
New analysis of alerts across endpoint, cloud, identity, network, and phishing telemetry finds that nearly one percent of confirmed incidents originated from alerts initially labeled as low-severity. At endpoints, that figure rose to almost two percent.
While those percentages may seem low, they mean that for a typical enterprise generating hundreds of thousands of alerts annually, this can translate into approximately 50 real threats and potential cyber breaches per year that are likely never investigated.
The research from AI SOC platform Intezer is based on analysis of more than 25 million security alerts across live enterprise environments. It shows that what most organizations view as ‘acceptable risk’ is no longer justified in an era in which AI-driven forensic analysis can operate at enterprise scale.
“Security teams have normalized the idea that some risk must be accepted because it is impossible to investigate everything,” says Itai Tevet, CEO and co-founder of Intezer. “Our research shows that this acceptance is increasingly misaligned with how modern attacks unfold. When genuine threats consistently emerge from alerts we have trained ourselves to ignore, the definition of acceptable risk needs to be reexamined.”
Among the findings, over half of all endpoint alerts were not automatically mitigated by the endpoint protection solution. Of these non-mitigated alerts, almost nine percent were confirmed as malicious. Additionally, 1.6 percent of alerts that underwent live forensic endpoint scanning were found to involve active compromise even though endpoint security tools indicated the threat had been mitigated.
The report also shows that phishing has evolved from attachments to browsers and trusted platforms. Fewer than six percent of malicious phishing emails contained attachments. Most relied on links, language, and abuse of legitimate services such as code sandboxes, cloud file sharing, and CAPTCHA mechanisms to evade detection.
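The finding above is that attachment-centric phishing triage misses most of what now arrives: link-only mail that leans on urgency wording and on links to services a company already trusts. The following Python script is an added illustration of a triage rule built around that observation; it is not code from Intezer or from the report. It parses two constructed RFC 822 messages with the standard `email` module, records whether an attachment is present, extracts link hosts, and matches them against a watchlist. The watchlist hosts (all in the reserved `.test` domain) and the urgency word list are placeholders standing in for the service categories the report names (code sandboxes, cloud file sharing, CAPTCHA gates); a real deployment would substitute the hosts it actually sees abused.

```python
"""Link-based phishing triage over constructed sample emails (added example)."""
import re
from email import message_from_string
from email.message import Message

# Placeholder watchlist: hosts in the reserved .test TLD stand in for legitimate
# services the report says are abused. Values are the category the report names.
WATCHED_HOSTS = {
    "share.cloudfiles.test": "cloud file sharing",
    "run.codesandbox.test": "code sandbox",
    "verify.captcha-gate.test": "CAPTCHA gate",
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)\S*")
# Assumed urgency vocabulary; tune to the organisation's own phishing corpus.
URGENCY_RE = re.compile(r"\b(urgent|immediately|verify|suspended|expire)\b", re.I)


def text_parts(msg: Message) -> list[str]:
    """Return decoded text/plain and text/html bodies of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return parts


def has_attachment(msg: Message) -> bool:
    """True if any MIME part is declared as an attachment."""
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def link_hosts(msg: Message) -> list[str]:
    """Lower-cased hostnames of every http(s) URL found in the message bodies."""
    return [m.group(1).lower() for body in text_parts(msg) for m in URL_RE.finditer(body)]


def triage(raw: str) -> dict:
    """Score one raw message; 'investigate' if any link-based or language signal fires."""
    msg = message_from_string(raw)
    hosts = link_hosts(msg)
    reasons = [f"link to {WATCHED_HOSTS[h]} host {h}" for h in hosts if h in WATCHED_HOSTS]
    searchable = " ".join([msg.get("Subject", "")] + text_parts(msg))
    if URGENCY_RE.search(searchable):
        reasons.append("urgency language")
    return {
        "subject": msg.get("Subject", ""),
        "attachment": has_attachment(msg),
        "links": hosts,
        "reasons": reasons,
        "verdict": "investigate" if reasons else "clean",
    }


# Constructed sample: link-only lure, no attachment, points at a watched file-sharing host.
SAMPLE_LINK_PHISH = """From: it-helpdesk@corp.test
To: user@corp.test
Subject: Action required: your mailbox will be suspended
Content-Type: text/plain; charset=utf-8

Your mailbox will be suspended. Verify immediately at
https://share.cloudfiles.test/d/abc123/Invoice.pdf
"""

# Constructed sample: ordinary internal mail with a link to an internal host.
SAMPLE_BENIGN = """From: colleague@corp.test
To: user@corp.test
Subject: Sync notes
Content-Type: text/plain; charset=utf-8

Notes from today's sync are at https://wiki.corp.test/notes/2024-sync
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LINK_PHISH, SAMPLE_BENIGN):
        print(triage(sample))
```

Both samples have no attachment, so a rule keyed on attachments treats them identically; the link host and wording are what separate them. The watchlist is deliberately a dictionary rather than a blocklist, because the hosts are legitimate: the signal is the combination of a trusted-service link with urgency language, which is why the verdict is "investigate" rather than "block".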
Cloud misconfigurations remain a persistent and widespread problem too. The majority of cloud posture findings involve legacy or default configurations, particularly in Amazon S3, including missing encryption, weak access controls, and lack of logging.
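The three S3 problem classes named above (missing default encryption, weak access controls, no logging) are all visible in a bucket's configuration before any attacker touches it. As an added example, not from Intezer or the report, the Python below evaluates an inventory of bucket configurations against those three checks. The inventory shape (`Encryption`, `PublicAccessBlock`, `Acl`, `Logging` keys) is a constructed, simplified layout loosely modelled on what the S3 API returns for each bucket; only the two ACL group URIs are real AWS values. The two sample buckets are constructed: a legacy one exhibiting every finding and a hardened one exhibiting none.

```python
"""S3-style bucket posture check over a constructed inventory (added example)."""
from typing import Any

# Real AWS ACL grantee URIs meaning "anyone" and "any authenticated AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def check_encryption(bucket: dict[str, Any]) -> list[str]:
    """Flag buckets with no default server-side encryption rule."""
    rules = bucket.get("Encryption", {}).get("Rules", [])
    if not any(rule.get("ApplyServerSideEncryptionByDefault") for rule in rules):
        return ["no default server-side encryption configured"]
    return []


def check_access(bucket: dict[str, Any]) -> list[str]:
    """Flag weak access controls: incomplete public access block or public ACL grants."""
    findings = []
    pab = bucket.get("PublicAccessBlock", {})
    disabled = [flag for flag in PUBLIC_ACCESS_FLAGS if not pab.get(flag, False)]
    if disabled:
        findings.append("public access block not fully enabled: " + ", ".join(disabled))
    for grant in bucket.get("Acl", {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def check_logging(bucket: dict[str, Any]) -> list[str]:
    """Flag buckets with server access logging turned off."""
    if not bucket.get("Logging", {}).get("LoggingEnabled"):
        return ["server access logging disabled"]
    return []


def evaluate_bucket(bucket: dict[str, Any]) -> dict[str, Any]:
    """Run all three checks and return the bucket name with its findings."""
    findings = check_encryption(bucket) + check_access(bucket) + check_logging(bucket)
    return {"bucket": bucket["Name"], "findings": findings}


def evaluate_all(buckets: list[dict[str, Any]]) -> list[dict[str, Any]]:
    return [evaluate_bucket(b) for b in buckets]


# Constructed inventory: one legacy bucket with every problem class, one hardened bucket.
SAMPLE_BUCKETS = [
    {
        "Name": "legacy-reports",
        "Encryption": {},
        "PublicAccessBlock": {flag: False for flag in PUBLIC_ACCESS_FLAGS},
        "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        "Logging": {},
    },
    {
        "Name": "hardened-data",
        "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "PublicAccessBlock": {flag: True for flag in PUBLIC_ACCESS_FLAGS},
        "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]},
        "Logging": {"LoggingEnabled": {"TargetBucket": "audit-logs", "TargetPrefix": "s3/hardened-data/"}},
    },
]

if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_BUCKETS):
        print(result["bucket"], "->", result["findings"] or ["OK"])
```

The checks are written against plain dictionaries so they can be unit-tested and run on an exported inventory without cloud credentials; feeding them live API responses is a matter of mapping each response into this shape. Treating the public access block as a single finding when any of its four flags is off mirrors the way the feature is meant to be used: all four on, or the bucket counts as exposed.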
The full report is available from the Intezer site and you can register for a webinar that will present the findings on February 4th at 12 noon ET.
Image credit: Techa Tungateja/Dreamstime.com

