On Mandiant's MTrends Report

Key takeaways + the increasingly critical role of network security analytics

Every year Mandiant releases its MTrends report, a well-regarded staple of the security industry that details everything from the current threat landscape to the latest trends in threat response. Security practitioners look to this report to help them determine where the puck is going, so I wanted to share with you some of the findings I believe are most compelling—and discuss the ways in which network security analytics will play a critical role in the changing security paradigm.

As the report makes evident, the industry has been laser focused on detection efficacy, but it's been clear to me for a long time that detection alone isn't getting it done. Stats show only about 50 percent of alerts get investigated (at best). Not only that, but dwell time is going up: most (if not all) public breaches in the last year had at least three months of dwell time.

One of the most interesting statistics from this year's report is that dwell time has actually increased year-over-year. In 2016, the global median dwell time was down to 99 days. In 2017, that number crept back up to 101 days. Still not as long as 2015, but headed in the wrong direction.

With another wave of major breaches over just the past few weeks, from the City of Atlanta, to Boeing, Saks, and others, this report puts hard numbers to what was already obvious: threats are getting more sophisticated, and traditional security models are falling far short. Luckily, there is an alternative.

Let's dive into some key quotes:

"A growing deficit in information security personnel is expected to dramatically exacerbate the current considerable skills gap over the next five years."

Cyber security faces two major challenges related to people. Demand for security professionals exceeds the supply (and is only getting worse). At the same time, the skills gap among cyber security professionals continues to increase.

My favorite quote from this section of the MTrends report (emphasis mine): "During the initial compromise phase, key indicators of malicious activity are often overlooked or mischaracterized as benign due to an implicit trust that malicious activity will be flagged by detection mechanisms. However, detection systems often miss indicators of malicious activity due to poor configuration by inadequately trained staff. Another common trend is the lack of appropriate event investigation because the security analysts lack the experience to identify a legitimate threat from a constant stream of potential indicators."

Security organizations need innovative ways to scale their existing resources and shore up the skills gap. ExtraHop Reveal(x) solves both these challenges at once by providing machine learning-driven anomaly detection, full visibility, and investigation automation.

By using machine learning to determine normal baselines and identify attack patterns, security teams needn't rely on human expertise to configure detection systems or to distinguish legitimate threats from benign anomalies. Reveal(x) only surfaces the most legitimate threats in the context of the most critical assets, so security teams can stay focused on investigating and remediating what matters.

"We continue to see organizations struggle with consolidated visibility across all enclaves of their environments."

The MTrends report also looks at the six core information security domains. The visibility challenge is a major issue for Incident Response and Network, Cloud, and Data Center Protection teams, one that materially contributes to deficits in cyber security.

Re: incident response teams in particular, the report identifies "lack of authority, lack of visibility and a lack of instrumentation" as the primary reasons that attack activity went undetected, unmitigated, and unresolved. Many of these teams simply don't know what they have running or how the pieces fit together. ExtraHop's deep roots in networking and IT operations allow us to address this issue with unique, cross-tier visibility.

"Forty-nine percent of Mandiant customers with at least one significant attack were successfully attacked again within one year."

These days, breached organizations follow an industry standard script for public disclosure. They acknowledge the breach, assure everyone that it has been contained, and offer carefully worded statements regarding the extent of the breach: "We have no evidence that it spread to XYZ." These responses typically also reaffirm the organization's commitment to security, which the public takes as an implicit promise that it won't happen again.

As it turns out, it does happen again—a lot. Once threat actors know that a system can be compromised (and where its weak points are) it becomes an obvious target for another attack.

Network security analytics and AI can play an important role in addressing retargeting. Analysis of network traffic provides visibility across the entire application payload, and unlike logs, network traffic can't be compromised or altered. It's the definitive record of what's happening in an environment. AI applied to network traffic takes this visibility a step further, continuously learning normal behavior versus attack patterns (which, over time, reduces the number of alerts security teams receive while increasing efficacy).


If an alert fired and no one investigates it… Does the alert matter? If you know you can't find the talent to do the investigations…. What do you do?

More senior security execs than I can count have told me, "If I had an alert, I'm not sure my team would know what to do with it." Reveal(x) offers the context, precise data, and automation Security Operations needs to uplevel their SOC/CIRT team skill set and reduce dwell time. You can learn more about ExtraHop Reveal(x) here.

Subscribe to our Newsletter

Get the latest from ExtraHop delivered straight to your inbox.