4 ways to use time to level up your security monitoring

SIEMs excel at correlating events and firing alerts, but their ingest pipelines strain as event volume grows. And because most SIEMs sit on general-purpose log storage, long-term retention at full fidelity stays expensive even with lower-cost archive tiers, forcing teams to choose between visibility and budget.

With AI making the threat landscape more complex and regulators mandating that companies report incidents on short deadlines, defenders need tools that help them spot and interpret events faster. The key to doing this is speaking a universal language: time. Time isn’t just a dimension of data. It’s the organizing principle of security operations, turning raw telemetry into a narrative that both humans and machine learning models can reason about.

What’s the problem with the status quo?

SIEMs have to parse, normalize and enrich logs as they’re ingested so events can be correlated across systems. This adds latency and compute overhead. Once the data lands, it usually sits in log platforms built for fast search rather than for cheap, years-long storage, which is why teams so often end up archiving or dropping data they wish they could keep.

That’s a big problem. Security incidents may unfold over seconds, weeks or months, and the details of what happened and when must be precise and well preserved, both for detection and for compliance. Storing security data as time-stamped points makes it easy to order chronologically, to query and to retain for years without burning the budget. Without that chronological context, even the most sophisticated analytics or AI models are left guessing at cause and effect.

SIEMs are not dead. SaaS logs are not useless. But both can benefit from being paired with time series data. Here’s how:

1. Detect anomalies faster

Most security events start small: a few unusual logins, a traffic spike, abnormal activity in one system. Where raw log pipelines add parsing and enrichment delays before data is ready for analysis, time series points arrive already structured (a timestamp, a few tags and a numeric value) and can be queried the moment they land.

This makes it easier to establish behavioral baselines and apply simple statistical models, such as a rolling mean and standard deviation, to flag deviations quickly. High-precision timestamps let defenders observe rate changes, which is critical for detecting brute-force, lateral movement or exfiltration attempts. Pair those baselines with machine learning detection and you move from reactive alerting toward predictive defense.
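A minimal version of the rolling-baseline check described above, written here as an added example rather than the article's own tooling: a per-minute count of failed logins (constructed for illustration) is compared against the mean and standard deviation of the preceding ten minutes, and a minute more than three standard deviations above that trailing baseline is flagged. The window size, the z-score threshold and the floor on the standard deviation are assumptions to tune against real data.

```python
"""Rolling-baseline anomaly detection over a per-minute failed-login series.

Added example (not code from the original article). The sample series and
the thresholds are constructed for illustration; tune them to your own data.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Point:
    ts: int       # epoch seconds, start of the one-minute bucket
    value: float  # failed logins observed in that minute


@dataclass(frozen=True)
class Anomaly:
    ts: int
    value: float
    zscore: float


def rolling_zscore_anomalies(points: list[Point], window: int = 10,
                             z_threshold: float = 3.0,
                             min_stdev: float = 1.0) -> list[Anomaly]:
    """Flag points more than z_threshold sigmas above the trailing window's mean.

    The baseline for point i is computed from points i-window .. i-1 only, so
    the spike itself never contaminates the statistics it is judged against.
    min_stdev floors the standard deviation: a perfectly flat baseline would
    otherwise turn any single extra failure into an 'infinite' z-score.
    """
    ordered = sorted(points, key=lambda p: p.ts)   # the series must be chronological
    anomalies: list[Anomaly] = []
    for i in range(window, len(ordered)):
        history = [p.value for p in ordered[i - window:i]]
        mu = mean(history)
        sigma = max(pstdev(history), min_stdev)
        z = (ordered[i].value - mu) / sigma
        if z > z_threshold:
            anomalies.append(Anomaly(ordered[i].ts, ordered[i].value, round(z, 2)))
    return anomalies


# Constructed sample: fifteen quiet minutes (2-4 failures each), then a two-minute spray burst.
BASE_TS = 1_700_000_000
SAMPLE_SERIES = [Point(BASE_TS + 60 * i, v) for i, v in enumerate(
    [3, 2, 4, 3, 2, 3, 4, 2, 3, 3, 2, 4, 3, 2, 3, 41, 57, 3])]

if __name__ == "__main__":
    for a in rolling_zscore_anomalies(SAMPLE_SERIES):
        print(f"{a.ts}: {a.value:.0f} failed logins (z={a.zscore})")
```

Two details matter in practice. The baseline excludes the point being judged, so a spike cannot mask itself, and the standard deviation is floored so that a perfectly quiet baseline does not make one extra failure look like an infinite deviation. Note that the second burst minute scores far lower than the first, because the first burst minute has already inflated the trailing window; that is the same effect an attacker exploits by ramping up slowly, and longer windows or median-based baselines resist it.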

My team has seen the value of time series security monitoring systems first-hand. We encountered a security incident in 2021 after an engineer integrated a free third-party tool into our pipeline. That tool later got breached and it took four months before we were notified. We were fed up with our SaaS providers failing to alert us to the anomalous behavior, and that frustration only grew when we hit paywalls while trying to access the logs we needed to conduct a thorough investigation. So, we took matters into our own hands.

We built an internal security monitoring tool backed by time series data and saw the power of collecting and transforming SaaS audit log events into structured time series data. For example, we noticed an abnormal download of some of our internal IP during hours that didn’t match the normal working hours of the user whose access token was used.

On another occasion, we discovered an “impossible logins” scenario where an employee’s account was used to connect to several different SaaS solutions from geographically separated locations within a short time window. By aggregating events from those services into one time-ordered event stream, we gained visibility that would have been impossible if those connections had been viewed in isolation. Investigation into both cases revealed issues that were resolved.
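The “impossible logins” case above, as an added example that is not the author's tooling: login events from several SaaS products, each in its own vendor format, are normalized to one record type, merged into a single per-user stream ordered by time, and checked pairwise for an implied travel speed no human could manage. The vendor names, field layouts, coordinates, timestamps and the 900 km/h threshold are all constructed for illustration.

```python
"""Impossible-travel detection across several SaaS audit-log sources.

Added example, not the article's own tooling. Each SaaS vendor emits logins in
its own shape, so events are first normalized to one record type, merged into a
single per-user stream ordered by time, and then checked pairwise: two logins
whose implied ground speed exceeds what an airliner manages cannot both be the
same person. Vendor names, field names, coordinates and the 900 km/h threshold
are constructed for illustration.
"""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    source: str   # which SaaS product emitted the event
    lat: float
    lon: float


def normalize(source: str, raw: dict) -> Login:
    """Map two hypothetical vendor formats onto Login. Real adapters go here."""
    if source == "code-hosting":                 # ISO-8601 time, actor, [lat, lon]
        ts = datetime.fromisoformat(raw["time"].replace("Z", "+00:00"))
        return Login(ts, raw["actor"], source, raw["geo"][0], raw["geo"][1])
    if source in ("chat", "cloud-console"):      # epoch seconds, e-mail, lat/lng
        ts = datetime.fromtimestamp(raw["timestamp"], tz=timezone.utc)
        return Login(ts, raw["user_email"].split("@")[0], source, raw["lat"], raw["lng"])
    raise ValueError(f"no adapter for source {source!r}")


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(logins: list[Login], max_kmh: float = 900.0,
                      min_gap_s: float = 60.0) -> list[tuple[Login, Login, int]]:
    """Return (earlier, later, implied_kmh) for consecutive logins of one user
    that would require moving faster than max_kmh.

    All sources are merged before sorting, so a chat login followed by a console
    login is compared exactly like two logins to one product. min_gap_s floors
    the interval so near-simultaneous events don't divide by (almost) zero.
    """
    by_user: dict[str, list[Login]] = defaultdict(list)
    for login in logins:
        by_user[login.user].append(login)
    hits: list[tuple[Login, Login, int]] = []
    for events in by_user.values():
        events.sort(key=lambda e: e.ts)
        for a, b in zip(events, events[1:]):
            gap_h = max((b.ts - a.ts).total_seconds(), min_gap_s) / 3600
            kmh = haversine_km(a.lat, a.lon, b.lat, b.lon) / gap_h
            if kmh > max_kmh:
                hits.append((a, b, round(kmh)))
    return hits


# Constructed raw events. 1709543400 is 2024-03-04T09:10:00Z, 1709545200 is 09:40:00Z,
# 1709557200 is 13:00:00Z. Berlin, Sao Paulo, New York and Boston coordinates.
RAW_EVENTS = [
    ("code-hosting", {"time": "2024-03-04T09:00:00Z", "actor": "alice", "geo": [52.52, 13.405]}),
    ("chat", {"timestamp": 1709543400, "user_email": "alice@example.com", "lat": 52.52, "lng": 13.405}),
    ("cloud-console", {"timestamp": 1709545200, "user_email": "alice@example.com", "lat": -23.55, "lng": -46.633}),
    ("code-hosting", {"time": "2024-03-04T09:00:00Z", "actor": "bob", "geo": [40.7128, -74.006]}),
    ("chat", {"timestamp": 1709557200, "user_email": "bob@example.com", "lat": 42.3601, "lng": -71.0589}),
]
SAMPLE_LOGINS = [normalize(src, raw) for src, raw in RAW_EVENTS]

if __name__ == "__main__":
    for a, b, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"{a.user}: {a.source} @ {a.ts:%H:%M}Z -> {b.source} @ {b.ts:%H:%M}Z implies {kmh} km/h")
```

Alice's Berlin chat login followed thirty minutes later by a cloud-console login from Sao Paulo is flagged; Bob's New York to Boston hop over four hours is not. The check only works if every source's timestamps are normalized to the same clock (UTC here), which is the whole point of putting them on one time axis; VPN egress points and shared NAT addresses are the usual false-positive sources and belong on an allowlist before the rule is wired to a response.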

With the right data, the right structure, and the right engine, time series telemetry becomes the foundation for a powerful security monitoring system.

2. Support long-term threat hunting

SIEMs can correlate events across long timeframes, but retaining the data needed to do so is often still expensive on SaaS log platforms. Time series databases use compression and efficient indexing to store data for months or years without reducing its fidelity or breaking budgets. This lets security teams investigate the “low and slow” attacks that would otherwise fall outside the retention window. It also gives you a time machine: write a new detection rule today and replay it over months or years of retained events to see what it would have caught.

So, hunt away. Find the one IP address that pops up once a week at 4 AM. Spot the one system that started beaconing every 90 seconds only after Patch Tuesday. Correlate unusual access across disparate SaaS services that would otherwise go unnoticed. That’s the story you’ll never see if the logs have already been flushed.
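Both hunts named above are the same rule at different periods, so the added example below (not the article's code) implements it once: given every timestamp at which a (source, destination) pair talked across the retention window, it flags pairs whose gaps between contacts are suspiciously regular. A 90-second beacon and a once-a-week 4 AM check-in both show near-zero spread in their gaps, while human-driven traffic is bursty. Run over retained history, this is exactly the "replay a new rule" use of a time machine. The hostnames, addresses, timestamps and the 15 % jitter tolerance are constructed.

```python
"""Periodicity hunt over retained connection timestamps.

Added example, not the article's code. Given every time a (source, destination)
pair talked across the retention window, it flags pairs whose inter-arrival
times are suspiciously regular. A 90-second C2 beacon and a once-a-week 04:00
check-in both show near-zero spread in their gaps; human-driven traffic does
not. Sample events, hostnames and the 15 % jitter tolerance are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class Periodic:
    src: str
    dst: str
    period_s: float   # estimated period between contacts
    cv: float         # coefficient of variation (stdev / mean) of the gaps
    contacts: int


def find_periodic(events: list[tuple[int, str, str]], min_contacts: int = 8,
                  max_cv: float = 0.15) -> list[Periodic]:
    """events: (epoch_seconds, src, dst) in any order.

    Groups by pair, sorts each pair's timestamps, measures the gaps between
    consecutive contacts and reports pairs whose relative spread is below max_cv.
    The median gap is used as the period so one or two missed beacons (a gap of
    2x) don't drag the estimate; they do raise cv, which is why the tolerance is
    not zero. min_contacts avoids judging regularity from three samples.
    """
    by_pair: dict[tuple[str, str], list[int]] = {}
    for ts, src, dst in events:
        by_pair.setdefault((src, dst), []).append(ts)

    found: list[Periodic] = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_contacts:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue   # only duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            found.append(Periodic(src, dst, float(median(gaps)), round(cv, 4), len(stamps)))
    return found


def _series(start: int, base_gap: int, offsets: list[int], n: int) -> list[int]:
    """Constructed helper: n timestamps spaced base_gap apart plus cycling offsets."""
    out, t = [], start
    for i in range(n):
        out.append(t)
        t += base_gap + offsets[i % len(offsets)]
    return out


PATCH_TUESDAY = 1_710_201_600   # 2024-03-12T00:00:00Z, constructed reference point
SAMPLE_EVENTS: list[tuple[int, str, str]] = (
    # workstation that started calling home every ~90 s (a few seconds of jitter) after patching
    [(t, "ws-17", "198.51.100.23")
     for t in _series(PATCH_TUESDAY + 3600, 90, [0, 2, -1, 3, -2, 1, 0, -3], 40)]
    # weekly 04:00 contact for 12 weeks, drifting by up to 90 s
    + [(t, "10.0.0.9", "203.0.113.7")
       for t in _series(PATCH_TUESDAY - 86400 * 70 + 4 * 3600, 604800, [0, 60, -30, 90, -60, 30, 0, -90], 12)]
    # ordinary browsing: bursty, irregular gaps
    + [(t, "ws-04", "198.51.100.50")
       for t in _series(PATCH_TUESDAY + 7200, 0, [5, 300, 12, 4000, 60, 7, 900, 45, 20000, 3], 11)]
    # too few contacts to judge
    + [(PATCH_TUESDAY + 100, "ws-09", "203.0.113.9"), (PATCH_TUESDAY + 190, "ws-09", "203.0.113.9")]
)

if __name__ == "__main__":
    for p in find_periodic(SAMPLE_EVENTS):
        print(f"{p.src} -> {p.dst}: every {p.period_s:.0f}s over {p.contacts} contacts (cv={p.cv})")
```

The 90-second beacon and the weekly contact are both reported; the bursty browsing pair and the two-contact pair are not. Real implants add deliberate jitter, so the tolerance is a knob, not a constant, and a week-long period needs the full retention window to accumulate enough contacts at all, which is the argument for keeping the raw timestamps rather than hourly roll-ups.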

3. Automate responses in real-time

Detection is only half the battle. Time series systems are built for low-latency ingest, so alerts and triggers can fire as new points arrive rather than after a batch has been indexed. When a device needs to be quarantined, an access token revoked or an attacker’s activity handed to a forensics workflow before lateral movement spreads, the response can start immediately.

Because most SaaS log platforms batch and index events before they are fully queryable, SIEM-driven responses can lag by minutes, depending on configuration and data volume. Time series systems evaluate each point as it arrives, closing that gap.
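An added example of the point-at-a-time trigger described above (not the article's own code): failed-authentication events are evaluated as they arrive, a per-token sliding window tracks the recent count, and a revoke action fires the moment the threshold is crossed rather than after an index cycle. The cooldown is the guard rail a practitioner wants before wiring any rule to a destructive action: five hundred failures in a minute should revoke a token once, not five hundred times. Threshold, window, cooldown, token identifiers and the revoke action are assumptions for illustration.

```python
"""Streaming trigger with suppression for automated response.

Added example, not code from the article. Points are evaluated one at a time
in arrival order and a per-key sliding window tracks the recent count, so the
rule fires the moment the threshold is crossed instead of after a batch index
cycle. The cooldown suppresses repeated firing once a response has started.
Threshold, window, cooldown, token names and the revoke action are assumptions.
"""
from __future__ import annotations

from collections import defaultdict, deque
from typing import Callable


class SlidingWindowTrigger:
    """Fire action(key, ts, count) when a key sees >= threshold events within
    window_s seconds, then stay silent for that key for cooldown_s seconds."""

    def __init__(self, threshold: int, window_s: int, cooldown_s: int,
                 action: Callable[[str, int, int], None]):
        self.threshold = threshold
        self.window_s = window_s
        self.cooldown_s = cooldown_s
        self.action = action
        self._recent: dict[str, deque[int]] = defaultdict(deque)
        self._last_fired: dict[str, int] = {}

    def observe(self, ts: int, key: str) -> bool:
        """Record one event at epoch second ts; return True if the action fired."""
        window = self._recent[key]
        window.append(ts)
        while window and window[0] <= ts - self.window_s:   # evict expired points
            window.popleft()
        if len(window) < self.threshold:
            return False
        last = self._last_fired.get(key)
        if last is not None and ts - last < self.cooldown_s:
            return False                                   # already responded; suppress
        self._last_fired[key] = ts
        self.action(key, ts, len(window))
        return True


def revoke_token(token: str, ts: int, failures: int) -> None:
    """Placeholder for the real response (e.g. a call to the IdP's revocation API)."""
    print(f"t={ts}: revoking {token} after {failures} failures in the window")


# Constructed stream of (epoch_second, token_id) failed-auth events, time-ordered:
# tok-7f3a fails once a second from t=100..129 and again t=420..431; tok-1c2d fails 3 times.
SAMPLE_STREAM: list[tuple[int, str]] = sorted(
    [(t, "tok-7f3a") for t in range(100, 130)]
    + [(t, "tok-7f3a") for t in range(420, 432)]
    + [(100, "tok-1c2d"), (130, "tok-1c2d"), (160, "tok-1c2d")]
)


def run_sample(action: Callable[[str, int, int], None] = revoke_token) -> list[tuple[str, int, int]]:
    """Replay SAMPLE_STREAM through the trigger; return every (token, ts, count) that fired."""
    fired: list[tuple[str, int, int]] = []

    def record(token: str, ts: int, n: int) -> None:
        fired.append((token, ts, n))
        action(token, ts, n)

    trigger = SlidingWindowTrigger(threshold=10, window_s=60, cooldown_s=300, action=record)
    for ts, token in SAMPLE_STREAM:
        trigger.observe(ts, token)
    return fired


if __name__ == "__main__":
    run_sample()
```

The first burst fires once at t=109, the tenth failure, and the remaining twenty failures in that burst are suppressed; the second burst fires again at t=429 because the cooldown has expired and the old points have aged out of the window. The code assumes events arrive in time order; if a collector can deliver late points, evaluate on the event timestamp with a bounded lateness allowance rather than on arrival order.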

4. Simplify reporting and program justification

CISOs need metrics such as mean time to detect (MTTD) and mean time to respond (MTTR) to secure budgets and demonstrate program performance. Logs are excellent for forensic search and SIEMs for correlation, but neither was designed for continuous KPI tracking and trend analysis over time. That’s where time series databases shine.

They aggregate and visualize performance data, allowing security leaders to demonstrate improvement and make data-driven decisions.

SIEMs remain indispensable, and logs are foundational for investigations and compliance. High-precision time series, continuously ingested and analyzed, adds faster detection, longer retention and real-time response without the cost and performance tradeoffs of relying on logs alone.

Time series databases don’t replace SIEMs, but they can be a great wingman. They make it possible to rewind and replay events, build accurate behavioral baselines and spot stories that would otherwise get lost in logs. Without this ability to travel back and forth in time and see how entities across the business behave, security operations will remain reactive.
