Incident Response

Collection, Sensing, and Alerting: Yesterday’s News

Security has evolved to the point that I can now say that collection, sensing, and alerting are yesterday’s news. How can I make such a provocative statement? Wikipedia. Confused? That’s certainly understandable. I’ll explain.

Security has evolved to the point that I can now say that collection, sensing, and alerting are yesterday’s news. How can I make such a provocative statement? Wikipedia. Confused? That’s certainly understandable. I’ll explain.

Years ago, if we wanted to learn about a topic, we looked it up in the encyclopedia. Yes, I realize that some of my readers may be less familiar with this concept than others. Nonetheless, before most of us had access to the Internet, it required some effort to get information when we needed it.

Along came the Internet and suddenly information was everywhere and easily accessible. There was only one problem. Information was hidden in plain sight. True, it was everywhere and easily accessible, but it became harder than ever to organize and make sense of the information.

Therein lies the magic of Wikipedia. What makes Wikipedia great isn’t the information it contains — that can be found anywhere. Rather, what makes Wikipedia great is that it organizes, warehouses, and indexes all of that information neatly, in a factually accurate manner, all in one place. That is, in essence, Wikipedia’s differentiator.

Let’s turn back to security to further examine this concept and its implications. In security, and more specifically in security operations, we have traditionally focused the overwhelming majority of our efforts on collection, sensing, and alerting. Many organizations spend a tremendous amount of time instrumenting their networks and endpoints, tuning rules and logic, and working to produce a reasonable volume of high fidelity, low noise alerting. Please don’t misunderstand my point here — these are all extremely important things that are critical to the success of a security organization, as I have written about many times.

So what am I getting at? Collection, sensing, and alerting are only half of the story. We in the security field sometimes forget something that is extremely important. In fact, I consider it to be one of the most fundamental aspects of security operations. To understand what we’re forgetting, we need to step back and ask ourselves a few questions: Why? So what? What is the point?

Let’s expand these questions a bit further to better understand what I am hoping to highlight: Why have we spent so much time, money, and effort on collection, sensing, and alerting? What does it get us in the end? What end goal are we trying to achieve with all of this telemetry and alerting infrastructure?

To understand the answers to these questions, we have to go back to, you guessed it, the prioritized list of risks we are looking to mitigate as security practitioners. These will, of course, vary by organization. But there is one central theme that runs through each and every organization. At any point in time, I need to be able to quickly assess whether or not my organization has fallen victim to one or more of these risks. Or, to put it another way, I need to be able to make decisions. Not just any decisions, but informed, timely, and accurate decisions.

Conceptually this undertaking sounds easy enough. In practice, however, it turns out to be quite difficult, though perhaps not for the reasons you might expect. Whereas once it was difficult to obtain visibility and reliable telemetry data from the vast expanse of the enterprise, times have changed. I’m not saying that collection, sensing, and alerting aren’t important — indeed they are. Rather, what I’m saying is that they are yesterday’s problem. Today, there is no shortage of options when it comes to collection, sensing, and alerting, whether these capabilities come from a vendor, from open-source, or are built in-house.

Perhaps you’ll understand why I’m a bit surprised that I still see so much discussion around the security community about who has built the better mousetrap. Granted, there will always be important differences between different offerings. The bigger question in my mind, however, is one that I see discussed far less often. What do you do with all of that information? How can all of that information be fused, correlated, and analyzed continually in order to be turned into knowledge? In turn, how can that knowledge subsequently be leveraged to either disrupt attacks, or to tell you when there is something requiring your immediate attention? That is the “wikipedia” piece of security operations that I so often see missing from the broader discussion, dialogue, and debate around the topic.

True security operations requires so much more than merely technology to support collection, sensing, and alerting. It requires intelligence to inform and enrich telemetry and alert data. It requires automation to put together different pieces of the puzzle and build the narrative around what is truly going on. It requires expertise to continually interrogate, mine, and analyze the enriched information in order to turn it into knowledge. Not just any knowledge, of course, but knowledge relevant to and mapped back to the risks we’re most concerned about mitigating. Knowledge that enables and empowers us to make informed, timely, and actionable decisions regarding those risks.
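As an added illustration of the pipeline this paragraph describes (intelligence enriches alerts, automation fuses them into a per-host narrative, the narrative is mapped back to the prioritized risk register to drive a decision), here is example code that is not the author's or F5's. The alerts, intelligence tags and risk register are constructed, and the rule that a risk is escalated only when two or more independent pieces of evidence corroborate it is an assumption.

```python
from collections import defaultdict

# Constructed sample alerts from three sensors (not from the article).
ALERTS = [
    {"ts": 1, "host": "ws-17", "source": "dns", "indicator": "update-cdn.example"},
    {"ts": 2, "host": "ws-17", "source": "edr", "indicator": "encoded-powershell"},
    {"ts": 3, "host": "ws-17", "source": "proxy", "indicator": "203.0.113.9"},
    {"ts": 4, "host": "db-02", "source": "auth", "indicator": "failed-login-burst"},
]
# Constructed intelligence: indicator -> what it means. Unknown indicators stay raw.
INTEL = {
    "update-cdn.example": "c2-domain",
    "203.0.113.9": "c2-ip",
    "encoded-powershell": "suspicious-execution",
}
# Prioritized risk register (constructed): risk -> tags that count as evidence for it.
RISKS = {
    "data exfiltration via C2": {"c2-domain", "c2-ip", "suspicious-execution"},
    "credential abuse": {"failed-login-burst", "new-admin-account"},
}

def enrich(alerts, intel):
    """Attach intelligence context to each raw alert (the 'inform and enrich' step)."""
    return [dict(a, tag=intel.get(a["indicator"], a["indicator"])) for a in alerts]

def correlate(enriched):
    """Fuse alerts per host into a time-ordered narrative plus the set of tags seen."""
    narratives = defaultdict(lambda: {"timeline": [], "tags": set()})
    for e in sorted(enriched, key=lambda x: x["ts"]):
        narratives[e["host"]]["timeline"].append((e["source"], e["tag"]))
        narratives[e["host"]]["tags"].add(e["tag"])
    return dict(narratives)

def assess(narratives, risks, min_evidence=2):
    """Map each narrative onto the risk register and decide what needs attention now.
    Assumed rule: escalate only when independent pieces of evidence corroborate a risk."""
    decisions = []
    for host, n in narratives.items():
        for risk, evidence in risks.items():
            hits = sorted(n["tags"] & evidence)
            if hits:
                decisions.append({"host": host, "risk": risk, "evidence": hits,
                                  "escalate": len(hits) >= min_evidence})
    return decisions

def run(alerts=ALERTS, intel=INTEL, risks=RISKS):
    """Full pipeline: raw telemetry -> enriched -> narrative -> risk-mapped decisions."""
    return assess(correlate(enrich(alerts, intel)), risks)
```

Running `run()` on the constructed data yields two decisions: the workstation narrative corroborates the exfiltration risk on three independent indicators and is escalated, while the lone failed-login burst on the database host is recorded against credential abuse but not escalated.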

As the security world continues to march forward, having a security operations “wikipedia” seems increasingly critical to a successful security operations effort within an organization. Collection, sensing, and alerting technologies are easy enough to come by nowadays, but that’s only a small part of addressing the overall security operations challenge. It’s becoming less and less about getting the information and more and more about extracting maximum value from that information in support of informed, timely, and accurate decision-making.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
