We Need to Talk About Dwell Time (And How to Shrink It)

Note: Learn how you can reduce dwell time in this white paper: Inverting the Investigation Workflow.

Dwell time is the dirty metric nobody wants to talk about in cyber security. It signifies the amount of time threat actors go undetected in an environment, and the industry stats about it are staggering. In 2017, Mandiant reported that the average dwell time of a threat in a corporate environment was 99 days. And that's just an average. Many organizations have discovered threats that had lurked in their environments for years before being discovered.

The reason this critical metric doesn't get as much discussion as it deserves is clear: talking about dwell time requires accepting the uncomfortable truth that current, prevention-based security methods are not working, and security programs are woefully ill-equipped to deal with threats that have circumvented perimeter security and entered the network.

The security industry as a whole needs a new approach.

Why Is Dwell Time Growing in Importance?

Take it as fact that every single network will experience a breach, or already has. That means at some point every security team will be tasked with either trying to find a threat that is lurking in the network, or conducting painstaking forensics to figure out what happened after a lurking attacker causes catastrophic damage. Traditional security program metrics-of-success like Time-To-Detect and Time-To-Respond become essentially irrelevant when the detection and response both come long after the damage has been done.

Enough stories about this have gone public that the general populace is starting to understand that 100% perimeter security is impossible. Just about every news story about a data breach in the past year was rapidly followed by the revelation that the breach was much larger than initially reported, and that the attack leading up to the breach had happened months and months ago without the knowledge of the breached company.

That's like a department store allowing an entire floor to burn down, and then telling the public: "Forensic evidence tells us the fire started months ago, but we didn't know it was burning until we lost the whole floor."

...And then a month later: "Actually three other floors you didn't know about also burned."

Just like that fire, it's unacceptable for a modern company not to know about a threat inside their network immediately. Businesses that want to survive need to reduce dwell time, and be able to report exactly how they're doing that. This will be the primary metric of success for next generation security programs.

Four Ways to Start Reducing Dwell Time

Invest in these capabilities to quickly cut back dwell time and strengthen your overall security posture—including talent development and retention among stretched-thin security teams (e.g. all security teams):

  1. East-West Visibility: The ability to actively monitor and analyze traffic inside your own network. This is where threats dwell, and right now it's an open field for attackers. Once they're inside a network, a sophisticated attacker can move laterally to find the most valuable assets to steal or attack with relative ease. East-west visibility has long been used by IT operations teams to diagnose performance issues in the network, but this capability is just as crucial for security teams. Using an analytics platform that can analyze network data in motion (wire data), security teams can apply behavioral analytics in real time to detect abnormal behavior much sooner than they would using an asynchronous forensics method relying on stored logs. Here's why the NSA agrees east-west visibility is key.

  2. Prioritize Critical Assets: Rather than investigating every single alert from a bevy of security tools, security programs should maintain a clear inventory of what their most valuable assets are, and how they're being accessed. This makes it easier to focus security program resources on threats against the most critical assets, and deprioritize alerts that are likely to be false positives that don't represent a real threat. More on how this works.

  3. Automation: Automating away high-friction, low-yield steps in the analytics and investigation process frees up time for human security analysts to focus on the threats that matter. By automating the discovery and prioritization of abnormal behavior, as well as the data-capture required for investigating that abnormal behavior, security programs can reduce the strain on their team members and minimize the "alert fatigue" that often leads to burnout.

  4. Analytics-First Approach: By applying analytics to data in motion, rather than storing data for later forensic use, security programs can gain access to insights and detect abnormal behavior much sooner, allowing them to cut attackers off before real damage is done.

These four capabilities will be foundational to the next-generation SOC. Investing in them now will pay dividends as the scale and complexity of attacks continues to increase, and as pushing dwell time towards zero becomes a central goal of forward-thinking security leaders. Here's a look at how ExtraHop delivers on all four counts.

Want in-depth tips on how to get started with these strategies on your own? "Inverting the Investigation Workflow" is your best friend!

Subscribe to our Newsletter

Get the latest from ExtraHop delivered straight to your inbox.