US 7,373,666 B2
Distributed threat management
Christopher G. Kaler, Sammamish, Wash. (US); Giovanni Moises Della-Libera, Seattle, Wash. (US); and John P. Shewchuk, Redmond, Wash. (US)
Assigned to Microsoft Corporation, Redmond, Wash. (US)
Filed on Jul. 01, 2002, as Appl. No. 10/185,008.
Prior Publication US 2004/0003286 A1, Jan. 01, 2004
Int. Cl. G06F 12/00 (2006.01); G06F 7/04 (2006.01); G06F 11/30 (2006.01); H04L 9/32 (2006.01)
U.S. Cl. 726—23  [726/2; 726/3; 726/4; 726/5; 726/6; 726/7; 726/8; 726/25; 726/26; 726/27; 713/187; 713/188; 709/223; 709/224; 709/225] 51 Claims
OG exemplary drawing
 
1. A method for managing a security threat in a distributed system, comprising:
detecting data correlated to suspicious activity in a distributed element of the system;
reporting data correlated to the suspicious activity from a distributed element to a threat management agent configured to achieve a coordinated response to the threat;
determining, by the threat management agent based on an aggregate of data correlated to the suspicious activity in the distributed system, whether an attack is taking place at least at one distributed element identified by the data correlated to the suspicious activity;
deploying a coordinated countermeasure to the attack including a preventive deployment of a countermeasure to at least one distributed element not initially reporting data correlated to suspicious activity, as directed by the threat management agent, based on the attack determination by the threat management agent;
reviewing, by the threat management agent, reports of data correlated to suspicious activity from at least one distributed element of the system;
determining by the threat management agent, based on the reports, whether a pattern characteristic of an attack occurred and predicting when a next attack is likely to occur; and
directing deployment of a coordinated countermeasure to the predicted next attack, in a time window based on when the next attack is predicted to occur, wherein the coordinated countermeasure comprises adjustment of at least one distributed element of the system where the data correlated to suspicious activity was not detected.
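The claim above describes an architecture rather than an implementation: sensors on distributed elements report locally suspicious data to a threat management agent, the agent decides on the aggregate whether an attack is under way, pushes a coordinated countermeasure to every element (including ones that reported nothing), and, once a pattern of waves is visible, schedules an adjustment of the non-reporting elements in a window around the predicted next wave. The Python below is an added illustration of that flow, written for this page; it is not code from the patent or from Microsoft, and the class and method names, the "two distinct elements" attack threshold, the 25% prediction tolerance, the hostnames and the addresses are all assumptions.

```python
"""Added illustration of the distributed threat management flow in claim 1.
All names, thresholds, hostnames and addresses are assumptions, not from
the patent.  Sample reports at the bottom are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Report:
    element: str   # distributed element that observed the activity
    source: str    # suspected attacker address
    t: float       # observation time in seconds
    kind: str      # the element's local classification


@dataclass(frozen=True)
class Countermeasure:
    action: str
    target: str
    not_before: float = 0.0           # deployment window start (0 = now)
    not_after: float = float("inf")   # deployment window end


class ThreatManagementAgent:
    def __init__(self, elements, min_elements=2, wave_gap=60.0):
        self.elements = frozenset(elements)
        self.min_elements = min_elements   # distinct elements needed to call an attack
        self.wave_gap = wave_gap           # seconds separating two distinct waves
        self.reports = []
        self.deployed = defaultdict(list)  # element -> countermeasures pushed to it

    def receive(self, report):
        self.reports.append(report)

    def determine_attacks(self):
        """Aggregate: a source seen by >= min_elements distinct elements is an
        attack; a source seen by only one element is treated as local noise."""
        seen = defaultdict(set)
        for r in self.reports:
            seen[r.source].add(r.element)
        return {src: els for src, els in seen.items() if len(els) >= self.min_elements}

    def _reporting(self, source):
        return {r.element for r in self.reports if r.source == source}

    def deploy_coordinated(self, source):
        """Push a block for the source to every element.  Elements that never
        reported it receive the block preventively; that set is returned."""
        cm = Countermeasure("block", source)
        for e in self.elements:
            self.deployed[e].append(cm)
        return self.elements - self._reporting(source)

    def wave_starts(self, source):
        """Cluster the source's report times into waves; return each wave's start."""
        starts, last = [], None
        for t in sorted(r.t for r in self.reports if r.source == source):
            if last is None or t - last > self.wave_gap:
                starts.append(t)
            last = t
        return starts

    def predict_next_window(self, source, slack=0.25):
        """Predict the next wave from the spacing of past waves.  Returns
        (not_before, not_after), or None when the history is too short or
        too irregular to justify acting on a prediction."""
        starts = self.wave_starts(source)
        if len(starts) < 2:
            return None
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        period = mean(gaps)
        if len(gaps) > 1 and pstdev(gaps) > slack * period:
            return None
        expected = starts[-1] + period
        return (expected - slack * period, expected + slack * period)

    def schedule_preventive(self, source):
        """Adjust only the elements that did NOT report the source, inside
        the window around the predicted next wave."""
        window = self.predict_next_window(source)
        if window is None:
            return None
        cm = Countermeasure("rate_limit", source, *window)
        for e in self.elements - self._reporting(source):
            self.deployed[e].append(cm)
        return cm


# Constructed sample input: three scan waves from one source, 600 s apart,
# seen by two of four elements, plus one failed login seen by a single element.
SAMPLE_REPORTS = [
    Report("web1", "203.0.113.5", 100.0, "port_scan"),
    Report("web2", "203.0.113.5", 101.5, "port_scan"),
    Report("web1", "198.51.100.9", 130.0, "failed_login"),
    Report("web1", "203.0.113.5", 700.0, "port_scan"),
    Report("web2", "203.0.113.5", 703.0, "port_scan"),
    Report("web2", "203.0.113.5", 1300.0, "port_scan"),
    Report("web1", "203.0.113.5", 1302.0, "port_scan"),
]


def run_scenario():
    agent = ThreatManagementAgent(["web1", "web2", "db1", "mail1"])
    for r in SAMPLE_REPORTS:
        agent.receive(r)
    attacks = agent.determine_attacks()
    preventive = {src: agent.deploy_coordinated(src) for src in attacks}
    scheduled = {src: agent.schedule_preventive(src) for src in attacks}
    return attacks, preventive, scheduled, agent


if __name__ == "__main__":
    attacks, preventive, scheduled, agent = run_scenario()
    for src in attacks:
        print(src, "seen by", sorted(attacks[src]), "; preventive block on", sorted(preventive[src]))
        print("next wave window:", scheduled[src])
```

Two points the code makes explicit that the claim leaves abstract: the attack decision is taken on the aggregate (one noisy host never triggers a system-wide block), and the prediction is refused when past waves are not regular enough, since deploying a countermeasure in a predicted window is itself a change to the system that an attacker could try to provoke with a few well-timed probes.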