Moving house isn’t usually the metaphor you’d reach for when talking about security logging and detection, but in my recent move, I couldn’t help but draw the parallels.
Packaging, tracking, and discovering the really important items in your environment (as opposed to the clutter), all mirrored the challenges we wrestle with through logging strategies and detection engineering.
This October also happens to be Cyber Security Awareness Month in Australia, and the first week is dedicated to event logging, the foundation of detection (cyber.gov.au). The Australian Signals Directorate (ASD) is highlighting the message that you can’t defend what you can’t see. That message hit home as I verified packing lists, checked labels on boxes, and worried about important items vanishing into the moving abyss, like the keys to the old house.
Because whether you’re building a SOC or unpacking a moving truck, effective logging and visibility is your first line of defence.
In our case, the move wasn't a mere relocation. It was a full-blown merger of two households. Imagine two distinct companies, each with their own control systems (“What? You put glasses upside down in cupboards?”), governance quirks (“bed time is 8:30pm”), and tech stacks (i.e. two fridges, three vacuum cleaners, and several sets of mismatched cutlery). The merger meant deduplication of all the items in the house, aligning standards, and ensuring the integrity of every single item as we moved. We needed to account for every item, whether it was secure, and how quickly we could determine if something went wrong with packing.
All told: seven humans, including five kids, two adults, and one greyhound (plus a healthy sprinkling of neurodiversity to keep things lively), attempted to cohabit for the first time peacefully while not losing the good stuff. Spoiler: we failed, at least temporarily (although the Greyhound loved it).
Logs Everywhere
When you’re moving, every box is a log entry. Some are high-fidelity (“Books – Prescott’s office”) and others are basically garbage collection from the third kitchen drawer (“Stuff”). But like any log collection pipeline, you quickly discover:
- You log too much (do we really need six boxes of tangled USB cables?)
- You log too little (which box did the PS4 cord go in?)
- Your logs are inconsistent (“Toys” means Lego to one adult and soft toys to another).
Just like in detection engineering, the quality of your logs is everything. Garbage in, garbage out.
We thought we had a good system and even hired external consultants to help with the packing and labelling. What we didn’t account for was supply chain issues and interoperability of the standards.
What one thing meant to the hired packers meant something entirely different to the box movers. They had no idea which was bedroom 1, or whether the lounge room was upstairs or downstairs. A good part of the initial stages was just re-moving boxes that ended up in the wrong location or me yelling madly to put a box in the right place while keeping an eye on the time and budget slipping away. And yes, I should have listened more to my partner and got it right in the first place.
Detection Rules in Action
With seven people in the house, detection had to be tuned carefully. Too many alerts and you’re in constant incident response mode (“Mum, I can’t find my toothbrush!”). Too few alerts and the situation escalates until you step on Lego barefoot at 3am.
We found ourselves writing real-time correlation rules on the fly as I stood in the rain directing traffic:
- If box says “Lounge” AND is not heavy → it probably has pillows and goes downstairs.
- If box says “Master” AND is from House #1 → it goes in the blue room
- If child goes quiet for more than 7 minutes → investigate immediately.
- If both adults say “I thought you had it” → initiate full-blown hunt operation.
Like a SOC, we tuned out false positives (every “missing” toy that turned up under the couch) and focused on high-severity alerts (the dog trying to eat bubble wrap).
Incident Response and Forensics
When we couldn't put the lamp where we wanted because there was no power outlet nearby, the incident required lateral thinking to MacGyver a solution. When we unpacked the wifi router and found it missing a power cord, we had to revert to the backup wifi router, you guessed it... located in another box. And like all incidents, our forensics depended on, yep, the logs.
“Did we log which box the power cable went in?”
“No.”
“Well, good luck rebuilding from scratch.”
Threat Hunting and Long-Term Monitoring
The kids developed stealth capabilities during the move. They learned to open boxes faster than we could tape them, destroying the labels and at various points running around with boxes on their heads leaving them in different parts of the house. At one point, a carefully sealed “Office Supplies” box contained a Transformer, two biscuits, and a guinea pig. (OK, I made that one up but this is why detection-in-depth matters.)
We instituted regular sweeps (threat hunts) to track missing items. Sometimes they surfaced (yay, the kid's wallet!). Other times, they disappeared into the great logging abyss like those keys to the old house we were still looking for...
The Closing Takeaway
Weeks later, the house is mostly settled, detection rules are tuned, and logs are gradually being archived, a.k.a. unpacked.
(Well, apart from those boxes in the store room we didn’t unpack after the prior move and probably never will.)
But one thing remains unsolved.
We still haven’t found the old house keys.
Somewhere in the data lake (read: garage), they’re waiting to be surfaced. Until then, they’re the perfect reminder:
- No matter how good your logging strategy is, something critical will go missing.
- Detection and response is an ongoing practice, not a one-off setup.
- And sometimes, the best you can do is laugh, adapt, and hope you don’t get locked out.