Understanding incident metrics has become increasingly important as the cyber threat landscape grows faster-moving and more complex. Speed and efficiency in security operations can make the difference between a contained compromise and a catastrophic data breach, which is why metrics such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) have become so relevant in the cyber security industry.

It is no longer a question of IF but WHEN a business will be breached; the real question is how well it is prepared to minimise the attacker's dwell time. Current industry figures put the average attacker dwell time somewhere in the range of 100-140 days.

Dwell time measures how long an attacker is present in your environment before being found: from the initial foothold to the point of detection, which is why it is sometimes called the breach detection gap. Some organisations extend the measurement to the point of remediation, so be explicit about which definition you are using before quoting a number.

What is MTTD and MTTR?

Let’s briefly clarify the two measurements and their role in the cyber security industry:

  • Mean Time to Detect (MTTD) is the average time between a threat first entering your environment and your business discovering it.
  • Mean Time to Respond (MTTR) is the average time it takes your business to contain, remediate and/or eradicate the threat once it has been discovered. Note that "MTTR" is also widely used for Mean Time to Recover or Mean Time to Resolve; pick the end point you measure against (containment or full remediation) and use it consistently.

Why is it important to measure your security operations effectiveness?

As the saying goes, what gets measured gets managed, which is why security teams treat MTTD and MTTR as two of the most important metrics to track. Measuring the effectiveness of your security operations lets you focus effort on the areas where improvements will deliver the highest gains. Last but not least, being able to show progress helps you demonstrate the value of your programme to your board.

Unfortunately, comparisons between organisations can be like comparing apples to oranges, because there is no industry-standard approach to measuring MTTD and MTTR: one team starts the clock at initial compromise, another at the first alert; one stops at containment, another at full remediation. Meaningful targets also depend on the size and complexity of your network, your team's expertise, your industry and more, so the most reliable comparison is against your own trend over time.
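To make the point concrete, here is an added example (written for this article, not tooling from the original page or from any vendor) that computes MTTD, MTTR and dwell time from a handful of constructed incident records. The CSV layout, the `respond_endpoint` parameter and all sample timestamps are assumptions made for the illustration. It reports the median alongside the mean, because a single long-running compromise drags the mean far away from what a typical incident looks like.

```python
"""Compute MTTD, MTTR and dwell time from incident records.

Added example for this article, not tooling from the original page.
The record format and all timestamps below are constructed for illustration.
Each record carries four ISO 8601 timestamps (UTC):
  first_evidence  earliest attacker activity found during the investigation
  detected        when the SOC raised and triaged the alert
  contained       when the attacker's access was cut off
  remediated      when the affected systems were cleaned or rebuilt
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Iterable, List


@dataclass
class Incident:
    incident_id: str
    first_evidence: datetime
    detected: datetime
    contained: datetime
    remediated: datetime

    def time_to_detect(self) -> timedelta:
        # Time the attacker was in the environment before anyone noticed.
        return self.detected - self.first_evidence

    def time_to_respond(self, endpoint: str = "contained") -> timedelta:
        # "MTTR" is ambiguous in the industry, so the end point is explicit:
        # "contained" or "remediated" (assumed field names, not a standard).
        return getattr(self, endpoint) - self.detected


def parse_incidents(rows: Iterable[str]) -> List[Incident]:
    """Parse 'id,first_evidence,detected,contained,remediated' CSV rows."""
    incidents = []
    for row in rows:
        row = row.strip()
        if not row or row.startswith("#"):
            continue
        inc_id, *stamps = row.split(",")
        inc = Incident(inc_id, *[datetime.fromisoformat(s.strip()) for s in stamps])
        # A timeline that runs backwards would silently distort the averages,
        # so reject the record rather than average it.
        if not (inc.first_evidence <= inc.detected <= inc.contained <= inc.remediated):
            raise ValueError(f"{inc_id}: timestamps are not in chronological order")
        incidents.append(inc)
    return incidents


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def summarise(incidents: List[Incident], respond_endpoint: str = "contained") -> dict:
    """Mean and median (in hours) for detection, response and overall dwell time."""
    ttd = [hours(i.time_to_detect()) for i in incidents]
    ttr = [hours(i.time_to_respond(respond_endpoint)) for i in incidents]
    dwell = [hours(i.remediated - i.first_evidence) for i in incidents]
    return {
        "incidents": len(incidents),
        "mttd_hours": mean(ttd),
        "median_ttd_hours": median(ttd),
        "mttr_hours": mean(ttr),
        "median_ttr_hours": median(ttr),
        "mean_dwell_hours": mean(dwell),
    }


# Constructed sample data: four incidents, the last one a compromise that sat
# unnoticed for 130 days and skews the mean well away from the median.
SAMPLE_ROWS = """
# id,first_evidence,detected,contained,remediated
INC-001,2024-03-01T08:00:00+00:00,2024-03-01T10:00:00+00:00,2024-03-01T12:00:00+00:00,2024-03-02T10:00:00+00:00
INC-002,2024-03-03T00:00:00+00:00,2024-03-03T06:00:00+00:00,2024-03-03T07:00:00+00:00,2024-03-03T18:00:00+00:00
INC-003,2024-03-05T09:00:00+00:00,2024-03-05T10:00:00+00:00,2024-03-05T11:00:00+00:00,2024-03-05T16:00:00+00:00
INC-004,2023-11-01T00:00:00+00:00,2024-03-10T00:00:00+00:00,2024-03-10T08:00:00+00:00,2024-03-14T00:00:00+00:00
""".strip().splitlines()

if __name__ == "__main__":
    for endpoint in ("contained", "remediated"):
        print(f"--- response measured to: {endpoint}")
        for key, value in summarise(parse_incidents(SAMPLE_ROWS), endpoint).items():
            print(f"{key:>18}: {value}")
```

With the constructed data the mean time to detect is 782.25 hours while the median is 4 hours, which is why a single headline mean can mislead. Switching `respond_endpoint` from "contained" to "remediated" raises the MTTR from 3.0 to 34.5 hours on the same incidents; that is exactly the definitional gap that makes cross-organisation comparisons unreliable unless both sides state their end points.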

Best strategies to drive down your MTTD and MTTR

Reducing MTTD and MTTR is a primary goal of a resilient security operations programme, and it starts with applying a series of techniques, including:

  • Understanding cyber attacks
    TTPs (tactics, techniques and procedures) is an acronym everyone in the industry should be familiar with, but not everyone understands how they support threat intelligence and security operations. TTPs describe how threat actors orchestrate and manage attacks. Knowing these patterns and behaviours allows analysts to strengthen alerting, identify additional attack vectors, and support the investigation directly: which hosts are likely compromised, what context an event sits in, and which mitigations are appropriate.
  • Optimising your incident response plan
    Success in a cyber security incident extends beyond the tools you deploy in your environment. A solid IR plan ensures your business is prepared to respond when an incident happens. Go beyond writing policy: identify your most sensitive assets, define which critical security events your teams should focus on, and get buy-in from management so that you are prepared before a breach occurs.

  • Know normal
    Taking the time to understand what is normal makes the abnormal stand out, enabling analysts to catch changes in network and endpoint activity that could indicate a breach. Baselining has the added benefit of letting analysts fine-tune detection technologies and reduce alert fatigue.

  • Streamlining decision making
    Security Orchestration, Automation and Response (SOAR) tools allow security teams to connect disparate systems into one centralised point of authority. This enables security teams to make faster and more efficient decisions. SOAR can be used to escalate alerts, provide additional context and notify the right people and tools to neutralise and remediate incidents.

  • Use machine learning to enhance threat hunting
    Develop a methodology for hypothesising how a threat actor would operate within your environment, test each hypothesis against the data you collect, and use automation and analytics (including machine learning where it fits the data) to run those searches continuously rather than once.

  • Conducting regular Offensive Security assessments
    From vulnerability scanning to penetration testing, these assessments are designed to simulate threat actors breaching an environment. Frequent testing results in a stronger security posture, as incident response plans and technologies are refined against realistic attacks; it also gives you real detection and response timings to measure your MTTD and MTTR against.

  • Performing regular Security Awareness Training (SAT and Phishing Campaigns)
    People are frequently the weakest security link, but well-trained users who report suspicious emails quickly are also one of the biggest levers for driving down your MTTD and MTTR. Security awareness training can never be "one and done"; to be successful it needs to be an ongoing process.

Driving down your MTTD, MTTR and dwell time is easier said than done. You could do it yourself or rely on our experience, technologies and methodologies to improve your incident management. Our 24x7 Security Operations Centre provides your business with tactical day-to-day security monitoring, response, vulnerability management and up-to-the-minute threat analysis.

We’ve developed our own Security Operations Maturity Assessment: find out in just 3 minutes how mature your organisation's security operations are. Your results will include an overall score, individual ratings for each section and advice on what to focus on next.

