How do organizations ensure they're defending their infrastructure? This article discusses dwell time in security programs and how it relates to your security practices
Dwell time describes the length of time that an adversary has undetected access in a particular network until the time they are entirely neutralized. It's determined by adding Mean Time to Identity (MTTI) and Mean Time to Contain (MTTC) and is usually measured in days and also is referred to as the detection gap. It also gives visibility into the first-mover advantage which gives the adversary an edge in their opportunity to access networks and sensitive data to meet their objectives. This is a foremost matter for all organizations as security incidents are involved.
Dwell Time = Mean Time to Identity (MTTI) + Mean Time to Contain (MTTC)
Source: IBM Security Cost of a Data Breach Report, 2019
The shortest mean time to identify an adversary in 2019 was 206 days.  For those respondents not using BAS technology, the meantime, to contain an adversary inside their organizations' networks was nearly 73 days. FireEye Mandiant incident response services reported that global median dwell time in 2018 was 78 days, which was down from 101 days in 2017 and 416 days back in 2011.
Source: Fireeye M-Trends Report, 2019
Why is a high number in dwell time critical? The answer is simple: A higher dwell time number leads to the increased potential for widespread loss and costs, and more extended time of detection also refers to the persistence of the attack, which often is called a 'silent failure' because SecOps teams are unaware that the breach has occurred. In contrast, these failures indicate an environmental drift condition in organizations, and that adversaries are releasing their malicious payloads faster.
Bypassing security tools with increasing persistence for long periods is far too common. At the same time, sophisticated tools, tactics, and procedures (TTP) are used to deliver malicious payloads which take veiled action silently to enable illegal activity.
Source: IBM Security Cost of a Data Breach Report, 2019
More often than not, organizations think that because next-generation tools are in place and because they are responding more effectively to adversary actions and collecting more facts, organizations are faced with the inability to effectively manage these facts. Security stacks with current controls are still being bypassed, and this demonstrates why interpreting dwell time data continues to be an issue for organizations. The IBM Security Cost of a Data Breach Report  explains the undetected breach lifecycle of undetected adversarial actions in 2019 as an average of 314 days versus a breach caused by system problems or human error was faster to resolve in an average of 243 and 242 days, respectively.
Why is it important for organizations?
One critical repercussion of having longer dwell times is that it allows adversarial actions to persist and gain an advantage in fulfilling their objectives. Areas such as lateral movement tactics through the network will make it hard to detect the actions of adversaries in order to neutralize them and it's much more challenging to detect these actions in large networks. These complexities allow adversaries to amplify their success.
Adversaries aren't going to retreat and if you don't find them quickly with security readiness processes in place, the damages could be severe. That's why you need to understand adversary behavior and the TTPs that provide necessary defense actions with necessary mitigations and response capabilities at small intervals.
Internal vs External?
Does the endless discussion still exist on what is more effective when it comes to detecting a security breach? In our experience at Picus, SecOps teams that don't have an adversarial context against a particular TTP are not positioned to be in the first place to respond to adversaries. The more important question now is, before the next attack occurs, how can you prepare for it so that it doesn't become the next breach, and what do you know about how to be prepared for it?
The Verizon DBIR Report states that 60% of breaches take months to detect and this often means that current security programs don't cover the current threat landscape risks and have not identified current adversarial methods. Due to the false sense of security, SecOps teams are unlikely to waste time actively looking for something arbitrary and teams often fall victim to 'silent failure' in their security readiness. In this context, it shines a bright light on Breach and Attack Simulation Technologies that enable security tools to augment and become dynamic in the identification and mitigation of imminent threats.
Attack Simulation is a Silent Defense
Every single organization will experience a breach or security incident. At some point, every SecOps Team becomes involved with analyzing adversary actions and kill chain processes to figure out what happened after the fact, once the adversary successfully completes an attack campaign. Despite the reassurance that organizations maintain their security posture by having a variety of different security technologies in place, they still have produced too much noise. SecOps teams face the challenge of keeping up with ad-hoc security management and product updates and misconfiguration without having visibility into which vulnerabilities are actively exploited by adversaries.
Given the power of low and slow multi-purpose attacks, adversaries move stealthily around networks and they find sensitive assets and exfiltrate data. It's not unusual. This is the reason why continuous security validation technology is growing. It is ideally suited to validate security control effectiveness to prevent and detect attackers in their lifecycle. Continuous Security Validation is different from traditional security tools because of the proactive approach rather than a reactive one.
Quantifying ROI Perspective and Role in Defensive Strategy
ROI of security controls can be notably challenging and tied to a current security posture and attack surface reduction which can be questioned. Cybersecurity has been a game between utilizing SecOps teams and adversaries. At the same time, the cyber threat landscape is evolving, so Breach and Attack Simulation (BAS) technologies allow security tools to shift and take back control, gaining visibility, improve the capability of security readiness and change to enhance the security maturity process.
Breach and Attack Simulation is seen as a primary one-off standalone technology to provide complete in-depth strategy, and it's meant to augment the value of security controls. The granular detail gathered by BAS technology on adversarial activity is used for precise security control simulation within an organization's current infrastructure, revealing and mitigating threats that are looming in disguise. Attack plans are thwarted before they can do any real damage and imminent threats of a similar nature are prevented as a result.
Ways to Minimizing Dwell Time
Attacker Eye Visibility: Rather than focusing on every single risk from security tools, security plans should maintain distinctive actions on real risks. This addresses facts and eliminates false positives that don't address a real threat.
Prioritize Exploitable Vulnerabilities: Only a small number of vulnerabilities are exploitable. SecOps should identify exploitable vulnerabilities in the first place and make sure they get the priority.
Faster Response: Utilization of continuous security validation and prioritization of imminent threats can significantly reduce "alert fatigue" and will result in better response times.
Adapt to Threat Landscape: Security programs must access actionable insights and adapt to the current threat context continuously which will allow them to paralyze the adversarial kill chain before the attack has become weaponized.
Despite the full range of use cases available that BAS technology addresses, a clear majority of organizations are planning to assess BAS technology to detect adversaries as early as possible in the attack lifecycle. Picus BAS technology, using threat modeling, aligns with this new paradigm. We contextualize imminent threats that we are protecting against. This does not require you to know every detail of every threat that exists in the wild.