Security Monitoring
The continuous, 24/7/365 practice of observing systems, networks, and applications for signs of security threats. Because attackers operate at all hours, monitoring that is not continuous leaves predictable windows of unobserved access. Effective security monitoring covers authentication events, network traffic, application behavior, and infrastructure activity, with the goal of detecting threats early enough to respond before significant damage occurs. It is an operational discipline, not a product — it requires people, processes, and tools working together continuously.
Authentication Monitoring
Watching login events for anomalies that may indicate unauthorized access attempts. Key indicators: logins from geographic locations with no organizational presence; authentication attempts outside normal business hours; repeated failed logins followed by a successful one (potential brute force); and sudden account activity after a long dormancy period. Authentication monitoring is the most direct way to detect credential attacks, account takeovers, and insider threats accessing accounts at unusual times or locations.
SIEM (Security Information and Event Management)
A centralized platform that aggregates log data from multiple sources — servers, firewalls, routers, switches, VPN concentrators, cloud services, storage systems — into a single database for analysis, correlation, and reporting. Also referred to as SEM (Security Event Manager). The SIEM's defining capability is correlation: connecting events across disparate systems that would not appear related when viewed in isolation. A SIEM can link a VPN authentication event to subsequent internal file access, compare authentication failure patterns across dozens of servers simultaneously, and baseline data transfer volumes to alert on anomalous spikes. It is the operational center of gravity for security monitoring in most organizations.
Log Aggregation
The process of collecting log data from diverse systems and consolidating it into a central repository for unified analysis. Without aggregation, security logs from firewalls, servers, endpoints, and cloud services exist in different formats, in different locations, and are reviewed separately — making cross-system attack patterns invisible. Log aggregation is the foundational function of a SIEM. It enables correlation, unified reporting, and long-term archiving from a single location.
Correlation (SIEM)
The SIEM capability that connects events from different data sources to identify patterns that no single log would reveal. Examples: correlating 200 failed logins across 30 servers from the same IP to identify brute force; correlating a VPN login from an unusual location with large file access volume to identify a potential credential compromise and exfiltration; correlating a spike in outbound traffic with a recently disclosed C2 callback signature. Correlation is what transforms raw log data into meaningful threat detection.
Continuous Scanning
Active, ongoing queries against network-connected devices to maintain a current inventory of their security-relevant properties: operating system types and versions, installed applications, device driver versions, and configuration anomalies. Unlike point-in-time scans, continuous scanning keeps the asset database current as devices join and leave the network, software is installed and removed, and patches are applied. The database produced by continuous scanning is the foundation for rapid vulnerability analysis when a new CVE is disclosed.
Actionable Reports
Security reports designed to answer not just "what is the current state?" but "what should we do next?" An actionable report identifies systems out of compliance, devices running vulnerable software versions, or users with anomalous access patterns — and frames the output in terms of specific follow-on actions. Contrast with informational reports that describe status without identifying next steps. Actionable reporting is the goal of security monitoring data analysis: collected data has no security value unless it drives decisions and actions.
Ad Hoc Reporting
On-demand, customized reports generated in response to specific, often unanticipated needs. In security monitoring, ad hoc reports support: investigating a newly disclosed vulnerability (how many systems run the affected version?), analyzing a user's historical access during an incident investigation, projecting future exposure (how many systems will be vulnerable when this OS reaches end-of-life in six months?). Ad hoc reporting requires a continuously-updated scan and log database so that queries against current and historical data can be answered immediately.
Archiving (Security Logs)
Retaining security log data over an extended period to support forensic investigation, compliance audits, and legal proceedings. The IBM Security 2022 report documented that organizations take an average of nine months to identify and contain a breach — meaning logs must be retained for at least that long for historical evidence to be available when a breach is finally discovered. Many organizations are also legally required to retain security records for specific periods under state law, federal regulations (HIPAA, PCI-DSS, SOX), or industry frameworks. Insufficient retention destroys evidence of breaches that were not detected in real time.
Alerting
Real-time notification of security events that require immediate human attention. Alert triggers include: increases in authentication failures, anomalous data transfer volumes, malware detections, and firewall rule changes. Delivery methods include SMS/text (immediate awareness for on-call personnel), email (detail and documentation), and SOC console (systematic triage for security operations teams). Effective alerting gets actionable information to the right people fast enough to respond before an incident escalates. The challenge: alerts must be accurate — too many false positives cause alert fatigue and missed real threats.
Quarantine
The foundational initial containment response to a confirmed or suspected security incident. Quarantining a system removes it from normal network communication, preventing an attacker who has compromised it from pivoting to additional systems and preventing the system from receiving further command-and-control instructions. Quarantine stops the spread while preserving the system for forensic investigation. It is the first action taken when a host is confirmed compromised, ahead of remediation — the priority is containment, then analysis, then cleanup.
Alert Tuning
The ongoing process of calibrating alerting thresholds and rules to maximize accurate detection of real threats while minimizing false positives and false negatives. A poorly tuned alert system produces either too many false positives (analysts become desensitized to alerts and miss real ones in the noise) or too many false negatives (real threats are not alerted on at all). Alert tuning is never finished — as the network evolves, new attack patterns emerge, and the organization's understanding of its baseline behavior improves, alert rules require continuous refinement.