There’s a Hole in Enterprise Cyber Defense: Detection-based Protection is Not Enough