Security Data Paradox: When More Data Means Less Visibility
Security teams are drowning in data, yet many struggle to extract actionable insights. As threats grow more complex, the demand for visibility has never been greater. But more data does not always mean better security outcomes. 63% of daily alerts are low priority or false positives, and SOC analysts report spending nearly a third of their time on incidents that pose no real threat. At the same time, 58% of analysts say that false positives take longer to resolve than actual threats. Without the tools and methods to interpret this information, more data just means more noise. The result is a visibility paradox: the more security data an organization collects, the harder it becomes to spot real threats.
How Threat Actors Exploit the Visibility Paradox
Threat actors are capitalizing on this paradox. Recorded Future’s analysis of tactics, techniques, and procedures (TTPs) shows that threat actors are exploiting everyday traffic patterns and system behaviors to operate undetected, effectively hiding in plain sight.
- 250% Spike in Camouflaged Communication: Use of Application Layer Protocol (MITRE ATT&CK T1071) for command and control, with C2 traffic disguised as routine network traffic such as HTTPS or DNS, increased by over 250% between 2023 and 2024. Nearly half of all data exfiltration incidents tracked by Recorded Future in 2024 involved this technique.
- Malicious Infrastructure That Blends In with Web Traffic: Multiple threat actors are using specialized malicious traffic-distribution systems (TDS) that rapidly rotate URLs to defeat static blocking. This lets malicious infrastructure mimic legitimate web activity and bypass conventional defenses.
- 33% Increase in System Information Discovery: Between 2023 and 2024, use of discovery techniques that let threat actors map and understand the target environment rose by 33%. System Information Discovery (T1082) supports the defense evasion that commonly precedes ransomware deployment, such as disabling or modifying security tools or modifying the registry.
Threat actors routinely rotate indicators such as IP addresses, file hashes, and domains, so a static detection that matches today's indicator misses tomorrow's. Detections for discovery or C2 behavior, on the other hand, fire on legitimate administrative tools and normal network traffic unless they are carefully tuned, generating high false positive rates.
Automation and Specialization Create Even More Noise
Two trends are likely to fuel an increase in this activity. First, threat actors are specializing more than ever, enabling sophisticated operations at specific stages of the cyber kill chain; the rise of initial access brokers and recent discoveries of specialized access and C2 infrastructure highlight this shift. Second, threat actors are increasingly using AI tools. While malware is not autonomous yet, threat actors are using LLMs and machine learning to automate and randomize delivery infrastructure, for example by registering thousands of unique domain names a day for malicious use. The volume and randomness make these domains extremely difficult to detect or block with static lists.
Beat the Paradox by Making the Most of Data
Behavior-based detection, rather than static indicators, is pivotal to catching these threats. However, collecting enough data to understand behavior can exacerbate the visibility paradox if defenders don’t have a strategy for making sense of their alerts. This is where better analytics and intelligence-driven hunting can help:
- Understand what is normal in your systems: Detecting subtle anomalies requires first establishing what normal network and host behavior looks like (baselining). Without a baseline, deviations go unnoticed.
- Integrate your tools: Avoid alerting silos. Centralizing and enriching data in a unified platform, such as Recorded Future's Collective Insights tool, helps surface more meaningful signals.
- Test alerts with intelligence-driven hunts: Purple teaming, in which red and blue teams work together and share the results of attack emulation and detection, verifies that detections actually fire on the behaviors they are meant to catch. Red teams can use real-world threat intelligence to emulate the threats most relevant to your company based on activity observed in your industry or region.
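As an added example, not part of the original post and not Recorded Future's tooling, the following Python script contrasts the two detection styles discussed above: a static indicator match against rotating C2 domains, and a baseline-driven behavioral check that scores how regularly a host talks to never-before-seen domains. The proxy log, the baseline domain set, the hosts, the blocklist entry and the thresholds are all constructed for the example.

```python
"""
Static IOC matching versus a baseline-driven beacon detector over a constructed
proxy log. Added example: not Recorded Future code; hosts, domains and
thresholds are assumptions.
"""
import statistics
from collections import defaultdict

# Domains seen in an earlier "known good" window (constructed baseline).
BASELINE_DOMAINS = {"updates.example.com", "cdn.example.net", "mail.example.org"}

# Static blocklist that happens to contain one of the rotating C2 domains
# (constructed): it will match exactly one of ten check-ins.
BLOCKLIST = {"c3.rotating-cdn.example"}


def build_sample_log():
    """Constructed proxy log lines: one benign host, one beaconing host."""
    lines = []
    # Benign user: mostly baseline domains, a few never-seen sites, irregular timing.
    benign = [
        (1000, "updates.example.com"), (1007, "cdn.example.net"),
        (1130, "mail.example.org"), (1135, "news.example-site.org"),
        (1400, "cdn.example.net"), (1402, "shop.example-store.com"),
        (1900, "blog.example-writer.net"), (1912, "mail.example.org"),
    ]
    for ts, dst in benign:
        lines.append(f"ts={ts} src=10.0.0.7 dst={dst} bytes_out=380")
    # Beaconing host: a fresh domain on every check-in, ~60 s apart, 0-2 s jitter,
    # so each request on its own looks like ordinary HTTPS to a never-seen site.
    for i in range(10):
        ts = 1000 + 60 * i + (i % 3)
        lines.append(f"ts={ts} src=10.0.0.5 dst=c{i}.rotating-cdn.example bytes_out=512")
    return lines


def parse_log(lines):
    """Parse 'key=value' proxy lines into dicts with typed fields."""
    records = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split())
        records.append({
            "ts": int(fields["ts"]),
            "src": fields["src"],
            "dst": fields["dst"],
            "bytes_out": int(fields["bytes_out"]),
        })
    return records


def static_matches(records, blocklist):
    """Indicator-based detection: exact match on destination domain."""
    return [r for r in records if r["dst"] in blocklist]


def beacon_candidates(records, baseline, min_events=6, max_cv=0.10):
    """
    Behavior-based detection. For each source host, keep only requests to
    domains absent from the baseline, then measure how regular the inter-request
    intervals are. A low coefficient of variation (std/mean) over enough events
    is beacon-like, whichever domains were contacted.
    """
    per_src = defaultdict(list)
    for r in records:
        if r["dst"] not in baseline:
            per_src[r["src"]].append(r)

    hits = {}
    for src, events in per_src.items():
        if len(events) < max(min_events, 3):
            continue  # need at least two intervals to judge regularity
        times = sorted(e["ts"] for e in events)
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            hits[src] = {
                "events": len(events),
                "unique_domains": len({e["dst"] for e in events}),
                "mean_interval": mean,
                "cv": cv,
            }
    return hits


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("static blocklist hits:", [r["dst"] for r in static_matches(recs, BLOCKLIST)])
    for src, info in beacon_candidates(recs, BASELINE_DOMAINS).items():
        print(f"beacon-like host {src}: {info}")
```

The blocklist catches one of the ten check-ins and nothing else, because the other nine domains were never on any list. The behavioral check flags the compromised host on timing alone (ten novel domains, a 60-second mean interval, coefficient of variation around 0.02) while the benign user's three visits to new sites are too few and too irregular to score. The thresholds are deliberately simple; in production they would be tuned per environment against the baseline, which is exactly the baselining step the list above calls for.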
The Bottom Line for Security Leaders
The organizations that succeed in the years ahead won't be those that collect the most data; they will be the ones best equipped to turn that data into action. Recorded Future helps security teams beat the visibility paradox by providing the tools, automation, and intelligence needed to cut through the noise and focus on real threats before they impact your business. Ready to learn more? Join us at RSAC 2025 and be the first to test our new malware protection capabilities to transform data into accelerated detection and response.