Monitoring

Because the DMZ is not bulletproof, it, and likely the rest of your corporate network, will have monitoring systems in place. Monitoring systems in your corporate network can be likened to a building's alarm system.

For example, people can freely walk down the road to your building and, if the gates and doors aren't locked, walk straight in. If they are locked, people can still climb the fence or pick the lock.

If your alarm system isn’t on or recording who and what comes in and out of your building, you may not even know someone has been there, who that someone was or what they did.

If they are already inside the building, they can turn your alarm system off so you don't know they're there, find your code so they can come and go undetected as they please, change your code so you can't get in, or simply damage the building and its contents.

If you do have your alarm system on and it sends an alert, that alert still needs an appropriate response, and what is appropriate depends on what the alert was for.

Securing your machines, servers and devices in the context of the internet is like securing your building.

As part of your monitoring system you probably have an Intrusion Prevention System (IPS). An IPS includes the capability of an Intrusion Detection System (IDS), which monitors and records activity, and additionally sits inline in the traffic path so that it can help prevent attacks by blocking them.

An IPS can watch or 'inspect' all the traffic that passes through it across your networks and use the signatures and rules you give it (e.g. 'a duck with a bomb strapped under its wing looks like this') to alert you to things that shouldn't be happening on the network or on a device.

An issue is that an IPS can create a lot of alerts, and many of them may be false positives. The expensive part is the analysis of these alerts. Because an IPS is inline, a false positive on a blocking rule does not just cost analyst time; it blocks legitimate traffic, which is why new rules are usually run in alert-only mode and tuned before they are allowed to block. An IPS also needs its signatures updated as new threats become known, and its rules re-tuned whenever the network or the devices behind it change.

(Adapted from Ernst 2013)
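To make the IDS/IPS distinction and the false-positive problem concrete, here is a small signature-based inspector run over some constructed web requests. This is an added example, not code from the original page or from Ernst; the rule format, the rule numbers, the regular expressions and the sample traffic are all hypothetical simplifications, not real Snort or Suricata signatures or captured data. In IDS mode every rule match is recorded but nothing is blocked; in IPS mode a rule whose action is "drop" blocks the packet. The third sample request is a benign documentation page that happens to mention /etc/passwd, and the last step shows what happens to it once the noisy rule is switched from "alert" to "drop".

```python
import re
from dataclasses import dataclass

# Constructed, simplified signature-based IDS/IPS. Rule numbering, rule
# format and sample traffic are hypothetical illustrations only.


@dataclass(frozen=True)
class Rule:
    sid: int             # rule identifier (hypothetical numbering)
    msg: str             # what the rule claims to have seen
    pattern: re.Pattern  # "a duck with a bomb under its wing looks like this"
    action: str          # "alert": record only; "drop": record and block (IPS only)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str


RULES = [
    Rule(1000001, "SQL injection tautology in request",
         re.compile(r"(?i)'\s*or\s+'?1'?\s*=\s*'?1"), "drop"),
    Rule(1000002, "Directory traversal in request path",
         re.compile(r"\.\./\.\./"), "drop"),
    Rule(1000003, "Reference to /etc/passwd in request",
         re.compile(r"(?i)/etc/passwd"), "alert"),
]


def inspect(packet, rules, mode):
    """Match one packet against every rule.

    mode "ids": record matches, never block (verdict is always "pass").
    mode "ips": the same matches, but a "drop" rule blocks the packet.
    Returns (verdict, matches); matches is a list of (sid, msg, action).
    """
    matches = []
    verdict = "pass"
    for rule in rules:
        if rule.pattern.search(packet.payload):
            matches.append((rule.sid, rule.msg, rule.action))
            if mode == "ips" and rule.action == "drop":
                verdict = "drop"
    return verdict, matches


def run(traffic, rules, mode):
    """Inspect a stream of packets; return one result dict per packet."""
    results = []
    for p in traffic:
        verdict, matches = inspect(p, rules, mode)
        results.append({"src": p.src, "payload": p.payload,
                        "verdict": verdict, "matches": matches})
    return results


def with_action(rules, sid, action):
    """Return a copy of the rule set with one rule's action changed (tuning)."""
    return [Rule(r.sid, r.msg, r.pattern, action) if r.sid == sid else r
            for r in rules]


def alert_count(results):
    """Every match is an alert an analyst has to look at: the expensive part."""
    return sum(len(r["matches"]) for r in results)


# Constructed sample traffic: two hostile requests, one benign request that
# happens to mention /etc/passwd (a false positive), and one ordinary request.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.5", "10.0.0.20", "GET /login?user=admin' OR '1'='1 HTTP/1.1"),
    Packet("203.0.113.5", "10.0.0.20", "GET /static/../../etc/passwd HTTP/1.1"),
    Packet("198.51.100.9", "10.0.0.20", "GET /docs/unix/etc/passwd-format.html HTTP/1.1"),
    Packet("198.51.100.9", "10.0.0.20", "GET /index.html HTTP/1.1"),
]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(f"--- {mode.upper()} mode ---")
        for r in run(SAMPLE_TRAFFIC, RULES, mode):
            print(f"{r['verdict']:4} {r['src']:13} {r['payload']}")
            for sid, msg, action in r["matches"]:
                print(f"      [{sid}] {msg} (rule action: {action})")
    # If the noisy alert rule is promoted to "drop" without tuning, the benign
    # documentation request is blocked: in an inline IPS a false positive is
    # an outage, not just wasted analysis time.
    tuned = with_action(RULES, 1000003, "drop")
    print("benign request under a drop rule:",
          run(SAMPLE_TRAFFIC, tuned, "ips")[2]["verdict"])
```

Running it shows the same four alerts in both modes (two hostile requests, the benign documentation request, and nothing for the ordinary request); only in IPS mode are the two hostile requests dropped. The analyst still has to look at all four alerts, which is the cost the text refers to, and promoting the /etc/passwd rule to "drop" turns the false positive into blocked legitimate traffic.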
