How Defenders Notice
Attackers depend on one thing above all: not being seen. The longer they go unnoticed inside a system, the more they can read, copy, or quietly break. A break-in that gets caught in an hour does far less harm than the same break-in caught half a year later.
So a large part of defense is not building higher walls — it is simply noticing. Defenders keep records of what their systems are doing and watch those records for anything out of the ordinary. This is called logging and monitoring, and it is how a breach gets caught in hours instead of months.
Picture a shop with security cameras and an attentive manager. The cameras don't lock any doors, and the manager doesn't stop anyone at the entrance. But between them they spot the shoplifter slipping something into a bag and cut the loss short. Logging and monitoring play that same role for a computer system — they don't block the attacker, they reveal one.
What Is a Log?
A log is a running record of things that happened on a system — a kind of diary the computer keeps about itself. Each entry notes an event and when it occurred: someone logged in, a file was opened, a setting was changed, a payment went through.
On their own, individual entries look dull. "User Olivia signed in at 9:02am." "A report was downloaded at 9:15am." But that dullness is the point. Logs are the raw material for noticing anything wrong, because you can only spot the strange entry if you have a record of all the ordinary ones to compare it against.
Logs also become the evidence trail later. If a breach is confirmed, the logs are what investigators read to work out what the attacker touched and when. No record means no way to reconstruct what happened.
From Logs to Alerts
A busy system can produce millions of log entries a day — far too many for a person to read. So the watching is done by software. Monitoring is software that reads the stream of logs continuously and looks for patterns that don't fit the normal picture.
When something stands out, the monitoring software raises an alert — a flag that says "a human should look at this." An alert might fire because Olivia's account signed in from a new country at 3am, or because one account suddenly downloaded thousands of files in a minute. Neither is proof of an attack, but both are unusual enough to deserve a second look.
That word — unusual — matters. An alert flags suspicious activity, not a confirmed attack. Many alerts turn out to be harmless: Olivia really was travelling. Sorting the real warnings from the false alarms is a genuine part of the work, and a system that cries wolf too often is its own kind of problem.
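The two alerts described above, as an added Python example that is not part of the course page: a tiny monitor reads constructed log lines and flags a sign-in from an unfamiliar country during quiet hours and a burst of downloads within one minute. The account baseline, the quiet-hours window and the burst threshold are assumed values, not figures from the text.

```python
# Added example: a minimal log monitor. Every log line, account profile
# and threshold below is constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

NORMAL_COUNTRIES = {"olivia": {"GB"}}  # assumed: where each account usually signs in
QUIET_HOURS = range(0, 6)              # assumed: 00:00-05:59 counts as an odd hour
DOWNLOAD_BURST = 100                   # assumed: downloads per minute that merit a look


def build_sample_log():
    """Constructed log: a normal day, then a 3am sign-in from a new
    country followed by 120 downloads inside a single minute."""
    lines = [
        "2024-03-04T09:02:00|olivia|login|country=GB",
        "2024-03-04T09:15:00|olivia|download|file=report-q1.pdf",
        "2024-03-04T17:40:00|olivia|logout|",
        "2024-03-05T03:07:00|olivia|login|country=BR",
    ]
    start = datetime(2024, 3, 5, 3, 8, 0)
    for i in range(120):  # one download every half second for 60 seconds
        stamp = start + timedelta(milliseconds=500 * i)
        lines.append(f"{stamp.isoformat()}|olivia|download|file=doc-{i:04d}.pdf")
    return lines


def parse(line):
    """Log format (constructed): timestamp|user|event|key=value,key=value"""
    ts, user, event, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split(",") if kv)
    return datetime.fromisoformat(ts), user, event, fields


def monitor(lines):
    """Return alerts. Each alert means 'a human should look', not 'attack confirmed'."""
    alerts = []
    per_minute = defaultdict(int)  # (user, minute) -> download count
    for line in lines:
        ts, user, event, fields = parse(line)
        if event == "login":
            country = fields.get("country")
            odd_place = country not in NORMAL_COUNTRIES.get(user, set())
            odd_hour = ts.hour in QUIET_HOURS
            if odd_place or odd_hour:  # Olivia may simply be travelling; a person decides
                alerts.append({"kind": "unusual_login", "user": user,
                               "at": ts.isoformat(), "country": country})
        elif event == "download":
            key = (user, ts.replace(second=0, microsecond=0))
            per_minute[key] += 1
            if per_minute[key] == DOWNLOAD_BURST:  # fire once per minute bucket
                alerts.append({"kind": "download_burst", "user": user,
                               "at": key[1].isoformat(), "count": DOWNLOAD_BURST})
    return alerts


if __name__ == "__main__":
    for alert in monitor(build_sample_log()):
        print(alert)
```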
Why Detection Speed Decides the Damage
Attackers rarely break in and grab everything in one motion. More often they slip in quietly and stay, exploring and collecting over days, weeks, or months. The stretch of time between getting in and being noticed is called dwell time.
Dwell time is one of the clearest measures of how bad a breach turns out to be. A short dwell time means the attacker was caught early and took little; a long one means they had the run of the place. This is why defenders treat detection speed as a goal in itself — every hour shaved off the noticing is an hour the attacker doesn't get.
Why Noticing Sits Beside Blocking
Earlier in the course we saw that prevention can fail — no wall holds forever. Detection is the honest answer to that fact. Because some attacks will get through, defenders invest in seeing them, not only in blocking them.
So security is partly about visibility, not just barriers. Prevention tries to keep attackers out; detection assumes a few will get in anyway and makes sure they can't move around unseen. The two work together — the locks on the doors and the cameras watching the aisles.
- "Good prevention means you don't need detection." Prevention sometimes fails, and defenders assume it will. Detection is how you catch what got through the walls — it is a partner to prevention, not a backup you can skip.
- "Logs are just technical noise." Logs are the evidence trail. They are what makes noticing a breach possible in the first place, and what lets investigators reconstruct it afterward.
- "An alert means a confirmed attack." An alert flags suspicious activity for a human to judge. Many alerts are false alarms, and telling the real ones apart is part of the job.
- It explains why dwell time — how long an attacker went unnoticed — is a key measure of how much damage a breach does.
- It shows that security is partly about visibility, not only walls: seeing an attacker matters as much as keeping them out.
- It sets up the next topic — once monitoring raises a real alert, a team has to actually respond to it.
Knowledge Check
What is a log, in the sense used in security?
- A running record of events on a system, with timestamps
- A rule that blocks suspicious users from logging in
- A method for keeping stored data secret from anyone who gets into the system
- A confirmed alarm that an attack is happening right now
Monitoring software raises an alert when an account signs in from a new country at 3am. What does that alert mean?
- Something unusual happened and a human should look into it
- An attack has definitely been confirmed and is underway
- The account has been automatically locked and the attacker has been fully shut out
- The activity was normal and can safely be ignored
Why do defenders care so much about how quickly an attacker is noticed?
- The longer they go unnoticed, the more they can take
- Noticing fast magically reverses any damage already done
- Fast detection removes the need for any locks or passwords
- It keeps the log files from growing too large to store
How does detection relate to prevention?
- Detection catches attacks that prevention failed to stop
- Strong prevention makes detection completely unnecessary
- Detection blocks attackers at the door so they never get in
- They compete, so a team must pick one or the other