MSSP Case Study: Telemetry Without Detection

MSSP Case Study: Telemetry Without Detection | AKATI Sekurity

Abstract

This case study documents six months of continuous managed security operations at a regulated multinational enterprise operating across two geographies. At engagement start, the organisation possessed extensive security telemetry but no correlation capability, no continuous monitoring coverage, and no defined escalation path. AKATI Sekurity deployed a cloud-native SIEM, sequenced log source onboarding by risk contribution, engineered detection content specific to the estate, and staffed continuous analyst triage. Within the observation period, escalation volume declined by approximately half while detection coverage expanded, and the security operations centre identified credential attack techniques, data exfiltration traffic, coordinated anonymisation network usage, and a large-scale identity misconfiguration, none of which had previously been visible to the client. This document sets out the problem, the intervention, the measured impact, and the resulting business benefit. Client identity, sector, infrastructure detail, platform vendors, and absolute alert volumes are withheld under engagement confidentiality; quantitative findings are presented as ranges and relative proportions.

Subject
Regulated multinational, North American headquarters
Engagement
Blackhawk Next Gen SOC, continuous managed detection and response
Estate
Approaching one hundred log sources across two geographies
Observation period
Six consecutive months of operation

1.Problem statement

The subject organisation operates in a sector where system integrity, data confidentiality, and audit defensibility are conditions of its licence to operate. Its security posture did not correspond to that exposure. The deficiency was not an absence of security data. Logs were being generated across the estate in volume. The deficiency was that nothing was reading them.

Four structural gaps defined the position at engagement start. Each is a common failure mode in distributed enterprises that have acquired security tooling incrementally without acquiring the operational capacity to run it.

1.1 Absence of correlation

Log sources were distributed across two geographies with no correlation layer between them. Multi-system attack sequences, which is how intrusions actually progress, were therefore structurally undetectable rather than merely likely to be missed.

1.2 Discontinuous coverage

Detection depended on business-hours staff carrying competing operational priorities. Outside working hours, attacker dwell time was effectively unbounded, and no mechanism existed to shorten it.

1.3 No behavioural baseline

The organisation could not characterise normal activity for identity, endpoint, or cloud layers. Authorised behaviour and intrusion were consequently indistinguishable, and control effectiveness could not be evidenced to a regulator.

1.4 Unmanaged tooling

Remote access utilities and unsanctioned software were operating outside any monitoring boundary, establishing uncontrolled access paths and persistence footholds that no inventory recorded.

Table 1 summarises the position at engagement start against the position at month six. See section 4.

2.Solution

The engagement was designed to generate protective value during implementation rather than upon its completion. This is a deliberate departure from the conventional sequence, in which a monitoring programme delivers no detection until integration concludes. The five components below were executed concurrently rather than serially.

A next-generation cloud-based SIEM platform was deployed to centralise collection and correlation across both geographies. The architecture avoids on-premises collector proliferation and capital expenditure, and removes any dependency on the client provisioning infrastructure before detection can commence.

Rather than a single integration event, onboarding was ordered by each source's expected contribution to detection: identity infrastructure, endpoint detection, cloud productivity, and perimeter were prioritised. Coverage in the primary geography reached approximately three-fifths of in-scope sources during the observation period and continued to increase, with the outstanding backlog itemised in monthly management reporting.

In the secondary geography, the large majority of un-onboarded sources are air-gapped by design. That segregation is an intentional architectural control. It is reported as out of scope rather than counted as coverage, a distinction that materially affects the defensibility of the client's posture evidence.

Use case content was developed and tuned against the organisation's observed threat exposure rather than applied from a standard template. The following detections were operating in production during the observation period:

  • Cloud identity abuse via device code authentication
  • Directory replication attack (DCSync class)
  • Active Directory user enumeration
  • Privileged group modification
  • Unauthorised security-group addition
  • Data exfiltration domain contact
  • TOR usage and multi-user evasion
  • Malware registry persistence
  • Network scanning utilities
  • Unauthorised remote access and RMM tooling
  • Endpoint PUA and malicious binaries
  • Threat intelligence feed correlation

Every alert is investigated by an analyst and classified as Intended Behaviour, meaning authorised, scheduled, or otherwise explicable, or as Unintended Behaviour, before any escalation reaches the client. The client receives investigated cases carrying context and recommended action. It does not receive raw alerts. This classification step is the operative distinction between a security operations centre and a log forwarding service, and it is the mechanism responsible for the volume reduction reported in section 3.

Monthly reporting provides an executive view of posture, trend, and open risk, together with a standing recommendations register. Outstanding items remain visibly outstanding. For a regulated subject, reporting that overstates coverage carries negative value, because it fails at the moment of examination. Reporting is treated here as a deliverable of the service rather than a by-product of it.

3.Impact

Impact is reported in two dimensions: what the security operations centre detected that the organisation could not previously see (section 3.1), and the quality of the signal delivered to the client over time (section 3.2).

3.1 Detections in a previously unmonitored estate

None of the findings below was visible to the client before the engagement. This reflects the absence of a capability rather than any deficiency in the client's team: no system in the environment was constructed to observe these behaviours. Exhibit 1 presents the estate under both conditions.

Estate view pre-engagement
Credential attack technique

Directory replication activity

DCSync-class activity and Active Directory user enumeration were detected and escalated. Both techniques sit directly on the path to full domain compromise, and neither was detectable by any control present in the estate at engagement start.

Coordinated evasion

Multi-user anonymisation traffic

TOR usage was identified, including unauthorised activity spanning multiple users concurrently. This pattern is invisible to single-host or single-log review by construction, and is surfaceable only through cross-source correlation.

Exfiltration

Contact with known exfiltration infrastructure

Detected and escalated across consecutive months. Each occurrence prompted containment and root cause review rather than a repeated remediation cycle.

Cloud

Malicious executables in corporate cloud storage

Suspicious executables uploaded to the cloud productivity tenant were detected and flagged. This channel is unmonitored in most enterprise environments and bypasses perimeter controls entirely.

Principal finding

A service misconfiguration had rendered brute-force detection statistically impossible

Authentication analysis identified a single account generating hundreds of thousands of failed domain logon events within one month, with the ten highest-volume accounts together approaching seven figures. The activity was not an attack. It was a broken service configuration consuming domain controller capacity and, more consequentially, suppressing the signal-to-noise ratio to the point that genuine brute-force activity would have been statistically undetectable beneath it. The organisation believed it possessed authentication monitoring. In practice, the control had been nullified by a configuration error that no party had cause to examine. Identification and reporting restored the control to operational value.

Endpoint

Unauthorised execution, blocked and evidenced

Application control was confirmed to be actively blocking dozens of unauthorised execution attempts across the fleet, including unsanctioned remote-desktop tooling. The finding converts an assumed control into an evidenced one.

Root cause analysis

PUA family traced to introduction vector

A single unwanted-software family was tracked across a handful of endpoints via a known persistence path, with every associated event auto-remediated. Guidance was issued to close the delivery route, addressing recurrence rather than symptom.

Exhibit 1 Detections by category under pre-engagement and monitored conditions. Under the pre-engagement view, the findings exist in the estate but are not observable by any control present. Categories and descriptions are unchanged between views; only observability differs. Interactive.

3.2 Signal quality over the observation period

A decline in escalation volume is only a favourable result if detection coverage does not decline with it. In this engagement coverage expanded: additional use cases entered production during the same window in which escalation volume fell by approximately half. The reduction is therefore attributable to the establishment of behavioural baselines and the suppression of false-positive sources, not to a narrowing of scope.

Intended Behaviour, closed by analyst Unintended Behaviour, escalated

Interpretation

The majority of escalations were classified as Intended Behaviour. This proportion is not a false-positive rate to be minimised; it is the measurable output of analyst validation. Absent that layer, each of those cases would have consumed client resources or, more probably, been disregarded, conditioning the organisation to disregard the cases that mattered.

High-priority escalations remained in the low single digits across the documented quarter, with no reported business disruption and no confirmed breach.

Exhibit 2 Relative escalation volume by behavioural classification across three consecutive documented months. Vertical scale withheld; proportions and month-on-month relationships are accurate. Absolute values withheld under engagement confidentiality.

4.Benefit

The findings in section 3 describe what was detected. This section addresses what the organisation obtained, expressed in terms a board or a regulator would recognise. Table 1 states the position at engagement start against the position at month six.

DimensionAt engagement startAt month six
Visibility
No correlation across the estate. Logs generated in isolation.
Continuous multi-region correlation across identity, endpoint, cloud, and network.
Coverage window
Business hours, best effort, delivered by staff with competing duties.
Continuous 24/7/365 analyst-staffed monitoring with a defined escalation path.
Baseline
No documented behavioural baseline at any layer.
Established baselines yielding an approximately 50% reduction in escalation volume.
Client input
Raw alerts, where observed at all.
Investigated and classified cases carrying context and recommended action.
Audit evidence
No evidence of control effectiveness available to an examiner.
Monthly management-grade reporting with a tracked recommendations register.
Advanced techniques
Structurally undetectable. Credential attacks would have completed unobserved.
Credential attacks, exfiltration attempts, and evasion tooling detected and escalated in production.

Table 1 Security posture at engagement start compared with month six of continuous operation.

4.1 Protective value during implementation

Because onboarding was sequenced by risk contribution, material findings were escalating while integration remained in progress. The organisation was defended during the project rather than upon its completion, which is the interval in which comparable programmes typically carry the greatest unmitigated exposure.

4.2 Capacity returned to the client

The client's team received no unqualified alerts. Volume sufficient to exhaust an internal function was absorbed, investigated, and closed upstream, releasing internal capacity to remediation and engineering rather than triage.

4.3 Defensible posture evidence

Air-gapped sources were declared out of scope rather than reported as coverage, and open items remained open. The resulting reporting record is one that withstands examination, which for a regulated subject is the condition under which security reporting has value at all.

4.4 Root cause rather than recurrence

Each detection was accompanied by causal analysis and corrective guidance covering endpoint hardening validation, cloud storage controls, remote access governance, and user awareness. The engagement drove posture improvement rather than ticket closure.

5.Conclusion

The subject organisation did not lack security data, security tooling, or a competent internal team. It lacked the operational capacity to convert telemetry into detection, and that single deficiency rendered every downstream control unverifiable. Within six months of continuous managed operations, the estate moved from a condition in which advanced attack techniques were structurally undetectable to one in which they were detected, classified, and escalated in production, while the volume of work transferred to the client fell by approximately half.

The principal finding of this engagement is instructive beyond the subject. The most consequential discovery was not an intrusion. It was a configuration error that had silently nullified an authentication control the organisation believed it possessed. Controls that are assumed rather than evidenced are, in practice, indistinguishable from controls that are absent. Continuous monitoring is the mechanism by which that distinction becomes observable.

  • Gartner Representative Vendor, DFIR Retainer, 2025 and 2026
  • Frost & Sullivan DFIR Competitive Strategy Leader, 2024
  • PCI DSS Approved QSA and ASV
  • CREST Accredited
  • ISO 27001 / 27017 / 27018 Certified

Assess your own detection capacity

If your estate generates telemetry that nothing is currently reading, that gap is measurable, and it is closable. AKATI Sekurity can scope what your environment would surface in its first month of monitored operation.

Schedule a consultation

Confidentiality and method note

Client identity, sector, geography beyond region, infrastructure detail, platform vendors, and absolute alert volumes are withheld under engagement confidentiality. Quantitative findings are presented as ranges, relative proportions, and month-on-month relationships. Where a vertical scale is withheld, proportions within and between periods remain accurate as reported. Detection categories, techniques, and outcomes are reported without modification. AKATI Sekurity does not disclose client-identifying data in published material, including to prospective clients and including on request.

Detection volumes are drawn from three consecutive documented months within the six-month observation period, and are described as the documented quarter throughout. Coverage figures reflect the position at the close of the observation period.

AKATI Sekurity is an award-winning Managed Security Service Provider delivering continuous managed detection and response, threat intelligence, governance and compliance, and digital forensics to regulated enterprises worldwide.

Next
Next

MSSP Case Study: Manufacturing Firm Secures OT with 24/7 Endpoint MDR