as part of a SOC or NOC team, utilising industry recognised SIEM technologies (e.g. Splunk, LogRhythm) 
  • understanding of, and experience in, security technologies such as SIEM, IDS/IPS, AV, web and email content filtering
  • using network management, monitoring and diagnostic tools 
  • conventional network and/or host-based intrusion analysis 
  • assessment of advanced persistent threat adversaries 

For a senior professional: 

  • experience in performing first and second line security monitoring and analysis, as part of a SOC or NOC team, utilising industry recognised SIEM technologies (e.g. Splunk, LogRhythm) 
  • proven ability to connect disparate data elements in order to identify patterns of behaviour in support of intelligence reporting 
  • contribute towards ensuring that the capacity, reliability and availability of network services meet the requirements of the organisation 
  • experience in other aspects of cyber security such as malware analysis, incident response or forensic investigation, etc. 

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs) 

F1 – Intrusion Detection and Analysis 

Principles: 

  • monitors network and system activity to identify potential intrusion or other anomalous behaviour 
  • analyses the information and initiates an appropriate response, escalating as necessary 
  • uses security analytics, including the outputs from intelligence analysis, predictive research and root cause analysis in order to search for and detect potential breaches or identify recognised indicators and warnings 
  • monitors, collates and filters external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes
  • ensures that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available 
  • produces warning material in a manner that is both timely and intelligible to the target audience(s) 

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

Experience 

Any role which has developed an understanding of the technology behind computer and communications networks, and an ability to work in complex and dynamic technological environments, could provide a foundation, with some additional specialist training, to move into Network Monitoring & Intrusion Detection.

Examples of such roles include: 

  • telecommunications engineering 
  • IT incident response 
  • computer or network engineering 

Moving on

What other cyber security or IT role might you progress to from this specialism?

Linked Specialisms 

  • Digital Forensics
  • Cyber Threat Intelligence 
  • Incident Response 
  • Vulnerability Management  

Moving On 

From a role in Network Monitoring & Intrusion Detection, you might move into a role in: 

  • Security Testing 
  • Cyber Threat Intelligence 
  • Digital Forensics 
  • Incident Response 
  • Vulnerability Management 
  • Cyber Security Audit & Assurance 

With experience, you might progress within the specialism to become: 

  • a Network Monitoring & Intrusion Detection senior practitioner; or 
  • Senior Network Engineer 

Qualifications

Which certifications and qualifications are relevant to roles in this specialism?

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training 

© 2025 UK Cyber Security Council | Registered charity no. 1195030