Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Enterprise risk index findings: what are security teams missing now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: In-memory attacks doubled versus file-based infection rates and only 20% of threats matched existing AV signatures, according to SentinelOne’s Enterprise Risk Index, based on filtered telemetry from more than one million deployed agents in the second half of 2016. The result is a reminder that detection and response models need to move beyond static file inspection and signature dependence.

NHIMG editorial — based on content published by SentinelOne: Enterprise Risk Index findings on in-memory attacks and antivirus coverage

By the numbers:

Questions worth separating out

Q: What breaks when security teams rely on antivirus alone for endpoint protection?

A: Antivirus breaks down when attacks do not present as stable files on disk.

Q: Why do in-memory attacks matter for IAM and NHI programmes?

A: In-memory attacks often become an identity problem after execution starts, because attackers use the foothold to steal credentials, abuse tokens, or move through privileged sessions.

Q: How can security teams know whether endpoint policy enforcement is actually working?

A: They should test whether policy holds without custom scripts, local workarounds, or manual exceptions.

Practitioner guidance

  • Correlate endpoint telemetry with identity events Join process execution, privilege changes, and authentication logs so that suspicious runtime behaviour can be evaluated alongside account, token, and session activity.
  • Measure control coverage by behaviour, not signatures Track how many detections come from process lineage, command execution, and memory anomalies rather than signature matches, then use that ratio to identify blind spots in your stack.
  • Harden privileged sessions against post-execution abuse Shorten standing privilege exposure, require just-in-time elevation where possible, and make sure privileged access monitoring can see suspicious child processes or script execution.

What's in the full report

SentinelOne's full research covers the operational detail this post intentionally leaves for the source:

  • Agent telemetry and threat mix breakdowns from the second half of 2016 across more than one million deployed agents.
  • The specific in-memory attack patterns observed in production environments and how they differed from file-based vectors.
  • Board-level metrics framing and the benchmark model the report proposes for cyber security investment decisions.
  • The full discussion of why agnostic endpoint protection is positioned as necessary for mainstream attack methods.

👉 Read SentinelOne's Enterprise Risk Index analysis of in-memory attacks and AV blind spots →

Enterprise risk index findings: what are security teams missing now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Static inspection is no longer a defensible security boundary. The ERI reinforces a structural problem in endpoint defence: if a control only sees files, it will miss a growing share of attacks that execute in memory or mutate before on-disk detection is possible. That is not an edge-case weakness, it is a category limitation. Practitioners should treat file inspection as one layer inside a broader runtime detection model.

A question worth separating out:

Q: Who should own response when runtime attacks reach privileged access?

A: Accountability should sit across endpoint security, IAM, and PAM, because runtime attacks often cross those boundaries in minutes. The right owner is the team that can contain execution, revoke access, and investigate identity activity together before lateral movement completes.

👉 Read our full editorial: Enterprise risk index data shows static AV is missing most threats



   
ReplyQuote
Share: