When news broke of the UNC3886 intrusion into Singapore's government infrastructure, it looked on the surface like just another attack in an already noisy threat landscape. But the scale of the response, more than 100 cyber defenders across six agencies over 11 months, says a great deal about how modern defence is evolving, and why visibility and telemetry are becoming the backbone of future security architectures.
Speaking to Enterprise IT News, Gigamon Security CTO Ian Farquhar said Singapore’s mobilisation of more than 100 cyber defenders across six government agencies over 11 months was, in fact, a sign of efficiency rather than weakness.
“Given the sophistication of the tactics, techniques and procedures that UNC3886 is documented as using, they did a pretty good job with that level of resourcing and scale,” he said.
For Ian, the episode also highlights a systemic gap in security architectures.
“You can’t defend what you can’t see,” he stressed. “Most enterprise network architectures, be that physical, container, cloud, virtual, do not have strong, inbuilt visibility mechanisms. They’re designed to get data from one system to another, not to allow security to look at that data.”
He warns that attackers are increasingly bypassing traditional telemetry sources such as endpoint detection and response (EDR) and logs by targeting the network infrastructure itself.
“Why did Salt Typhoon go for the network devices? Because they don’t run EDR, and once you compromise the device, you can turn off logging. So you have completely taken out visibility,” he said, referring to another Chinese‑nexus actor that has compromised telecommunications providers worldwide.
Telemetry and institutional memory
To close those gaps, Ian argued that organisations must adopt “deep observability” – generating rich telemetry from the network layer itself, independent of agents running on endpoints.
“What deep observability is, is to take the traffic flowing around the networks… it’s generated outside of the workloads themselves. It’s not agent-based,” he explained. “If you are looking at it from the network, [attackers] were noisy in the most ridiculous way. That just demonstrates, what does visibility mean if you can’t see the primary mechanism your attack is travelling across?”
This visibility then feeds into large‑scale data lakes, which he describes as essential “institutional memory” for cyber defence. Telemetry from logs, EDR and network observability is ingested and retained for one to two years or more.
“This data lake is to be not only our source of visibility, but our source of historical context,” Ian said. “If I find I have an attacker in my environment, the first question I want to ask is, how did they get in and when did they get in? And the second question is, what did they do between now and then?”
Once telemetry is in the data lake, threat feeds can be used to match known attacker techniques, while artificial intelligence and large language models mine for anomalies.
“We use AI to mine that database for things that look atypical, that look weird, that look unusual,” he said. “This turns out to be something that AI does extraordinarily well, much, much better than humans can.”
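The two uses of retained telemetry described above, network-layer records that survive an attacker switching off a device's own logging, and a data lake that can answer "when did they get in" and "what did they do since", can be sketched in a few dozen lines. The following is an added example written for this article, not Gigamon's code and not anything shown in the interview. It loads constructed syslog heartbeats and flow records into an in-memory SQLite table standing in for the data lake; device names, the TEST-NET addresses and the single threat-feed indicator are all made up. The first query flags a device whose syslog has gone dark while the network tap still sees it sending traffic; the second matches flows against the indicator list, finds the earliest contact and lists everything the touched device did afterwards.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Two routers normally emit a
# syslog heartbeat every 5 minutes; an out-of-band tap records their flows.
T0 = datetime(2024, 1, 1, 0, 0, 0)


def ts(minutes):
    """ISO-8601 timestamp `minutes` after T0 (lexicographic order == time order)."""
    return (T0 + timedelta(minutes=minutes)).isoformat()


SYSLOG = [
    *[("rtr-edge-1", ts(m)) for m in range(0, 120, 5)],
    *[("rtr-edge-2", ts(m)) for m in range(0, 40, 5)],  # goes silent at minute 40
]

FLOWS = [
    # (time, src, dst, dst_port, bytes) as a tap would see them
    (ts(10), "rtr-edge-1", "10.0.5.20", 443, 1200),
    (ts(35), "203.0.113.9", "rtr-edge-2", 22, 5400),     # first contact from indicator
    (ts(45), "rtr-edge-2", "203.0.113.9", 443, 90000),   # after logging stopped
    (ts(60), "rtr-edge-2", "10.0.5.30", 445, 15000),     # lateral movement
    (ts(70), "rtr-edge-2", "10.0.5.31", 445, 16000),
    (ts(90), "rtr-edge-1", "10.0.5.20", 443, 800),
]

THREAT_FEED = {"203.0.113.9"}  # constructed indicator (TEST-NET-3 address)


def build_lake():
    """Stand-in for the data lake: both telemetry sources in one SQLite database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE syslog (device TEXT, t TEXT);
        CREATE TABLE flows  (t TEXT, src TEXT, dst TEXT, dport INTEGER, bytes INTEGER);
    """)
    db.executemany("INSERT INTO syslog VALUES (?, ?)", SYSLOG)
    db.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?)", FLOWS)
    return db


def silent_but_talking(db, gap_minutes=15):
    """Devices whose newest syslog entry is more than gap_minutes older than the
    newest flow they sent: the log source went dark but the network still sees
    the device. Returns {device: (last_log, last_flow)}."""
    rows = db.execute("""
        SELECT s.device, MAX(s.t), MAX(f.t)
        FROM syslog s JOIN flows f ON f.src = s.device
        GROUP BY s.device
    """).fetchall()
    flagged = {}
    for device, last_log, last_flow in rows:
        gap = datetime.fromisoformat(last_flow) - datetime.fromisoformat(last_log)
        if gap > timedelta(minutes=gap_minutes):
            flagged[device] = (last_log, last_flow)
    return flagged


def intrusion_timeline(db, indicators):
    """Match flows against a threat feed. Returns the earliest contact with any
    indicator (how and when they got in) and every flow involving the touched
    device from that moment on (what they did), or None if nothing matched."""
    ind = sorted(indicators)
    if not ind:
        return None
    marks = ",".join("?" * len(ind))
    row = db.execute(
        f"SELECT t, src, dst FROM flows WHERE src IN ({marks}) OR dst IN ({marks}) "
        f"ORDER BY t LIMIT 1", ind + ind).fetchone()
    if row is None:
        return None
    t_in, src, dst = row
    hit_is_src = src in indicators
    victim = dst if hit_is_src else src
    activity = db.execute(
        "SELECT t, src, dst, dport, bytes FROM flows "
        "WHERE (src = ? OR dst = ?) AND t >= ? ORDER BY t",
        (victim, victim, t_in)).fetchall()
    return {"entry_time": t_in, "entry_indicator": src if hit_is_src else dst,
            "victim": victim, "activity": activity}


if __name__ == "__main__":
    lake = build_lake()
    print("logging dark but still on the wire:", silent_but_talking(lake))
    print("timeline:", intrusion_timeline(lake, THREAT_FEED))
```

Real network metadata is far richer than a five-tuple (DNS names, TLS server names, application protocol), and a production lake would be columnar rather than SQLite, but the mechanism is the point: the flow source lives outside the device, so it keeps reporting after an intruder has switched the device's own logging off, and the retained history lets the analyst work backwards from the first indicator match instead of guessing.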
Gigamon’s role
Gigamon’s role in this equation is to generate and deliver high‑fidelity network metadata from complex, hybrid infrastructures – spanning high‑speed physical networks, containers, multiple public clouds and virtualised environments – into whichever data lake platform customers choose.
“Customers will choose the data lake based on their best needs… We don’t care. We are going to provide them a standardised interface for generating that high‑fidelity, application‑aware network metadata,” Ian said.
He believes this interoperable, data‑driven model will increasingly extend to the national level, especially in regions like Southeast Asia, where governments are grappling with cross‑border scams and state‑linked actors.
“I think we’re even going to see countries, particularly in Southeast Asia, set up data lakes and just do analysis of traffic entering and leaving the country,” he said, while acknowledging the need to balance this against privacy and data sovereignty concerns.
Make attacks costly
Ultimately, the goal is to change the economics of cyber crime.
“If the cost of an unsuccessful attack is almost zero, they’re just going to keep doing it,” Ian said. “What defenders need to do is to drive up the cost of an unsuccessful attack. Make it difficult. Make it costly.”
In that effort, he insisted, visibility is no longer optional: “We need to assume compromise. That means multiple forms of telemetry, deep observability and a data lake that lets you actually remember what happened. Otherwise, you are defending with a blindfold on.”
