When Two Rights Make a Wrong

Two valid security events combining to expose a hidden compromise

The indispensable value of correlation.

Foreword

This piece was written to address a sentiment I’ve encountered often — usually from well-meaning professionals who ask, “If we’ve already invested in top-tier firewalls, DLPs, and other controls, why do we need a SIEM too? Was that money wasted?” The answer is an emphatic no. You haven’t misinvested; you’re simply one step away from unlocking the full potential of those tools.

This post is meant to be a bridge — especially for security managers, budget owners, and even early-career practitioners — to understand how correlation platforms like SIEMs elevate your existing stack rather than replace it.

A Scenario in Two Acts

Consider this simple real-world scenario. A user successfully logs into the corporate environment via VPN. The credentials are valid, and the time and source IP match expectations. So far, so good. Meanwhile, a building access system reports that the same user’s badge was just used to enter the office premises. Again, this appears benign. The employee showed up to work and authenticated at the door.

Both events, when observed independently, are examples of systems working correctly. When the same events are correlated — seen side by side, in light of each other — the story changes entirely.

A person cannot be in two places at once. Unless, of course, one of those accesses wasn’t actually by that person.

Credential compromise, insider threat, badge cloning — whatever the root cause, only by connecting these dots can you begin to identify what is really happening, or, for that matter, realize that something is amiss.
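
The scenario above expressed as a correlation rule, as an added example (not code from this post or from any SIEM product). The events are constructed, and the field names, the 30-minute window and the office egress range are assumptions; it matches on VPN login time only, not on session duration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(minutes=30)                # assumption: shortest plausible trip to the office
OFFICE_EGRESS = [ip_network("192.0.2.0/24")]  # assumption: office NAT range (documentation prefix)

# Constructed sample events; field names are hypothetical, not from any product.
VPN_LOGINS = [
    {"user": "asmith", "time": "2024-05-06T09:02:11", "src_ip": "203.0.113.45", "result": "success"},
    {"user": "bjones", "time": "2024-05-06T09:05:40", "src_ip": "198.51.100.7", "result": "success"},
    {"user": "cdoe",   "time": "2024-05-06T07:00:00", "src_ip": "198.51.100.9", "result": "success"},
    {"user": "dlee",   "time": "2024-05-06T09:15:00", "src_ip": "192.0.2.20",   "result": "success"},
]
BADGE_SWIPES = [
    {"user": "asmith", "time": "2024-05-06T09:10:03", "door": "HQ-LOBBY", "result": "granted"},
    {"user": "cdoe",   "time": "2024-05-06T12:30:00", "door": "HQ-LOBBY", "result": "granted"},
    {"user": "dlee",   "time": "2024-05-06T09:05:00", "door": "HQ-LOBBY", "result": "granted"},
]

def is_remote(ip):
    """A VPN login sourced from the office itself does not contradict a badge swipe."""
    return not any(ip_address(ip) in net for net in OFFICE_EGRESS)

def correlate(vpn_logins, badge_swipes, window=WINDOW):
    """Return (user, vpn_event, badge_event) for every pair that puts one
    identity off-site and on-site within `window` of each other."""
    swipes = {}
    for b in badge_swipes:
        if b["result"] == "granted":
            swipes.setdefault(b["user"], []).append(b)
    alerts = []
    for v in vpn_logins:
        if v["result"] != "success" or not is_remote(v["src_ip"]):
            continue
        t_vpn = datetime.fromisoformat(v["time"])
        for b in swipes.get(v["user"], []):
            if abs(datetime.fromisoformat(b["time"]) - t_vpn) <= window:
                alerts.append((v["user"], v, b))
    return alerts

if __name__ == "__main__":
    for user, v, b in correlate(VPN_LOGINS, BADGE_SWIPES):
        print(f"ALERT {user}: VPN from {v['src_ip']} at {v['time']}, "
              f"badge at {b['door']} at {b['time']}")
```

Only `asmith` alerts here: `cdoe` had hours to travel between the two events, and `dlee` connected to the VPN from inside the office, so neither pair is a contradiction.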

What Correlation Actually Unlocks

And that is one of the many true powers of a SIEM: juxtaposing the “rights” to discover the “wrong.”

Correlation doesn’t just amplify the value of your SIEM — when leveraged correctly, it elevates the ROI of every log-producing system feeding into it. Badge readers, VPN gateways, endpoint agents — each becomes a puzzle piece that, when fit together, constructs the real picture.