
The Key to Incident Detection Is Information, Not Technology

By Carlos Lozano, CEO, Rent A Hacker
Tue, 03/25/2025 - 08:30


When searching for information on how to detect cybersecurity incidents, we often encounter a multitude of technology-based solutions promising to help protect our organizations, many of them leveraging artificial intelligence to enhance their capabilities. Yet if we look at reports on recent security incidents, whether in Mexico or elsewhere, we find that the number of security breaches continues to rise.

Why do these incidents persist despite the continuous emergence of new security solutions?

Unfortunately, technology alone is not enough, even with the significant advancements in artificial intelligence. The key does not lie in technology itself but in the information that feeds these solutions.

Every security incident generates a substantial amount of information. While this is a highly technical subject, I will aim to simplify the explanation for clarity.

Statistics indicate that most incidents originate internally: the activity is carried out by employees, suppliers, or attackers who have already gained access to the internal network. And the first action an attacker takes once inside, regardless of how that access was obtained, is reconnaissance of the network.

There are various methods for this exploration, but all of them generate significant network traffic across different protocols (ICMP sweeps, TCP and UDP port scans, SMB, LDAP and SNMP enumeration, and so on) as the attacker maps their surroundings. Internal web applications, network devices, configuration consoles, and OT devices all become targets. Every step of this exploration produces network traffic, and that traffic, in turn, produces information.

That information is reflected in log files, service error logs, system responses, and numerous other records: firewall and IDS entries for the connection attempts, web server access logs for the probes against applications, authentication failures on the services that were touched.

These logs are what security solutions feed on. But if logging is not configured to record the right fields, if the records are not parsed into a form the security tools can interpret, or if the data is not retained for long enough and at the necessary level of detail, then for practical purposes the information does not exist. Without it, security solutions lack the raw material they need to function.

Once reconnaissance is complete, the next step is to look for vulnerabilities in the assets that were discovered. Just as in the exploration phase, vulnerability scanning and exploitation attempts leave traces in logs and produce visible side effects.

For instance, if an attacker finds a vulnerability in a web application that lets them extract data from its database, each query they run against that database can generate a log entry, provided query logging is enabled on the database server, which is rarely the default. The activity is also abnormal in itself: if an application is designed to report the company's latest sales transactions but instead returns a list of stored usernames and passwords, that is an anomaly that must be logged. Moreover, attacks are rarely flawless; the unsuccessful attempts that precede a working exploit will usually produce application and system errors, and those should be recorded too, not only for security purposes but also for later debugging and analysis.

Once an attacker gains access to a system, they will begin reviewing its contents and extracting anything useful (credentials, configuration files, stored sessions, internal documentation), which they can then leverage to attack other systems.

Using that material to reach the next system is what cybersecurity calls lateral movement, and it too generates logs: authentication events on the target host, new sessions, and new network connections between machines that do not normally talk to each other.

The real power of security solutions lies in bringing together data from all network assets, applications, systems, databases, and so on, and correlating it to identify security incidents: a host sweep from one address, followed by a malformed request to an internal application from the same address, followed by a login elsewhere that originates from the host that was just attacked. Only then do AI engines, algorithms, and detection models become effective and provide a comprehensive view of malicious activity.
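The normalization and correlation described above, reduced to a runnable sketch. This is an added example, not code from the article or from Rent A Hacker: it parses constructed firewall, web-server and sshd lines (every IP, hostname and timestamp is invented) into one common schema, then links the reconnaissance traffic from the earlier paragraphs, the injection against the internal web application, and the lateral login into a single chain. The year stamped onto syslog lines, the shared local time zone, the 60-second window and the five-host threshold are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

YEAR = 2025  # assumed: syslog has no year, and all sources are taken to share one local zone

# Constructed sample lines, not real captures: one attacker (10.0.5.23) seen by fw01, web01 and db01.
FIREWALL_LOG = """\
Mar 25 08:30:01 fw01 kernel: DENY IN=eth1 SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP DPT=445
Mar 25 08:30:01 fw01 kernel: DENY IN=eth1 SRC=10.0.5.23 DST=10.0.1.11 PROTO=TCP DPT=445
Mar 25 08:30:02 fw01 kernel: DENY IN=eth1 SRC=10.0.5.23 DST=10.0.1.12 PROTO=TCP DPT=445
Mar 25 08:30:02 fw01 kernel: ALLOW IN=eth1 SRC=10.0.5.23 DST=10.0.1.15 PROTO=TCP DPT=80
Mar 25 08:30:03 fw01 kernel: DENY IN=eth1 SRC=10.0.5.23 DST=10.0.1.16 PROTO=TCP DPT=445
Mar 25 08:30:03 fw01 kernel: DENY IN=eth1 SRC=10.0.5.23 DST=10.0.1.17 PROTO=TCP DPT=22
Mar 25 08:30:03 fw01 kernel: ALLOW IN=eth1 SRC=10.0.2.40 DST=10.0.1.15 PROTO=TCP DPT=80
"""
# web01 (10.0.1.15) in Combined Log Format; the line carries no hostname, so ingest() attaches it.
WEB_LOG = """\
10.0.2.40 - - [25/Mar/2025:08:31:02 -0600] "GET /reports/sales?month=2025-02 HTTP/1.1" 200 4120
10.0.5.23 - - [25/Mar/2025:08:31:10 -0600] "GET /reports/sales?month=2025-02' HTTP/1.1" 500 312
10.0.5.23 - - [25/Mar/2025:08:31:14 -0600] "GET /reports/sales?month=2025-02'%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 91822
"""
AUTH_LOG = """\
Mar 25 08:33:40 db01 sshd[2201]: Accepted password for svc_report from 10.0.1.15 port 51120 ssh2
"""

FW_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (ALLOW|DENY) .*?SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+|-)')
AUTH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")

def _syslog_ts(s):
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")

def normalize(line, source, host=None, host_ip=None):
    """Map one raw line onto a common schema (ts/host/category/action/src/dst/status/detail); None if unmatched."""
    if source == "firewall" and (m := FW_RE.match(line)):
        ts, h, action, src, dst, proto, dport = m.groups()
        return dict(ts=_syslog_ts(ts), host=h, category="network", action=action.lower(),
                    src=src, dst=dst, status=None, detail=f"{proto}/{dport}")
    if source == "web" and (m := WEB_RE.match(line)):
        src, ts, method, path, status, _size = m.groups()
        return dict(ts=datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None), host=host,
                    category="web", action=method, src=src, dst=host_ip, status=int(status), detail=unquote(path))
    if source == "auth" and (m := AUTH_RE.match(line)):
        ts, h, method, user, src = m.groups()
        return dict(ts=_syslog_ts(ts), host=h, category="auth", action="login_success",
                    src=src, dst=host_ip, status=None, detail=f"{user} via {method}")
    return None

def ingest(text, source, host=None, host_ip=None):
    return [e for e in (normalize(ln, source, host, host_ip) for ln in text.splitlines()) if e]

def scanning_sources(events, window=timedelta(seconds=60), min_targets=5):
    """Host sweep: a source that touched at least `min_targets` distinct hosts inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["category"] == "network":
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            targets = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(targets) >= min_targets:
                hits[src] = len(targets)
                break
    return hits

SQLI_MARKERS = ("'", "UNION SELECT", "--")

def web_exploitation(events, src):
    """Requests from `src` that carry injection markers or made the application fail (5xx)."""
    return [e for e in events if e["category"] == "web" and e["src"] == src
            and (e["status"] >= 500 or any(k in e["detail"].upper() for k in SQLI_MARKERS))]

def build_chain(events):
    """Correlate: recon by X; exploitation of host H by X; then logins *sourced from H* on other hosts."""
    chain = [dict(stage="recon", actor=s, target=f"{n} hosts", evidence="host sweep")
             for s, n in sorted(scanning_sources(events).items())]
    pivots = set()
    for src in sorted({e["src"] for e in events if e["category"] == "web"}):
        if hits := web_exploitation(events, src):
            chain.append(dict(stage="exploitation", actor=src, target=hits[0]["host"],
                              evidence=f"{len(hits)} suspicious requests"))
            pivots.add(hits[0]["dst"])
    for e in events:  # a login whose source is an exploited host is lateral movement, not a routine service login
        if e["category"] == "auth" and e["action"] == "login_success" and e["src"] in pivots:
            chain.append(dict(stage="lateral_movement", actor=e["src"], target=e["host"], evidence=e["detail"]))
    return chain

def load_all():
    return (ingest(FIREWALL_LOG, "firewall") + ingest(WEB_LOG, "web", "web01", "10.0.1.15")
            + ingest(AUTH_LOG, "auth", "db01", "10.0.1.20"))

if __name__ == "__main__":
    events = load_all()
    print(*build_chain(events), sep="\n")
    print("without web logs:", build_chain([e for e in events if e["category"] != "web"]))
```

Run it, then drop one source. Without the firewall log there is no reconnaissance stage; without the web log the SSH login on db01 looks like a routine service login, because nothing ties its source address to a host that was just attacked. The correlation logic is identical in every run; only the information fed to it changes, which is the blindness this section describes.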

What is the reality in many organizations?

This critical information is often unavailable due to several reasons:

  • Storage constraints: Storing logs is costly, so organizations prioritize other needs over log retention, keep short retention windows, or drop the most verbose sources altogether.

  • Configuration errors: Logging is left at its defaults, so the records lack the fields (source address, user, request, query, status) needed to reconstruct what actually happened.

  • Poorly managed errors in custom-built systems: Developers catch exceptions and discard them, or log a generic message without the request context, so failed attacks leave no usable trace.

  • Implementation issues in security solutions: Log data must be normalized to be properly analyzed, yet many organizations fail to standardize their logs, rendering them ineffective.

Without properly feeding security solutions with relevant data, they become limited in their ability to detect threats, often reducing their function to generating generic alerts that provide little actionable insight.
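The sales-report scenario from earlier in the article, and the "poorly managed errors" item above, as an added example that is not code from the article or from Rent A Hacker. Two handlers sit on the same deliberately injectable query (kept injectable only so the page's scenario of a report that returns usernames and passwords reproduces; the preventive fix is the parameterized query in the comment). The first swallows errors and logs nothing; the second logs the request with its caller's context, logs the failed probe as an error, and checks the shape of the result against what a sales report is supposed to return. The table contents, the log field names and the in-memory log sink are constructed for the example.

```python
import logging
import re
import sqlite3

class ListHandler(logging.Handler):
    """Keeps records in memory so the example runs stand-alone; a real app forwards them to the SIEM."""
    def __init__(self):
        super().__init__()
        self.records = []
    def emit(self, record):
        self.records.append(record)

SINK = ListHandler()
LOG = logging.getLogger("sales_report")
LOG.addHandler(SINK)
LOG.setLevel(logging.INFO)
LOG.propagate = False

def setup_db():
    """Constructed in-memory data: a sales table the report should read and a users table it should not."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sales(month TEXT, total REAL);
        INSERT INTO sales VALUES ('2025-01', 18250.0), ('2025-02', 20110.5);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('alice', 'hash-placeholder-1'), ('svc_report', 'hash-placeholder-2');
    """)
    return con

def sales_query(con, month):
    """DELIBERATELY VULNERABLE string-built SQL, kept so the page's scenario reproduces.
    The preventive fix is con.execute("SELECT month, total FROM sales WHERE month = ?", (month,))."""
    return con.execute(f"SELECT month, total FROM sales WHERE month = '{month}'").fetchall()

def silent_handler(con, month):
    """The 'before': errors are swallowed and nothing is logged, so neither the probe nor the dump leaves a trace."""
    try:
        return sales_query(con, month)
    except Exception:
        return []

MONTH_RE = re.compile(r"^\d{4}-\d{2}$")

def unexpected_rows(rows):
    """A sales row is (YYYY-MM, number); anything else means the query did not do what the application intended."""
    return [r for r in rows if not (isinstance(r[0], str) and MONTH_RE.match(r[0]) and isinstance(r[1], (int, float)))]

def observable_handler(con, month, client_ip):
    """The 'after': the request, its failure, or the shape of its result is always logged with caller context."""
    ctx = {"client_ip": client_ip, "param_month": month}
    try:
        rows = sales_query(con, month)
    except sqlite3.Error as exc:
        LOG.error("report.query_error", extra={**ctx, "error": str(exc)})  # the failed probe becomes evidence
        raise
    bad = unexpected_rows(rows)
    if bad:
        LOG.warning("report.result_anomaly", extra={**ctx, "rows": len(rows), "unexpected_rows": len(bad)})
    else:
        LOG.info("report.ok", extra={**ctx, "rows": len(rows)})
    return rows

def logged_events():
    """(level, message, client_ip) per record: the fields a detection rule would key on."""
    return [(r.levelname, r.getMessage(), getattr(r, "client_ip", None)) for r in SINK.records]

if __name__ == "__main__":
    con = setup_db()
    probe = "2025-02' OR 1=1"  # unbalanced quote: the kind of failed attempt that precedes a working exploit
    dump = "2025-02' UNION SELECT username, password FROM users--"
    print("silent:", silent_handler(con, probe), silent_handler(con, dump))
    try:
        observable_handler(con, probe, "10.0.5.23")
    except sqlite3.Error:
        pass
    observable_handler(con, dump, "10.0.5.23")
    print("logged:", logged_events())
```

With the silent handler the probe returns an empty list and the dump returns three rows, and the log is empty in both cases. With the observable handler the same two requests produce a `report.query_error` and a `report.result_anomaly`, each carrying the client address and the offending parameter, which is what a SIEM rule needs to connect them to the reconnaissance traffic that came before.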

This is not to say that security solutions are ineffective. In certain cases, they do provide visibility into specific areas, allowing logs to be collected and analyzed. Endpoint Detection and Response (EDR) tools, antivirus software, and Zero Trust agents help monitor critical components like servers. And what do they produce? That's right: log data.

Similarly, tools such as Application Performance Monitoring (APM) and Digital Experience Monitoring (DEM) solutions enhance the visibility of assets, providing detailed usage logs that can later be analyzed.

One of the most underrated and, at the same time, most overestimated security solutions is the Security Information and Event Management (SIEM) system. In simple terms, a SIEM centralizes information from many sources and analyzes it collectively to detect security events.

Why is it underrated? Many organizations perceive SIEMs as costly tools that add little value, believing they fail to detect incidents effectively or are too complex to use for analysis. However, this perception often stems from the SIEM never having been fed the right data, in sufficient quantity and detail, to analyze.

Why is it overestimated? Due to its comprehensive analytical capabilities, many believe that merely implementing a SIEM guarantees security without realizing the extensive groundwork required to make it function effectively.

Regardless of the tool — be it an EDR, APM, SIEM, or even a basic antivirus — the key lies in information. Without generating detailed data on each organizational asset, the budget and quantity of security solutions purchased become irrelevant. In all cases, a lack of quality data leads to shallow analysis, allowing security incidents to continue occurring.

Thus, when developing an incident detection strategy, organizations must first assess the information they currently have before investing in new technologies that may not be the right fit.
