Chapter 3: Scenarios & Selection

Financial institutions operate under the most stringent regulatory requirements of any industry, with obligations spanning PCI DSS, SOX, DORA, and local banking regulations. The monitoring system must provide real-time visibility into payment transactions, SWIFT messaging, core banking API calls, and privileged access to financial data. Fraud detection requires sub-second correlation between transaction events and behavioral baselines, while compliance monitoring demands complete audit trails with tamper-evident storage.

The primary threat vectors include account takeover via credential stuffing, insider trading through privileged data access, SWIFT fraud through compromised messaging systems, and ransomware targeting core banking infrastructure. The monitoring architecture must support both real-time detection for fraud prevention and forensic investigation for regulatory reporting.

Energy and utility operators face a unique challenge: their operational technology (OT) environments were designed for reliability and safety, not security. Legacy SCADA systems, industrial protocols (Modbus, DNP3, IEC 61850), and air-gapped network assumptions create monitoring blind spots that nation-state actors and ransomware groups actively exploit. The monitoring architecture must bridge the IT/OT divide without disrupting operational continuity, using passive network monitoring and protocol-aware inspection rather than active scanning.

The Purdue Model provides the logical segmentation framework, with monitoring deployed at the IT/OT demilitarized zone (DMZ) to capture all cross-boundary traffic. Industrial protocol anomaly detection identifies unauthorized command sequences, unexpected device communications, and configuration changes that could indicate pre-attack reconnaissance or sabotage preparation.

Large enterprises with 10,000+ employees and multiple geographic locations require a federated monitoring architecture that provides centralized visibility while respecting data sovereignty, bandwidth constraints, and regional operational requirements. The hub-and-spoke model with regional collectors and a central SIEM is the standard approach, with local triage capability at major sites and centralized correlation for cross-site attack detection.

The most critical detection use-cases for this scenario are lateral movement across sites, credential compromise and account takeover, data exfiltration through cloud services, and supply chain compromise through vendor access. The monitoring system must correlate events across sites to detect attackers who deliberately spread their activity across multiple locations to evade single-site detection.

Organizations that have migrated primarily or entirely to cloud infrastructure face a fundamentally different monitoring challenge. The traditional network perimeter is replaced by identity and API boundaries, and the threat model shifts toward misconfiguration exploitation, credential compromise, and abuse of cloud-native services. Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) capabilities must be integrated into the central SIEM alongside cloud audit logs from all providers.

The monitoring architecture for cloud-native environments must handle the ephemeral nature of cloud resources, where assets are created and destroyed dynamically. Asset inventory must be continuously synchronized from cloud APIs, and detection rules must account for legitimate automation activity to avoid false positive floods from infrastructure-as-code deployments.

Government and defense organizations face nation-state level adversaries with sophisticated, persistent attack capabilities. The monitoring architecture must support multi-level security (MLS) environments where different classification levels require separate monitoring instances with controlled data sharing. Advanced Persistent Threat (APT) detection requires long-dwell-time behavioral analytics and threat intelligence integration at a depth not required in commercial environments.

The monitoring system must operate in air-gapped or highly restricted network environments, with strict controls on data egress. Threat intelligence sharing with peer agencies and national CERTs requires secure, standardized exchange formats (STIX/TAXII). The system must also support forensic investigations that meet evidentiary standards for criminal prosecution or military legal proceedings.

Telecommunications operators must simultaneously protect their own infrastructure and the communications of millions of subscribers. The monitoring architecture spans both the network operations center (NOC) and security operations center (SOC) functions, with tight integration between network performance monitoring and security event detection. BGP hijacking, SS7 protocol abuse, and DDoS amplification attacks require specialized detection capabilities beyond standard enterprise SIEM.

Subscriber data protection under GDPR, CCPA, and telecommunications-specific regulations requires monitoring of all access to subscriber records, with automated alerts for bulk data access patterns that indicate insider threat or external breach. The monitoring system must handle extremely high event volumes from network infrastructure while maintaining sub-second detection latency for DDoS attacks that can impact service availability.

Healthcare organizations face a dual imperative: protecting patient data under HIPAA and similar regulations while ensuring the availability and integrity of medical devices that directly affect patient safety. Ransomware attacks on hospitals have demonstrated that cybersecurity failures can have life-threatening consequences, making availability monitoring as critical as threat detection. Medical IoT devices — from infusion pumps to imaging systems — often run legacy operating systems that cannot be patched and must be monitored through network-based detection.

The monitoring architecture must support rapid isolation of ransomware-affected systems without disrupting active patient care systems. Automated response playbooks must include clinical safety checks before executing containment actions, requiring integration with clinical operations teams and clear escalation paths that bypass standard IT approval processes in life-safety situations.

Manufacturing organizations face converging threats from nation-state actors targeting intellectual property, ransomware groups seeking production disruption leverage, and supply chain compromises that can introduce malicious components into products or software. The monitoring architecture must address both the corporate IT environment and the factory floor OT environment, with particular attention to the IT/OT convergence zones where enterprise systems connect to production systems.

Supply chain security monitoring requires tracking software bill of materials (SBOM), monitoring vendor remote access sessions, and detecting anomalous behavior from third-party integrations. Industrial protocol monitoring using Purdue Model segmentation ensures that production systems are protected from IT-side compromises while maintaining the operational visibility needed to detect OT-specific attacks.