Executive Summary
Hero Banner Source: Meiyijia Official Website
Customer: Meiyijia
Industry: Retail
Location: China
Challenges
- Alert Overload and Delayed Response
- False Positives Triggering Unwanted Business Disruption
- Persistent Threats and Escalation Risks
- Unmanaged Attack Surface
- High Staffing Costs to Support 24/7 Security Operations
Sangfor Solution
- Sangfor Athena Managed Detection and Response (MDR)
About Meiyijia
Meiyijia is the largest convenience store chain in China, operating over 40,000 stores nationwide and serving over 250 million customers per month. The company is widely recognized in the industry for its business philosophy of "leveraging digital technologies to drive business innovation and development."

Meiyijia Convenience Store, Image Source: Meiyijia Official Website
Security Challenges
Before deploying Sangfor Athena MDR (Managed Detection and Response), Meiyijia had implemented essential security tools, including firewalls, WAFs (web application firewalls), endpoint protection, and network detection and response (NDR). They had also configured the necessary policies, such as region- and domain-based management and access control. Despite these security measures, the company's CISO (Chief Information Security Officer) acknowledged that their security operations remained inefficient and that security incidents continued to occur.
The following table summarizes their main security operations challenges.
| Pain Points | Details |
|---|---|
| 1. Alert Overload and Delayed Response | The company's NDR system generated hundreds of thousands of alerts per day, including a large volume during nighttime hours. The IT team had to spend excessive time on the repetitive yet inefficient task of manually reviewing and investigating alerts. As a result, it took several hours on average to confirm and respond to threats. |
| 2. False Positives Triggering Unwanted Business Disruption | To mitigate potential threats during unstaffed hours (evenings, weekends, holidays), the IT team configured numerous automated response playbooks. However, around a dozen (12) false positives and blocking errors each year triggered automated responses that caused service interruptions and system restarts. |
| 3. Persistent Threats and Escalation Risks | The IT team was constantly dealing with threats that kept reappearing after being removed. Because the root cause of these persistent threats could not be identified, they could not be fully eliminated. This left the company concerned about potential escalation, such as remote control or ransomware attacks. |
| 4. Unmanaged Attack Surface | The IT team did not have a systematic process for managing the attack surface and related risks, such as weak passwords and high-risk open ports. During a simulated red team/blue team exercise in 2023, a sales management system was successfully compromised after the red team obtained the administrator password through brute-force cracking. This incident made senior management question why the organization's security posture remained fragile despite significant investment. |
| 5. High Staffing Costs to Support 24/7 Security Operations | Meiyijia operates nearly a thousand stores that use AI digital shop assistants, enabling unstaffed operation at night. However, if key business systems are affected by security issues during this period, customers could potentially be locked inside the stores. To mitigate this risk, the CISO estimated that at least three additional staff members would be needed to provide 24/7 security coverage across three shifts, costing at least USD 210,800 per year, which would exceed the available budget. |
Sangfor Solution
To address their security challenges with a single turnkey solution, Meiyijia turned to Sangfor Athena MDR, a fully managed threat detection and response service that provides 24/7 monitoring, accurate threat detection, and rapid incident response.
Athena MDR is powered by more than 400 security experts and cutting-edge technologies, and operates from ISO/IEC 27001-certified global Security Operations Centers (SOC) in China, Malaysia, and other regions worldwide.
Solution Benefits and Outcomes
Security Posture Summary Before and After Athena MDR Deployment
| Pain Points | Before the Deployment | After the Deployment | Benefits |
|---|---|---|---|
| 1. Alert Overload and Delayed Response | Hundreds of thousands of alerts per day resulted in slow investigations and response delays of several hours. | Average response time dropped from hours to an average of just over 10 minutes, allowing the IT team to redirect 90% of their efforts from alert analysis to high-value business operations. | Fast Alert Verification and Response |
| 2. False Positives Triggering Unwanted Business Disruption | Around a dozen false positive incidents and block errors per year caused service interruptions and system restarts. | Zero block errors and false positive incidents reduced to single digits, ensuring seamless 24/7 business operations. | Reduction in False Positive Incidents and Block Errors |
| 3. Persistent Threats and Escalation Risks | Some threats persisted and were difficult to fully eradicate, with the risk of escalating at any time. | All threats are fully eradicated for all incidents and severity levels, with no potential for damage escalation or recurrence. | Complete Threat Eradication through In-depth Investigation |
| 4. Unmanaged Attack Surface | No systematic risk management process, and a weak password was successfully exploited during a red team/blue team exercise. | Fixed over 3,200 weak passwords, ensuring zero weak passwords within service assets, and helped identify and disable 43 unnecessary high-risk ports. | Effective and Systematic Risk Management |
| 5. High Staffing Costs to Support 24/7 Security Operations | Additional labor cost of USD 210,800 per year was required to support 24/7 security operations across three shifts. | Established 24/7 security operations at only 10% of the cost that would otherwise be required to hire three additional security staff. | 24/7 On-Guard Protection |
1. Fast Alert Verification and Response
With Athena MDR, incident response time has been reduced from several hours to an average of around 10 minutes across 2024. This level of efficiency is powered by the MDR platform's accurate threat detection and alerting, combined with expert verification by our analysts. As a result, 90% of the IT team's efforts have been redirected from alert analysis and incident response to high-value business operations, such as improving the operational efficiency of AI-powered stores, without worrying about failing to respond to critical threats in time.
Example:
On August 16, 2024, one of our analysts discovered that one of the customer's servers had been compromised and that malicious image files had been uploaded to it. The Customer Success Manager immediately informed the customer's IT team and promptly blocked the threat. Further analysis revealed that the root cause was the lack of file extension restrictions and insufficient security validation for file content on the "/CaiGouFileServer/UploadHandlerNew.ashx" interface of the server. After the threat was contained, the analyst removed all malicious files and assisted the customer in implementing security enhancement measures.
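The root cause above was an upload handler that checked neither the file extension nor the file content. The following is an added example, not Sangfor's or Meiyijia's code, of the server-side validation whose absence allowed the disguised web shell through: the handler path is quoted from the case study, while the extension allowlist, magic bytes and script markers are a constructed policy.

```python
"""Added example (not Sangfor's or Meiyijia's code): server-side upload
validation for an image-upload endpoint such as
/CaiGouFileServer/UploadHandlerNew.ashx. The allowlist, file signatures and
marker bytes are constructed for illustration."""
import os
import re

# Permitted extensions, each mapped to the signature its content must start with.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}
# Extensions the web server would execute; never allowed anywhere in the name.
EXECUTABLE_EXTENSIONS = {".ashx", ".asmx", ".aspx", ".asp", ".php", ".jsp"}
# Byte sequences that indicate server-side script source hidden in "image" data.
SCRIPT_MARKERS = (b"<%", b"<?php", b"<script")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file.

    Rejects in order: malformed names, any server-executable extension
    (catches shell.aspx.jpg), double extensions, extensions outside the
    allowlist, content whose signature does not match the declared type,
    and image data that embeds script markers."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or not re.fullmatch(r"[a-z0-9 _-]+", parts[0]):
        return False, "invalid file name"
    exts = ["." + p for p in parts[1:]]
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, "server-executable extension present: " + ",".join(exts)
    if len(exts) > 1:
        return False, "double extension not allowed"
    ext = exts[0]
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext} not in allowlist"
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, "content does not match declared image type"
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "script markers found inside image data"
    return True, "accepted"
```

Checking the extension alone is not enough: the content check is what stops a script saved with an allowed extension, and the marker scan catches a genuine image header with script appended.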

Figure 1: Security alert updates and details sent to the customer by the Athena MDR team. (Translated from Chinese)

Figure 2: Conversation with the customer to execute a response and perform further verification on the host. (Translated from Chinese)

Figure 3: Multiple suspicious and malicious files seen on the targeted hosts. The uploaded file name also shows a disguised web shell uploaded to bypass file-type filters.

Figure 4: Some of the malicious web shells that were quarantined by the third-party security product. (Translated from Chinese)
2. Reduction in False Positive Incidents and Block Errors
Athena MDR has reduced false positive incidents to single digits and maintained zero block errors, helping to ensure uninterrupted business operations throughout 2024.
Our experts have developed a dedicated approach for continuously reducing false positives. They perform secondary analysis on frequently recurring false-positive alerts and incidents to identify root causes. For example, some SQL injection alerts may be triggered by non-standard development practices, while certain information-gathering or exploit-detection rules may fire because of missing scans. After these findings are confirmed with the customer, exclusion policies are applied to prevent these non-malicious conditions from triggering automated response actions that could disrupt business operations.

Figure 5: The MDR team explains the contents of network packets to the customer for easier understanding. (Translated from Chinese)
3. Complete Threat Eradication through In-depth Investigation
With Athena MDR, threats have been fully eradicated thanks to the MDR platform's ability to reconstruct the complete attack chain, including identifying patient zero, tracking lateral movement, and pinpointing specific malicious actions. This level of forensic evidence, combined with expert investigation by our analysts, has eliminated any risk of persistence or escalation.
Example:
On January 24, 2024, the MDR platform detected a virus file named cschrm.exe on a specific endpoint. Even after attempts to delete the file and restart the host, the malware persisted. Further investigation revealed that cschrm.exe had originally been named chrome FastNet, which was not related to the Chrome browser. It was also discovered that another file, chromeupdate.exe, was disguised as a legitimate Chrome update program on the same endpoint. Analysis confirmed that chromeupdate.exe was the parent process, and cschrm.exe was created by it. After deleting chromeupdate.exe and its associated files, no further abnormalities were observed following the subsequent system restart.
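The reason deleting cschrm.exe alone failed is that its parent was still present to re-create it. As an added example (not the MDR platform's code), the snippet below reconstructs a process tree from endpoint telemetry and picks the topmost untrusted ancestor as the eradication target; the file names cschrm.exe and chromeupdate.exe come from the case study, while the events, PIDs, paths and the trusted-directory policy are constructed.

```python
"""Added example (not the MDR platform's code): process-tree reconstruction
to find the parent that keeps re-creating a persistent file. File names are
from the case study; events, PIDs, paths and policy are constructed."""

# Constructed process-creation events: (pid, parent pid, image path).
PROCESS_EVENTS = [
    (4, 0, r"C:\Windows\System32\ntoskrnl.exe"),        # System process
    (612, 4, r"C:\Windows\System32\services.exe"),
    (1880, 612, r"C:\Users\Public\chromeupdate.exe"),   # disguised "updater"
    (2044, 1880, r"C:\Users\Public\cschrm.exe"),        # child that keeps returning
    (3120, 612, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]
# Directories whose executables are treated as legitimate (constructed policy).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
CHROME_DIR = "c:\\program files\\google\\chrome\\"


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, events):
    """Image paths from pid up to the root, following parent-pid links."""
    by_pid = {p: (pp, img) for p, pp, img in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-set guards against pid reuse loops
        seen.add(pid)
        ppid, img = by_pid[pid]
        chain.append(img)
        pid = ppid
    return chain


def eradication_targets(file_name, events):
    """For each process running file_name, return the topmost ancestor outside
    a trusted directory: removing only the child leaves it free to re-create it."""
    targets = set()
    for pid, _, img in events:
        if image_name(img) == file_name.lower():
            untrusted = [p for p in ancestry(pid, events)
                         if not p.lower().startswith(TRUSTED_PREFIXES)]
            if untrusted:
                targets.add(untrusted[-1])
    return sorted(targets)


def chrome_lookalikes(events):
    """Images borrowing the Chrome name but running outside Chrome's install dir."""
    return sorted(img for _, _, img in events
                  if any(t in image_name(img) for t in ("chrome", "chrm"))
                  and not img.lower().startswith(CHROME_DIR))
```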

Figure 6: Sample attack path taken by the adversary and the malicious file.
4. Effective and Systematic Risk Management
Since Athena MDR was deployed, a total of 3,238 weak passwords have been remediated, resulting in zero weak passwords within service assets. In addition, 43 unnecessary high-risk ports have been identified and disabled.
The MDR team has also established a weak password management process for the customer. Monthly reviews are performed to detect and validate weak credentials, with a focus on common defaults such as #username and 123456. After manual verification, identified weak passwords are summarized and reported to the customer. Once the changes are completed, the MDR team retests the relevant systems to confirm the remediation has been effective.

Figure 7: Multiple weak passwords were identified by the MDR team through the MDR platform.
5. 24/7 On-Guard Protection
A dedicated team of security analysts (T1-2), security experts (T3), and incident response specialists are on duty 24/7 to proactively detect and resolve issues. Our team provides full coverage across working and non-working hours (including nights, weekends, and holidays). The customer's IT team only needs to remain on call outside of business hours. This continuous protection has ensured uninterrupted operations for 110 business-critical systems, including nationwide store applications, payment settlement systems, and WMS platforms. As a result, Meiyijia has confidently operated 24/7 unstaffed stores at only 10% of the USD 210,800 that would otherwise be required to hire additional security staff to provide 24/7 security coverage.
Example:
On the evening of August 8, overseas malicious IP addresses attempted to exploit vulnerabilities on one of Meiyijia's key business servers, but the attack was quickly blocked by the Athena MDR team.
Key Takeaway
Meiyijia's experience demonstrates that "having tools" is not the same as "having security."
Before Athena MDR, Meiyijia had invested heavily in firewalls, WAF, and NDR. Yet, risk remained high, threat handling was slow, and the business still suffered from false-positive disruptions and persistent threats. The transformation came not from adding more products, but from adding operational capability — continuous expert monitoring, forensics-level investigations, and systematic risk governance delivered as a service.
By combining advanced technology, mature processes, and human expertise, Sangfor Athena MDR closed the operational gap:
- MTTR dropped from hours to ~10 minutes
- Blocking errors were eliminated, preserving business uptime
- Persistent threats were fully eradicated, not just "cleaned"
- Weak password surface was reduced to zero
- 24/7 coverage at only ~10% of equivalent staffing cost
Most importantly, security is no longer a drag on innovation — it is now an enabler. Meiyijia can confidently scale AI-driven stores, expand unmanned operations, and introduce new digital services without exposing the business to unmanaged cyber risk.
This case shows what many enterprises today are discovering:
MDR is not just cheaper SOC capacity — it is the fastest path from "tool ownership" to "actual cyber resilience."