Reducing Dwell Time

C. Glen Combs and Kiel Murray
11/22/2019

For most online enterprises, cyberbreaches are inevitable. Ever-more devious exploits evade traditional means of detection and move laterally through invaded systems until they reach their intended targets. Preparing for the eventuality of an attack is imperative. Managed detection and response (MDR) systems are perhaps the best hope of quickly identifying and containing these breaches.

Increasing likelihood and cost of breaches

Cyberbreaches have been a constant threat since the inception of online business. While attackers’ motivations have remained relatively constant and focused on financial gain, there is some indication that the frequency, intensity, and sophistication of attacks have shifted. The advent of elaborate attack strategies engineered by well-funded nation-states has made combating these attacks even more complex. According to the Verizon 2019 Data Breach Investigations Report, nearly 42,000 security incidents and more than 2,000 data breaches occurred in 2019.

Malicious attackers usually seek financial and personal information of customers, but the techniques used to garner this information have grown more elaborate and thus become more difficult to detect. Legacy security systems are at increased risk as a result.

Although more recent analyses estimate the time to detection at around 100 days, a 2018 data breach study by the Ponemon Institute found that, on average, detection took around 197 days and containment took an additional 69 days. Together, a breach event spanned an average of 266 days from initial intrusion to containment. The gap between when an attacker gains access to an environment and when the attacker is detected and removed is referred to as dwell time. A critical point to note is that this is a fuzzy statistic: some organizations measure dwell time from attacker access to detection, while others measure it from attacker access to containment or eradication from the environment. In this article, dwell time means the time from attacker access to detection, also referred to as the breach detection gap.

During such an extensive dwell period, enormous financial and reputational damage can be inflicted. In some cases, attacks have persisted for periods of several years, during which attackers were able to deeply penetrate the systems that they targeted with resulting costs in the millions of dollars.

The estimated costs to organizations afflicted by cyberattacks have risen in recent years, and these costs rise exponentially as dwell times increase. In fact, according to a 2016 Aberdeen Group study, limiting dwell time can reduce a breach’s impact on a business by up to 96%. For example, an attack persisting for more than 100 days can cost upward of $3.86 million. If that same attack were detected within a day of its entry into the system, it might cost $144,000, only a fraction of what it would have cost had the attack persisted. Fewer systems are affected early on, but as attackers gain additional knowledge of their target, they expand their access in search of additional sensitive information.

Thorough monitoring

Dwell time often increases due to a lack of visibility on key activities. Failure to monitor endpoints might allow certain exploits to evade detection. Once an attack has entered the environment, it can move laterally in search of its goal. If the entry point has not been logged and monitored on a consistent basis, it might be impossible to ascertain where the attack originated. Not knowing the origination point increases the difficulty of tracing which portions of the environment have been compromised.

Diagnosing the extent of an attack becomes even more challenging when monitoring is not centralized. Systems often have a fixed amount of storage for log records. For cases in which logs are frequently overwritten, critical information about an attack might be lost. Forensic analysis and root-cause determination then become that much more difficult. Centralizing the data generated by numerous systems, different connectivity points, and different types of activity is challenging for most internal information technology and information security departments.

Meeting the challenges

MDR can help organizations meet the inherent challenges of thorough monitoring. Traditional security information and event management (SIEM) systems create enormous amounts of data without necessarily recognizing the patterns indicative of sophisticated modern attacks, and they require substantial staff to maintain and analyze that data. Unlike traditional internal SIEMs, MDR allows many of these tasks to be outsourced, freeing internal personnel to focus on other business or security priorities.

Modern MDR incorporates endpoint detection and response. By centralizing logging and monitoring, these security systems more easily detect patterns as they emerge and allow for faster response. Rather than addressing potential alerts in retrospect, when the necessary data might have been erased, MDR manages them in real time.

Establishing a baseline, or threshold, of normal behavior at each endpoint makes it easier to detect events that might indicate a threat. Instead of analyzing the activities of hundreds or thousands of machines after the fact, systems can quickly trace an attack to the single user who might have unintentionally downloaded a malicious program.

MDR systems move beyond a simple demonstration of compliance. As past events have shown, compliant organizations can be breached. An MDR solution can identify the anomalous activity that results when other security controls have failed.

Alert rules

Most SIEMs rely on static alert rules that quickly lose their value: they generate a high volume of alerts that cannot be investigated individually and that are, for the most part, false positives. Furthermore, attacks are now so cleverly designed that they might escape the notice of all but the most specifically engineered alert rules.

When log entries are analyzed in isolation, attacks might look like normal activity. The task of an MDR, then, is to strike a balance between a monitoring system tuned so tightly that it generates no false positives (and therefore misses real attacks) and one that generates an overwhelming number of false positives.
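The following Python example makes two of the preceding points concrete: the per-endpoint baseline of normal behavior described under "Meeting the challenges", and the balance between an over-tuned and an under-tuned alert rule described in this section. It is an added illustration, not code from the original article or from any MDR provider. The log lines, host names, user names, dates, and the rule parameters (a baseline window of three days, k = 3 standard deviations, and an absolute floor of 3 events) are all constructed assumptions for the example.

```python
"""Static alert rule versus per-endpoint baseline rule over constructed endpoint logs.

Added example, not from the original article. All hosts, users, dates and
thresholds below are made up for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample endpoint log lines (not real data): "<date> <host> <user> <event>".
# Three days of ordinary activity (an occasional mistyped password) followed by a
# fourth day on which ws-03 sees a burst of failed logins from one account.
SAMPLE_LOGS = """\
2019-11-18 ws-01 alice login_failure
2019-11-18 ws-01 alice login_success
2019-11-18 ws-02 bob login_success
2019-11-18 ws-03 carol login_failure
2019-11-18 ws-03 carol login_success
2019-11-19 ws-01 alice login_success
2019-11-19 ws-02 bob login_failure
2019-11-19 ws-02 bob login_success
2019-11-19 ws-03 carol login_success
2019-11-20 ws-01 alice login_failure
2019-11-20 ws-01 alice login_success
2019-11-20 ws-02 bob login_success
2019-11-20 ws-03 carol login_success
2019-11-21 ws-01 alice login_success
2019-11-21 ws-02 bob login_failure
2019-11-21 ws-02 bob login_success
2019-11-21 ws-03 carol login_success
2019-11-21 ws-03 svc-backup login_failure
2019-11-21 ws-03 svc-backup login_failure
2019-11-21 ws-03 svc-backup login_failure
2019-11-21 ws-03 svc-backup login_failure
2019-11-21 ws-03 svc-backup login_failure
2019-11-21 ws-03 svc-backup login_failure
"""

# Assumed baseline window and the day under investigation.
BASELINE_DATES = ["2019-11-18", "2019-11-19", "2019-11-20"]
TARGET_DATE = "2019-11-21"


def parse_logs(text):
    """Turn the whitespace-separated log lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, user, event = line.split()
        records.append({"date": date, "host": host, "user": user, "event": event})
    return records


def daily_counts(records, event):
    """Count occurrences of `event` per (date, host). Hosts with no such events on
    a date are simply absent; the baseline code treats absence as zero."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == event:
            counts[(r["date"], r["host"])] += 1
    return counts


def naive_rule(records, event="login_failure"):
    """The static SIEM-style rule: alert on every (date, host) with any failure.
    Returns the sorted list of (date, host) pairs that fired."""
    return sorted(daily_counts(records, event).keys())


def build_baseline(records, event, baseline_dates):
    """Per-host mean and population std-dev of the daily count over the baseline
    window. Days with no events count as zero, so quiet hosts get a low baseline."""
    counts = daily_counts(records, event)
    hosts = sorted({r["host"] for r in records})
    baseline = {}
    for host in hosts:
        series = [counts.get((d, host), 0) for d in baseline_dates]
        baseline[host] = (mean(series), pstdev(series))
    return baseline


def baseline_rule(records, target_date, event="login_failure",
                  baseline_dates=BASELINE_DATES, k=3.0, floor=3):
    """Alert only when a host's count on `target_date` exceeds both its own baseline
    (mean + k * stddev) and an absolute floor. The floor keeps a host whose baseline
    is near zero from alerting on a single stray failure; raising it too far is the
    over-tuned failure mode in which real bursts are missed. Returns
    {host: {"count": n, "threshold": t, "users": [...]}} for the hosts that fired,
    naming the accounts involved so an analyst can trace the event to a single user."""
    baseline = build_baseline(records, event, baseline_dates)
    counts = daily_counts(records, event)
    alerts = {}
    for host, (mu, sigma) in baseline.items():
        threshold = max(floor, mu + k * sigma)
        observed = counts.get((target_date, host), 0)
        if observed > threshold:
            users = sorted({r["user"] for r in records
                            if r["date"] == target_date and r["host"] == host
                            and r["event"] == event})
            alerts[host] = {"count": observed, "threshold": threshold, "users": users}
    return alerts


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("naive rule fired on:", naive_rule(recs))
    print("baseline rule (k=3, floor=3):", baseline_rule(recs, TARGET_DATE))
    print("over-tuned (floor=10):", baseline_rule(recs, TARGET_DATE, floor=10))
    print("under-tuned (k=0, floor=0):", baseline_rule(recs, TARGET_DATE, k=0, floor=0))
```

On this constructed data the static rule fires six times over four days, every one of them an ordinary mistyped password except the last. The baseline rule with the assumed parameters fires once, on ws-03 for the target day, and reports the single account responsible. Raising the floor to 10 is the over-tuned case (no alert at all, the burst is missed); dropping both k and the floor to 0 is the under-tuned case (ws-02's one failure fires alongside ws-03). In practice the window, k and floor would be set per environment, and a real deployment would baseline many more event types than login failures.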

Because MDR providers manage security for multiple clients, they are more likely to pick up on exotic attacks and can fine-tune their alerts to the appropriate level of sensitivity within a given industry. And because alerts are funneled to a centralized security orchestration, automation, and response (SOAR) platform, threat intelligence from the larger security community can be accessed for enrichment.

The unfortunate reality today is that many attacks are detected externally – by either a client, customer, or vendor – after a significant period of dwell time. MDR can provide internal visibility and assist in the detection of and response to these attacks before they are picked up by outside parties.

Planning a response

MDR providers are better positioned to address breaches quickly and effectively because they centralize the information required to begin mitigating the problem and they provide 24/7 staffing capabilities.

Operating and maintaining a SIEM system is a specialized job. Aggregating different types of log sources, normalizing the data, developing and testing alert logic, and investigating potential incidents around the clock can require four or five full-time positions. Working with an MDR provider takes advantage of a centralized skill set, efficient processes, and experience in detecting a wide range of threats across many different organizations to provide protection at the best possible cost.

MDR providers can develop a tailored response plan for potential breaches and make sure that actionable data is regularly collected and aggregated in a usable form. The reduced response time saves costs in terms of both the liability of the attacks themselves and the expensive remediation efforts necessary once an attack has infiltrated a system.