The Hidden Risks of Security Control Failures: What Security Teams May Unintentionally be Missing

January 23, 2025
SecurityServices


We know you’ve invested heavily in security controls such as Secure Email Gateways (SEGs), Endpoint Detection and Response (EDR) tools, and Managed Detection and Response (MDR) services. We also know from first-hand experience running thousands of security tests for our customers that even best-in-class technologies and security vendors can and do fail, often silently.

For CISOs, CIOs, and security teams, understanding why security controls fail is critical to ensuring defenses remain effective against countless adversaries.  

Let’s explore common failure points, their root causes, and actionable strategies to address these challenges head-on.

Why Do Security Controls Fail? 

Security controls fail for a variety of reasons, including misconfigurations, outdated rules, and human error. Most organizations have three primary control layers: prevention, detection, and response. Here’s where each of them often breaks down.

Secure Email Gateway (SEG) Failures

SEGs are often the first line of defense, designed to protect organizations from email-based threats by filtering out phishing emails, malicious attachments, and spoofed communications. However, these systems can fail due to:

  • Filter Misconfigurations: Improperly set rules or outdated policies allowing harmful emails to bypass filters. 
  • Evolving Adversary Tactics: Sophisticated phishing campaigns that evade detection. 
  • Authentication Misalignments: Misconfigured SPF, DKIM, and DMARC settings enabling spoofed emails. 

A 2024 report by Cofense revealed a staggering 104.5% increase in malicious emails bypassing SEGs. This rise highlights the difficulties SEGs face in keeping up with the rapidly evolving tactics of phishing campaigns, which can lead to potential security breaches when these malicious emails reach end-users. For most enterprises, relying on “good enough” email security is no longer a viable option. 
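As an added illustration of the Authentication Misalignments point above (example code written for this post, not OnDefend's or any SEG vendor's tooling), the following audits the SPF and DMARC TXT records a domain publishes and flags the settings that let spoofed mail through; the records and the example.test and mailer.test names are constructed.

```python
# Added example (not OnDefend's code): flag the SPF/DMARC settings that let
# spoofed mail through. Records below are constructed, weak pair beside hardened pair.
WEAK = {"spf": "v=spf1 include:_spf.mailer.test ip4:198.51.100.0/24 ?all",
        "dmarc": "v=DMARC1; p=none; pct=50"}
HARDENED = {"spf": "v=spf1 include:_spf.mailer.test ip4:198.51.100.0/24 -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test"}

def _is_lookup(term):
    """True for SPF mechanisms that cost a DNS lookup (RFC 7208 caps these at 10)."""
    t = term.lower().lstrip("+-~?")
    return t in ("a", "mx") or t.startswith(("include:", "exists:", "redirect=", "a:", "mx:", "a/", "mx/"))

def audit_spf(record):
    """Return a list of findings for one SPF TXT record (empty list means no issue)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: missing or malformed v=spf1 version tag"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"SPF: '{last}' lets any sender pass; end the record with -all")
    elif last == "~all":
        findings.append("SPF: '~all' only soft-fails spoofed mail; use -all once senders are verified")
    elif last != "-all":
        findings.append("SPF: no terminal 'all' mechanism; unlisted senders get a neutral result")
    lookups = sum(1 for t in terms if _is_lookup(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings

def audit_dmarc(record):
    """Return a list of findings for one DMARC TXT record (empty list means no issue)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ["DMARC: record lacks v=DMARC1 or a p= policy and will be ignored by receivers"]
    findings = []
    if tags["p"] == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif tags["p"] == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once aligned senders are confirmed")
    if tags.get("sp") == "none":
        findings.append("DMARC: sp=none leaves subdomains open to spoofing")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} enforces the policy on only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports (and visibility) are missing")
    return findings
```

Run both auditors against the records your DNS actually returns after every SEG or mail-routing change; drift in these records is one of the silent failures the post describes.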

Threat Detection Tool Failures 

Detection tools like EDR, XDR, SIEM, and NDR solutions are critical for identifying malicious activities. If you’re like most CISOs we’ve talked to, you’re probably dealing with challenges from each one such as: 

Tool Misconfigurations: Often the result of improper setup or incomplete tuning, common misconfigurations include:

  • Relying on out-of-the-box rules or having overly broad rules and low alert thresholds, resulting in excessive alerts and alert fatigue. 
  • Having overly specific rules and excessively high alert thresholds that miss threats. 
  • Failure to update detection rules to account for new adversary TTPs or changing environments. 
  • Not applying vendor patches and updates.  
  • Inadequate integration with critical data sources and other detection and response platforms. 
  • Lack of continuous tuning for ongoing optimization. 

According to OnDefend’s assessments (2023-2024), 7 out of 10 attack simulations identified security tool misconfigurations or exploitable control failures. 

Unintentional Changes: Tools often experience configuration drift, where the settings gradually deviate from the optimal state due to: 

  • Changes to rule thresholds that were made for a specific incident but not reverted.  
  • Modifications to alert configurations to reduce sensitivity, leading to missed detections. 
  • Updates to the network like new cloud workloads not included in the monitoring scope or changing network topology.  
  • Third-party vendor software updates and patches that might invalidate custom rules or APIs or introduce a new vulnerability. 
  • Third-party vendor or partner actions, such as an administrator updating system configurations without coordinating with the security team. 

In Vectra AI’s 2024 State of Threat Detection and Response research report, they found that “77% of SOC teams say they push aside important security tasks more than twice a week so they can tune, monitor, and maintain existing security tools and some teams even say this is a daily occurrence.” 

Threat Response Failures 

Threat response failures on the part of security monitoring teams, such as Managed Detection and Response (MDR) and Network Detection and Response (NDR) providers, often result from a combination of the following:

  • SOC teams or third-party providers may lack the necessary bandwidth due to a high volume of alerts and dependency on manual investigation processes instead of automation. These teams may have skill shortages or lack expertise in handling sophisticated attacks. 
  • Poor coordination between third-party providers and internal teams can delay or disrupt the incident response process. 
  • Unclear or outdated protocols lead to inconsistent containment efforts. 
  • Failure to adapt their services to the expanded attack surface as organizations adopt new technologies or add new assets to the infrastructure.  

In fact, 5 out of 10 attack simulations conducted by OnDefend resulted in no response or a delayed response outside SLA requirements.

Understanding the Root Causes of Failure 

  1. Lack of Continuous Validation: Static tests or annual audits are no longer enough to address evolving ransomware tactics. Continuous validation is essential to ensure controls remain effective against modern threats.
  2. Over-Reliance on Vendors: While MDR and NDR providers enhance security, they must be validated regularly. Vendors can fail to meet SLA targets or adapt to new threats in real time.
  3. Complexity of Modern Environments: Hybrid infrastructures, remote work, and supply chain dependencies introduce additional points of failure. Ensuring end-to-end visibility is critical for detecting and responding to threats across diverse environments.

Proactive Strategies for Preventing Failures 

  1. Implement Continuous Testing: Use Breach & Attack Simulation (BAS) tools like BlindSPOT or services like Ransomware Defense Validation (RDV) to simulate real-world ransomware attacks and validate prevention, detection, and response capabilities. Continuous testing ensures your security controls are optimized to counter known and evolving threats.
  2. Prioritize SEG Configurations: Regularly audit and fine-tune SEG rules, ensuring SPF, DKIM, and DMARC settings are correctly configured to prevent spoofing and phishing attacks.
  3. Measure Key Metrics: Track and improve quantifiable metrics such as:
     • Email Filtering Accuracy: How effectively SEGs block malicious payloads.
     • Mean Time to Detect (MTTD): The speed at which detection tools identify threats.
     • Mean Time to Respond (MTTR): How quickly threat response teams neutralize threats.
  4. Validate Vendor Performance: Conduct incident response simulations to evaluate third-party vendors’ adherence to SLAs. Hold vendors accountable with clear performance metrics and requirements.
  5. Build Resilience with Playbooks: Update incident response playbooks regularly to address new ransomware tactics. Conduct tabletop exercises to ensure all teams understand escalation and containment protocols.
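As an added worked example of the MTTD/MTTR and SLA metrics listed above (example code, not OnDefend's tooling; the simulation records and the SLA thresholds are constructed), this scores a batch of attack simulations and counts runs with no response, or a response outside SLA, as failures rather than letting them drop out of the averages:

```python
# Added example (not OnDefend's code): score a batch of attack simulations so that
# runs with no detection or no response count as failures instead of vanishing
# from the averages. Records and SLA thresholds below are constructed.
from datetime import datetime, timedelta
from statistics import mean

SIMULATIONS = [  # constructed; None means the event never happened
    {"id": "sim-1", "launched": "2025-01-10T09:00:00", "detected": "2025-01-10T09:04:00", "responded": "2025-01-10T09:15:00"},
    {"id": "sim-2", "launched": "2025-01-10T10:00:00", "detected": "2025-01-10T10:30:00", "responded": "2025-01-10T11:40:00"},
    {"id": "sim-3", "launched": "2025-01-11T14:00:00", "detected": None, "responded": None},
    {"id": "sim-4", "launched": "2025-01-12T08:00:00", "detected": "2025-01-12T08:02:00", "responded": None},
]
DETECT_SLA = timedelta(minutes=15)   # assumed contractual targets, not from the post
RESPOND_SLA = timedelta(minutes=60)

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def _minutes(deltas):
    """Mean of a list of timedeltas in minutes, or None when nothing was measured."""
    return round(mean(d.total_seconds() for d in deltas) / 60, 1) if deltas else None

def score_simulations(records, detect_sla=DETECT_SLA, respond_sla=RESPOND_SLA):
    """Return MTTD/MTTR over the handled cases plus the SLA breaches that averages hide."""
    detect_deltas, respond_deltas = [], []
    breaches = {"no_detection": 0, "late_detection": 0, "no_response": 0, "late_response": 0}
    for r in records:
        launched = _ts(r["launched"])
        for stage, sla, deltas in (("detection", detect_sla, detect_deltas),
                                   ("response", respond_sla, respond_deltas)):
            stamp = _ts(r["detected" if stage == "detection" else "responded"])
            if stamp is None:
                breaches[f"no_{stage}"] += 1   # silent failure: nothing ever fired
                continue
            delta = stamp - launched           # measured from the simulated attack start
            deltas.append(delta)
            if delta > sla:
                breaches[f"late_{stage}"] += 1
    outside = breaches["no_response"] + breaches["late_response"]
    return {
        "mttd_min": _minutes(detect_deltas),
        "mttr_min": _minutes(respond_deltas),
        "breaches": breaches,
        "outside_sla_pct": round(100 * outside / len(records), 1) if records else 0.0,
    }
```

On the constructed batch the MTTD of 12 minutes and MTTR of 57.5 minutes both look inside SLA, while 75% of the runs were actually answered late or not at all, which is why the breach counts should be reported next to the means.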

Case Study: How a Healthcare System Identified, Prioritized, and Remediated Control Failures  

A prominent U.S. healthcare system faced significant challenges with its email gateway, detection tools, and response providers. Despite investing in state-of-the-art SEGs, EDR solutions, and internal teams working with third-party response providers, simulated tests by OnDefend uncovered critical vulnerabilities: 

  • SEG Findings: Nearly 22% of 655 simulated phishing attempts bypassed filters. 
  • Detection Gaps: Simulated attacks based on Conti and Black Basta ransomware showed detection gaps, with key alerts never being raised by the healthcare system’s EDR or SIEM.
  • Response Gaps: Internal teams and third-party vendors failed to meet SLA targets during response simulations. 

Results: After addressing these issues, the organization improved its email filtering accuracy to 97% and reduced MTTR to under 21 minutes, significantly reducing risk exposure.  

Final Thoughts: Turning Failures into Opportunities 

Every security control failure is a chance to improve. By continuously testing, validating, and optimizing your defenses, you can transform your organization from reactive to resilient. You’ve already invested in the best, and it’s time to find out whether your controls are working right now. Don’t wait for the bad guys to find out first.

We also know how little bandwidth you have, which can make it seem impossible to do all of this with the resources you currently have. We solved this problem for you. With OnDefend’s Ransomware Defense Validation (RDV) services, our expert teams take care of the continuous testing and validation using our proprietary BAS tool, BlindSPOT.

Discover and fix hidden gaps in your defenses. Schedule a call with OnDefend today to learn more.
