In this series, Cybersecurity expert Ravi Das has explained why the mean time to detect (MTTD) and respond (MTTR) are key performance indicators in protecting an organization from Cyber threats, as well as traditional tools used to minimize those factors. He also proposed a novel solution based on cutting-edge Generative AI tools.

Although this article has focused primarily on the MTTD and MTTR metrics, the proposed solution also has a strong bearing on a closely related metric known as the “Dwell Time.” It can be defined as follows:

Dwell time represents the length of time a Cyberattacker has free rein in an environment, from the time they get in until they are eradicated. [1]

In other words, the Dwell Time covers both of the intervals that the two metrics measure: the time from initial compromise to detection (MTTD) and the time from detection to eradication (MTTR). It is illustrated below, followed by a simpler illustration of the same relationship:

The Dwell Time can be calculated as follows:

Dwell Time = MTTD + MTTR

The Dwell Time is typically expressed in hours, days, weeks, or months, and it takes whatever unit the MTTD and MTTR values carry. The one requirement is that both values must be converted to the same unit before they are added. For example, if the MTTD is seven hours and the MTTR is four days, the latter must first be converted to hours: 4 days x 24 hours per day = 96 hours. The Dwell Time is then:

MTTD of 7 hours + MTTR of 96 hours = Dwell Time of 103 hours

While the primary goal should be to keep the Dwell Time as low as possible (along with the MTTD and the MTTR metrics), the value on its own does not reveal whether the time was lost before detection or during the response. As a result, it should not be the only metric that is evaluated, since it is only the sum of the MTTD and the MTTR and says nothing about which of the two is the weak point. The primary goal of the CISO and the IT Security team should be to keep the MTTD and the MTTR as low as possible first, as detecting and responding to a threat variant is of the utmost importance.
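To make the relationship concrete, here is an added worked example (not part of the original article) that computes MTTD, MTTR and Dwell Time from a set of incident records, normalises every duration to hours as the calculation above requires, and shows why Dwell Time alone is not enough: the two constructed teams below have an identical Dwell Time of 103 hours, yet one is slow to detect and the other slow to respond. The incident timestamps and team names are invented for illustration; the three timestamps per incident (compromise, detection, eradication) are an assumption about how a team would record its cases.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, Iterable

# Added example, not the article's own code. Assumes each incident record
# carries three timestamps: first evidence of the intruder (compromise),
# the moment the intrusion was detected, and the moment it was eradicated.


@dataclass(frozen=True)
class Incident:
    name: str
    compromised: datetime   # first evidence of intruder presence
    detected: datetime      # alert confirmed as a true positive
    eradicated: datetime    # intruder removed, access revoked

    def __post_init__(self) -> None:
        # Out-of-order timestamps would silently corrupt the means, so reject them.
        if not self.compromised <= self.detected <= self.eradicated:
            raise ValueError(f"{self.name}: timestamps out of order")


def to_hours(value: float, unit: str) -> float:
    """Normalise a duration to hours (the unit conversion the worked example needs)."""
    factors = {"minutes": 1 / 60, "hours": 1.0, "days": 24.0, "weeks": 7 * 24.0}
    if unit not in factors:
        raise ValueError(f"unknown unit {unit!r}")
    return value * factors[unit]


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mttd_hours(incidents: Iterable[Incident]) -> float:
    """Mean Time To Detect: compromise -> detection, in hours."""
    return mean(_hours(i.detected - i.compromised) for i in incidents)


def mttr_hours(incidents: Iterable[Incident]) -> float:
    """Mean Time To Respond: detection -> eradication, in hours."""
    return mean(_hours(i.eradicated - i.detected) for i in incidents)


def dwell_time_hours(incidents: Iterable[Incident]) -> float:
    """Mean Dwell Time: compromise -> eradication, in hours.

    Because the two intervals are adjacent, this equals MTTD + MTTR."""
    return mean(_hours(i.eradicated - i.compromised) for i in incidents)


def summarise(incidents: Iterable[Incident]) -> Dict[str, float]:
    """All three metrics for one set of incidents, in hours."""
    incidents = list(incidents)
    return {
        "mttd_h": mttd_hours(incidents),
        "mttr_h": mttr_hours(incidents),
        "dwell_h": dwell_time_hours(incidents),
    }


# Constructed sample data: two teams with the same Dwell Time (103 h) but
# opposite weaknesses. Team A detects slowly and responds fast; Team B detects
# fast and responds slowly. Dwell Time alone hides that difference.
_T0 = datetime(2024, 3, 1, 0, 0)


def _incident(name: str, start_h: int, detect_h: int, respond_h: int) -> Incident:
    start = _T0 + timedelta(hours=start_h)
    detected = start + timedelta(hours=detect_h)
    return Incident(name, start, detected, detected + timedelta(hours=respond_h))


TEAM_A = [_incident("A-1", 0, 120, 6), _incident("A-2", 500, 72, 8)]
TEAM_B = [_incident("B-1", 0, 5, 100), _incident("B-2", 500, 9, 92)]


if __name__ == "__main__":
    # The figures from the text above: 7 h MTTD plus 4 days MTTR -> 103 h.
    print("worked example:", to_hours(7, "hours") + to_hours(4, "days"), "h")
    for label, team in (("Team A", TEAM_A), ("Team B", TEAM_B)):
        print(label, summarise(team))
```

Running it prints the same 103 hour figure for both teams, with Team A at MTTD 96 h / MTTR 7 h and Team B at MTTD 7 h / MTTR 96 h, which is exactly the case where a dashboard showing only Dwell Time would point the CISO at the wrong remediation.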

The importance of the interrelationships between the MTTD, MTTR, and Dwell Time metrics can best be measured in terms of the financial cost to a company. This is exemplified in the illustration below [2]:

As seen above, while the financial cost associated with Dwell Time has been coming down on a Year Over Year (YOY) basis, there is still a long way to go before its impact on a business becomes negligible, if that is ever possible given the dynamic nature of the Cyber Threat Landscape. This further supports our hypothesis (as stated earlier) that the primary focus of the IT Security team must be to quickly detect and respond to a threat variant. Once those time values come down, the potential fiscal impact will be greatly reduced as well.

For more details about the Dwell Time, and its impacts on other aspects of Cybersecurity (such as the “Cyber Kill Chain Model” developed by the Lockheed Martin Corporation), visit the link here.

The Limitations of The Proposed Solution

The primary benefit of this proposed solution is the reduction of the MTTD and MTTR metrics, which today run to roughly seven months, to a matter of minutes. But as with any scientific study, there will be limitations, and we anticipate the following, especially if the solution is simulated in a testing environment using the vendor products detailed for each component:

  1. Theory: As has been stated throughout this article, the proposed solution exists only in theory right now. While the goal is to deploy it in an actual production environment, there is also the risk that it may not work at all.
  2. Attack Surface: If this proposed solution does make it to a production environment, there is a real possibility that it also increases the attack surface of the business that uses it. This stems primarily from two areas:
    • The number of components that are needed, and the interconnections between them.
    • The components in the proposed solution would be deployed as Software as a Service (SaaS) offerings, potentially hosted on different servers. This increases the attack surface as well, given the risks that any Cloud based deployment presents.
  3. Points of Failure: If this proposed solution does make it to a production environment, the number of components and the total number of interconnections between them also mean more points of failure. If one component breaks down, it could have a cascading effect on the entire solution.

Final Thoughts

In the world of Cybersecurity, given the explosion of Generative AI, there is now a trend for the IT Security team to rely solely upon technology to detect and contain the threat variants that emerge. However, technology has its limits, and there is only so far it can be pushed before the Return On Investment (ROI) becomes negative.

In the end, it takes a combination of human intervention and technology to detect and fend off threat variants.

Finally, many businesses are now making the move to what is known as the “Zero Trust Framework.” This can be defined as follows:

Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access. Micro segmentation and least privilege access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real time. [3]

There are two key themes in the above definition:

  • Micro segmentation: Rather than relying upon the traditional model of Perimeter Defense, the IT and Network Infrastructure is divided into different “segments” or “zones,” each with its own access policy, so that a foothold in one zone does not by itself grant access to the others.
  • “Never Trust, Always Verify”: Each “segment” or “zone” (as just described) has Multifactor Authentication (also known as “MFA”) deployed in front of it. An individual (such as an employee) must pass at least two, and often three, independent authentication mechanisms, each drawn from a different factor category, before being allowed to gain access to the shared resource in that “segment” or “zone.” Where the request originates from (inside or outside the corporate network) does not relax this requirement. This is illustrated in the diagram below:

In this case, the Authentication Mechanisms could be a Password, a Challenge/Response Question, an RSA Token, or a Biometric Technology (such as Iris Recognition and/or Fingerprint Recognition). Note that a Password and a Challenge/Response Question both belong to the same factor category (something the user knows), so on their own they do not constitute MFA; a genuine MFA combination pairs a knowledge factor with something the user has (the token) or something the user is (the biometric). One of the main benefits of the Zero Trust Framework is that the MTTD and the MTTR can be greatly reduced. The primary reason is that the Cyberattacker now has a much more limited space in which to penetrate and deploy the malicious payload, as opposed to roaming about the entire IT and Network Infrastructure, and every attempt to cross a segment boundary is a verified request that the IT Security team can observe and act upon.
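As an added example, not code from the original article, Microsoft, or any vendor, the following minimal policy evaluator shows how the two themes above combine in practice: a per-segment, least-privilege policy (micro segmentation) and a request path that must be authenticated with MFA, authorized and encrypted regardless of where the request originates (never trust, always verify). The factor-category check also enforces the caveat just made: a password plus a security question is rejected as a single factor. The segment names, roles, factor names and sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Added example, not the article's or Microsoft's code. Segment names, roles,
# factor names and the sample requests below are constructed for illustration.

# Classic factor categories: something you know / have / are. Two factors from
# the same category (password + security question) are not multi-factor.
FACTOR_CATEGORY: Dict[str, str] = {
    "password": "knowledge",
    "security_question": "knowledge",
    "rsa_token": "possession",
    "push_approval": "possession",
    "fingerprint": "inherence",
    "iris": "inherence",
}


def is_multifactor(factors: Tuple[str, ...], minimum_categories: int = 2) -> bool:
    """True only if the verified factors span at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= minimum_categories


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    factors: Tuple[str, ...]   # factors verified for this session
    source_segment: str        # where the request comes from (never grants trust)
    target_segment: str        # where the resource lives
    action: str                # "read" or "write"
    encrypted: bool            # transport protected (e.g. TLS / mTLS)


# Least-privilege policy per segment: which roles may perform which action.
# Deliberately, there is no rule of the form "allow if the source is internal".
SEGMENT_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "hr-payroll": {"read": {"hr-analyst", "hr-admin"}, "write": {"hr-admin"}},
    "finance-erp": {"read": {"finance-analyst"}, "write": {"finance-admin"}},
}


def evaluate(request: Request) -> Tuple[bool, str]:
    """Default-deny evaluation of one access request: every check must pass."""
    if not request.encrypted:
        return False, "transport not encrypted"
    if not is_multifactor(request.factors):
        return False, "multi-factor authentication not satisfied"
    policy = SEGMENT_POLICY.get(request.target_segment)
    if policy is None:
        return False, f"no policy for segment {request.target_segment!r}"
    permitted = policy.get(request.action, set())
    if not request.roles & permitted:
        return False, f"role not permitted to {request.action} in {request.target_segment}"
    return True, "authenticated, authorized, encrypted"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run constructed requests through the evaluator; return name -> decision."""
    analyst = frozenset({"hr-analyst"})
    cases = {
        # Inside the corporate LAN with a password only: the perimeter buys nothing.
        "lan_password_only": Request("alice", analyst, ("password",),
                                     "corp-lan", "hr-payroll", "read", True),
        # Two knowledge factors are still a single factor category.
        "lan_two_knowledge": Request("alice", analyst, ("password", "security_question"),
                                     "corp-lan", "hr-payroll", "read", True),
        # Proper MFA, permitted role and action: allowed even from the Internet.
        "remote_mfa_read": Request("alice", analyst, ("password", "rsa_token"),
                                   "internet", "hr-payroll", "read", True),
        # Same user, action outside the role: least privilege denies.
        "remote_mfa_write": Request("alice", analyst, ("password", "rsa_token"),
                                    "internet", "hr-payroll", "write", True),
        # Lateral move from one zone into another: the target zone's policy denies.
        "lateral_to_finance": Request("alice", analyst, ("password", "rsa_token"),
                                      "hr-payroll", "finance-erp", "read", True),
        # MFA satisfied but plaintext transport: denied.
        "cleartext": Request("alice", analyst, ("password", "rsa_token"),
                             "corp-lan", "hr-payroll", "read", False),
    }
    return {name: evaluate(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Only the `remote_mfa_read` request is allowed; the source segment is carried in the request but never consulted, which is the whole point of the model. In a real deployment the role and factor data would come from the identity provider's token and the policy from a central policy engine, but the decision shape stays the same.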

Sources/References:

  1. Dwell Time | Optiv
  2. Armor eBook: Dwell Time as A Critical Security Success Metric
  3. Zero Trust Model – Modern Security Architecture | Microsoft Security

Keesing Technologies

Keesing Platform forms part of Keesing Technologies
The global market leader in banknote and ID document verification

Ravi Das is an Intermediate Technical Writer for a large IT Services Provider based in South Dakota. He also has his own freelance business through Technical Writing Consulting, Inc.
He holds the Certified In Cybersecurity certificate from the ISC(2).