The security gap created by failing to record, analyze, and respond to security-relevant events, which lets attackers operate undetected for months; industry breach studies repeatedly report a mean time to identify a breach of more than 200 days.
Insufficient logging and monitoring describes the security gap where organizations fail to record security-relevant events, analyze them in a timely manner, or respond to detected threats. This weakness allows attackers to maintain persistent access, escalate privileges, pivot through networks, and exfiltrate data undetected. Industry breach-cost studies have repeatedly reported a mean time to identify a breach of more than 200 days, a figure that reflects how often the events needed to spot an intrusion were never recorded, never reviewed, or never acted on.
Comprehensive security logging captures events across authentication systems, access control decisions, input validation failures, application errors, administrative actions, and data access patterns. Each entry needs enough context to support both real-time detection and forensic investigation: a timestamp (in a consistent time zone, from a synchronized clock, or events from different systems cannot be placed in order), source IP, user identity, action performed, resource accessed, and outcome. An entry that records only "login failed" without the source and the account cannot be correlated with anything.

Log aggregation centralizes records from all systems into SIEM platforms where correlation rules and analytics identify attack patterns across multiple data sources, such as a burst of failed logins from one address followed by a success. Alert tuning balances detection sensitivity against false positive rates, so that security teams investigate genuine threats rather than drowning in noise. Monitoring extends beyond log analysis to include network traffic analysis, endpoint telemetry, user behavior analytics, and integrity monitoring. Incident response procedures define escalation paths, response timelines, and communication protocols triggered by monitoring alerts.
Without adequate logging, organizations cannot detect breaches, investigate incidents, satisfy compliance requirements, or learn from security events. Attackers specifically target logging infrastructure, disabling agents, clearing local logs, and avoiding monitored channels, because they understand that undetected access is persistent access. Two controls follow directly from this: forward events off the host to a central store the host's own administrator cannot edit, so that clearing a local log does not erase the record, and treat a log source that stops reporting as an alert in its own right rather than as silence. Regulatory frameworks including PCI DSS, HIPAA, and SOX mandate specific logging and monitoring controls.
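The following Python illustrates the two preceding points together: context-rich structured entries that a correlation rule can actually use, and detection of a log source that has gone quiet, which is what an attacker disabling an agent looks like from the SIEM side. It is an added example written for this article, not code from the page or from CDA. The JSON-lines record format, the field set, the host names, addresses, accounts and the timestamps are all constructed for the example; the thresholds (five failures in five minutes, ten minutes of silence) are illustrative starting points, not recommendations.

```python
"""Structured security events, a sliding-window brute-force rule, and a
silent-source check. Added example; the format and data are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Context fields every entry must carry (the article's list plus "host",
# which is assumed here so that a source going silent can be attributed).
REQUIRED_FIELDS = ("ts", "host", "src_ip", "user", "action", "resource", "outcome")


def make_event(ts, host, src_ip, user, action, resource, outcome):
    """Serialize one event as a JSON line with UTC ISO-8601 timestamp."""
    ev = {"ts": ts.isoformat(), "host": host, "src_ip": src_ip, "user": user,
          "action": action, "resource": resource, "outcome": outcome}
    return json.dumps(ev, sort_keys=True)


def missing_fields(line):
    """Fields absent from an entry; anything listed makes it uninvestigable."""
    ev = json.loads(line)
    return [f for f in REQUIRED_FIELDS if f not in ev]


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source IP that produces >= threshold failed logins
    inside a sliding time window. Returns {src_ip: {"first": ts, "count": n}}."""
    recent = defaultdict(deque)          # src_ip -> timestamps of recent failures
    alerts = {}
    events = sorted((json.loads(l) for l in lines), key=lambda e: e["ts"])
    for ev in events:
        if ev["action"] != "login" or ev["outcome"] != "failure":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["src_ip"]]
        q.append(ts)
        while ts - q[0] > window:        # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in alerts:
            alerts[ev["src_ip"]] = {"first": q[0].isoformat(), "count": len(q)}
    return alerts


def detect_silent_sources(lines, now, max_gap=timedelta(minutes=10)):
    """Hosts whose most recent event is older than max_gap: a disabled or
    tampered agent is indistinguishable from a quiet host without this check."""
    last_seen = {}
    for ev in map(json.loads, lines):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["host"] not in last_seen or ts > last_seen[ev["host"]]:
            last_seen[ev["host"]] = ts
    return sorted(h for h, ts in last_seen.items() if now - ts > max_gap)


# Constructed sample log: not real traffic.
T0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(minutes=31)
SAMPLE = []
# Five failures from 10.0.0.5 in 80 seconds, then a success: a password-guessing pattern.
for i in range(5):
    SAMPLE.append(make_event(T0 + timedelta(seconds=20 * i), "web-01", "10.0.0.5",
                             "alice", "login", "/login", "failure"))
SAMPLE.append(make_event(T0 + timedelta(seconds=100), "web-01", "10.0.0.5",
                         "alice", "login", "/login", "success"))
# Two spaced-out failures from 10.0.0.9: below threshold, so no alert.
SAMPLE.append(make_event(T0, "web-02", "10.0.0.9", "bob", "login", "/login", "failure"))
SAMPLE.append(make_event(T0 + timedelta(minutes=3), "web-02", "10.0.0.9",
                         "bob", "login", "/login", "failure"))
# db-01 reports once at 10:01 and then nothing; web-01 and web-02 keep reporting.
SAMPLE.append(make_event(T0 + timedelta(minutes=1), "db-01", "10.0.0.20",
                         "svc_app", "query", "customers", "success"))
SAMPLE.append(make_event(T0 + timedelta(minutes=30), "web-02", "10.0.0.11",
                         "carol", "login", "/login", "success"))
SAMPLE.append(make_event(T0 + timedelta(minutes=30), "web-01", "10.0.0.12",
                         "dave", "login", "/login", "success"))

if __name__ == "__main__":
    print("incomplete entries:", [i for i, l in enumerate(SAMPLE) if missing_fields(l)])
    print("brute force:", detect_brute_force(SAMPLE))
    print("silent sources at", NOW.isoformat(), ":", detect_silent_sources(SAMPLE, NOW))
```

Run against the constructed sample, the brute-force rule fires once for 10.0.0.5 (five failures starting at 10:00:00) and stays quiet for 10.0.0.9, and the silence check names db-01, which last reported at 10:01 and has been dark for half an hour. In a real deployment the silence check runs on a schedule against the central store, not against the host that may have been tampered with, and the window and thresholds are tuned per source to keep the false-positive rate workable.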
CDA addresses logging and monitoring within TID domain operations as the foundation of detection capability. Theater missions implement logging standards, deploy SIEM correlation rules aligned with MITRE ATT&CK techniques, and conduct purple team exercises that validate whether monitoring detects realistic attack scenarios end-to-end.
Written by CDA Editorial