Understanding Security Gaps in Enterprises
A recent analysis of over 25 million security alerts has highlighted significant gaps in enterprise security operations, revealing that many low-severity threats are often overlooked. This study examined a vast dataset, including inputs from 10 million monitored endpoints and identities, 82,000 forensic investigations, and telemetry from millions of IP addresses and domains.
The findings suggest that attackers are systematically exploiting these gaps, capitalizing on the tendency of security teams to deprioritize low-severity alerts. This pattern underscores the need for a comprehensive look at all alert categories to mitigate potential breaches.
Impact of Ignored Low-Severity Alerts
One of the key insights from the analysis is that nearly 1% of confirmed incidents originated from alerts initially deemed low-severity or informational; on endpoints the figure was close to 2%. For a large organization, these percentages translate to roughly 54 significant threats a year that go uninvestigated under traditional Security Operations Center (SOC) or Managed Detection and Response (MDR) triage models.
This is not a detection failure but a consequence of the economics of triage: investigating every low-priority alert is too expensive, so real threats stay hidden in the category that is routinely downplayed.
Challenges with Endpoint Detection and Response
Endpoint Detection and Response (EDR) tools, often treated as a reliable backstop, did not fare well in the report. Of 82,000 alerts followed up with forensic memory scans, 2,600 revealed active infections, and half of those had already been marked as ‘mitigated’ by the EDR vendor. The gap between ‘mitigated’ and ‘still running in memory’ is the case for memory-level forensic analysis: it surfaces threats that the EDR verdict alone hides.
Tooling such as Mimikatz (credential dumping) and Cobalt Strike (post-exploitation beacons) was prevalent in these scans, which points to ongoing criminal operations rather than isolated incidents. Relying on EDR verdicts without deeper forensic capability can therefore leave significant compromises unnoticed.
Phishing Tactics and Cloud Security Risks
The report also notes a shift in phishing tactics: attackers increasingly deliver lures through trusted platforms such as PayPal and OneDrive, whose reputation helps the message pass email security filters. Fewer than 6% of phishing emails carried an attachment; the rest relied on links and trusted infrastructure.
Cloud telemetry showed the same emphasis on evading detection through stealthy tactics. AWS misconfigurations, particularly around S3, were common, yet were often classified as low-severity, leaving enterprises exposed to long-term risk.
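The link-based, attachment-free pattern described above is easy to score at the mail gateway or in the SOC. The following is an added example, not code from the Intezer report: it parses an inbound message with Python's standard `email` module, counts attachments, pulls every anchor out of the HTML body (and bare URLs out of the text body), and flags links that ride on legitimate sharing or payment platforms as well as anchors whose visible text shows one domain while the href goes to another. The platform list and the sample message are constructed for illustration.

```python
"""Added example (not from the report): triage a message for the
link-on-trusted-platform, no-attachment phishing pattern."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Legitimate services whose sharing/payment links routinely carry phishing lures.
# Illustrative list only; extend it from your own telemetry.
ABUSED_PLATFORM_HOSTS = {
    "paypal.com", "1drv.ms", "onedrive.live.com", "sharepoint.com",
    "docs.google.com", "drive.google.com",
}


def _on_abused_platform(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ABUSED_PLATFORM_HOSTS)


def _registered_domain(host):
    """Crude eTLD+1 (last two labels); use a public-suffix library in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(msg):
    """Anchors from HTML parts, bare URLs from text parts."""
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            links.extend(collector.links)
        elif ctype == "text/plain":
            links.extend((t, t) for t in part.get_content().split()
                         if t.startswith(("http://", "https://")))
    return links


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    indicators = []
    for href, text in extract_links(msg):
        host = urlsplit(href).hostname or ""
        if _on_abused_platform(host):
            indicators.append(f"link hosted on trusted platform {host}")
        # Visible text that is itself a URL for a different domain is a classic lure.
        if text.startswith(("http://", "https://")):
            shown = _registered_domain(urlsplit(text).hostname or "")
            actual = _registered_domain(host)
            if shown != actual:
                indicators.append(f"anchor text shows {shown}, href goes to {actual}")
    indicators = list(dict.fromkeys(indicators))  # drop duplicates, keep order
    if indicators and not attachments:
        verdict = "suspicious: link-based lure, no attachment"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "no link indicators"
    return {"attachments": attachments, "indicators": indicators, "verdict": verdict}


# Constructed sample message (no real addresses or share links).
SAMPLE = """\
From: "Accounts Payable" <ap@vendor-invoices.example>
To: finance@corp.example
Subject: Invoice 4471 shared with you
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is ready: https://1drv.ms/u/s!example-share-id

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is ready for review.</p>
<p><a href="https://1drv.ms/u/s!example-share-id">Open in OneDrive</a></p>
<p><a href="https://login.corp-sso.example/auth">https://www.paypal.com/signin</a></p>
</body></html>
--b1--
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["verdict"])
    for ind in result["indicators"]:
        print(" -", ind)
```

On the sample the verdict is "suspicious: link-based lure, no attachment", with one indicator for the OneDrive short link and one for the anchor whose text shows paypal.com while the href goes to corp-sso.example. The platform hit alone is not proof of phishing (the same links carry legitimate invoices), which is exactly why a rule like this should raise the alert for investigation rather than be filed as informational.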
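A public S3 bucket is one of the misconfigurations that tends to be filed as low-severity. The following is an added example, not code from the report: it rates a bucket's exposure from its policy and ACL in the shapes the `GetBucketPolicy` and `GetBucketAcl` APIs return, distinguishes an unconditional wildcard principal from one narrowed by a `Condition`, treats public write as worse than public read, and accounts for Block Public Access, which neutralises public grants when all four of its settings are on. The sample policies and ACL are constructed; nothing is fetched from AWS.

```python
"""Added example (not from the report): classify S3 bucket exposure so that
a world-readable or world-writable bucket is not triaged as low-severity."""

# Grantee group URIs that make an ACL grant public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
WRITE_ACTIONS = {"s3:*", "s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy", "s3:PutBucketAcl"}
READ_ACTIONS = {"s3:*", "s3:GetObject", "s3:ListBucket"}
RANK = {"none": 0, "info": 1, "medium": 2, "high": 3, "critical": 4}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal):
    """'Principal': '*' and {'AWS': '*'} both mean everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def policy_findings(policy):
    """Yield (severity, reason) for Allow statements open to a wildcard principal.
    A Condition block (aws:SourceVpce, aws:SourceIp, ...) may narrow the audience,
    so conditional statements are flagged for review rather than called public."""
    for st in _as_list((policy or {}).get("Statement", [])):
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        actions = set(_as_list(st.get("Action", [])))
        sid = st.get("Sid", "<no Sid>")
        if "Condition" in st:
            yield "medium", f"policy {sid}: wildcard principal limited by Condition; verify it"
        elif actions & WRITE_ACTIONS:
            yield "critical", f"policy {sid}: unauthenticated write {sorted(actions & WRITE_ACTIONS)}"
        elif actions & READ_ACTIONS:
            yield "high", f"policy {sid}: unauthenticated read {sorted(actions & READ_ACTIONS)}"


def acl_findings(acl):
    for grant in (acl or {}).get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri not in PUBLIC_GRANTEES:
            continue
        perm = grant.get("Permission", "")
        sev = "critical" if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL") else "high"
        yield sev, f"ACL grants {perm} to {PUBLIC_GRANTEES[uri]}"


def assess_bucket(policy=None, acl=None, block_public_access=False):
    """Return (severity, reasons). With all four Block Public Access settings on,
    public ACLs are ignored and public policies are blocked, so the finding is
    reported as informational rather than as an exposure."""
    findings = list(policy_findings(policy)) + list(acl_findings(acl))
    if not findings:
        return "none", []
    if block_public_access:
        return "info", ["Block Public Access is on; public grants are ineffective: "
                        + "; ".join(r for _, r in findings)]
    worst = max(findings, key=lambda f: RANK[f[0]])[0]
    return worst, [r for _, r in findings]


# Constructed sample inputs (not real buckets or VPC endpoints).
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}],
}
VPC_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-internal/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}],
}
WORLD_WRITE_ACL = {
    "Grants": [{"Grantee": {"Type": "Group",
                            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "WRITE"}],
}

if __name__ == "__main__":
    cases = [("assets", {"policy": PUBLIC_READ_POLICY}),
             ("internal", {"policy": VPC_ONLY_POLICY}),
             ("uploads", {"acl": WORLD_WRITE_ACL}),
             ("uploads+BPA", {"acl": WORLD_WRITE_ACL, "block_public_access": True})]
    for label, kwargs in cases:
        sev, reasons = assess_bucket(**kwargs)
        print(f"{label:12} {sev:8} {'; '.join(reasons)}")
```

The ranking is deliberate: unauthenticated write (the `uploads` case) outranks unauthenticated read, a wildcard principal behind a `Condition` is a review item rather than an exposure, and the same ACL behind Block Public Access drops to informational. Feeding real `GetBucketPolicy` and `GetBucketAcl` output into `assess_bucket` is the only integration step; the point is that "public S3 bucket" should arrive in the queue as high or critical, not as the low-severity alert the report found it to be.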
Closing these gaps requires a change in how security operations are run. Intezer reports that its AI SOC, by investigating every alert with AI support rather than only the high-severity ones, significantly improves detection and response.
For the full analysis, see Intezer's 2026 AI SOC Report, which offers further findings and recommendations for strengthening enterprise security postures.
