Dwell time, also known as breach detection gap, can be the most important determinant of the impact your company will experience from a cyberattack. What is dwell time or breach detection gap? In simple terms, they represent the amount of time between a system breach, and when an attack is discovered.
A decade ago, cyberattacks were similar to “smash and grab” assaults on retail stores. Criminals would break in through brute force, attempt to get as much as they could, and get out before law enforcement arrived.
Today, cybercriminals have changed their strategy to be as stealthy as possible so as not to draw attention to their breach. When this is successful, the attackers can do reconnaissance overtime to find the most valuable assets in the network and devise strategies to obtain those assets without being detected. By being able to dwell on systems, they can find ways to escalate their credentials to get even more valuable assets, and they often leave a backdoor access point so they can return later.
Studies vary, but it is widely reported that the average number of days of dwell time is over 197 days1 in the United States before enterprise security teams detect a threat on their system and an average of 69 days to contain the threat and return the network to normal. Dwell times thrive in companies that are cybersecurity resource-poor. For some small- and mid-sized businesses, dwell times can be more than 800 days2.
What makes this situation so frustrating is that it’s nearly impossible for security analysts to manually prioritize and sift through vast amounts of log data to find a security breach. Without a SIEM (Security Incident and Event Management) tool and the skills to use it, small and mid-sized companies are at a profound disadvantage in their attempts to remain uncompromised.
While it’s true that the longer the dwell time is, the greater the impact on a business, the reverse is also true. A research report by the Aberdeen Group3 showed that decreasing dwell time to 30 days reduced impact by 23 percent. When dwell time was only seven days, the effect was reduced by 77 percent, and taking dwell time down to one day resulted in a 96 percent reduction in business impact.
Reducing Dwell Time
So, how should a security team reduce dwell time? It sounds simple but start with good underlying security including regular patching and security updates, two-factor authentication for system logins, and restricting admin access. These efforts make it more difficult for a hacker to access the system, which increases the likelihood that they will look for an easier target.
Beyond that, hardening your infrastructure using tools like encryption, intrusion detection, unified threat management devices, and 24x7x365 monitoring of your networks, servers, and endpoint devices make you less vulnerable to attacks.
While these steps may not deter an advanced attacker, it will help to reduce the amount of network traffic “noise” that can come from unskilled attackers and automated scans. The key is to be able to spot anomalies, and if there is less noise on your system, you’ll be better able to pick out the network spikes and other indicators of an attack.
Finally, having a well-thought-out Incident Response Plan can reduce the amount of time and effort required to recover from a breach. When everyone that has a role in resolving an attack has a clear plan of action, dwell time, and the impacts of a breach will shrink.
The challenge of taking all these steps, of course, includes the cost of advanced cybersecurity tools and the skills shortage in the industry today. SilverSky can help with both issues. Our trusted, experienced cybersecurity experts are here to provide you with the services you need to keep your company safe in an uncertain world.
2 Infocyte, Mid-market Threat and Incident Response Report
3 Aberdeen, Cybersecurity: For Defenders It’s About Time