The Dark Secret of Enterprise Security Operations: One Missed Threat Per Week
The enterprise security landscape is a complex web of alerts, threats, and defenses. While defenders have traditionally focused on severity-based security operations, a recent report reveals a hidden truth: the practice of not looking has quietly institutionalized a missed threat per week. This article delves into the implications of this finding and why traditional security models are failing to keep pace with evolving threats.
The 1% Problem: One Missed Breach Per Week
The report analyzed 25 million security alerts, including low-severity and informational ones. A staggering 1% of confirmed incidents originated from these seemingly innocuous alerts, rising to 2% on endpoints. Because a traditional SOC or MDR model deprioritizes such alerts, this translates to approximately 54 real threats annually, or one missed breach per week.
These threats are not theoretical; they are real compromises hidden within the low-severity category. The report highlights the limitations of Endpoint Detection and Response (EDR) solutions, revealing that even after remediation, infections can remain active and undetected.
EDR "Mitigation" Unreliable
Of the 82,000 alerts analyzed, 2,600 had active infections, and 51% of those had already been marked as "mitigated" by the EDR vendor. This finding challenges the assumption that EDR remediation can be trusted at face value. Without memory-level forensics, these infections go unnoticed, allowing tools and malware families such as Mimikatz, Cobalt Strike, and StrelaStealer to keep operating undetected.
Phishing Evolves: Beyond Email Gateways
The report also sheds light on the evolving nature of phishing attacks. Less than 6% of confirmed malicious phishing emails contained attachments; most relied on links and persuasive language instead. Attackers are leveraging trusted platforms like Vercel, CodePen, OneDrive, and PayPal's invoicing system to deliver phishing messages, making detection more challenging.
The use of Cloudflare Turnstile CAPTCHA and Google reCAPTCHA further highlights the attackers' ingenuity: mechanisms designed to stop bots are placed in front of phishing content so that automated security scanners, which cannot solve the challenge, never see it. Additionally, the report identifies four new techniques for bypassing email gateways, demonstrating the operational scale of these attacks.
Cloud Telemetry: Long-Term Access and Persistence
Cloud alert data reveals a strategic approach by attackers. The focus is on long-term access and defense evasion tactics, with relatively few high-impact behaviors. Token manipulation, abuse of legitimate cloud features, and obfuscation are employed to remain undetected. AWS misconfigurations, often classified as low severity, compound this risk, providing attackers with a quiet foothold to accelerate their activities.
The Limitations of Traditional SOCs and MDRs
The volume of alerts and the limited capacity of human analysts are significant challenges for traditional Security Operations Centers (SOCs) and Managed Detection and Response (MDR) providers. As telemetry expands across domains, SOCs are pushed toward aggressive triage, automated closures, and trust in severity labels. MDR providers, because their operating model scales with human analysts, are unable to review a significant portion of alerts at all.
The deeper issue lies in the feedback loop. When low-severity alerts are deprioritized, missed threats go uninvestigated, and detection rules remain unchanged. This prevents the system from self-improving, perpetuating the cycle of missed threats.
The Power of Full-Coverage Investigation
The report introduces a different approach: full-coverage investigation. Using Intezer AI SOC, the dataset of 25 million alerts was analyzed with less than 2% of alerts escalated to human analysts, 98% verdict accuracy, and sub-minute triage times. This approach ensures that every alert receives forensic-grade analysis, regardless of its severity label.
The benefits are profound. Early-stage threats are surfaced before they progress, and detection engineering benefits from continuous feedback loops. Human analysts gain higher confidence and engage at the decision-making point, shifting their focus from discovery to critical analysis.
A Continuous Security Posture
The implications of full-coverage investigation extend beyond the technical realm. It empowers organizations to adopt a continuous security posture, where threats are addressed proactively rather than reactively. This approach aligns with the evolving threat landscape, ensuring that security measures keep pace with emerging challenges.
In conclusion, the dark secret of enterprise security operations is revealed: the practice of not looking has led to a missed threat per week. By embracing full-coverage investigation and challenging traditional security models, organizations can fortify their defenses and stay ahead of the ever-evolving threat landscape.