GUEST ESSAY: Real cyber risks emerge when small flaws combine and alerts are viewed in isolation

By Jeremy Colvin

Security teams are drowning in signals. Alerts fire. Logs accumulate. Dashboards light up. Yet breaches still unfold quietly, often through a sequence of low-level actions that never trigger a single catastrophic alarm.


Attackers don't rely on one silver bullet. They move incrementally. They probe. They chain together small weaknesses that, in isolation, look harmless. The problem isn't a lack of data. It's a lack of context.

For years, security programs have optimized for visibility. Distributed systems and microservices expanded east-west traffic long before AI models amplified data movement further. Today, teams are asked to detect data exfiltration within oceans of legitimate activity, while also worrying about proprietary information leaking into external AI systems. The volume has grown. The signal has not.

Signal vs. noise

A single vulnerability, a single anomalous login, or a single configuration drift rarely explains real risk. Even mature vulnerability frameworks, with precise CVE classification and continuous scanning, only describe theoretical exposure. They don't reveal which weaknesses are actually exploitable in a given environment. The gap between known vulnerability and real-world risk has widened beyond what human intuition alone can manage.

Risk becomes legible only when events are evaluated together.


That is the premise behind "toxic combinations." Instead of treating alerts as isolated incidents, toxic combinations calculate cumulative risk. A low-severity flaw paired with unusual identity behavior and unexpected network movement may indicate far more than any one signal alone. Context turns fragments into patterns.

Context at the source

Consider a benign example: a researcher accessing servers outside their normal region. That alone may be acceptable. But if that same identity is running an outdated dependency, using weak cryptography, and operating with stale credentials, the cumulative profile changes. Individually, these are routine findings. Together, they suggest exposure.

The same logic applies to account lifecycle events. Provisioning a new user is standard. If that user accesses highly sensitive files within minutes of creation, context changes again. For organizations protecting AI models, intellectual property, or regulated data, these combinations matter more than any single alert.
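The two scenarios above, encoded as an added example of toxic-combination evaluation (this is illustrative code written for this page, not anything from the essay or from Isovalent): findings are grouped per identity and a combination only fires when every required finding type appears for that identity inside a time window. The finding data, the combination definitions and the window length are all constructed assumptions.

```python
"""Added example: scoring 'toxic combinations' by evaluating an identity's
findings together rather than alert by alert. All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed findings. Each one is low severity on its own.
FINDINGS = [
    {"identity": "researcher-7", "type": "access_outside_region", "ts": "2024-05-01T09:02:00"},
    {"identity": "researcher-7", "type": "outdated_dependency",   "ts": "2024-05-01T09:03:00"},
    {"identity": "researcher-7", "type": "weak_cipher",           "ts": "2024-05-01T09:03:30"},
    {"identity": "researcher-7", "type": "stale_credential",      "ts": "2024-05-01T09:04:00"},
    {"identity": "svc-backup",   "type": "outdated_dependency",   "ts": "2024-05-01T10:00:00"},
    {"identity": "new-user-42",  "type": "user_created",          "ts": "2024-05-01T11:00:00"},
    {"identity": "new-user-42",  "type": "sensitive_file_read",   "ts": "2024-05-01T11:03:00"},
]

# Assumed combination definitions: the finding types that, seen together for one
# identity inside the window, describe a single exposure worth one alert.
COMBOS = {
    "weak-host-unusual-access": {"access_outside_region", "outdated_dependency",
                                 "weak_cipher", "stale_credential"},
    "fresh-account-sensitive-read": {"user_created", "sensitive_file_read"},
}
WINDOW = timedelta(minutes=10)  # assumed correlation window


def group_by_identity(findings):
    """Bucket findings per identity as (timestamp, type) pairs sorted by time."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["identity"]].append((datetime.fromisoformat(f["ts"]), f["type"]))
    for events in groups.values():
        events.sort()
    return groups


def evaluate(findings, combos=COMBOS, window=WINDOW):
    """Return {identity: [combo names]} for identities where every finding type
    of a combo occurs within `window`. Partial matches produce no alert."""
    hits = {}
    for ident, events in group_by_identity(findings).items():
        for name, required in combos.items():
            # Slide a window starting at each event and collect the types inside it.
            for i, (t0, _) in enumerate(events):
                seen = {typ for t, typ in events[i:] if t - t0 <= window}
                if required <= seen:
                    hits.setdefault(ident, []).append(name)
                    break
    return hits
```

Run on the constructed findings, only `researcher-7` and `new-user-42` produce an alert; `svc-backup`, with a single outdated dependency, produces none.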

The question then becomes how to generate and evaluate that context efficiently.

Fewer, better alerts

Historically, security tools have treated the operating system kernel as a boundary. Events are collected, exported, and analyzed downstream. That model assumes meaning is derived later, in centralized systems such as a SIEM.

Technologies such as eBPF shift that assumption. By allowing safe programs to run inside the kernel, teams can observe system calls, network flows, and file operations in real time and correlate them at the source. Instead of shipping raw events for later interpretation, context can be built closer to where behavior occurs.

The technical detail is less important than the architectural shift. Insight is generated earlier. Correlation happens before data leaves the workload. Signals arrive pre-shaped, not as disconnected fragments.

This has practical consequences.

First, it reduces noise and operational cost. Aggregating repeat events into compact records lowers storage and processing overhead. More importantly, it limits alert fatigue. Teams stop responding to isolated anomalies and start responding to contextualized risk.

Second, it enables feedback loops. When certain combinations consistently correlate with real incidents, policies can be tuned. Detection thresholds become grounded in observed exploit paths, not abstract rule sets. Security moves from reactive alarm management toward a clearer mapping of the actual attack surface.

In complex, AI-driven environments where workloads are ephemeral and identities are fluid, legibility is the real control. Volume alone doesn't create security. Context does.

Security observability is evolving beyond raw telemetry. The next phase is about understanding how low-level events relate to one another across systems and identities. Toxic combinations are one way to operationalize that shift.

The goal isn't more alerts. It's fewer, better ones: signals that reflect how attackers actually operate.

About the essayist: Jeremy Colvin is a senior engineer at Isovalent.
