13.3 Deploy a Network Intrusion Detection Solution

Implementation Groups: IG2, IG3

Asset Type: Network
Security Function: Detect

Description

Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths
6. Inventory all third-party service providers
7. Classify third parties by risk level
8. Conduct security assessments of critical vendors
9. Include security requirements in contracts

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Command-and-Control Traffic Over Encrypted Channels

Confidentiality

An attacker establishes encrypted C2 communications over HTTPS or DNS tunneling that bypass perimeter firewalls, remaining undetected because no network intrusion detection system is inspecting traffic patterns.

Network-Based Exploitation Traversing Unmonitored Segments

Integrity

An attacker exploits a vulnerability in an internal service, and the exploit traffic crosses network segments without triggering any alert because no NIDS is deployed to analyze east-west traffic.

Large-Scale Data Exfiltration via Network Protocols

Confidentiality

Sensitive data is exfiltrated in bulk over standard protocols like HTTP or FTP to an external staging server, and the anomalous data volume goes unnoticed without network-level intrusion detection.

Vulnerabilities (When Safeguard Absent)

No Network Traffic Anomaly Detection

Without a NIDS, malicious network traffic patterns such as port scans, exploit payloads, and beaconing behavior are not identified, leaving the network blind to active intrusions.

Unmonitored East-West Network Traffic

Internal network segments lack inspection capabilities, allowing attackers who have gained initial access to freely probe and exploit other systems within the environment.
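As an added illustration, not part of the CIS safeguard text, the Python below runs two flow-level checks a NIDS or flow-analytics tool would perform over constructed, Zeek-style connection records: near-constant connection intervals to one destination (the beaconing behavior the scenarios above describe) and outbound byte volume to one host crossing a threshold (bulk exfiltration over HTTP or FTP). The record format, sample values and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed, hypothetical Zeek-style conn records (tab-separated):
# ts  src_ip  dst_ip  dst_port  proto  bytes_sent_by_src.  10.0.0.5 beacons
# to 203.0.113.9:443 every 60 s; 10.0.0.8 pushes ~215 MB to 198.51.100.7:21.
SAMPLE_CONN_LOG = """\
1700000000\t10.0.0.5\t203.0.113.9\t443\ttcp\t512
1700000060\t10.0.0.5\t203.0.113.9\t443\ttcp\t498
1700000120\t10.0.0.5\t203.0.113.9\t443\ttcp\t520
1700000180\t10.0.0.5\t203.0.113.9\t443\ttcp\t505
1700000240\t10.0.0.5\t203.0.113.9\t443\ttcp\t511
1700000010\t10.0.0.7\t192.0.2.10\t443\ttcp\t2048
1700000400\t10.0.0.7\t192.0.2.11\t443\ttcp\t1900
1700000900\t10.0.0.7\t192.0.2.12\t80\ttcp\t3000
1700000050\t10.0.0.8\t198.51.100.7\t21\ttcp\t120000000
1700000300\t10.0.0.8\t198.51.100.7\t21\ttcp\t95000000
"""

def parse_conn_log(text):
    """Parse the tab-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, proto, sent = line.split("\t")
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "port": int(port), "proto": proto, "bytes": int(sent)})
    return flows

def find_beacons(flows, min_conns=5, max_jitter=0.2):
    """Map (src, dst, port) -> mean interval (s) where connection gaps are near-constant."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["port"])].append(f["ts"])
    hits = {}
    for key, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # low jitter = beacon-like
            hits[key] = round(avg)
    return hits

def find_bulk_egress(flows, threshold_bytes=100_000_000):
    """Map (src, dst) -> total bytes sent where the volume crosses the (arbitrary) threshold."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes"]
    return {k: v for k, v in totals.items() if v >= threshold_bytes}
```

Both checks need a baseline tuned to the environment: a legitimate update agent also polls on a fixed interval, and a backup job also moves bulk data, so alerts from these rules should be reviewed against the monitoring schedule and escalation paths the checklist calls for.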

Evidence Requirements

Type      | Evidence Item                                                              | Collection Frequency
Technical | Detection tool deployment evidence (dashboard screenshots, agent status)    | Captured monthly
Technical | Sample alert/detection output demonstrating capability                     | Captured quarterly
Record    | Third-party risk assessment reports and scorecards                         | Annually per vendor
Document  | Vendor contracts with security requirements                                | Per contract cycle
Document  | Governing policy document (current, approved, communicated)                | Reviewed annually