THE HIDDEN DANGER
DEFINING DWELL TIME
Aligning Dwell Time to the Cyber Kill Chain® means that the good guys are attuned to opportunities to counter how the bad guys operate. The Kill Chain represents the lifecycle of a threat (the process the threat actor conducts) from beginning to end.
In this model, phases 4 through 7 represent the opportunity security teams have to disrupt the threat actor’s efforts.
Some vendors like to consider Dwell Time as the time from when the threat successfully penetrated your environment to when it is first detected. Because even during any response phase a threat actor still has an opportunity to perform Actions on Objectives, it is critical to add this time into the overall calculation for Dwell Time.
DAYS TO ACTIONS ON OBJECTIVES
DWELL TIME AS A CRITICAL SECURITY SUCCESS METRIC
WHAT IS DWELL TIME?
The time from the point a threat successfully enters your environment to when the threat is completely remediated.
WHY IT MATTERS
Dwell time is a leading metric in measuring the proficiency of a given security strategy and its related processes, policies and controls. For CISOs and CIOs, tying this number to business impact is critical.
THREAT ACTORS MOVE FAST
Mid-level threat actors only require an average of 4-6 DAYS to achieve success via targeted attacks.
SHOCKINGLY, THE INDUSTRY AVERAGE DWELL TIME IS CURRENTLY 191+ DAYS
[1]
[2]
CLEANUP IS COSTLY, TIME-CONSUMING
AVERAGE U.S. COST OF A BREACH: $7.35M [2]
The longer a threat actor is able to operate unfettered in your environment, the more likely the actor is able to achieve Actions on Objectives, the final stage of the Cyber Kill Chain. For businesses, shorter dwell times mean reduced risk of a data breach, a malware outbreak, or their machines getting ensnared in a botnet or held hostage by ransomware. In turn, this also means lower chances of downtime, regulatory compliance penalties and hefty lawsuits and costs stemming from a cyber incident.
Strongly Agree and Agree responses combined
FY - 2017 FY - 2016
It just takes 5 days for a threat actor to accomplish their Actions on Objectives and cause harm to your organization.
Armor leads the industry in measuring, reporting, and reducing any time an actor has to operate unfettered in your environment.
THE INDUSTRY AVERAGE IS NO MATCH FOR ARMOR
<1 DAY VS INDUSTRY AVERAGE 191+ DAYS
FALSE POSITIVE RATE: 3-4% VS 66% (PERCENT OF MSSPS THAT OPERATE AT A FALSE POSITIVE RATE OF 25% TO 99%) [5]
VULNERABILITIES PER DEVICE: 2 VS 10 [6]
[2]
SOURCES:
1. “2017 Cost of Data Breach Study: Global Overview,” Ponemon Institute, 2017.
2. “2017 Cost of Data Breach Study: United States,” Ponemon Institute, 2017.
3. “2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB),” Ponemon Institute, September 2017.
4. “2018 Security Alert Overload And Its Impact On MSSP Business Models,” Advanced Threat Analytics, 2018.
5. “2017 A Day in the Life of a Cyber Security Pro,” Enterprise Management Associates® (EMA™), Infobrief – April 2017.
18020507 Copyright © 2018. Armor, Inc., All rights reserved. (US) +1 844 682 2858 | (UK) +44 800 500 3167
KNOW YOUR DWELL TIME
Dwell Time is more than just a metric; it is a catalyst for a proactive security philosophy built around a common objective. Learn more about architecting your security operations with Dwell Time in mind.
THE CYBER KILL CHAIN AND THE COST OF AN INCIDENT
[Chart: COST ($) OF AN INCIDENT (vertical axis) against DWELL TIME (horizontal axis), across the phases EXPLOITATION, INSTALLATION, COMMAND & CONTROL and ACTIONS ON OBJECTIVES]
Attacker goes lateral in your environment.
Data leaves your environment. Your costs experience a step-change due to the seriousness of the incident.
Minimizing dwell times must be a goal of IT Security teams. Dwell time is a key metric for determining success of overall security controls and operations.
RELATIONSHIPS BETWEEN MEAN TIME TO CONTAIN AND AVERAGE COST [3] (measured in US ($) millions)
<30 DAYS: 2.83 (FY 2017), 3.18 (FY 2016)
>30 DAYS: 3.77 (FY 2017), 4.35 (FY 2016)
When the threat appears to be getting more targeted, more sophisticated and the consequences more severe, reducing Dwell Time becomes all the more critical [4]:
Cyber attacks are becoming more targeted: 60% (FY 2017), 52% (FY 2016)
Cyber attacks are becoming more severe in terms of negative consequences: 59% (FY 2017), 51% (FY 2016)
Cyber attacks are becoming more sophisticated: 59% (FY 2017), 51% (FY 2016)
THREAT ACTOR’S PROCESS
1. RECONNAISSANCE
2. WEAPONIZATION
3. DELIVERY
4. EXPLOITATION
5. INSTALLATION
6. COMMAND AND CONTROL
7. ACTIONS ON OBJECTIVES
Measured in US ($) millions
SECURITY DEFENDER’S PROCESS
DETECTION AND IDENTIFICATION | CONTAINMENT | PREVENTION | INVESTIGATION | ERADICATION | RECOVERY AND POST-MORTEM
ARMOR, RAYTHEON / WEBSENSE DWELL TIME VS DWELL TIME DEFINED BY OTHER VENDORS (FIREEYE/MANDIANT, CROWDSTRIKE, MSSPs)