Dwell Time: Why is it so Important?
Dwell time is the amount of time it takes to detect that a hack has taken place and to react. It’s an instrumental metric which not many people are aware of. The amount of dwell time is critical because of the it’s directly correlated to the amount of damage which a hacker can inflict. Look at this way, If I gave you 2 mins to physically destroy the room of a hotel after you’ve had a terrible day you would probably manage to break a couple of things here and there but the damage would be easily recoverable.
Imagine that the dwell time was increased to 30 days. You would rip that hotel room apart and leave no trace of what was. Well according to the DBIR(Data Breach Investigations Report) that’s exactly the case. Hackers typically have 30 days to play around in your system before you’ve actually realized that something has gone wrong. Even with that report being relatively conservative compared to other sources that typical dwell time is between 99 days globally, 106 days in Europe and up to 172 days in Asia.
Why is Dwell Time Typically so High?
1. Sleep
Sounds crazy right? It actually makes a lot of sense. We can’t be by our computers waiting for to respond to hackers 24×7. We’ve all got things to deal with outside work and our personal lives aren’t going anywhere any time soon. The truth is that reducing dwell time is a 24×7 job that most of us don’t have the resources to deal with.
2. Resources
Most companies don’t have their own in house 24×7 SOC and therefore are at the mercy of our schedules. Information security has become a more important issue to deal with in the corporate world but companies need to be of considerable scale to have an in-house 24×7 soc to drastically reduce dwell time.
3. Information Overload
Companies with 50,000 employee’s have complex issues to deal with from a security perspective however smaller 500 man companies have more or less the same issues, just at a smaller scale. That’s a lot of information to deal with, especially for smaller companies. For larger companies unless your security team is well staffed, the situation can get very complex, very quickly leading to long dwell times
How Can You Reduce Dwell Time with Managed Detection & Response?
Disclaimer, reducing dwell time involves a number of different factors such as general information security posture, training employees and remaining diligent with software updates. These are simple steps which will go a long way however due to the rapidly changing cyber security space it’s almost impossible to remain on-top of every new development out there. We’re simply attempting to boil down the factors to the most important points which we think can put you in the best possible situation to reduce dwell time. MDR however is your single best bet to reducing dwell time ensuring that you are in the best position possible to take a hack.
1. We deal with 25 Billion Security events a month
Sounds crazy but it’s true. We monitor a plethora of over 700 enterprises and 43 fortune companies, therefore we get to deal with a plethora of data. This gives us the experience to know what to do and how to react when a breach does occur from whatever point and in whatever way. Experience is paramount in dealing with new age cyber threats. To ensure that we are always up to date with the latest trends, we sift through about 100 TB of data every day from multiple different sources. This make us more effective at keeping your protected.
2. We Leverage AI & Humans
When you’re dealing with that kind of big data it’s impossible to be able to effectively analyze that data in real time and generate quality results. AI is great for known threats i.e threats with a relatively simple digital signature, however for unknown threats such as a watering hole attack that leverages lateral movement, AI can’t be totally trusted to run rampant. Humans are require to leverage the insights that AI provide which is how we are so effective at dealing with breaches.
3. Round the Clock Coverage
Hackers come from all different walks of life and live in all kinds of different time zones. To effectively respond to attacks, we’re on the ball 24x7x365. In most cases we respond in seconds. In situations where the data involved is a little more complex it can take a few hours to correctly analyze the data and take a decision. Adopting MDR means that in the event of a breach you have the best possible chance of mitigating serious damage to your infrastructure and business.