Stop Ignoring Dwell Time — It Will Cost You Big Time

Cyber threat actors are constantly developing new Tools, Techniques and Procedure (TTP) to break your first line of defense offered by firewalls, intrusion prevention system, email and web security gateways to gain a foothold in your organization. Once they get in, they craft their moves to cover their tracks and be in stealth inside the organization. When the first line of defense drops its guard against these, the organizations become susceptible to bigger cyber attacks, unaware that the breach even occurred. The success and breadth of the attack depend on how well it can progress within the network, exfiltrating data and remain undetected. We call this duration as “dwell time.” An industry explanation of dwell time is the number of days a threat actor remains undetected within a given environment until remediation. Minimizing dwell time needs to be a priority of security teams.

With today’s data center scaling between on-premise to cloud, it has created a lack of visibility to the traditional monitoring tools. This enables the malicious attack to move laterally and remain undetected for months, creating a dangerous security gap. Traditional security measures focused on prevention and detection are based on north — south traffic and they are not designed to detect lateral east-west movement of these attacks. This, in turn, gives benefits for hackers to operate undetected for months.

One of the most infamous attacks was the Target breach of 2013, where more than 100 million customers were exposed, costing the retailer over $200 million. Most important, they stole 11GB of data over 2 weeks without being detected, and the attackers dwelled undetected inside the company’s network for months before exfiltrating the data. Ponemon Institute report 2016 on Cost of a Data Breach Study, shows when a breach is identified within 100 days, average costs were $5.83 million per breach. However, when a breach goes undetected 100+ days, the average costs went up to $8.01 million, or nearly 40% higher. Another Ponemon study shows the time taken to identify advanced threats is 98 days for Financial Services firms, and 197 days for Retail. Despite these results, 58 percent of Financial Services and 71 percent of Retail organizations said they are not optimistic about their ability to improve these results in the coming year. This is alarming, considering the growth of a number of attacks and how sophisticated the attacks have become in recent times.

Reducing dwell time is more a reactive measure than a preventive measure. Ideally, security tools should block this malicious actor from getting into the network in the first place, but that’s not always possible. As the security tools grow smarter to block, so are the hackers innovative ways to pass through your army of security tools. Some attacks are smart enough to get in your network in stealth but for some attacks, these tools do their due diligence to alert. The security devices deployed to guard your front doors usually also increase the volume and velocity of alerts, which makes it difficult for the security team to find the threat within all the noise.

What would you do to reduce dwell time and strengthen your defense?

Intelligent attacks are often beyond conventional security deployments. So advanced security vendors often have a well-trained behavioral analysis and machine learning engine to detect malicious actors in disguise. Still, attacks are on rise and cyber espionage are hitting daily headlines. What more needs to be done?

Organizations not only need good preventive measures but also needs advanced detection and response measures to minimize the dwell time. Defend your network with multiple levels of security that can not only detect the lateral spread of attacks but can also stop them. In addition to it, an added advantage will be if the security platform can also integrate with your existing security tools and prioritize the threat action that needs to be taken.

A solution that can reduce the dwell time and accelerate remediation will go a long way towards mitigating the ever-increasing cost of today’s inevitable data breaches.

“Success breeds complacency. Complacency breeds failure. Only the paranoid survive.”
-Andy Grove