Intrusion detection is the art of detecting unauthorized activity. In the computer world, it means detecting unauthorized connections, logons, and resource accesses, or attempts at the same. Intrusion detection is part of the reason why nearly every computer device has an event‐logging system. The two have been forever linked since James P. Anderson’s groundbreaking 1980 paper called “Computer Security Threat Monitoring and Surveillance” (http://csrc.nist.gov/publications/history/ande80.pdf).

While computer systems have been good at generating lots of events, humans and their evaluating alert systems haven’t been so good at making sense of them. To most computer users, event log files are full of thousands of events that muddy up any chance for true maliciousness to be detected.

The best report on the gap between badness entering a system and being detected is captured in Verizon’s annual “Data Breach Investigations Report” (http://www.verizonenterprise.com/verizon‐insights‐lab/dbir/). The 2016 report (http://www.verizonenterprise.com/verizon‐insights‐lab/dbir/2016/) showed the following disturbing long‐term trends:

• The average time from an initial compromise by a hacker to the exfiltration of private data or logon credentials is usually measured in minutes to a few days.
• Most attackers (70% to 80%) are in the system for long periods of time (months) before discovery.
• Discovery of a breach by internal resources only happens about 10% of the time. ...