
Security operations are full of noise. That’s not news to anyone attending Black Hat. What’s more surprising is that much of the noise is generated by the very systems meant to reduce it. Detections lack context. Alerts are piling up without explanation. Automation stalls because no one trusts the signal.
Even with all this, the goal remains the same: help defenders focus on what matters, fast.
The industry has made real efforts toward this goal. We’ve added more logs, better rules, layered enrichment, and machine learning. We’ve trained LLMs to summarize alerts. We’ve adopted detection-as-code to manage logic more reliably. But somehow, we keep circling back to the same questions: Is this alert real? Does it matter? What do I do next?
Detection logic across most modern security tools is still built around events, not entities—around when something happened, not who did it. That approach starts to fall apart in cloud-first, fast-moving environments where identities shift constantly.
That’s why, at Black Hat 2025, we’ll be demonstrating entity-centric detection at booth #5812.
Why traditional detection needs a new foundation
Traditional detection logic was built for a different era, when infrastructures were static, users worked from known locations, and most threats followed recognizable signatures. In that world, event correlation worked. You could just match enough log lines across a tight time window, and you could usually figure out what was happening.
But today, infrastructures are ephemeral, access patterns are unpredictable, and attackers increasingly mimic legitimate behavior. What’s suspicious in one context might be harmless in another.
Event-centric models can’t see that nuance. They can’t remember what came before. They can’t infer intent.
And so, analysts are left to pivot between tools, correlate signals manually, and try to stitch together a narrative from a trail of disjointed logs.
The current state of security is calling for a better foundation.
Entity-centric detection: A smarter model
Entity-centric detection begins with a simple premise: risk lives in the actor. That means users, hosts, service accounts, cloud workloads, and anything else that initiates behavior or carries access.
Instead of triggering on isolated events, the detection system builds and maintains a memory of each entity: what it normally does, which of its behaviors are risky, and whether anything has changed. When something deviates from that baseline, the system raises a flag and connects the dots to explain what happened.
Imagine this: A developer runs a system-information command on a host for the first time. A few minutes later, they access an S3 bucket they’ve never touched. Then the host initiates outbound communication to an unfamiliar IP range.
Traditional detection might generate three separate alerts which, in isolation, are barely actionable. Analysts would need to connect the dots themselves. Maybe they would. Maybe they wouldn’t.
In an entity-centric model, all of this activity is connected by design. The system knows it’s the same user. It sees the deviation from typical behavior. It understands the timeline. It elevates the risk score. And it delivers a single, cohesive signal, giving automation enough context to take action without hesitation.
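To make the scenario concrete, here is a small Python sketch of an entity-centric engine run over constructed sample events. It is an added illustration, not Sumo Logic's code and not how Cloud SIEM is implemented. It shows the mechanics the model relies on: a rolling 14-day per-entity history, first-seen rarity, a cold-start learning period so a brand-new entity does not alert on its first day, attribution of host-only events (the outbound connection) to the user last seen on that host, deduplication of repeated signals, and a single grouped detection with a timeline that is extended rather than re-raised as the burst escalates. The event schema, severity weights, window sizes, learning threshold and score threshold are all assumptions chosen for the example, and the log events are constructed.

```python
"""Toy entity-centric detection engine (added example, not Sumo Logic code)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=14)      # rolling per-entity behaviour window (assumed)
BURST = timedelta(minutes=30)    # signals this close together escalate (assumed)
THRESHOLD = 10                   # burst risk score that produces a detection (assumed)
LEARNING_MIN = 10                # events needed before an entity can alert (cold start)
# Illustrative severity weights per action type; not a real product schema.
SEVERITY = {"process_exec": 1, "s3_get": 3, "net_connect": 4}


class EntityEngine:
    def __init__(self):
        self.history = defaultdict(list)    # entity -> [(ts, action, resource)]
        self.signals = defaultdict(list)    # entity -> open signal dicts
        self.host_owner = {}                # host -> last user seen on it
        self.detections = []

    def _entity(self, ev):
        # Host-only events (e.g. outbound traffic with no user field) are attributed
        # to the user most recently active on that host, so one actor ties the burst.
        if ev.get("user"):
            self.host_owner[ev["host"]] = ev["user"]
            return "user:" + ev["user"]
        return "user:" + self.host_owner.get(ev["host"], "unknown@" + ev["host"])

    def ingest(self, ev):
        ent, ts, key = self._entity(ev), ev["ts"], (ev["action"], ev["resource"])
        hist = self.history[ent]
        hist[:] = [h for h in hist if ts - h[0] <= WINDOW]       # prune to window
        seen = sum(1 for h in hist if (h[1], h[2]) == key)       # prior occurrences
        hist.append((ts, ev["action"], ev["resource"]))
        if len(hist) < LEARNING_MIN or seen >= 3:
            return None          # still baselining, or typical for this entity
        score = SEVERITY[ev["action"]] * (3 if seen == 0 else 1)
        for sig in self.signals[ent]:           # dedup: repeat bumps the open signal
            if sig["key"] == key and ts - sig["last"] <= BURST:
                sig["count"] += 1
                sig["last"] = ts
                return None
        self.signals[ent].append({"key": key, "first": ts, "last": ts, "count": 1,
                                  "score": score,
                                  "reason": "first seen" if seen == 0 else "rare"})
        return self._maybe_detect(ent, ts)

    def _maybe_detect(self, ent, now):
        burst = [s for s in self.signals[ent] if now - s["first"] <= BURST]
        total = sum(s["score"] for s in burst)
        if total < THRESHOLD:
            return None
        timeline = [(s["first"], s["key"], s["reason"], s["count"]) for s in burst]
        for det in self.detections:             # extend an open detection, no re-alert
            if det["entity"] == ent and now - det["last"] <= BURST:
                det.update(risk=total, last=now, timeline=timeline)
                return det
        det = {"entity": ent, "risk": total, "last": now, "timeline": timeline}
        self.detections.append(det)
        return det


def sample_events():
    """Constructed telemetry: 14 days of alice's routine, then a suspicious burst."""
    base = datetime(2025, 7, 1, 9, 0)
    events = []
    for day in range(14):
        t = base + timedelta(days=day)
        events.append({"ts": t, "user": "alice", "host": "dev-01",
                       "action": "process_exec", "resource": "git"})
        events.append({"ts": t + timedelta(minutes=5), "user": "alice", "host": "dev-01",
                       "action": "s3_get", "resource": "s3://build-artifacts"})
    t = base + timedelta(days=14)
    events += [
        {"ts": t, "user": "alice", "host": "dev-01",
         "action": "process_exec", "resource": "systeminfo"},
        {"ts": t + timedelta(minutes=3), "user": "alice", "host": "dev-01",
         "action": "s3_get", "resource": "s3://finance-exports"},
        {"ts": t + timedelta(minutes=3), "user": "alice", "host": "dev-01",
         "action": "s3_get", "resource": "s3://finance-exports"},   # repeat -> dedup
        {"ts": t + timedelta(minutes=8), "user": None, "host": "dev-01",
         "action": "net_connect", "resource": "203.0.113.0/24"},    # host-only event
    ]
    return events


def run(events):
    engine = EntityEngine()
    for ev in events:
        engine.ingest(ev)
    return engine


if __name__ == "__main__":
    for det in run(sample_events()).detections:
        print(det["entity"], "risk", det["risk"])
        for first, key, reason, count in det["timeline"]:
            print(f"  {first:%H:%M} {key[0]} {key[1]} ({reason}, x{count})")
```

Running it yields one detection for user:alice rather than three or four alerts: the two weeks of routine git and build-artifact access never produce a signal, the duplicate bucket read is folded into the existing signal's count, and the outbound connection, which carried no user field at all, lands on the same timeline because the host was attributed to alice. The learning period is the caveat worth noting: without it, the first day of an entity's history is all "first seen" and would alert on its own.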
Entity-centric detection complements, and improves on, the detection models most teams already rely on:
- Signature-based detection is great for identifying known threats. But it’s brittle. One tweak in a payload or a shift in TTPs, and it fails. Tied to an entity, though, it gains memory and relevance.
- UEBA brought behavioral context to detection, but too often in black-box implementations. Analysts couldn’t read the rules, couldn’t tune them, and couldn’t trust them. An entity model restores explainability.
- Event correlation, as built into most legacy SIEMs, still drives detection today, but it lacks long-term awareness. It sees patterns, but not escalation. Timelines help, but only when tied to persistent actors.
Entity-centric detection changes where the logic lives and anchors everything to the entities that actually matter.
The current operating environment has become more complex. Cloud services spin up and vanish in minutes. Identities shift across providers and geographies. And threats hide in normal behavior.
With this outdated detection logic, analysts spend too much time triaging irrelevant alerts, automation engines sit idle, and SOCs operate in reactive mode because their tools don’t understand context.
Entity-centric detection is built to close that gap.
By anchoring logic to the people, hosts, systems, and services that actually carry risk, we shift from flat, transactional detection to something that remembers and explains how and why a risk happened.
This model is necessary for modern operations. Without it, the cost is missed threats, broken automation, and a security stack that can’t keep pace with the business.
What you’ll see at Black Hat
At our booth, we’re running live scenarios through Sumo Logic Cloud SIEM’s entity-centric detection engine. You’ll see:
- Entity tracking across identity providers and telemetry sources: We map and follow users, hosts, workloads, and service accounts across your environment, regardless of where the signal originates.
- Rolling 14-day behavior windows: Every entity maintains its own recent activity history. You’ll see how we detect what’s typical, what’s rare, and what’s escalating.
- Smart signal deduplication: Instead of repeated alerts for the same behavior, we group related signals into a single, meaningful detection.
- Automatic, explainable risk scoring: Detections are prioritized based on severity, rarity, and behavioral context, so you can focus on what matters.
- Behavioral detection rules analysts can tune: See how our detections are built on clear logic, not black-box AI.
- Timelines and relationship graphs: Watch full attack paths unfold in real time, no pivoting between tabs.
- Integrated automation: High-confidence detections trigger playbooks instantly, with no enrichment step required.
Come see the actual product, responding to real-world threats in real time.
The future belongs to entities
Every vendor will say their system is smarter, and every tool will claim to be faster. But at some point, we have to stop optimizing the old model and start building a better one.
Entity-centric detection offers a newer, more modern approach to detection. It reduces noise, connects the dots, and detects threats that actually matter, so analysts can spend more time responding.
Sound interesting? Come see it in action at booth #5812 at Black Hat.