Better, but not Good Enough

There is a term in the cyber security world called dwell time.  Dwell time is the amount of time between the time an attacker breaks in and the good guys figure that out.

In 2011 the average dwell time was over 400 days.  According to a just released Mandiant report, that number is now only 100 days.

Over half of the attacks are discovered by the the company that was hacked, but more than a third of the attacks are still discovered by outsiders like the police.

Compare that 100 days to this.  Verizon says that the time from the first attacker action to compromise is measured in seconds.  Or, maybe, in minutes.  That gives the attacks 99 days and change to laugh.

Information for this post came from Dark Reading.

Given this insane difference between the time to compromise and the time to be discovered, what should you be doing.

First, the amount of auditing or logging that companies do needs to increase dramatically.  If you are not auditing the right events then you cannot detect attacks.

Second, there needs to be an effective alerting process.  Effective means not too much.  Not too little.  Like Goldilocks, just right – but if you have to err, unfortunately, err on the side of too much.

Once those alerts are created, there needs to be an effective response plan.  There are plenty of situations were alerts are generated and then ignored or even unseen.

It is not a simple problem, but it is possible.  If we have cut the dwell time from 400 days to 100 days, can we cut it from 100 to 25?  Or less.  Improvement is incremental.

by