Cybersecurity monitoring is a subset of observability that focuses on detecting and responding to security threats using your telemetry data. While observability uses telemetry to provide insights into overall system behavior, performance, and reliability, cybersecurity monitoring applies these same principles and tools to enable cyber threat detection. This targeted use of existing observability tools can help eliminate the need for parallel or specialized monitoring systems; the telemetry sources that help debug your performance and error issues can also detect security incidents.
This article explains how to use your observability stack and telemetry pipeline for cybersecurity monitoring and covers cyber attacks, threat detection patterns, and metrics relevant to cybersecurity.
Summary of key cybersecurity monitoring concepts
| Concept | Description |
|---|---|
| Taking an integrated approach | Integrate observability tools to augment cybersecurity telemetry and maximize the benefits of cybersecurity monitoring systems. |
| Threats and detection response | Cyber attacks target five main layers: network (infrastructure attacks), web (application attacks), identity (authentication attacks), host (system-level attacks), and data (privacy attacks). Each attack type has distinct patterns in telemetry data that enable detection using monitoring tools. |
| Pipeline architecture | Telemetry pipelines are required to scale the processing of metrics, events, logs, and traces (MELT) in large enterprises. This enables real-time filtering and processing at the edge. |
| Real-time analysis | Enrich and analyze telemetry as it arrives so that threats are detected in real time. |
| Cybersecurity tooling | Various tools are required for detecting and preventing cyber attacks. Security response and enforcement tools are needed to implement protective measures, such as container security and network segmentation. |
| Collaboration and scaling | Collaborate with DevOps teams to leverage the tools already in place for performance monitoring and observability (metrics, events, traces, and logs). |
Taking an integrated approach to cybersecurity monitoring
Many companies maintain separate tooling for cybersecurity monitoring and observability, leading to duplicated effort, increased cost, and fragmented visibility. This separation stems from historical practices where security teams operated independently from operations and engineering teams. However, the telemetry needed for cybersecurity monitoring largely overlaps with performance and reliability monitoring; the difference lies primarily in how this data is viewed, analyzed, and acted upon.
A more integrated approach leverages the existing observability infrastructure for security use cases. For example, the same distributed tracing data that helps debug service latency issues can identify unusual access patterns or potential data exfiltration attempts. Application metrics that track error rates and resource utilization can be used for performance monitoring and denial-of-service detection. Log aggregation systems collect application errors for developers and are equally valuable for detecting injection attempts and application attacks.
Success with this integrated approach requires organizational changes alongside technical ones. Security teams must collaborate closely with platform and operations teams, sharing access, tools, and practices rather than maintaining separate stacks. This means joint planning for telemetry collection, shared access to observability platforms, and coordinated incident response procedures. While security teams may still maintain specialized tools for particular needs like threat intelligence and vulnerability scanning, the core observability infrastructure becomes a shared resource serving multiple teams' needs.
The shift toward infrastructure as code and automated deployments further reinforces this integration. Security controls and monitoring standards can be embedded directly into service definitions and deployment pipelines, making security observability a built-in feature rather than an afterthought. This “shift-left” approach to security ensures:
Comprehensive coverage
Minimized operational overhead
True real-time monitoring and the ability to act
Shifting left from analytics platforms enables faster response to high-priority issues.
Threats and detection response
Cyber attacks target systems at multiple layers:
Network infrastructure (DDoS, port scanning, DNS attacks),
Application layer (injection attacks, API abuse),
Authentication systems (credential attacks, session hijacking),
System level (malware, rootkits, container escapes), and
Data layer (SQL injection, exfiltration, ransomware, privacy violations).
We will examine each threat's key observability metrics and detection approaches. Analyzing these signals, ideally in real time and at the front-facing edge of your infrastructure, is essential to protecting against cyber attacks.
Network and infrastructure attacks
Network infrastructure attacks target the foundational layers of connectivity, attempting to disrupt service availability or gain unauthorized network access through protocol and routing manipulation.
The following table examines the different threat patterns and their metrics/responses. We’ll use this format to review all the different types of threats.
| Threat pattern | Key metrics/signals | Detection approach | Response actions |
|---|---|---|---|
| DDoS attacks | Request rate, error rate, resource utilization, geographic distribution | Traffic pattern analysis, baseline deviation | Rate limiting, traffic filtering, CDN failover |
| Port scanning | Connection attempts across ports, failed connection rate | Pattern detection in network flows | Dynamic firewall rules, IP blocking |
| DNS attacks | DNS query patterns, response sizes, and NXDomain rates | Anomaly detection in DNS metrics | Query filtering, DNS response policy zones |
| ARP spoofing | ARP request/reply patterns, MAC address changes | Network flow analysis | Port security, DHCP snooping |
| BGP hijacking | Route announcements, AS path changes | BGP update monitoring | Route filtering, RPKI validation |
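The first two rows of the table, "pattern detection in network flows" for port scanning and "baseline deviation" for DDoS, can both be implemented over the flow and request-rate telemetry an observability stack already collects. The following is an added example, not code from the article or from any vendor: the flow records and per-minute request counts are constructed, and the tuple layout (timestamp, source, destination, destination port) is an assumption about what the collector emits.

```python
"""Network-layer detections over NetFlow-style records.

Added example, not code from the original article. The flow records and
per-minute request counts below are constructed, and the tuple layout
(timestamp, src, dst, dst_port) is an assumption about the collector.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: (timestamp_seconds, src_ip, dst_ip, dst_port).
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080]
FLOWS = (
    # One source probing twelve ports on one host inside a minute.
    [(t, "203.0.113.7", "10.0.1.20", p) for t, p in enumerate(SCAN_PORTS)]
    # A normal client talking to the web tier on 443 and 80 only.
    + [(t, "198.51.100.4", "10.0.1.20", 443) for t in range(0, 60, 5)]
    + [(30, "198.51.100.4", "10.0.1.20", 80)]
)

# Constructed request counts per minute at the edge: ten quiet minutes, then a flood.
REQUESTS_PER_MINUTE = [100, 110, 95, 105, 100, 98, 102, 104, 99, 101, 900]


def detect_port_scans(flows, window=60, min_ports=10):
    """Pattern detection in network flows: a source that reaches at least
    `min_ports` distinct destination ports on one host within one window."""
    ports_seen = defaultdict(set)  # (src, dst, window_index) -> {dst_port}
    for ts, src, dst, dport in flows:
        ports_seen[(src, dst, ts // window)].add(dport)
    return sorted({(src, dst) for (src, dst, _w), ports in ports_seen.items()
                   if len(ports) >= min_ports})


def detect_rate_anomalies(counts, z_threshold=3.0, min_history=5):
    """Baseline deviation: score each minute against the mean and standard
    deviation of the minutes before it. Returns (index, count, z) tuples."""
    anomalies = []
    for i in range(min_history, len(counts)):
        history = counts[:i]
        # Floor the deviation at 1.0 so a perfectly flat baseline cannot
        # turn every small change into a "spike" (or divide by zero).
        sigma = max(pstdev(history), 1.0)
        z = (counts[i] - mean(history)) / sigma
        if z > z_threshold:
            anomalies.append((i, counts[i], round(z, 1)))
    return anomalies


if __name__ == "__main__":
    print("port scans:", detect_port_scans(FLOWS))
    print("rate anomalies:", detect_rate_anomalies(REQUESTS_PER_MINUTE))
```

The `min_history` warm-up matters in practice: scoring against a baseline of one or two samples produces alerts on ordinary jitter, which is the false-positive source that makes teams mute rate alerts. In production the baseline would be per-endpoint or per-region rather than a single global series, since the table's "geographic distribution" signal only appears once the series is split that way.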
Application-layer attacks
These attacks exploit vulnerabilities in web applications and APIs, attempting to manipulate application logic, inject malicious code, or abuse application functionality.
| Threat pattern | Key metrics/signals | Detection approach | Response actions |
|---|---|---|---|
| SQL injection | Query patterns, error rates, and query complexity | Trace analysis, query metrics | Query blocking, WAF rules |
| XSS attacks | Script injection patterns, DOM mutations | Request/response content analysis | Content filtering, CSP headers |
| CSRF attacks | Request origin patterns, token validation | Session tracking, token verification | Token validation, origin checks |
| File upload attacks | File type distribution, upload sizes, metadata | Content analysis, behavior patterns | Upload blocking, sandbox analysis |
| API abuse | Endpoint usage patterns, error rates, and request volumes | Request rate analysis, payload inspection | Rate limiting, API key rotation |
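The "trace analysis" approach in the SQL injection row works because distributed traces already carry the statement each endpoint executes. One way to turn that into a detection without maintaining attack signatures is to fingerprint each query's shape (literals replaced, whitespace and case normalized) and alert when an endpoint issues a shape it never produced during a learning period. This is an added example, not code from the article; the spans are constructed, and the (endpoint, statement) pairs stand in for span attributes such as OpenTelemetry's `db.statement`, which is an assumption about the tracer.

```python
"""Trace analysis for SQL injection: fingerprint each statement's shape and
flag shapes an endpoint has never issued before.

Added example, not code from the original article. The trace spans are
constructed; the (endpoint, statement) layout stands in for span attributes
such as OpenTelemetry's db.statement and is an assumption.
"""
import re
from collections import defaultdict

# Constructed spans from a learning period when traffic was known-good.
BASELINE_SPANS = [
    ("/api/users", "SELECT * FROM users WHERE id = 42"),
    ("/api/users", "SELECT * FROM users WHERE id = 7"),
    ("/api/orders", "SELECT id, total FROM orders WHERE user_id = 42 AND status = 'open'"),
]

# Constructed spans from live traffic: two benign, one with a tautology
# appended where only a numeric id should appear.
LIVE_SPANS = [
    ("/api/users", "SELECT * FROM users WHERE id = 1001"),
    ("/api/orders", "SELECT id, total FROM orders WHERE user_id = 9 AND status = 'shipped'"),
    ("/api/users", "SELECT * FROM users WHERE id = 42 OR 1=1"),
]

# Quoted strings (with '' escapes) and bare integers are literals.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")
_WS = re.compile(r"\s+")


def fingerprint(statement):
    """Reduce a statement to its shape: literals become ?, whitespace is
    collapsed and case is normalized, so parameter values do not create
    new shapes but a changed query structure does."""
    shape = _LITERAL.sub("?", statement)
    return _WS.sub(" ", shape).strip().lower()


def learn_baseline(spans):
    """Map each endpoint to the set of query shapes seen during learning."""
    baseline = defaultdict(set)
    for endpoint, statement in spans:
        baseline[endpoint].add(fingerprint(statement))
    return baseline


def find_unseen_shapes(baseline, spans):
    """Return (endpoint, shape, statement) for live spans whose shape the
    endpoint never produced during learning. An unseen shape is a signal
    to investigate, not proof of injection: a code deploy also adds shapes."""
    hits = []
    for endpoint, statement in spans:
        shape = fingerprint(statement)
        if shape not in baseline.get(endpoint, set()):
            hits.append((endpoint, shape, statement))
    return hits


if __name__ == "__main__":
    for hit in find_unseen_shapes(learn_baseline(BASELINE_SPANS), LIVE_SPANS):
        print("unseen query shape:", hit)
```

Because the baseline is keyed by endpoint, the same shape being new for `/api/users` but routine for a reporting endpoint is handled correctly. The learning set should be refreshed on each deploy, otherwise legitimate new queries will page the on-call until someone re-learns.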
Authentication and access attacks
Authentication attacks focus on compromising user identities and access controls, using techniques ranging from brute-force attempts to sophisticated session manipulation.
| Threat pattern | Key metrics/signals | Detection approach | Response actions |
|---|---|---|---|
| Brute force | Login attempt rates, failure patterns | Pattern detection in auth logs | Progressive delays, account lockdown |
| Credential stuffing | Login success rates across accounts | Behavioral analysis, IP reputation | IP blocking, MFA enforcement |
| Session hijacking | Session reuse patterns, geographic changes | Session tracking analysis | Session invalidation, reauthentication |
| Privilege escalation | Permission changes, unusual access patterns | RBAC audit logs, access tracking | Permission revocation, session termination |
| OAuth token theft | Token usage patterns, scope changes | Token tracking, usage analysis | Token revocation, scope restriction |
| | Login attempt and token usage, IP address | Authentication pre-validation based on geolocation | Session invalidation, reauthentication |
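Brute force, credential stuffing, and geographic session changes are distinguished by how the same authentication events are grouped: failures per (source, account), distinct accounts per source, and country per session. The following added example (not code from the article) runs those three groupings over constructed auth log lines and session observations; the log line format is an assumption, and a non-matching line is included to show that unparseable input is dropped rather than silently treated as benign.

```python
"""Authentication-log detections: brute force, credential stuffing and
sessions that change location.

Added example, not code from the original article. The log lines, the
line format and the session records are all constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed auth log lines in the assumed format:
# <ISO time> auth login user=<name> src=<ip> result=ok|fail
LOG_LINES = """
2024-03-01T10:00:01Z auth login user=alice src=192.0.2.10 result=ok
2024-03-01T10:00:05Z auth login user=alice src=203.0.113.9 result=fail
2024-03-01T10:00:06Z auth login user=alice src=203.0.113.9 result=fail
2024-03-01T10:00:07Z auth login user=alice src=203.0.113.9 result=fail
2024-03-01T10:00:08Z auth login user=alice src=203.0.113.9 result=fail
2024-03-01T10:00:09Z auth login user=alice src=203.0.113.9 result=fail
2024-03-01T10:00:10Z auth login user=alice src=203.0.113.9 result=fail
2024-03-01T10:01:00Z auth login user=bob src=198.51.100.77 result=fail
2024-03-01T10:01:01Z auth login user=carol src=198.51.100.77 result=fail
2024-03-01T10:01:02Z auth login user=dave src=198.51.100.77 result=ok
2024-03-01T10:01:03Z auth login user=erin src=198.51.100.77 result=fail
2024-03-01T10:01:04Z auth login user=frank src=198.51.100.77 result=fail
2024-03-01T10:01:05Z auth login user=grace src=198.51.100.77 result=fail
this line is not an auth event and must be ignored
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Turn matching lines into dicts; lines that do not match are dropped
    rather than guessed at."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def brute_force(events, max_failures=5):
    """Brute force: repeated failures against one account from one source."""
    failures = Counter((e["src"], e["user"]) for e in events if e["result"] == "fail")
    return sorted(pair for pair, n in failures.items() if n >= max_failures)


def credential_stuffing(events, min_accounts=5, max_success_rate=0.2):
    """Credential stuffing: one source tries many distinct accounts, each
    only once or twice, with a low overall success rate."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = []
    for src, evs in by_src.items():
        accounts = {e["user"] for e in evs}
        rate = sum(e["result"] == "ok" for e in evs) / len(evs)
        if len(accounts) >= min_accounts and rate <= max_success_rate:
            flagged.append(src)
    return sorted(flagged)


# Constructed session observations: (session_id, timestamp_seconds, country).
SESSION_EVENTS = [
    ("sess-1", 0, "DE"), ("sess-1", 300, "DE"), ("sess-1", 600, "BR"),
    ("sess-2", 0, "US"), ("sess-2", 7200, "US"),
]


def sessions_changing_location(observations, window=3600):
    """Session hijacking signal: the same session seen from two countries
    within `window` seconds without re-authentication in between."""
    last = {}  # session -> (ts, country)
    flagged = set()
    for sess, ts, country in sorted(observations, key=lambda o: (o[0], o[1])):
        if sess in last:
            prev_ts, prev_country = last[sess]
            if country != prev_country and ts - prev_ts <= window:
                flagged.add(sess)
        last[sess] = (ts, country)
    return sorted(flagged)


if __name__ == "__main__":
    events = parse(LOG_LINES)
    print("brute force:", brute_force(events))
    print("credential stuffing:", credential_stuffing(events))
    print("location change:", sessions_changing_location(SESSION_EVENTS))
```

Note that the stuffing source is not caught by the brute-force rule and vice versa: it fails once per account, so no (source, account) pair reaches the failure threshold. That is why the table lists "login success rates across accounts" rather than raw failure counts as the stuffing signal.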
System-level attacks
System-level attacks target the underlying computing infrastructure, attempting to compromise hosts, containers, and system processes to gain persistent access or execute unauthorized code.
| Threat pattern | Key metrics/signals | Detection approach | Response actions |
|---|---|---|---|
| Malware activity | Process behavior, file system changes | System metric analysis | Process isolation, system quarantine |
| Rootkits | System call patterns, hidden process detection | Kernel metric analysis | System isolation, forced rebuild |
| Memory attacks | Memory usage patterns, buffer operations | Memory metric analysis | Process termination, patch deployment |
| Container escapes | Container resource usage, syscall patterns | Container metric analysis | Container isolation, host protection |
| Supply chain attacks | Package integrity, dependency changes | Build system metrics, artifact validation | Build pipeline lockdown, dependency validation |
Data and privacy attacks
Data-focused attacks aim to exfiltrate sensitive information, encrypt systems for ransom, or exploit system resources for unauthorized purposes like cryptocurrency mining.
| Threat pattern | Key metrics/signals | Detection approach | Response actions |
|---|---|---|---|
| Data exfiltration | Network traffic volumes, data access patterns | Traffic analysis, data access tracking | Connection termination, access blocking |
| Cryptojacking | CPU usage patterns, network connections | Resource utilization analysis | Process termination, mining detection |
| Ransomware | File system activity, encryption patterns | File system monitoring | System isolation, backup restoration |
| Side channel attacks | CPU cache usage, timing patterns | Hardware metric analysis | Process isolation, workload migration |
| Privacy violations | Data access patterns, PII exposure | Data access tracking | Access revocation, data masking |
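The ransomware row's "file system activity, encryption patterns" signal is concrete enough to implement from a host agent's file events: a single process rewriting many files with near-random content and renaming them in the same minute. The following added example (not from the article) scores written data by Shannon entropy and requires both signals together, since either alone has benign causes such as backup or compression jobs. The events and the (timestamp, pid, op, path, data) layout are constructed assumptions.

```python
"""File-system monitoring for ransomware-like activity: a process that
rewrites many files with high-entropy content and renames them.

Added example, not code from the original article. The file events are
constructed, and the (timestamp, pid, op, path, data) layout is an
assumption about what the host agent emits.
"""
import math
from collections import Counter, defaultdict

# Deterministic stand-ins for file contents: every byte value equally often
# gives exactly 8 bits/byte; repeated prose gives far less.
HIGH_ENTROPY = bytes(range(256)) * 4
PLAIN_TEXT = b"quarterly report, draft for review " * 30

# Constructed events: (timestamp, pid, op, path, data). op is "write" or
# "rename"; for renames, data holds the new path.
EVENTS = []
for i in range(12):
    doc = f"/home/u/docs/f{i}.docx"
    EVENTS.append((i, 4242, "write", doc, HIGH_ENTROPY))        # suspicious process
    EVENTS.append((i, 4242, "rename", doc, doc + ".locked"))
    EVENTS.append((i, 1001, "write", f"/home/u/notes/n{i}.txt", PLAIN_TEXT))  # editor


def shannon_entropy(data):
    """Bits per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_mass_encryption(events, window=60, min_files=10, entropy_floor=7.0):
    """Flag pids that, within one window, wrote high-entropy data to at least
    `min_files` distinct files and renamed at least `min_files` files."""
    writes = defaultdict(set)   # (pid, window) -> files with high-entropy writes
    renames = defaultdict(set)  # (pid, window) -> files renamed
    for ts, pid, op, path, data in events:
        key = (pid, ts // window)
        if op == "write" and shannon_entropy(data) >= entropy_floor:
            writes[key].add(path)
        elif op == "rename":
            renames[key].add(path)
    return sorted({pid for (pid, w) in writes
                   if len(writes[(pid, w)]) >= min_files
                   and len(renames[(pid, w)]) >= min_files})


if __name__ == "__main__":
    print("mass encryption suspects:", detect_mass_encryption(EVENTS))
```

Real agents do not ship whole file contents; they sample the first few kilobytes of each write, which is enough for the entropy estimate. The response column's "system isolation, backup restoration" is why this detection is worth running at the host rather than after central ingestion: the useful reaction window is the minute in which the rewrites happen.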
Pipeline architecture
Security monitoring pipeline architectures are increasingly responsible for adding vital threat intelligence and business context to raw telemetry data. To support this alongside other security use cases, effective security monitoring pipelines start with edge filtering to reduce noise and unnecessary data processing. Their architectures are specifically designed to support real-time processing capabilities and maintain scalable data ingestion pathways while context enrichment happens throughout the pipeline.
Pipeline implementation must balance multiple factors, including data retention requirements, which vary by data type and compliance needs. A well-constructed pipeline will provide the right data to downstream tools in an optimized way. For example, if Splunk's Common Information Model (CIM) and Palo Alto Networks (PAN) plug-ins are used, certain fields must be propagated, or the downstream analytics will fail.
Processing latency targets for pipelines should be defined based on threat detection requirements, while cost optimization strategies must account for data volume and processing needs.
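A pipeline stage that does what the paragraphs above describe has three responsibilities in order: drop noise at the edge, enrich with threat intelligence and context, and verify that the fields downstream analytics depend on are present before forwarding. The following is an added example and not code from the article or from any pipeline product; the events, the threat-intelligence list and the required field names are constructed assumptions, so the `REQUIRED_FIELDS` tuple should be replaced with whatever field set your SIEM's data model actually expects.

```python
"""A minimal telemetry-pipeline stage: edge filtering, enrichment, and a
schema check before events reach downstream analytics.

Added example, not code from the original article or from any pipeline
product. The events, the threat-intelligence list and the required field
names are constructed assumptions.
"""

# Constructed threat intelligence: source addresses with a known-bad tag.
THREAT_INTEL = {"203.0.113.9": "scanner", "198.51.100.77": "credential-stuffing"}

# Constructed required fields for the downstream model (assumption).
REQUIRED_FIELDS = ("time", "src", "user", "action")

# Constructed batch from a collector; the last event lacks "user".
BATCH = [
    {"time": "2024-03-01T10:00:01Z", "src": "192.0.2.10", "user": "alice",
     "action": "success", "path": "/login"},
    {"time": "2024-03-01T10:00:02Z", "src": "10.0.0.1", "user": "-",
     "action": "success", "path": "/healthz"},
    {"time": "2024-03-01T10:00:05Z", "src": "203.0.113.9", "user": "alice",
     "action": "failure", "path": "/login"},
    {"time": "2024-03-01T10:00:06Z", "src": "203.0.113.9",
     "action": "failure", "path": "/login"},
]


def is_noise(event):
    """Edge filtering: drop health checks before they cost processing or storage."""
    return event.get("path") == "/healthz"


def enrich(event):
    """Add threat-intel context at the edge; returns a new dict, leaving the input untouched."""
    tag = THREAT_INTEL.get(event.get("src"))
    return {**event, "threat_match": tag is not None, "threat_tag": tag}


def missing_fields(event):
    """Fields the downstream model needs that this event does not carry."""
    return [f for f in REQUIRED_FIELDS if f not in event]


def run_stage(batch):
    """Route each event to 'dropped', 'dead_letter' (would break downstream
    parsing) or 'siem'. Returns the routed events and a count per route."""
    routed = {"dropped": [], "dead_letter": [], "siem": []}
    for event in batch:
        if is_noise(event):
            routed["dropped"].append(event)
            continue
        missing = missing_fields(event)
        if missing:
            # Keep the event and the reason; silently forwarding it would
            # make the downstream failure hard to trace back to its cause.
            routed["dead_letter"].append({**event, "_missing": missing})
            continue
        routed["siem"].append(enrich(event))
    counts = {route: len(events) for route, events in routed.items()}
    return routed, counts


if __name__ == "__main__":
    _, counts = run_stage(BATCH)
    print("routed:", counts)
```

The dead-letter route is the piece most often skipped. Forwarding a malformed event is cheaper in the moment, but when a downstream model rejects it the failure surfaces as a missing alert rather than an error, which is the worst outcome for a security pipeline.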
Real-time analysis
Real-time security analysis requires performance tuning and filtering across the entire stack. This includes implementing strategic caching layers to reduce lookup times, deploying parallel processing for high-volume telemetry streams, and optimizing memory usage patterns. Processing at the edge and queue management become critical at scale, requiring careful balancing of processing throughput against resource utilization. This can be very complex to set up, and it’s difficult to maintain real-time response times. Thankfully, platforms like Onum, among others, make it easier to manage real-time distributed telemetry pipelines.
Cybersecurity tooling
Cybersecurity monitoring relies on a wide variety of custom tools for scanning, detection, and response. The table below summarizes the key areas of functionality and provides examples of representative tools for each category.
| Tool category | Tool example |
|---|---|
| Log aggregation and SIEM solutions, which can help centralize logs for analysis | |
| Telemetry data collection | OpenTelemetry and Fluentd |
| Solutions designed to monitor network traffic for anomalies | |
| Intrusion detection systems to identify threats | |
| Behavioral analytics tools to detect anomalies | |
| Threat intelligence tools | MISP and AlienVault OTX |
| SOAR tools to automate incident management | |
| IAM solutions to enforce authentication | |
| Open-source container security tools to monitor runtime activity and vulnerabilities | |
| Transforming, analyzing, and transporting telemetry data in real time | |
Collaboration and scaling
Security monitoring requires deep collaboration among security, development, and operations teams. This includes establishing shared monitoring practices, coordinating incident response procedures, and maintaining consistent tooling across teams. Knowledge- and data-sharing processes must be formalized, especially around instrumentation design, detection engineering, and threat response. Inter-team communication can be much smoother if everyone has the same context and talks about the same underlying data.
Standardizing methodologies across teams minimizes blind spots, reduces detection gaps, and accelerates resolution times.
Effective collaboration prevents redundant investigations and reduces time wasted on false alarms triggered by legitimate activities from other teams. A shared observability stack fosters transparency, providing consistent access to relevant telemetry and security insights for all teams. As organizations scale, leveraging a unified platform ensures the seamless integration of security capabilities without requiring each team to develop bespoke solutions, which makes scaling across the organization much smoother. Cross-functional alignment on security observability promotes efficiency, reduces operational overhead, and enables proactive threat mitigation across the organization.
Last thoughts
In this article, we have explored various cybersecurity threats, from network intrusions and application vulnerabilities to authentication exploits and data breaches. These threats pose real risks, and history has shown that even the largest organizations are not immune. Below are a few examples:
| Threat | Description |
|---|---|
| Change Healthcare Ransomware Attack (February 2024) | Change Healthcare, a major medical billing provider, was attacked by an affiliate with ransomware. The attackers encrypted files and exfiltrated the protected health information of approximately 190 million individuals. Alarmingly, this breach alone constituted 69% of the healthcare sector's compromised records that year. |
| Snowflake Customer Data Breach (Mid-2024) | Scattered Spider, a hacking group, compromised the data of more than 100 clients of the cloud storage platform Snowflake Inc. Among the affected were AT&T, Ticketmaster, and Santander Bank. The stolen information ranged from personally identifiable details to banking records and customer call logs, making this one of the largest breaches on record. |
| 23andMe Data Breach (October 2023) | A credential stuffing attack, leveraging reused passwords, allowed a cybercriminal to initially access roughly 14,000 23andMe user accounts. This breach then spread due to interconnected features, ultimately exposing the sensitive personal and genetic data of about 5.5 million users and 1.4 million other profiles. The announcement of this major security incident closely preceded news of 23andMe's potential business failure. |
| North Korea's Cryptocurrency Exchange Hack (February 2025) | The $1.5 billion virtual asset theft from ByBit, for which the FBI holds North Korea responsible, serves as a stark reminder of the advanced cybercrime threats posed by nation-states. It also brings to light North Korea's use of these sophisticated attacks to generate funds for its nuclear and ballistic missile programs. |
By extending existing observability practices with security-focused tools and proactive monitoring, you can detect and mitigate threats before they escalate.
We have shown that effective cybersecurity monitoring doesn't require an entirely separate toolset from your observability platform. By extending existing monitoring practices with security-focused collectors and processors, you can achieve comprehensive threat detection while reducing costs and maintaining operational efficiency. It’s essential to use a powerful analytics tool to extract cybersecurity metrics from your observability stack efficiently, so we recommend a tool like Onum to solve the complexity of integration. A well-integrated observability stack and advanced analytics tools ensure real-time threat detection and the best attack protection.