
Network Monitoring and Defense

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

Program Services & Resources

The following services and resources are provided by the NC K-12 Cybersecurity Program to PSUs at no cost to help execute the actions defined in the K-12 CORE Safeguards:

Why is Network Monitoring and Defense Important?

PSUs cannot rely solely on network defenses to protect against evolving cyber threats, as adversaries constantly develop new tactics and share exploit methods within their communities. Even when security tools function as intended, they require proper configuration and tuning based on each PSU's specific risk posture to be effective, and that can be undermined by misconfigurations or a lack of staff expertise. Security tools are most effective when they support a process of continuous monitoring, enabling staff to quickly detect and respond to incidents. Overreliance on automated alerts without human involvement often results in false positives and missed threats.

For larger or more frequently targeted educational institutions such as PSUs, having a security operations capability is essential to identify and respond to threats before they cause significant harm. This approach improves situational awareness, generates valuable metrics for policy improvements and regulatory compliance, and enables faster detection of incidents such as malware infections, credential theft, or data breaches. By cataloging attacker tactics and indicators of compromise (IOCs), PSUs can become more proactive in defending against future threats. Effective response and recovery also depend on comprehensive visibility into the PSU's infrastructure, ensuring incidents are managed efficiently and with minimal disruption to learning environments.

What can you do?

PSUs don't need to build a full Security Operations Center (SOC) to gain situational awareness, but should start by understanding their critical functions, network and server architecture, data flows, vendor and partner connections, and end-user devices. This foundational knowledge informs the development of a security architecture, technical controls, and response procedures. At the heart of this effort is a trained team, whether internal staff, external consultants, or a managed service provider, responsible for incident detection, analysis, and mitigation.

PSUs should monitor network activity, user credentials, and data access, and ensure visibility into both on-premises and cloud environments. While tools such as Security Information and Event Management (SIEM) platforms are useful for analyzing logs, they don't replace skilled staff, and they require regular tuning and human insight to detect real threats. Weekly log reviews and correlation tools support manual analysis, but human expertise remains essential. As a PSU's security capabilities mature, it can build a knowledge base to understand its risk landscape and begin developing internal threat intelligence by collecting attacker tactics and behaviors. Eventually, this can lead to proactive threat hunting, where trained staff manually inspect logs and traffic to identify anomalies before they escalate into major incidents.
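The paragraph above describes log review, correlation, and cataloging of attacker behavior in general terms. The script below is an added illustration of what that looks like in practice; it is not part of the NC K-12 program's materials or the CORE Safeguards. It correlates a handful of constructed, syslog-style SSH authentication lines (using RFC 5737 documentation addresses, not real hosts) with a sliding time window to flag a burst of failed logins from one source, escalates when a success follows that burst (a credential-theft indicator), and rolls the alerts into a small per-source IOC record of the kind a PSU might keep in its knowledge base. The log format, rule names, threshold and window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (syslog-style, RFC 5737 documentation
# addresses). They are not taken from any real system.
SAMPLE_LOG = """\
2024-03-04T08:00:01 sshd[101]: Failed password for jsmith from 198.51.100.23 port 50101
2024-03-04T08:00:04 sshd[101]: Failed password for jsmith from 198.51.100.23 port 50102
2024-03-04T08:00:09 sshd[101]: Failed password for jsmith from 198.51.100.23 port 50103
2024-03-04T08:00:14 sshd[101]: Failed password for jsmith from 198.51.100.23 port 50104
2024-03-04T08:00:20 sshd[101]: Failed password for jsmith from 198.51.100.23 port 50105
2024-03-04T08:00:25 sshd[101]: Accepted password for jsmith from 198.51.100.23 port 50106
2024-03-04T08:02:00 sshd[101]: Failed password for agarcia from 203.0.113.7 port 41000
2024-03-04T08:02:07 sshd[101]: Accepted password for agarcia from 203.0.113.7 port 41001
2024-03-04T08:10:00 sshd[101]: Failed password for root from 192.0.2.10 port 39000
2024-03-04T08:25:00 sshd[101]: Failed password for root from 192.0.2.10 port 39001
2024-03-04T08:40:00 sshd[101]: Failed password for root from 192.0.2.10 port 39002
2024-03-04T08:55:00 sshd[101]: Failed password for root from 192.0.2.10 port 39003
2024-03-04T09:10:00 sshd[101]: Failed password for root from 192.0.2.10 port 39004
"""

# Assumed line layout for this example; a real SIEM parser would be broader.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_events(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "outcome": m.group("outcome"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window correlation per source address (rule names are assumptions).

    - 'brute_force': at least `threshold` failures from one source within `window`.
    - 'possible_compromise': a successful login from a source that already tripped
      the brute-force rule, within `window` of its last failure.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    flagged = {}                          # src -> timestamp of its latest failure once flagged
    for ev in events:
        src, ts = ev["src"], ev["ts"]
        if ev["outcome"] == "Failed":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                if src not in flagged:        # alert once per source, not per extra failure
                    alerts.append({"rule": "brute_force", "src": src,
                                   "user": ev["user"], "ts": ts, "count": len(q)})
                flagged[src] = ts
        elif src in flagged and ts - flagged[src] <= window:
            alerts.append({"rule": "possible_compromise", "src": src,
                           "user": ev["user"], "ts": ts})
    return alerts


def build_ioc_catalog(alerts):
    """Summarise alerts into one IOC record per source for the knowledge base."""
    catalog = {}
    for a in alerts:
        rec = catalog.setdefault(a["src"], {"rules": set(), "users": set(),
                                            "first_seen": a["ts"], "last_seen": a["ts"]})
        rec["rules"].add(a["rule"])
        rec["users"].add(a["user"])
        rec["first_seen"] = min(rec["first_seen"], a["ts"])
        rec["last_seen"] = max(rec["last_seen"], a["ts"])
    return catalog


if __name__ == "__main__":
    found = correlate(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"{a['ts'].isoformat()} {a['rule']:<20} src={a['src']} user={a['user']}")
    for src, rec in build_ioc_catalog(found).items():
        print(f"IOC {src}: rules={sorted(rec['rules'])} users={sorted(rec['users'])}")
```

Run as-is, only 198.51.100.23 is flagged: five failures in twenty seconds followed by a success. The single typo from 203.0.113.7 stays quiet, and the slow attempts from 192.0.2.10 (one every fifteen minutes) never reach five inside a five-minute window, which is exactly the tuning question the paragraph raises: widening the window or lowering the threshold would surface the slow source at the cost of more alerts for a human reviewer to triage.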

Specific details and procedures are outlined in the K-12 Cybersecurity CORE Safeguards.

**NC K-12 Cybersecurity Community Mailing list subscription is required to access the CORE Safeguard materials**