Critical Infrastructure
MDR Assessment
Oil & Gas
Houston, TX
Paying for Security That Wasn't Working
A publicly traded oil and gas company was overwhelmed by ineffective alerts from a managed security service that generated noise rather than protection. Digiss identified the issues and developed a plan to resolve them.
854 security alerts analyzed across a 15-month period
81% of HIGH/CRITICAL alerts were over-rated and should have been deprioritized
6 systemic service failures identified in the MDR program
9 actionable remediation items delivered to the client
Background
A Two-Person Security Team Buried in False Alarms
The client, a publicly traded Houston-based energy company operating in the oil and gas sector, had engaged a third-party provider to deliver a Managed Detection and Response (MDR) service. On paper, the arrangement made sense: outsource 24/7 security monitoring to specialists so the internal team could focus on higher-value work.
In practice, the service was generating a relentless stream of low-quality, miscategorized security alerts, most of which demanded attention they did not deserve. With only two in-house security professionals to field them, the operational burden had become unsustainable.
The company engaged Digiss not to replace their MDR provider, but to answer a harder question: were they actually getting the protection they were paying for?
The Core Problem
Alert Fatigue
When every alert demands attention, no alert gets the attention it deserves. The MDR service had created the worst possible condition for a two-person security team: constant noise masking real signal.
Digiss Scope of Work
Reviewed full MSA and Statement of Work
Analyzed 15 months of historical alert data
Assessed log sources, coverage, and monitored assets
Evaluated SLA compliance against contracted terms
Delivered 9 prioritized, actionable remediation items
Key Findings
Six Systemic Failures Hidden Inside the Service
Digiss identified six distinct categories of failure, each compounding the others. Together, they explain why the MDR service was generating significant cost while delivering minimal protective value.
Misconfigured EDR Solution
The endpoint detection and response platform was badly configured, producing excessive false positives and missing detections that a correctly tuned deployment would have caught.
Inadequate Data Source Coverage
Key log sources were not being ingested by the MDR platform, creating blind spots in the organization's attack surface that the provider had no visibility into.
Low-Quality Event Logging
Auditing was configured to capture low-value system noise rather than security-relevant events, degrading the signal-to-noise ratio of everything the SOC received.
Log Retention Failures
Insufficient storage space led to logs being overwritten before meeting retention requirements, compromising both incident investigations and regulatory compliance.
Flawed Alert Correlation
Security events were improperly correlated, leading to isolated alerts for activities that were harmless in context, and missing alerts for actual threats.
SLA Non-Compliance
The MDR provider consistently missed the response and escalation timelines outlined in the Statement of Work, a breach that went unnoticed by the client until this assessment.
Alert Data Analysis
854 Alerts. 15 Months. The Numbers Tell the Story.
Digiss began by securing a copy of the fully executed Master Services Agreement, then requested 15 months of historical alert data. Each alert was re-evaluated against true severity, actual response actions taken, and the time elapsed between alert generation and provider acknowledgment.
The findings were decisive. Across all three severity tiers, the MDR provider had systematically over-rated the urgency of alerts, creating a triage backlog and operational burden that no two-person team could realistically sustain.
Digiss Evaluated Each Alert For
True severity vs provider-assigned rating
Response actions actually taken by the SOC
Time to acknowledge, investigate, and escalate
SLA compliance per contractual terms
854 total alerts investigated and escalated over 15 months
98 HIGH / CRITICAL
116 MEDIUM
640 LOW
HIGH / CRITICAL Alerts
81% over-rated (79 of 98)
Should have been rated MEDIUM or lower
MEDIUM Alerts
78% over-rated (91 of 116)
Should have been classified as LOW and given lower priority
LOW Alerts
66% no alerting value (422 of 640)
Should have been logged as reports, not alerts
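The per-alert re-evaluation described above, sketched as an added example that is not Digiss's tooling or the client's data. The record layout, the sample alerts and the acknowledgment SLA windows are constructed assumptions; real windows come from the signed Statement of Work.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tiers as the assessment reports them; "NONE" = report-only, no alerting value.
TIER_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH/CRITICAL": 3}
# Assumed acknowledgment windows (placeholders for the contracted SLA terms).
ACK_SLA = {"CRITICAL": timedelta(minutes=15), "HIGH": timedelta(minutes=30),
           "MEDIUM": timedelta(hours=4), "LOW": timedelta(hours=24)}

# Constructed sample export:
# (id, provider severity, re-assessed severity, generated, acknowledged)
ALERTS = [
    ("A-1", "HIGH", "MEDIUM", "2024-01-03T02:10", "2024-01-03T02:25"),
    ("A-2", "HIGH", "HIGH", "2024-01-09T14:00", "2024-01-09T15:10"),
    ("A-3", "CRITICAL", "LOW", "2024-02-11T08:00", "2024-02-11T08:05"),
    ("A-4", "MEDIUM", "LOW", "2024-02-20T22:30", "2024-02-21T04:00"),
    ("A-5", "MEDIUM", "MEDIUM", "2024-03-02T10:00", "2024-03-02T11:00"),
    ("A-6", "LOW", "NONE", "2024-03-15T09:00", "2024-03-15T12:00"),
    ("A-7", "LOW", "LOW", "2024-03-18T09:00", None),  # never acknowledged
]

def tier(severity):
    """Collapse HIGH and CRITICAL into one reporting tier."""
    return "HIGH/CRITICAL" if severity in ("HIGH", "CRITICAL") else severity

def audit(alerts):
    """Per provider-assigned tier: volume, over-rating rate, SLA misses."""
    stats = defaultdict(lambda: {"total": 0, "over_rated": 0, "sla_missed": []})
    for alert_id, assigned, reassessed, generated, acked in alerts:
        row = stats[tier(assigned)]
        row["total"] += 1
        # Over-rated: the re-assessed tier ranks below the provider's tier.
        if TIER_RANK[tier(reassessed)] < TIER_RANK[tier(assigned)]:
            row["over_rated"] += 1
        # An unacknowledged alert is counted as an SLA miss.
        if acked is None or (datetime.fromisoformat(acked)
                - datetime.fromisoformat(generated)) > ACK_SLA[assigned]:
            row["sla_missed"].append(alert_id)
    for row in stats.values():
        row["over_rated_pct"] = round(100 * row["over_rated"] / row["total"])
    return dict(stats)

if __name__ == "__main__":
    for name, row in audit(ALERTS).items():
        print(name, row)
```

Keeping the alert IDs of each SLA miss, rather than only a count, is what lets a finding be tied back to a specific contractual term.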
Digiss Approach
Methodical. Evidence-Based. Contractually Grounded.
Digiss structured the assessment around the contract the client had already signed. By anchoring findings to the Statement of Work, every gap identified carried clear accountability, and every recommendation had a contractual or operational basis the client could act on immediately.
The result was not a report full of generic best-practice guidance. It was nine specific, sequenced actions, each mapped to a root cause and a measurable improvement in service quality.
Digiss Conclusion
"If the efforts to address these issues are deliberate and measurable, there will be significant improvement in the value being derived from the MDR service."
01 Contract Review & Baseline Establishment
Digiss obtained and reviewed the fully executed Master Services Agreement, establishing what the client was contractually entitled to receive, before evaluating whether they were receiving it.
02 15-Month Alert Data Forensics
Every alert from the prior 15 months was re-evaluated for true severity, provider response, and SLA compliance. This produced a data-driven audit trail, not subjective opinion.
03 Coverage Gap Mapping
Digiss mapped monitored assets against the organization's actual attack surface, identifying log sources that were missing entirely from the MDR provider's visibility.
04 9 Actionable Remediation Items Delivered
Findings were translated into nine specific, prioritized recommendations, each one directly addressable by the client or escalatable to the MDR provider under existing contractual terms.
Outcomes
What the Client Gained From This Engagement
Digiss found that the MDR service was not providing the monitoring and incident response capability needed to meaningfully reduce the risk of a successful cyberattack. Recommendations were structured to deliver value across four measurable business dimensions.
Auditability & Detectability
Critical systems were identified and configured to record the security events that actually matter, giving the MDR provider the high-fidelity inputs needed to make sound alerting, investigation, and containment decisions. The client moved from logging noise to logging signal.
Stronger Endpoint Protection
The client’s EDR deployment, which had been delivering inadequate value due to misconfiguration and a skills gap at the provider level, was re-scoped. Digiss recommended a structured EDR solution assessment against predefined use cases, with a view to selecting the most appropriate platform for the organization's actual threat profile.
Demonstrable Return on Investment
The engagement gave the client an expert, independent view of the current state of their MDR service and a concrete roadmap toward an optimized future state. For the first time, they had objective evidence of what they were and weren't receiving, and a clear basis on which to hold their provider accountable.
Standards-Compliant Operations
With Digiss's recommendations implemented, the MDR service will be redesigned, deployed, and operated in alignment with appropriate technical and regulatory standards, positioning the company to reliably meet its compliance obligations around security event logging and incident response.
Is Your MDR Service Protecting You?
Don't Pay for Security Theater.
Find Out What You're Actually Getting
If your team is buried in alerts, your provider is missing SLAs, or you simply don't know whether your MDR investment is delivering real protection, Digiss can give you the independent assessment you need to find out.
Engagements are fully scoped, authorized, and handled with discretion. All findings remain confidential.