A security administrator at Company XYZ is trying to develop a body of knowledge to enable
heuristic and behavior based security event monitoring of activities on a geographically distributed
network. Instrumentation is chosen to allow for monitoring and measuring the network. Which of
the following is the BEST methodology to use in establishing this baseline?

A.
Model the network in a series of VMs; instrument the systems to record comprehensive metrics;
run a large volume ofsimulated data through the model; record and analyze results; document
expected future behavior.

B.
Completely duplicate the network on virtual machines; replay eight hours of captured corporate
network traffic through the duplicate network; instrument the network; analyze the results;
document the baseline.

C.
Instrument the operational network; simulate extra traffic on the network; analyze net flow
information from all network devices; document the baseline volume of traffic.

D.
Schedule testing on operational systems when users are not present; instrument the systems to
log all network traffic; monitor the network for at least eight hours; analyze the results; document
the established baseline.