Cybersecurity expert Ravi Das kicked off this series by explaining why the mean time to detect (MTTD) and the mean time to respond (MTTR) are key performance indicators in protecting an organization from Cyber threats. Here, the author elaborates on the significance of those metrics and lays out the traditional tools IT teams use to minimize them.
The Significance of the MTTD and the MTTR
For any business, no matter how large or small they may be, maintaining low values for both the MTTD and the MTTR is of prime importance, for the following reasons:
- It shows a strong security posture: A lower time to detect and respond shows that the company is maintaining a strong security posture. It means that, for the most part, they have deployed the right security tools and technologies, and that those have been placed at strategic points to counter most threat variants. It also demonstrates that the CISO and their respective IT Security teams are being proactive in filtering out the false positives, reacting only to the legitimate warnings and alerts, and triggering them appropriately.
- Cognizance of the Cyber Threat Landscape: Maintaining lower thresholds for the MTTD and the MTTR clearly demonstrates that the IT Security team is efficient at combatting threat variants. Thus, to a certain degree, this affords them more time to predict what future threat variants could look like.
- Value to the business: Apart from the technical reasons just described, there is also a qualitative significance. For example, once a strong security posture has been demonstrated, it proves not only to key stakeholders, but also to employees and customers, that the company takes Cybersecurity very seriously, especially in the way of implementing strong controls to help safeguard the Personally Identifiable Information (PII) datasets. The end result is that it can greatly fortify a strong brand and reputational image.
- The downtime is reduced: Maintaining lower time values for the MTTD and the MTTR means that less of the IT Security team's time is consumed detecting and containing each threat variant. As a result, they are not bogged down all the time, and they can address any future security breaches in a timely manner. This also means that, should a breach occur, the business will not suffer steep financial losses when it comes to restoring mission critical operations and processes.
- A strong Incident Response (IR) Plan: The IR Plan is most relevant to the MTTR metric. When this value is lower, it means that the CISO and their respective IT Security team have an extraordinarily strong plan in place, that it is being rehearsed on a regular schedule (such as once a quarter), and that it is being updated as necessary.
- Compliance: Numerous Data Privacy Laws abound today, not just here in the United States, but worldwide as well. Three of the more well-known ones are the GDPR, the CCPA, and HIPAA. All of them have extremely strict provisions and penalties for the protection of the PII datasets. By maintaining low thresholds for the MTTD and MTTR metrics, the IT Security team is proving to the regulators of these Data Privacy Laws that they have the right controls in place and are making efforts to keep them optimized at all times. Further, if the business were to be impacted by a security breach and subjected to an audit by the regulators, the financial penalties may not be nearly as bad, because the IT Security team can prove, with the historic metrics they have compiled, that lower MTTD and MTTR values have been constantly maintained.
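As an added example (not code from the original article), here is one way a team could compute MTTD and MTTR from its own incident records and check them against a target, so that the historic metrics mentioned above are reproducible. The record layout, the sample incidents, and the target thresholds are all constructed assumptions for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class Incident:
    # Hypothetical record layout assumed for this example (UTC timestamps):
    # occurred = attacker activity began, detected = alert confirmed as a true
    # positive (not merely raised), contained = threat stopped.
    incident_id: str
    occurred: datetime
    detected: datetime
    contained: datetime

    def __post_init__(self):
        # A timeline that runs backwards is a data-entry error, not a fast response.
        if not self.occurred <= self.detected <= self.contained:
            raise ValueError(f"{self.incident_id}: timestamps out of order")

    def time_to_detect(self) -> timedelta:
        return self.detected - self.occurred

    def time_to_respond(self) -> timedelta:
        return self.contained - self.detected


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def compute_metrics(incidents):
    """Return MTTD/MTTR in hours, with medians so a single slow outlier
    does not hide an otherwise healthy trend (or vice versa)."""
    if not incidents:
        raise ValueError("no incidents in the reporting period")
    ttd = [hours(i.time_to_detect()) for i in incidents]
    ttr = [hours(i.time_to_respond()) for i in incidents]
    return {"count": len(incidents),
            "mttd_hours": mean(ttd), "median_ttd_hours": median(ttd),
            "mttr_hours": mean(ttr), "median_ttr_hours": median(ttr)}


def within_target(metrics, mttd_target_hours, mttr_target_hours) -> bool:
    """True when both means sit at or under the thresholds the team has set."""
    return (metrics["mttd_hours"] <= mttd_target_hours
            and metrics["mttr_hours"] <= mttr_target_hours)


# Constructed sample incidents for one reporting period (not real data).
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2024, 1, 3, 8), datetime(2024, 1, 3, 14), datetime(2024, 1, 3, 18)),
    Incident("INC-2", datetime(2024, 1, 10, 22), datetime(2024, 1, 11, 10), datetime(2024, 1, 11, 13)),
    Incident("INC-3", datetime(2024, 2, 2, 9), datetime(2024, 2, 2, 12), datetime(2024, 2, 2, 20)),
]
```

Running `compute_metrics(SAMPLE_INCIDENTS)` on the constructed data gives an MTTD of 7.0 hours and an MTTR of 5.0 hours; comparing those against the team's own targets with `within_target` is what turns the numbers into the trend evidence an auditor would ask for.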
Traditional solutions that can be used
There are a number of key measures that a business can make use of to help keep their MTTD and MTTR metrics at a lower threshold. These traditional methodologies are as follows:
- Penetration Testing and Vulnerability Scanning: Both methodologies involve examining the IT and Network Infrastructure from both the inside and the outside. By conducting these kinds of exercises on a regular basis, any gaps or weaknesses can be found and remediated quickly. This helps to ensure that the risk of a security breach occurring is mitigated.
- EDR and XDR Solutions: These acronyms stand for “Endpoint Detection/Response” and “Extended Detection/Response,” respectively. Both solutions are now powered by Generative AI technology, and thus, once they are deployed onto the endpoints (such as servers, wireless devices, workstations, etc.), they keep a very proactive watch, detecting and thwarting any threat variants that are inbound to them.
- Threat Intelligence: Both the CISO and the IT Security team need to subscribe to the various threat intelligence feeds that are available, with one prime example being that of MITRE. By having this kind of information and data on hand, threat researchers will have more resources to work with to predict future threat variants, which can also greatly supplement the work the IT Security team has done in this regard.
- Software Updates: The IT Security team must be very diligent in making sure that the assets in their respective IT/Network Infrastructure are being updated with the latest patches and firmware updates. This also ensures that any backdoors a Cyberattacker could penetrate are closed.
- Cybersecurity Training: Apart from the IT Security team, the employees are the proverbial “eyes and ears” of the business. Thus, it is especially important to provide them with timely security awareness training, so that they can maintain strong levels of what is known as “Cyber Hygiene.” For example, if employees don’t click on Phishing emails, a security breach can be prevented, which will in turn keep the MTTD and MTTR metrics at a lower value.
Up Next: Proposing a novel solution
Now that the author has reviewed MTTD and MTTR, and the traditional solutions used to minimize them, he will, in the next article, move on to propose a novel solution based on cutting-edge Generative AI tools such as the Digital Person.
Ravi Das is an Intermediate Technical Writer for a large IT Services Provider based in South Dakota. He also has his own freelance business through Technical Writing Consulting, Inc.
He holds the Certified In Cybersecurity certificate from the ISC(2).