Observability in Cyber Security: see more, react better

April 1, 2025

Diego Espitia, Telefónica Tech Colombia

The digital complexity of the services implemented in organizations today, and their relationship with the business, is a challenge that traditional methods are struggling to manage. As a result, organizations have faced obstacles in ensuring data visibility across processes, proactively managing security, and at the same time delivering a satisfactory experience to both their customers and their employees.

The hope of managing this enormous amount of information has turned to AI, which, while here to stay, still lacks maturity in some critical aspects of analytics and automation strategies for its implementation to meet all the observability needs required.

A couple of years ago we talked about what observability is and how the ability to understand each fragment of a digital process, through telemetry, lets us observe normal behaviors and detect anomalies in the different components. Translated to the field of cyber security, this concept provides an improved context for more effective incident response.

Observability in cyber security allows organizations to detect and react effectively to anomalies in digital processes.

Security observability

This is a relatively novel approach, which leverages today's ability to nimbly handle large volumes of data in order to detect anomalous behavior in every component of a digital process. This includes not only traditional network or service components, but also newer ones such as containers, cloud management platforms, code segments, DevSecOps pipelines and user behavior, among others.

This approach goes beyond traditional monitoring and helps information security teams to capture, through relational analytics, the impact of security event detections on the quality of the services offered, and thus on the achievement of business objectives. Some of the main characteristics of this approach are:

  • Through the traces and metrics of each fragment of a digital process it is possible to understand not only what has happened, as traditional monitoring reports, but why it happened and how the systems interacted, which facilitates the detection of both known and unknown threats.
  • More comprehensive collection of events, transformed into near real-time telemetry of IT infrastructure components, both in traditional networks and in the cloud, as well as from microservices and application data.
  • The ability to give context to incidents and to the resources associated with a threat, by relating digital processes to the deployed and monitored technologies. The key lies in understanding the interaction of service topologies and their dependencies.
  • The automatic development of contextual security plans that reflect the actual operation of applications and their APIs, detailing the attack surface, the efficiency of defense mechanisms, the use of vulnerable elements in developments and other important aspects.
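The last characteristic, a contextual security plan that relates the attack surface to vulnerable elements in the deployment, can be illustrated with a small script. This is an added example, not code from the article or from Telefónica Tech: it assumes a constructed inventory of microservices (the libraries each one loads, the APIs it exposes and the services it calls) and a constructed intelligence feed keyed on library name and version, with placeholder reference ids. It derives which services are reachable from an internet-facing API and ranks the flagged libraries by that exposure, which is the kind of context a threshold alert alone cannot give.

```python
"""Contextual security plan from a service inventory.

Added example (not the article's code). All inventory and intelligence
data below is constructed for illustration; the intel ids are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Library:
    name: str
    version: str


@dataclass
class Service:
    name: str
    libraries: tuple            # Library objects loaded by the service
    exposed_apis: tuple = ()    # externally reachable endpoints, if any
    calls: tuple = ()           # downstream services (service topology)


# Constructed inventory: one digital process (gateway -> orders -> payments)
# plus an internal batch job that is not reachable from any exposed API.
INVENTORY = {
    "gateway": Service("gateway", (Library("http-router", "2.1.0"),),
                       exposed_apis=("/login", "/orders"), calls=("orders",)),
    "orders": Service("orders", (Library("json-parse", "1.4.2"),
                                 Library("sqlclient", "3.0.1")),
                      calls=("payments",)),
    "payments": Service("payments", (Library("sqlclient", "3.0.1"),)),
    "batch-report": Service("batch-report", (Library("sqlclient", "3.0.1"),)),
}

# Constructed intelligence feed: (library, version) -> placeholder reference.
INTEL = {
    ("json-parse", "1.4.2"): "INTEL-PLACEHOLDER-001",
    ("sqlclient", "3.0.1"): "INTEL-PLACEHOLDER-002",
}


def reachable_from(inventory, entry):
    """Services reachable from an entry point by following the call topology."""
    seen, stack = set(), [entry]
    while stack:
        svc = stack.pop()
        if svc in seen:
            continue
        seen.add(svc)
        stack.extend(inventory[svc].calls)
    return seen


def contextual_plan(inventory, intel):
    """Return findings for every flagged library, enriched with the exposed
    entry points from which its service can be reached. Reachable findings
    are ordered first, since they sit on the actual attack surface."""
    exposure = {}
    for entry in (s.name for s in inventory.values() if s.exposed_apis):
        for svc in reachable_from(inventory, entry):
            exposure.setdefault(svc, set()).add(entry)

    findings = []
    for svc in inventory.values():
        for lib in svc.libraries:
            ref = intel.get((lib.name, lib.version))
            if ref:
                findings.append({
                    "service": svc.name,
                    "library": f"{lib.name}@{lib.version}",
                    "intel": ref,
                    "reachable_from": sorted(exposure.get(svc.name, ())),
                })
    findings.sort(key=lambda f: (not f["reachable_from"], f["service"]))
    return findings


if __name__ == "__main__":
    for finding in contextual_plan(INVENTORY, INTEL):
        print(finding)
```

In a real deployment the inventory would come from the telemetry pipeline itself (service discovery, SBOMs, trace-derived call graphs) rather than from a hand-written dictionary, and the intelligence feed from a subscribed source; the ranking logic stays the same.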

Consequently, the deployment of observability-oriented technologies adds a differential element to information security, making it possible to understand what and why incidents are occurring, and enabling incident detection through observation.


Incident detection through observability

As we have seen, the observability capabilities offered by current technologies, together with the possibility of analyzing large volumes of data in near real time thanks to AI, make it possible to identify the root cause of a cyber incident. This involves not only alerting on a threat but also analyzing the internal state of the process and identifying the specific point at which the unusual activity occurs.

This capability significantly improves threat detection by analyzing patterns and slight variations from normal behavior, using comprehensive data from each of the components of the affected or threatened process.

This approach is not limited to alerts triggered by exceeding a predefined threshold or by the detection of a known signature; it takes a proactive stance based on the context provided by the events, metrics and traces of each process, which facilitates the identification of anomalies and potential threats. The technology must therefore integrate a series of components that support this approach, which we describe below:

  • Real-time analysis and correlation that identifies patterns and deviations from normal behavior, linking seemingly unrelated data. Through machine learning, these capabilities make it possible to identify and alert on anomalies against the historical data set.
  • Extensive collection of telemetry data from all parts of the IT infrastructure, because only comprehensive data collection guarantees a holistic view of the digital environment.
  • A focus on why a threat has occurred, using tools that provide context, such as the route traces of a request through the affected applications or the relationships between applications in different digital processes.
  • The ability to develop a contextual security plan that offers detailed knowledge of how systems really work and allows possible vulnerabilities to be identified. For example, detecting specific libraries used in a microservice that may be associated with known threats, according to intelligence reports.
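The first three components above (baseline-and-deviation analysis, comprehensive telemetry, and trace context that explains why rather than only what) can be shown together in a single detection routine. This is an added example, not code from the article or from Telefónica Tech. It assumes constructed span telemetry in which each span carries a trace id, the service name, the calling service, a latency in milliseconds and a status; it learns a robust per-service baseline (median and median absolute deviation) from a historical window, scores recent spans against it, and then follows the parent links of each affected trace down to the deepest deviating component, so the report names the origin of the deviation rather than the symptom seen at the edge. The threshold K is an assumption to be tuned per environment.

```python
"""Anomaly detection with trace context.

Added example (not the article's code). Telemetry below is constructed:
a historical window of normal traces and a recent window containing one
latency spike and one error, both originating in the "payments" service.
"""
from collections import defaultdict
from statistics import median

K = 5.0  # robust z-score threshold (assumption; tune per environment)


def span(trace_id, service, parent, duration_ms, status="ok"):
    return {"trace_id": trace_id, "service": service, "parent": parent,
            "duration_ms": duration_ms, "status": status}


# Constructed historical window: 20 normal traces through gateway -> orders -> payments.
HISTORY = []
for i in range(20):
    t = f"t-hist-{i}"
    HISTORY += [span(t, "gateway", None, 120 + i % 5),
                span(t, "orders", "gateway", 80 + i % 3),
                span(t, "payments", "orders", 40 + i % 4)]

# Constructed recent window: a latency spike that propagates upstream from
# payments, one normal trace, and one trace where payments returns an error.
RECENT = [
    span("t-recent-1", "gateway", None, 1010),
    span("t-recent-1", "orders", "gateway", 950),
    span("t-recent-1", "payments", "orders", 900),
    span("t-recent-2", "gateway", None, 121),
    span("t-recent-2", "orders", "gateway", 82),
    span("t-recent-2", "payments", "orders", 43),
    span("t-recent-3", "gateway", None, 122),
    span("t-recent-3", "orders", "gateway", 81),
    span("t-recent-3", "payments", "orders", 42, status="error"),
]


def baseline(spans):
    """Per-service (median, MAD) of latency; MAD is robust to the odd outlier."""
    by_svc = defaultdict(list)
    for s in spans:
        by_svc[s["service"]].append(s["duration_ms"])
    out = {}
    for svc, xs in by_svc.items():
        m = median(xs)
        mad = median(abs(x - m) for x in xs) or 1.0  # guard against zero MAD
        out[svc] = (m, mad)
    return out


def robust_z(x, m, mad):
    """Robust z-score; 0.6745 scales MAD to a standard deviation equivalent."""
    return 0.6745 * (x - m) / mad


def score(spans, base):
    """Flag spans that deviate from their service baseline, carry an error
    status, or belong to a service with no baseline at all (unknown component)."""
    flagged = []
    for s in spans:
        m, mad = base.get(s["service"], (None, None))
        z = robust_z(s["duration_ms"], m, mad) if m is not None else None
        if z is None or z > K or s["status"] != "ok":
            flagged.append(dict(s, z=None if z is None else round(z, 1)))
    return flagged


def root_cause(flagged):
    """Group flagged spans by trace and find the deepest flagged span in the
    call chain: a flagged span none of whose callees are flagged is where the
    deviation originates."""
    by_trace = defaultdict(list)
    for s in flagged:
        by_trace[s["trace_id"]].append(s)
    report = {}
    for tid, spans in by_trace.items():
        origins = [s for s in spans
                   if not any(o["parent"] == s["service"] for o in spans)]
        report[tid] = {"chain": sorted({s["service"] for s in spans}),
                       "origin": sorted(s["service"] for s in origins)}
    return report


def analyze(history, recent):
    return root_cause(score(recent, baseline(history)))


if __name__ == "__main__":
    for trace_id, finding in analyze(HISTORY, RECENT).items():
        print(trace_id, finding)
```

A threshold monitor on the gateway would have reported only that the front end was slow; the trace walk reports the same trace with "payments" as the origin, which is the "why" the article distinguishes from the "what" of traditional monitoring. On production data the baseline should be recomputed on a sliding window, and per-endpoint rather than per-service baselines reduce false positives where one service serves operations with very different normal latencies.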

Conclusion

Incident detection through observability transforms the traditionally reactive approach to known threats into a proactive understanding of system behavior, enabling the detection of known threats and, more importantly, of unknown ones.

This capability, by providing detailed information and context in real-time, enables security teams to detect, analyze, and respond more effectively, with the ultimate goal of reducing the mean time to containment.
