The Onum Blog
2025-05-06T21:00:00+01:00 (15 min read)

Cybersecurity Monitoring: Patterns, Metrics, Tools & Architecture

Learn how to integrate observability tools and telemetry pipelines for cybersecurity monitoring, leveraging existing infrastructure and collaborating with DevOps teams for success.

Onum

Cybersecurity monitoring is a subset of observability that focuses on detecting and responding to security threats using your telemetry data. While observability uses telemetry to provide insights into overall system behavior, performance, and reliability, cybersecurity monitoring applies these same principles and tools to enable cyber threat detection. This targeted use of existing observability tools can help eliminate the need for parallel or specialized monitoring systems; the telemetry sources that help debug your performance and error issues can also detect security incidents. 

This article explains how to use your observability stack and telemetry pipeline for cybersecurity monitoring and covers cyber attacks, threat detection patterns, and metrics relevant to cybersecurity.

Summary of key cybersecurity monitoring concepts

| Concept | Description |
|---|---|
| Taking an integrated approach | Integrate observability tools to augment cybersecurity telemetry and maximize the benefits of cybersecurity monitoring systems. |
| Threats and detection response | Cyber attacks target five main layers: network (infrastructure attacks), web (application attacks), identity (authentication attacks), host (system-level attacks), and data (privacy attacks). Each attack type has distinct patterns in telemetry data that enable detection using monitoring tools. |
| Pipeline architecture | Telemetry pipelines are required to scale the processing of metrics, events, logs, and traces (MELT) in large enterprises. They enable real-time filtering and processing at the edge. |
| Real-time analysis | Use an approach that guarantees real-time enrichment and analysis of telemetry, so that detection itself happens in real time. |
| Cybersecurity tooling | Various tools are required for detecting and preventing cyber attacks. Security response and enforcement tools are needed to implement protective measures, such as container security and network segmentation. |
| Collaboration and scaling | Collaborate with DevOps teams to leverage the tools already in place for performance monitoring and observability (metrics, events, traces, and logs). |

Taking an integrated approach to cybersecurity monitoring

Many companies maintain separate tooling for cybersecurity monitoring and observability, leading to duplicated effort, increased cost, and fragmented visibility. This separation stems from historical practices where security teams operated independently from operations and engineering teams. However, the telemetry needed for cybersecurity monitoring largely overlaps with performance and reliability monitoring; the difference lies primarily in how this data is viewed, analyzed, and acted upon.

A more integrated approach leverages the existing observability infrastructure for security use cases. For example, the same distributed tracing data that helps debug service latency issues can identify unusual access patterns or potential data exfiltration attempts. Application metrics that track error rates and resource utilization can be used for performance monitoring and denial-of-service detection. Log aggregation systems collect application errors for developers and are equally valuable for detecting injection attempts and application attacks.

Success with this integrated approach requires organizational changes alongside technical ones. Security teams must collaborate closely with platform and operations teams, sharing access, tools, and practices rather than maintaining separate stacks. This means joint planning for telemetry collection, shared access to observability platforms, and coordinated incident response procedures. While security teams may still maintain specialized tools for particular needs like threat intelligence and vulnerability scanning, the core observability infrastructure becomes a shared resource serving multiple teams' needs.

The shift toward infrastructure as code and automated deployments further reinforces this integration. Security controls and monitoring standards can be embedded directly into service definitions and deployment pipelines, making security observability a built-in feature rather than an afterthought. This “shift-left” approach to security ensures:

  • Comprehensive coverage

  • Minimized operational overhead

  • True real-time monitoring and the ability to act

Shifting left from analytics platforms enables faster response to high-priority issues.


Threats and detection response

Cyber attacks target systems at multiple layers:

  • Network infrastructure (DDoS, port scanning, DNS attacks)

  • Application layer (injection attacks, API abuse)

  • Authentication systems (credential attacks, session hijacking)

  • System level (malware, rootkits, container escapes)

  • Data layer (SQL injection, exfiltration, ransomware, privacy violations)

We will examine each threat's key observability metrics and detection approaches. Analyzing these signals, ideally in real time and at the front-facing edge of your infrastructure, is essential to protecting against cyber attacks. 

Network and infrastructure attacks

Network infrastructure attacks target the foundational layers of connectivity, attempting to disrupt service availability or gain unauthorized network access through protocol and routing manipulation. 

The following table examines the different threat patterns and their metrics/responses. We’ll use this format to review all the different types of threats.

| Threat pattern | Key metrics/signals | Detection approach | Response actions |
|---|---|---|---|
| DDoS attacks | Request rate, error rate, resource utilization, geographic distribution | Traffic pattern analysis, baseline deviation | Rate limiting, traffic filtering, CDN failover |
| Port scanning | Connection attempts across ports, failed connection rate | Pattern detection in network flows | Dynamic firewall rules, IP blocking |
| DNS attacks | DNS query patterns, response sizes, and NXDomain rates | Anomaly detection in DNS metrics | Query filtering, DNS response policy zones |
| ARP spoofing | ARP request/reply patterns, MAC address changes | Network flow analysis | Port security, DHCP snooping |
| BGP hijacking | Route announcements, AS path changes | BGP update monitoring | Route filtering, RPKI validation |
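As an added illustration (not code from the original post), here is how two rows of this table, port scanning and DDoS baseline deviation, translate into detection logic over constructed flow records and per-minute request counts. The record layout, the thresholds, and the z-score cut-off are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records for illustration: (src_ip, dst_port, status, minute).
FLOWS = (
    # one source walking 40 ports, almost all refused: the port-scan signature
    [("10.0.0.5", p, "failed", 1) for p in range(20, 60)]
    + [("10.0.0.5", 80, "ok", 1)]
    # a normal client: a couple of ports, connections succeed
    + [("10.0.0.9", 443, "ok", 1), ("10.0.0.9", 443, "ok", 1), ("10.0.0.9", 80, "ok", 1)]
)

def detect_port_scans(flows, min_ports=20, min_fail_ratio=0.8):
    """Flag sources that touch many distinct ports with a high failed-connection rate."""
    ports, attempts, failed = defaultdict(set), defaultdict(int), defaultdict(int)
    for src, port, status, _minute in flows:
        ports[src].add(port)
        attempts[src] += 1
        failed[src] += status == "failed"
    return sorted(
        src for src in ports
        if len(ports[src]) >= min_ports and failed[src] / attempts[src] >= min_fail_ratio
    )

# Constructed per-minute request counts: a steady baseline (mean 1000, small spread).
BASELINE_RPM = [980, 1010, 995, 1020, 990, 1005, 1000, 985, 1015, 1000]

def rate_anomaly(baseline, current, z_threshold=3.0):
    """Baseline-deviation check for DDoS: z-score of the current minute vs. the trailing window.

    Returns (is_anomalous, z). A flat baseline (sigma == 0) treats any change as a deviation.
    """
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return current != mu, float("inf") if current != mu else 0.0
    z = (current - mu) / sigma
    return z >= z_threshold, round(z, 2)
```

In a real pipeline both checks run over a sliding time window rather than a whole batch, and the flagged sources feed the response actions in the table (dynamic firewall rules, rate limiting).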

Application-layer attacks

These attacks exploit vulnerabilities in web applications and APIs, attempting to manipulate application logic, inject malicious code, or abuse application functionality.

| Threat pattern | Key metrics/signals | Detection approach | Response actions |
|---|---|---|---|
| SQL injection | Query patterns, error rates, and query complexity | Trace analysis, query metrics | Query blocking, WAF rules |
| XSS attacks | Script injection patterns, DOM mutations | Request/response content analysis | Content filtering, CSP headers |
| CSRF attacks | Request origin patterns, token validation | Session tracking, token verification | Token validation, origin checks |
| File upload attacks | File type distribution, upload sizes, metadata | Content analysis, behavior patterns | Upload blocking, sandbox analysis |
| API abuse | Endpoint usage patterns, error rates, and request volumes | Request rate analysis, payload inspection | Rate limiting, API key rotation |

Authentication and access attacks

Authentication attacks focus on compromising user identities and access controls, using techniques ranging from brute-force attempts to sophisticated session manipulation.

| Threat pattern | Key metrics/signals | Detection approach | Response actions |
|---|---|---|---|
| Brute force | Login attempt rates, failure patterns | Pattern detection in auth logs | Progressive delays, account lockdown |
| Credential stuffing | Login success rates across accounts | Behavioral analysis, IP reputation | IP blocking, MFA enforcement |
| Session hijacking | Session reuse patterns, geographic changes | Session tracking analysis | Session invalidation, reauthentication |
| Privilege escalation | Permission changes, unusual access patterns | RBAC audit logs, access tracking | Permission revocation, session termination |
| OAuth token theft | Token usage patterns, scope changes | Token tracking, usage analysis | Token revocation, scope restriction |
| Impossible travel | Login attempt and token usage, IP address | Authentication pre-validation based on geolocation | Session invalidation, reauthentication |
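Added example, not part of the original article: the brute-force, credential-stuffing, and impossible-travel rows above as detection logic over constructed auth log lines. The line format, the thresholds, and the 900 km/h travel limit are assumptions, and the lat/lon fields are assumed to have been attached by an upstream geolocation enrichment step.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed auth log lines (not from any real system): "timestamp key=value key=value ...".
AUTH_LOG = (
    # one source hammering one account: brute force
    [f"2025-05-06T10:00:{i:02d}Z user=alice src=198.51.100.7 result=fail lat=40.4 lon=-3.7" for i in range(8)]
    # one source trying five accounts with a single success: credential stuffing
    + [f"2025-05-06T10:05:0{i}Z user={u} src=203.0.113.9 result={r} lat=51.5 lon=-0.1" for i, (u, r)
       in enumerate([("bob", "fail"), ("carol", "fail"), ("dave", "ok"), ("erin", "fail"), ("frank", "fail")])]
    # one user succeeding from Madrid, then San Francisco 30 minutes later: impossible travel
    + ["2025-05-06T11:00:00Z user=grace src=192.0.2.10 result=ok lat=40.4 lon=-3.7",
       "2025-05-06T11:30:00Z user=grace src=192.0.2.77 result=ok lat=37.8 lon=-122.4"]
)

def parse(lines):
    """Split 'timestamp k=v k=v ...' lines into dicts carrying a datetime under 'ts'."""
    return [{"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
             **dict(kv.split("=", 1) for kv in rest.split())}
            for ts, rest in (line.split(" ", 1) for line in lines)]

def brute_force(events, threshold=5):
    """(user, src) pairs with at least `threshold` failed logins in the batch."""
    fails = defaultdict(int)
    for e in events:
        fails[(e["user"], e["src"])] += e["result"] == "fail"
    return sorted(k for k, n in fails.items() if n >= threshold)

def credential_stuffing(events, min_accounts=4, max_success=0.5):
    """Sources spraying logins across many accounts with a low success rate."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append((e["user"], e["result"] == "ok"))
    return sorted(s for s, hits in per_src.items()
                  if len({u for u, _ in hits}) >= min_accounts
                  and sum(ok for _, ok in hits) / len(hits) <= max_success)

def km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, max_kmh=900):
    """Users whose consecutive successful logins imply travel faster than `max_kmh`."""
    last, hits = {}, []
    for e in sorted((e for e in events if e["result"] == "ok"), key=lambda e: e["ts"]):
        pos = (float(e["lat"]), float(e["lon"]))
        if e["user"] in last:
            t0, p0 = last[e["user"]]
            if km(p0, pos) > max_kmh * (e["ts"] - t0).total_seconds() / 3600:
                hits.append(e["user"])
        last[e["user"]] = (e["ts"], pos)
    return hits
```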

System-level attacks

System-level attacks target the underlying computing infrastructure, attempting to compromise hosts, containers, and system processes to gain persistent access or execute unauthorized code.

| Threat pattern | Key metrics/signals | Detection approach | Response actions |
|---|---|---|---|
| Malware activity | Process behavior, file system changes | System metric analysis | Process isolation, system quarantine |
| Rootkits | System call patterns, hidden process detection | Kernel metric analysis | System isolation, forced rebuild |
| Memory attacks | Memory usage patterns, buffer operations | Memory metric analysis | Process termination, patch deployment |
| Container escapes | Container resource usage, syscall patterns | Container metric analysis | Container isolation, host protection |
| Supply chain attacks | Package integrity, dependency changes | Build system metrics, artifact validation | Build pipeline lockdown, dependency validation |

Data and privacy attacks

Data-focused attacks aim to exfiltrate sensitive information, encrypt systems for ransom, or exploit system resources for unauthorized purposes like cryptocurrency mining.

| Threat pattern | Key metrics/signals | Detection approach | Response actions |
|---|---|---|---|
| Data exfiltration | Network traffic volumes, data access patterns | Traffic analysis, data access tracking | Connection termination, access blocking |
| Cryptojacking | CPU usage patterns, network connections | Resource utilization analysis | Process termination, mining detection |
| Ransomware | File system activity, encryption patterns | File system monitoring | System isolation, backup restoration |
| Side channel attacks | CPU cache usage, timing patterns | Hardware metric analysis | Process isolation, workload migration |
| Privacy violations | Data access patterns, PII exposure | Data access tracking | Access revocation, data masking |

Pipeline architecture

Security monitoring pipeline architectures are increasingly responsible for adding vital threat intelligence and business context to raw telemetry data. To support this alongside other security use cases, effective security monitoring pipelines start with edge filtering to reduce noise and unnecessary data processing. Their architectures are specifically designed to support real-time processing capabilities and maintain scalable data ingestion pathways while context enrichment happens throughout the pipeline.

Pipeline implementation must balance multiple factors, including data retention requirements, which vary by data type and compliance needs. A well-constructed pipeline will provide the right data to downstream tools in an optimized way. For example, if Splunk's Common Information Model (CIM) and Palo Alto Networks (PAN) plug-ins are used, certain fields must be propagated, or the downstream analytics will fail.

Processing latency targets for pipelines should be defined based on threat detection requirements, while cost optimization strategies must account for data volume and processing needs.
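Added example (not Onum's code): a minimal pipeline stage that applies the three ideas in this section, edge filtering of noise, enrichment with threat intelligence and business context, and a required-field check so that schema-incomplete records are quarantined instead of silently breaking downstream analytics. The lookups, the noise set, and the required-field list are constructed placeholders; the field names mirror a CIM-style network-traffic model only as an illustration.

```python
# Constructed lookups for illustration (placeholder values, not real indicators or assets).
THREAT_INTEL = {"203.0.113.50": "known-scanner"}
ASSET_OWNER = {"10.0.0.20": "payments-team"}
# Illustrative subset of fields a downstream data model (CIM-style network traffic) depends on.
REQUIRED_FIELDS = ("src", "dest", "dest_port", "action")
NOISE = {"health-check", "heartbeat"}

def edge_filter(event):
    """Drop high-volume, low-value events before they consume pipeline capacity."""
    return event.get("msg") not in NOISE

def enrich(event):
    """Attach threat intelligence and business context; returns a new dict."""
    out = dict(event)
    tag = THREAT_INTEL.get(out.get("src"))
    if tag:
        out["threat_tag"] = tag
    owner = ASSET_OWNER.get(out.get("dest"))
    if owner:
        out["asset_owner"] = owner
    return out

def missing_fields(event):
    """Fields the downstream analytics need but the record lacks."""
    return [f for f in REQUIRED_FIELDS if f not in event]

def process(events):
    """Edge filter -> enrich -> schema check; returns (forwarded, quarantined, dropped_count)."""
    forwarded, quarantined, dropped = [], [], 0
    for ev in events:
        if not edge_filter(ev):
            dropped += 1
            continue
        ev = enrich(ev)
        if missing_fields(ev):
            quarantined.append(ev)  # dead-letter route: repair rather than break downstream tools
        else:
            forwarded.append(ev)
    return forwarded, quarantined, dropped

# Constructed sample records.
SAMPLE = [
    {"msg": "health-check", "src": "10.0.0.1", "dest": "10.0.0.20", "dest_port": 443, "action": "allowed"},
    {"msg": "conn", "src": "203.0.113.50", "dest": "10.0.0.20", "dest_port": 22, "action": "blocked"},
    {"msg": "conn", "src": "192.0.2.8", "dest": "10.0.0.20"},  # schema-incomplete record
]
```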

Real-time analysis

Real-time security analysis requires performance tuning and filtering across the entire stack. This includes implementing strategic caching layers to reduce lookup times, deploying parallel processing for high-volume telemetry streams, and optimizing memory usage patterns. Processing at the edge and queue management become critical at scale, requiring careful balancing of processing throughput against resource utilization. This can be very complex to set up, and it’s difficult to maintain real-time response times. Thankfully, platforms like Onum, among others, make it easier to manage real-time distributed telemetry pipelines. 

Cybersecurity tooling

Cybersecurity monitoring relies on a wide variety of custom tools for scanning, detection, and response. The table below summarizes the key areas of functionality and provides examples of representative tools for each category. 

| Tool category | Tool examples |
|---|---|
| Log aggregation and SIEM solutions that centralize logs for analysis | ELK Stack, Graylog, Splunk, Wazuh, and Devo |
| Telemetry data collection | OpenTelemetry and Fluentd |
| Network traffic monitoring for anomalies | Zeek and Suricata |
| Intrusion detection systems that identify threats | Snort |
| Behavioral analytics tools that detect anomalies | Exabeam |
| Threat intelligence tools | MISP and AlienVault OTX |
| SOAR tools that automate incident management | TheHive, Shuffle, Tines, and Torq |
| IAM solutions that enforce authentication | Authelia |
| Open-source container security tools that monitor runtime activity and vulnerabilities | Falco and Trivy |
| Real-time transformation, analysis, and transport of telemetry data | Onum |

Collaboration and scaling

Security monitoring requires deep collaboration among security, development, and operations teams. This includes establishing shared monitoring practices, coordinating incident response procedures, and maintaining consistent tooling across teams. Knowledge- and data-sharing processes must be formalized, especially around instrumentation design, detection engineering, and threat response. Inter-team communication can be much smoother if everyone has the same context and talks about the same underlying data. 

Standardizing methodologies across teams minimizes blind spots, reduces detection gaps, and accelerates resolution times.

Effective collaboration prevents redundant investigations and reduces time wasted on false alarms triggered by legitimate activities from other teams. A shared observability stack fosters transparency, providing consistent access to relevant telemetry and security insights for all teams. As organizations scale, a unified platform integrates security capabilities seamlessly without requiring each team to develop bespoke solutions, which also makes scaling across the organization much smoother. Cross-functional alignment on security observability promotes efficiency, reduces operational overhead, and enables proactive threat mitigation across the organization.

Last thoughts

In this article, we have explored various cybersecurity threats, from network intrusions and application vulnerabilities to authentication exploits and data breaches. These threats pose real risks, and history has shown that even the largest organizations are not immune. Below are a few examples:

| Threat | Description |
|---|---|
| Change Healthcare Ransomware Attack (February 2024) | Change Healthcare, a major medical billing provider, was attacked by an affiliate with ransomware. The attackers encrypted files and exfiltrated the protected health information of approximately 190 million individuals. Alarmingly, this breach alone constituted 69% of the healthcare sector's compromised records that year. |
| Snowflake Customer Data Breach (Mid-2024) | Scattered Spider, a hacking group, compromised the data of more than 100 clients of the cloud storage platform Snowflake Inc. Among the affected were AT&T, Ticketmaster, and Santander Bank. The stolen information ranged from personally identifiable details to banking records and customer call logs, making this one of the largest breaches on record. |
| 23andMe Data Breach (October 2023) | A credential stuffing attack, leveraging reused passwords, allowed a cybercriminal to initially access roughly 14,000 23andMe user accounts. This breach then spread due to interconnected features, ultimately exposing the sensitive personal and genetic data of about 5.5 million users and 1.4 million other profiles. The announcement of this major security incident closely preceded news of 23andMe's potential business failure. |
| North Korea's Cryptocurrency Exchange Hack (February 2025) | The $1.5 billion virtual asset theft from ByBit, for which the FBI holds North Korea responsible, serves as a stark reminder of the advanced cybercrime threats posed by nation-states. It also brings to light North Korea's use of these sophisticated attacks to generate funds for its nuclear and ballistic missile programs. |

By extending existing observability practices with security-focused tools and proactive monitoring, you can detect and mitigate threats before they escalate.

We have shown that effective cybersecurity monitoring doesn't require an entirely separate toolset from your observability platform: extending existing monitoring practices with security-focused collectors and processors gives you comprehensive threat detection while reducing costs and maintaining operational efficiency. It is essential to use a powerful analytics tool to extract cybersecurity metrics from your observability stack efficiently, so we recommend a tool like Onum to solve the complexity of integration. A well-integrated observability stack and advanced analytics tools ensure real-time threat detection and the best attack protection.
