7 Risk Management and Disaster Recovery in the Cloud

Saman Zonouz

Rutgers University, New Brunswick, NJ, USA

7.1 Introduction

Keeping cloud infrastructures, systems, and networks secure is a continual race against attackers. The growing number of security incidents indicates that current approaches to building systems do not sufficiently address the increasing variety and sophistication of threats and do not block attacks before systems are compromised. Organizations must therefore resort to detecting malicious activity as it occurs, so efficient intrusion detection systems (IDSs) are deployed to monitor systems and identify misbehavior. However, IDSs alone are not sufficient to let operators understand the security state of their organization, because monitoring sensors usually report all potentially malicious traffic without regard to the actual network configuration, the vulnerabilities present, and the mission impact. Moreover, given large volumes of network traffic, IDSs with even small error rates can overwhelm operators with false alarms. Even when true intrusions are detected, the actual threat to the mission is often unclear, and operators are unsure what actions they should take. Security administrators need precise, continuously updated summary estimates of the security status of their mission-critical assets, derived from the alerts that occur, so that they can respond effectively to system compromises and prioritize their response and recovery actions. This requirement is ...
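The two problems the introduction raises, alerts reported without regard to host configuration or mission impact, and false-alarm volume at low base rates, can be made concrete with a small alert-contextualization routine. This is an added example, not code from the chapter; the host addresses, signature ids, criticality scale and rates below are constructed for illustration.

```python
"""Score raw IDS alerts against an asset inventory (services present, known
unpatched signatures, mission criticality) and quantify base-rate false alarms.
Added example with constructed data; nothing here comes from the chapter."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    services: frozenset        # services actually running on the host
    vulnerable_to: frozenset   # signature ids the host is known to be unpatched for
    mission_criticality: int   # 1 (low) .. 5 (mission-critical)


# Constructed inventory (hypothetical hosts and signature ids).
INVENTORY = {
    "10.0.0.5": Asset("10.0.0.5", frozenset({"http"}), frozenset({"SIG-HTTP-RCE"}), 5),
    "10.0.0.9": Asset("10.0.0.9", frozenset({"ssh"}), frozenset(), 2),
}


def score_alert(alert: dict, inventory: dict) -> dict:
    """Return the alert with a 'priority' (0..10) and the reason for it."""
    asset = inventory.get(alert["dst"])
    if asset is None:
        return {**alert, "priority": 0, "reason": "unknown/unmanaged host"}
    if alert["service"] not in asset.services:
        return {**alert, "priority": 0, "reason": "service not present on host"}
    exposure = 2 if alert["sig"] in asset.vulnerable_to else 1   # unpatched doubles weight
    reason = "vulnerable" if exposure == 2 else "service present, not known vulnerable"
    return {**alert, "priority": exposure * asset.mission_criticality, "reason": reason}


def prioritise(alerts, inventory=INVENTORY):
    """Highest mission impact first; context-free alerts sink to priority 0."""
    return sorted((score_alert(a, inventory) for a in alerts),
                  key=lambda a: a["priority"], reverse=True)


def expected_false_alarms(n_events: int, base_rate: float, fpr: float, tpr: float):
    """Split expected alerts into true/false positives; returns (tp, fp, precision)."""
    malicious = n_events * base_rate
    tp = malicious * tpr
    fp = (n_events - malicious) * fpr
    return tp, fp, tp / (tp + fp)


SAMPLE_ALERTS = [  # constructed alerts
    {"sig": "SIG-HTTP-RCE", "dst": "10.0.0.5", "service": "http"},
    {"sig": "SIG-HTTP-RCE", "dst": "10.0.0.9", "service": "http"},   # no http on that host
    {"sig": "SIG-SSH-BRUTE", "dst": "10.0.0.9", "service": "ssh"},
    {"sig": "SIG-HTTP-RCE", "dst": "10.0.0.77", "service": "http"},  # not in inventory
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_ALERTS):
        print(a["priority"], a["dst"], a["sig"], a["reason"])
    print(expected_false_alarms(1_000_000, 0.0001, 0.001, 0.99))
```

With one malicious event in ten thousand, a 0.1% false-positive rate still yields roughly ten false alarms for every true detection, which is the overwhelm the introduction describes.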
