Collecting logs is easy. Every operating system, application, and network device generates them by default. Most organisations have terabytes of log data sitting in SIEM platforms and log management solutions. And most of that data has never been reviewed by a human being.
The gap between logging and monitoring is where attackers operate. They know that generating a log entry doesn’t mean anyone will see it. As long as they don’t trigger automated alerts, they can dwell in your environment for months without detection.
The Dwell Time Problem
Industry reports consistently show that the average time between initial compromise and detection exceeds 200 days for many organisations. During that time, attackers establish persistence, escalate privileges, map the network, and position themselves for data exfiltration or ransomware deployment.
Every one of those activities generates log entries. Failed authentication attempts, service account usage outside normal hours, lateral movement between systems, and unusual data access patterns all leave traces in your logs. But traces are only useful if someone’s looking for them.
William Fieldhouse, Director of Aardwolf Security Ltd, comments: “We frequently complete entire penetration testing engagements, including Active Directory compromise, lateral movement across multiple systems, and data exfiltration, without triggering a single alert. The logs existed. Nobody was watching them.”

What Effective Monitoring Looks Like
Effective security monitoring starts with knowing what to look for. Correlate authentication failures with subsequent successes from the same source. Alert on privileged account usage outside business hours. Monitor for tools commonly associated with lateral movement, like PsExec and PowerShell remoting. Track DNS queries to newly registered domains.
These detections don’t require expensive AI-powered platforms. They require someone who understands attack techniques to build meaningful alert rules and someone to investigate when those alerts fire.
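Two of the detections named above, the "failures followed by a success from the same source" correlation and the "privileged account used outside business hours" rule, written out as plain rules over a few constructed log lines. This is an added example, not code from the article or from Aardwolf Security; the log format, field names, privileged-account list, business-hours window, and thresholds are all assumptions chosen for illustration.

```python
"""Simple detection rules over authentication events (added example).

Log format, field names, the privileged-account list, the business-hours
window and the thresholds below are assumptions, not from the article.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one per line:
#   "<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T09:01:10 FAIL user=alice src=10.0.0.5
2024-03-04T09:01:12 FAIL user=alice src=10.0.0.5
2024-03-04T09:01:15 FAIL user=bob src=10.0.0.5
2024-03-04T09:01:17 FAIL user=carol src=10.0.0.5
2024-03-04T09:01:19 FAIL user=dave src=10.0.0.5
2024-03-04T09:01:25 SUCCESS user=dave src=10.0.0.5
2024-03-04T10:15:00 FAIL user=erin src=10.0.0.9
2024-03-04T10:15:30 SUCCESS user=erin src=10.0.0.9
2024-03-04T23:42:07 SUCCESS user=svc_backup src=10.0.0.20
2024-03-04T14:00:00 SUCCESS user=svc_backup src=10.0.0.20
"""

PRIVILEGED_ACCOUNTS = {"svc_backup", "administrator"}  # assumed list
BUSINESS_HOURS = (8, 18)      # assumed: 08:00 to 17:59 local time
FAILURE_THRESHOLD = 5         # assumed: failures before a success is suspicious
WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_failures_then_success(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Alert when one source IP produces >= threshold failures inside `window`
    and then a successful logon. Failures are counted per source rather than
    per user, so a spray across many accounts is correlated as well."""
    recent_failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire old failures
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        elif ev["result"] == "SUCCESS" and len(q) >= threshold:
            alerts.append({
                "rule": "failures_then_success",
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "ts": ev["ts"],
            })
            q.clear()   # one alert per burst
    return alerts


def detect_privileged_off_hours(events, privileged=PRIVILEGED_ACCOUNTS, hours=BUSINESS_HOURS):
    """Alert on any successful logon by a privileged account outside business hours."""
    start, end = hours
    alerts = []
    for ev in events:
        if ev["result"] != "SUCCESS" or ev["user"] not in privileged:
            continue
        if not (start <= ev["ts"].hour < end):
            alerts.append({
                "rule": "privileged_off_hours",
                "src": ev["src"],
                "user": ev["user"],
                "ts": ev["ts"],
            })
    return alerts


def run_detections(text):
    """Parse the log once and run every rule; returns the combined alert list."""
    events = parse_log(text)
    return detect_failures_then_success(events) + detect_privileged_off_hours(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the sample above the first rule fires once for 10.0.0.5 (five failures across four accounts, then a success as dave), the single failure from 10.0.0.9 stays below the threshold, and the second rule fires only for the 23:42 svc_backup logon, not the 14:00 one. Both rules are a few dozen lines and need no machine learning; what they do need is a correct list of privileged accounts and a threshold tuned against your own baseline, which is the weekly review work the article describes.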
Testing Your Detection Capability
Both internal and external network penetration testing provide an opportunity to test whether your monitoring detects realistic attack activity. Work with your testing provider to coordinate purple team exercises in which the penetration testers execute specific techniques while your security team attempts to detect and respond to them.
The results reveal exactly where your monitoring has gaps. Perhaps you detect initial access but miss lateral movement. Perhaps you catch credential stuffing but not Kerberoasting. Each gap becomes a specific improvement to your detection rules.
Starting Small and Improving
You don’t need to monitor everything on day one. Start with your most critical assets. Build detections for the most common attack techniques. Review and tune your alerts weekly to reduce false positives. And gradually expand your coverage as your team’s capability grows.
Perfect monitoring is a myth. But effective monitoring, where you detect and investigate suspicious activity within hours rather than months, is achievable and dramatically reduces the damage an attacker can do.
