The Hidden Security Gap

Easy Targets: Why Expensive Security Tools Alone Are Not Enough

Cybersecurity, Cybersecurity tools, Security controls, EDR, Endpoint Detection and Response, Endpoint Security, why security tools alone are not enough, common security implementation gaps, real cybersecurity incident analysis, Security tools, Cyberattack
Facebook
X
LinkedIn
Reddit
WhatsApp

Many cyber incidents do not happen because organizations lack the right security solutions. They happen because existing defenses are only partially implemented. Companies that overlook deployment gaps often create a false sense of protection.

When security leaders are asked about their top priorities, the answers are usually familiar: Endpoint Detection and Response (EDR), Identity and Access Management, network segmentation, cloud security and vulnerability management. On paper, many teams know exactly what a robust security architecture should look like. In real world environments, however, failures often do not result from missing security controls, but from the assumption that systems are protected even when critical safeguards have only been partially deployed.

Ad

The Real Risk: Incomplete Security Coverage

For years, discussions about which EDR platforms, firewalls or cloud security solutions offer the best protection have shaped the cybersecurity market. These decisions matter, but they are rarely the most critical factor. Across many environments, essential security controls are never fully deployed, consistently enforced or regularly reviewed.

That is precisely where attackers look for opportunities.

Security programs typically fail not because organizations lack controls, but because coverage is inconsistent. The underlying causes are often recurring issues: missing processes, weak policy enforcement, limited resources and the absence of regular validation.

Ad

A security measure only works where it actually exists. An EDR platform cannot monitor an endpoint where it has never been installed. Multifactor authentication does not protect accounts that have been excluded from enforcement. Network segmentation cannot prevent lateral movement if forgotten subnets still provide broad internal access.

Attackers do not always need to overcome an organization’s strongest defensive layers. Instead, they search for the overlooked system, service account or device that security teams have missed.

A Real World Incident

A real incident response case demonstrates how even small security oversights can create a chain reaction. The first warning sign was an attempted credential access attack on a monitored endpoint. The SOC team responded immediately, isolated the device and discovered that a PowerShell command had originated from a second internal endpoint that was not being monitored.

The device was still actively used within the organization, but the EDR solution had never been installed on it. Due to the lack of visibility, the root cause analysis was limited from the start.

At that point, the recommendations for the affected company were extensive: reset all accounts, patch critical vulnerabilities, remove unnecessary login permissions for service accounts, include all subnets in vulnerability scans, review firewall rules and enforce MFA across the environment.

The customer confirmed that passwords had been reset and EDR had been deployed across supported endpoints. The remaining actions, however, were still in progress.

Five days later, the hypervisor was encrypted by ransomware.

What Actually Went Wrong

The attacker authenticated again, this time using a service account. The subsequent investigation revealed that only user passwords had been reset after the initial incident. Service accounts had been excluded. Recommended login restrictions for those accounts had also not been implemented.

However, the core issue was located elsewhere.

The company had overlooked a small subnet containing a single telephone system. It had no meaningful restrictions in place, and multiple internet accessible ports remained open, including administrative and SSH access. A later assessment uncovered numerous critical vulnerabilities, including a remotely exploitable SSH vulnerability.

The system had never been patched since its deployment years earlier, making it the initial entry point for the attack.

“A security measure only works where it actually exists.”

Paul Moll, WatchGuard Technologies

From this foothold, the attacker moved laterally through the network. The attack path eventually led from an unmanaged endpoint operated by an external service provider directly to the hypervisor.

The involved third party had no direct role in managing the hypervisor. However, insufficient segmentation and inadequate access controls enabled the attacker’s movement. The situation was further complicated because the hypervisor shared credentials with the telephone system, and those credentials had already been compromised through the vulnerable device.

The hypervisor itself was no longer supported and had been outdated for years.

Attackers Exploit What Organizations Overlook

This real world example reflects a common pattern in security incidents. Most breaches are not caused by a single catastrophic failure. Instead, they result from a combination of smaller oversights that accumulate over time.

Faced with growing cyber threats, many security leaders ask whether they need the most expensive solutions available. The more important question, however, is whether existing controls are fully deployed, properly enforced and regularly validated.

In the described incident, even an average EDR solution would likely have detected activity on the unmanaged endpoint, provided it had been installed.

No security solution can protect systems it cannot see.

Security maturity therefore depends not only on selecting the right technologies, but also on operational discipline and consistent execution.

Practical Recommendations:

➤ Close implementation gaps: Even incomplete security controls can create a comprehensive but misleading sense of protection. Organizations should regularly verify what is actually covered. Only then can they identify the gap between their intended security posture and reality.

➤ Act on security recommendations immediately: Guidance from internal security teams, MDR providers, MSPs or MSSPs must be treated as a critical part of incident response and addressed without delay. If immediate implementation is impossible, compensating controls should be introduced.

➤ Apply consistent segmentation: Users should never have unnecessary access to critical systems. Third party devices, partner solutions and black box technologies must not operate with unrestricted network access. Segmentation reduces blind spots.

➤ Avoid credential sharing: Login credentials should always be unique to individual systems and users. Sharing access information must be prevented.

➤ Treat third parties with the same security standards: External providers, suppliers and specialized devices often fall outside traditional security processes. They should not. Any connection to the corporate network must meet basic security requirements.

➤ See MDR and MSSP providers as strategic partners: A strong service provider does more than deliver alerts. It helps organizations investigate incidents, prioritize risks and reduce exposure. This requires taking recommendations and warnings seriously.

Conclusion: Resilience Starts with the Basics

The organizations that recover fastest from cyberattacks are not necessarily those with the most sophisticated security stacks. Often, they are the ones that consistently apply fundamental security practices completely and correctly.

Security weaknesses are frequently administrative or procedural in nature. They often hide in systems that nobody checks anymore. Yet these are exactly the weaknesses attackers target.

Ultimately, an organization’s security posture is not defined by the security tools it has purchased. It is defined by the controls that are actually implemented, enforced and maintained over time.

Paul Moll, WatchGuard

Paul

Moll

Senior Field Marketing Manager Central Europe

WatchGuard Technologies

Image Source: WatchGuard Technologies
Ad

Artikel zu diesem Thema

Weitere Artikel