You are a security administrator for your company. You need to develop a body of knowledge to enable heuristic- and behavior-based security event monitoring on a geographically distributed network. Instrumentation is chosen to allow for monitoring and measuring the network. What is the BEST methodology to use in establishing this baseline?

A. Schedule testing on operational systems when users are not present. Instrument the systems to log all network traffic. Monitor the network for at least eight hours. Analyze the results. Document the established baseline.
B. Model the network in a series of VMs. Instrument the systems to record comprehensive metrics. Run a large volume of simulated data through the model. Record and analyze the results. Document expected future behavior.
C. Instrument the operational network. Simulate extra traffic on the network. Analyze network flow information from all network devices. Document the baseline volume of traffic.
D. Completely duplicate the network on VMs. Replay eight hours of captured corporate network traffic through the duplicate network. Instrument the network. Analyze the results. Document the baseline.

---

B
Explanation: You should model the network in a series of VMs, instrument the systems to record comprehensive metrics, run a large volume of simulated data through the model, record and analyze results, and document expected future behavior.
Operational systems are not the best to use in this situation, especially when users are not present. The whole point is to test the current network baseline.