MSSP Case Study: Manufacturing Firm Secures OT with 24/7 Endpoint MDR
About the Customer
The client is a large-scale enterprise in the heavy industry and manufacturing sector. Their operations are supported by a complex, multi-generational IT environment, where endpoint integrity is mission-critical for both corporate functions (finance, logistics) and plant operations, including critical Operational Technology (OT) environments.
| Category | Details |
|---|---|
| Industry | Heavy Industry / Manufacturing |
| Challenge | Managing a high-risk, heterogeneous endpoint fleet (including legacy OS), quantifying the "unknown asset" problem, and triaging high-volume behavioral alerts 24/7. |
| Solutions Used | 24/7 MSSP, Managed Endpoint Detection & Response (MDR) |
The Challenge
The client's primary security challenge was not a lack of tools, but a lack of specialized, 24/7 resources to manage the data they produced. The firm's IT team was responsible for a fleet of over 160 endpoints, which included a mix of modern and high-risk legacy operating systems that directly support its Operational Technology (OT) infrastructure.
This environment generated three core business risks:
High-Risk Attack Surface: A significant portion of the fleet was running on legacy operating systems (e.g., Windows 7, Windows 8.1), which no longer receive security patches. This created a persistent, high-risk target for exploits, which could be used as a pivot point to attack the OT environment.
Alert Fatigue & Data Overload: The EDR (Endpoint Detection and Response) solution generated hundreds of behavioral alerts monthly. The internal team lacked the "eyes-on-glass" capacity to investigate every anomaly 24/7, creating a high probability that a genuine threat—such as an initial intrusion targeting OT assets—could be lost in the noise.
Asset Visibility Gap: A large, unknown number of devices were not consistently connecting to the management console, creating a "ghost fleet" of unmonitored, unpatched, and high-risk assets.
The AKATI Sekurity Solution
The manufacturing firm engaged AKATI Sekurity's 24/7 MSSP to provide a high-touch Managed Detection and Response (MDR) service. This solution layers 24/7/365 human SOC analysis on top of the client's existing next-generation antivirus (NGAV) and EDR platforms. This model is critical in a converged IT/OT environment, where the cost of a false positive (e.g., wrongly shutting down a plant-adjacent system) is as high as the cost of a missed detection.
Our service delivery is focused on four key pillars:
24/7 Triage: Continuously monitoring the high-volume EDR alert stream to filter false positives and benign-but-anomalous activity.
Threat Hunting: Proactively investigating suspicious behavioral patterns that automated systems might miss.
Active Quarantine: Immediately isolating confirmed threats (malware, backdoors, PUPs) to prevent lateral movement and impact.
Data-Driven Reporting: Providing actionable intelligence on asset hygiene, risk exposure, and threat trends, transforming raw security data into business-level insights.
Quarterly Data & Threat Analysis
Our analysis of the client's endpoint data from Q1 to Q3 2025 reveals several critical trends.
1. Endpoint Fleet & Hygiene Analysis
The single most critical risk identified was not active malware, but a significant asset hygiene and visibility deficit. Analysis of the total endpoint fleet revealed that 35-40% of all registered devices were consistently offline for extended periods (30+ days), with some offline for months or years.
These "ghost assets" represent a critical blind spot and a substantial financial and operational risk, particularly as any of these unmonitored devices could be a compromised entry point into the wider corporate or OT network.
Chart 1: Endpoint Fleet Visibility & Risk Profile
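The "ghost fleet" finding above comes down to one check that any team can run against its own management-console export: how many registered endpoints have not checked in for 30 or more days, how many run an operating system that no longer receives patches, and how many fall into both groups (unpatched and unmonitored, the highest-risk subset). The following script is an added illustration, not AKATI Sekurity's tooling; the CSV layout, hostnames, dates and the legacy-OS list are constructed assumptions and should be replaced by the real export format and vendor lifecycle data.

```python
"""Endpoint hygiene check: flag 'ghost assets' (offline 30+ days) and
legacy-OS endpoints from a management-console export.

Added example (not AKATI Sekurity's tooling). The CSV layout, hostnames
and dates below are constructed for illustration; adapt the column names
to your console's actual export.
"""
import csv
import io
from datetime import datetime

# Constructed sample export: hostname, operating system, last check-in date (UTC).
SAMPLE_EXPORT = """hostname,os,last_seen
FIN-WS-01,Windows 11,2025-09-28
FIN-WS-02,Windows 10,2025-09-29
LOG-WS-07,Windows 10,2025-06-02
LOG-WS-09,Windows 8.1,2024-11-15
PLANT-HMI-03,Windows 7,2025-09-25
PLANT-HMI-04,Windows 10,2025-01-10
ENG-LT-12,Windows 11,2025-09-30
CORP-SRV-02,Windows Server 2019,2025-09-30
OLD-PC-44,Windows XP,2023-03-01
HR-WS-05,Windows 10,2025-09-10
"""

# Operating systems that no longer receive vendor security patches.
# Assumption for this example: keep this aligned with vendor lifecycle data.
LEGACY_OS = {"Windows XP", "Windows 7", "Windows 8.1"}

GHOST_THRESHOLD_DAYS = 30          # "consistently offline for extended periods (30+ days)"
AS_OF = datetime(2025, 9, 30)      # reference date for the constructed sample


def parse_export(text):
    """Parse the CSV export into a list of dicts, converting last_seen to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_seen"] = datetime.strptime(row["last_seen"], "%Y-%m-%d")
        rows.append(row)
    return rows


def classify_fleet(rows, as_of, ghost_days=GHOST_THRESHOLD_DAYS):
    """Return per-host findings plus fleet-level counts and percentages.

    A host is a 'ghost asset' if it has not checked in for ghost_days or more
    as of `as_of`; it is 'legacy' if its OS is in LEGACY_OS. Hosts that are
    both are unpatched *and* unmonitored, so they are reported separately.
    """
    findings = []
    for row in rows:
        offline_days = (as_of - row["last_seen"]).days
        findings.append({
            "hostname": row["hostname"],
            "os": row["os"],
            "offline_days": offline_days,
            "ghost": offline_days >= ghost_days,
            "legacy": row["os"] in LEGACY_OS,
        })
    total = len(findings)
    summary = {
        "total": total,
        "ghost": sum(f["ghost"] for f in findings),
        "legacy": sum(f["legacy"] for f in findings),
        "ghost_and_legacy": sum(f["ghost"] and f["legacy"] for f in findings),
    }
    summary["ghost_pct"] = round(100 * summary["ghost"] / total, 1)
    summary["legacy_pct"] = round(100 * summary["legacy"] / total, 1)
    return findings, summary


def audit(text=SAMPLE_EXPORT, as_of=AS_OF):
    """Convenience wrapper: parse an export and classify it in one call."""
    return classify_fleet(parse_export(text), as_of)


if __name__ == "__main__":
    hosts, summary = audit()
    print(f"Fleet: {summary['total']} hosts, {summary['ghost_pct']}% ghost, "
          f"{summary['legacy_pct']}% legacy OS, {summary['ghost_and_legacy']} both")
    # List the flagged hosts, longest-offline first, so the worst cases lead the report.
    for h in sorted(hosts, key=lambda h: -h["offline_days"]):
        if h["ghost"] or h["legacy"]:
            flags = ",".join(k for k in ("ghost", "legacy") if h[k])
            print(f"  {h['hostname']:<14} {h['os']:<20} offline {h['offline_days']:>4}d  [{flags}]")
```

On the constructed sample this reports 40% ghost assets and 30% legacy OS, with two hosts in both groups; the per-host listing is what turns the percentage into a work list for asset lifecycle management. Sorting by days offline also surfaces devices that have silently dropped out of the console for years, which a percentage alone hides.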
2. MSSP Triage Funnel: Signal vs. Noise
The primary value of the MDR service is managing the high-volume, noisy data from EDR platforms. Prevention tools (NGAV) block known threats, but EDR (Optics) flags suspicious behaviors, which are often legitimate administrative tasks.
Over a 6-month period, the EDR platform generated some 450-500 behavioral alerts. Our 24/7 SOC team triaged 100% of these, validating that the vast majority (90-95%) were benign-but-anomalous. This filtering process allowed our team to isolate the small handful of genuine, high-risk threats, eliminating alert fatigue for the client.
Chart 2: 6-Month Threat Detection Volume (Behavioral vs. Prevention): Behavioral EDR Alerts: 475; Prevention NGAV Alerts: 25
3. Behavioral Alert Taxonomy
Analysis of the high-volume EDR alerts reveals clear patterns. The vast majority of "noise" came from three categories of legitimate, but anomalous, system behavior that an automated-only system might incorrectly flag as malicious.
Chart 3: Top Behavioral (EDR) Alert Categories by Volume (Q2-Q3 2025)
4. High-Fidelity Threat Analysis: Quarantined Payloads
By filtering the noise, the SOC team was able to identify and quarantine a range of genuine threats. These payloads demonstrate a clear intent by attackers to target the client's supply chain, financial operations, and by extension, its OT security posture.
Sample of Confirmed Malicious Payloads Quarantined by MSSP
| File Name (Obfuscated) | Classification | Analyst Insight & Business Risk |
|---|---|---|
| Order PO_pdf.exe | Malware - Trojan | A classic social engineering payload. This executable masquerades as a PDF Purchase Order, designed to trick procurement or finance staff into executing it. The goal is credential theft or initial access for ransomware. |
| REQUEST FOR QUOTATION...exe | Malware - Trojan | A highly targeted attack vector. This file is weaponized to mimic a legitimate Request for Quotation (RFQ), exploiting the company's position in the manufacturing supply chain to compromise a user. |
| Arrival Notice.exe | Malware - Backdoor | A payload disguised as a shipping notification. This backdoor is designed to grant the attacker persistent, remote access to the compromised endpoint, allowing for long-term data exfiltration or lateral movement. |
| rsTest_SEC-438_13.exe | Malware - Infostealer | A clear data theft tool. This payload is classified as an infostealer, designed to programmatically find and exfiltrate sensitive data, such as browser passwords, financial documents, or intellectual property. |
| MSPSDK.dll | Malware - Backdoor | A stealthy, file-less threat. This malicious DLL is designed to be loaded by a legitimate process, providing persistent remote access and evading simple file-based scanners. |
| NSISPromotionEx.dll | PUP - Adware | A Potentially Unwanted Program (PUP) bundled with a software installer. While not overtly malicious, these programs introduce privacy risks, degrade system performance, and can create security vulnerabilities. |
Conclusion
The engagement successfully transitioned the client from a reactive security footing to a proactive, data-driven defense. The 24/7 MSSP service not only quarantined active, high-risk threats (Trojans, Backdoors) before they could cause business impact, but also provided critical, C-level intelligence on its converged IT/OT risk profile.
By identifying the systemic risk of the 35-40% "ghost fleet" of offline devices and the 15-20% legacy OS footprint, our MSSP team turned raw security data into a clear business case for asset lifecycle management and a data-driven risk-reduction strategy to harden its OT security by first mastering its IT endpoint environment.
Key Terms Explained:
MSSP (Managed Security Service Provider): An external organization that provides 24/7 cybersecurity monitoring, management, and response services.
MDR (Managed Detection and Response): An advanced MSSP service focused on actively hunting for, detecting, and responding to cyber threats that have bypassed traditional defenses.
OT (Operational Technology) Security: The practice of securing computing and communication systems used to manage, monitor, and control industrial operations, such as manufacturing production lines or critical infrastructure.
EDR (Endpoint Detection and Response): A security solution that continuously monitors endpoints (laptops, servers) for suspicious behavior and records activity to provide high-context data for threat investigations.
Alert Triage: The SOC process of investigating, prioritizing, and sorting high volumes of security alerts to filter out false positives and identify genuine, actionable threats.
About the Author: This article was written by AKATI Sekurity's 24/7 i-SOC and Managed Detection and Response (MDR) specialists. Our team helps organizations monitor, hunt, and respond to advanced threats across converged IT and Operational Technology (OT) environments. Our analysts specialize in manufacturing, critical infrastructure, and high-availability sectors across ASEAN and North America.