LmCast :: Stay tuned in

How We Ditched the SaaS Status Quo for Time-Series Telemetry

Recorded: Nov. 19, 2025, 5:03 p.m.


Free the logs! Behind the scenes at InfluxData, which turned to its own in-house security monitoring platform, DiSCO, to protect its supply chain after its third-party tool was breached.

Peter Albert, CISO at InfluxData
November 18, 2025
4 Min Read

Four years ago, a security incident sent our engineering team on a new course: After the scramble of gathering logs and getting more frustrated with the limited visibility that comes with software-as-a-service applications (SaaS), we ultimately took security observability into our own hands. During this journey, time-series telemetry kept proving its value over and over — to the point that our engineers decided to use the telemetry to power our in-house security monitoring platform, DiSCO.

With the right data, the right structure, and the right engine, time-series telemetry can form the foundation of a powerful security monitoring system — one capable of cutting through the opacity of third-party SaaS and cloud services. DiSCO, or Digital Supply Chain Observability, is an ongoing project for InfluxData's security team as we explore how to use time-series data for security monitoring and alerting. Here's how DiSCO was born.

A Lesson in Blind Spots

In 2021, one of our engineers integrated a third-party tool, Codecov, into our build pipeline. Because it was a no-cost service, it flew under the radar of legal and security reviews. Later that year, Codecov was breached, and it was one of its customers that identified the incident. By the time we found out, it had been four months since the breach occurred.

If my credit card is used fraudulently, I get notified within minutes. So why can't SaaS providers flag anomalous access from unfamiliar IPs or strange locations? This incident highlighted one of the biggest security concerns we had already been working to resolve around SaaS: How do we secure a supply chain that we can't observe?

The brutal truth is that most SaaS providers either don't offer audit logs or lock the logs behind premium licensing walls. These account types are often three times the cost of a base plan and designed for teams with thousands of users. We use several SaaS applications, and paying for the premium tier for each one just doesn't work for us. Besides, we weren't asking for much. All we wanted to know was: Who is using the service we already pay for? Free the logs!

How DiSCO Uses the Logs

It took months (and, in some cases, years) of negotiation, but we finally gained access to audit logs for a few critical SaaS applications without blowing the budget. But obtaining the data was only step one. Now we needed to do something with it.

A full security information and event monitoring (SIEM) system to process those logs would have been overkill because we didn't have the headcount or the time to deploy and manage it properly. However, we did have access to our own time-series database, InfluxDB. While InfluxDB was initially designed for high-precision metrics collection, it wasn't that difficult to extract the critical data elements out of log files and load them into the platform. We could then visualize rudimentary trends, such as failed and successful login attempts.

And that is what DiSCO lets us do: to collect, aggregate, and analyze audit logs in near real-time across our SaaS and cloud systems.
DiSCO collectors pull raw audit log data from each SaaS provider and pass the files to our open source collection agent, Telegraf, which buffers and writes out the data to InfluxDB with structured tags, time stamps, and context. Our inference engine — DiSCO Inferno — compares real-time events against a growing knowledge base of expected behavior modeled from employee usage of our corporate SaaS portfolio, including usual locations, typical login times, and known IP addresses. To address privacy concerns, DiSCO replaces usernames with randomly generated universally unique identifiers (UUIDs) before any processing, such as anomaly detection or alerting, occurs. Alerts are routed to Slack, PagerDuty, and email, while Grafana handles visualization. And because DiSCO runs on our time-series platform, we can replay historical data whenever we enhance our parsing or expand the knowledge base, enabling forensic depth on par with many commercial SIEMs without the cost or overhead.

What DiSCO Lets Us See

Leveraging the time-series engine, DiSCO provides visibility into potentially significant events, including:

- Login or API access from unusual geographical locations.
- Unusual volumes of data pulled by service accounts.
- "Impossible travel" logins from two distinct locations within minutes.
- Cross-SaaS correlations, i.e., activity on one platform from one location, followed immediately by access to another from a different geo.
- Access outside expected working hours or location patterns.
- Frequency-based anomaly detection and outlier usage.
- Historical replay for forensics, independent of third-party retention policies.

DiSCO is providing us visibility into how our systems are being accessed and surfacing behaviors we would have otherwise missed.
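
The sketch below is an added example, not InfluxData's DiSCO code: it replaces usernames with random UUIDs before any analysis, renders an event as InfluxDB line protocol, and flags "impossible travel" across two SaaS apps. The sample events, the `saas_login` measurement name, and the 900 km/h threshold are assumptions made for illustration.

```python
import math
import uuid
from datetime import datetime

# Constructed sample audit events (not real logs): time, SaaS app, user, lat, lon
EVENTS = [
    ("2025-11-18T09:00:00+00:00", "github", "alice", 37.77, -122.42),  # San Francisco
    ("2025-11-18T09:07:00+00:00", "slack", "alice", 51.51, -0.13),     # London, 7 min later
    ("2025-11-18T09:10:00+00:00", "github", "bob", 40.71, -74.01),     # New York
    ("2025-11-18T17:30:00+00:00", "slack", "bob", 42.36, -71.06),      # Boston, same day
]
MAX_KMH = 900.0   # assumed threshold, roughly airliner cruising speed
_pseudonyms = {}  # username -> random UUID

def pseudonymize(username):
    """Swap a username for a random UUID that stays stable across events."""
    return _pseudonyms.setdefault(username, str(uuid.uuid4()))

def to_line_protocol(t, app, user, lat, lon):
    """Render one event as InfluxDB line protocol; 'saas_login' is a made-up name."""
    ns = int(datetime.fromisoformat(t).timestamp()) * 10**9
    return f"saas_login,app={app},user={pseudonymize(user)} lat={lat},lon={lon} {ns}"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive events of one user whose implied speed exceeds max_kmh."""
    # Pseudonymize before anything else, so detection never sees a raw username.
    rows = sorted((datetime.fromisoformat(t), app, pseudonymize(u), lat, lon)
                  for t, app, u, lat, lon in events)
    last, alerts = {}, []
    for ts, app, uid, lat, lon in rows:
        if uid in last:
            pts, papp, plat, plon = last[uid]
            km = haversine_km(plat, plon, lat, lon)
            hours = max((ts - pts).total_seconds(), 1) / 3600  # floor at 1 s
            if km / hours > max_kmh:
                alerts.append({"user": uid, "from_app": papp, "to_app": app,
                               "km": round(km), "minutes": round(hours * 60)})
        last[uid] = (ts, app, lat, lon)
    return alerts

if __name__ == "__main__":
    print(to_line_protocol(*EVENTS[0]))
    print(impossible_travel(EVENTS))
```

Because the previous event is tracked per pseudonym rather than per application, the same pass also covers the cross-SaaS case: the flagged pair here starts on one app and lands on another.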

While I wish the process hadn't started with one of my worst security nightmares coming to fruition, proving the value of time-series was a pretty good result — not to mention my pride in leading a team that transformed resolving a critical problem into innovation.

About the Author

Peter Albert, CISO at InfluxData

As the Chief Information Security Officer (CISO) at InfluxData, Peter Albert is responsible for ensuring the security of InfluxData's information systems and services. With more than 30 years of experience in the security, technology, and telecommunications industries, Peter brings tremendous technical leadership and operational expertise to the company.

Prior to joining InfluxData, Peter spent 3 years at IOActive, a premier, boutique security consultancy, where he advised various Global 1000 companies on their security program. Before that, he was responsible for managing global operations and expansion of the QualysGuard global SaaS infrastructure, overseeing its worldwide security operation centers (SOCs). He has also held various leadership positions in architecture, engineering, and operations with iPass Inc. and General Magic.

Having grown up in Silicon Valley, Peter joined his first start-up at age 16 managing databases.

Copyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget.

How We Switched to Time-Series Telemetry for SaaS Apps

InfluxData’s Chief Information Security Officer (CISO), Peter Albert, recounts the pivotal moment that led to the company’s shift from relying on Software-as-a-Service (SaaS) security monitoring to building its own time-series telemetry-based solution, DiSCO. The story begins with a breach involving a third-party tool, Codecov, highlighting the significant blind spots inherent in traditional SaaS offerings. Initially, the engineering team struggled with the fragmented and often inaccessible log data provided by these services, leading to prolonged investigations and a lack of real-time visibility.

The core issue identified by Albert was the lack of audit logs or the restrictive access control surrounding them within many SaaS environments. Premium log access, required to observe activity, carried a substantial cost – often three times the price of a basic plan – and was frequently unavailable to smaller organizations. This created a significant security challenge: how to monitor a supply chain where observing usage was difficult or impossible. The team realized they were essentially flying blind, reliant on the transparency of third-party providers.

To address this, InfluxData leveraged its existing time-series database, InfluxDB, initially designed for monitoring metrics. They repurposed this technology to extract and analyze the raw audit logs from their SaaS applications. This led to the creation of DiSCO (Digital Supply Chain Observability), a system designed to collect, aggregate, and analyze logs in near real-time.

DiSCO utilizes a collector that pulls raw audit data from various SaaS providers and transmits it to a central agent, Telegraf, which then structures and writes the data to InfluxDB. The system employs an inference engine, DiSCO Inferno, which compares real-time events against a dynamic knowledge base. This knowledge base, built from observed employee usage patterns – including location, login times, and IP addresses – is constantly evolving. Crucially, to protect user privacy, DiSCO replaces usernames with universally unique identifiers (UUIDs) before any analysis occurs. Alerts are generated and routed via Slack, PagerDuty, and email, while Grafana provides visualization capabilities.

The resulting system offers considerable benefits. It enables the detection of anomalous events, such as logins from unusual geographical locations, deviations from established usage patterns (like “impossible travel” logins), and cross-SaaS correlations. DiSCO’s implementation allows for historical data replay, effectively broadening forensic capabilities, mirroring the depth offered by commercial SIEM solutions without the associated costs and overhead.

Ultimately, the transition to time-series telemetry wasn’t just about fixing a security problem; it was a strategic decision driven by the limitations of the SaaS landscape and InfluxData’s technical capabilities. The story underlines the importance of proactive security observability and the potential of time-series data to provide deeper insights and control over a complex, distributed ecosystem of SaaS applications.