Effectively connect people, process and technology to minimize MTTD and MTTR
There’s a reason it’s said that what gets measured gets managed. In order to successfully achieve a goal, you have to be able to measure progress. It’s the only way to know if you’re heading in the right direction.
That’s why any security operations team worth their salt will be paying close attention to both their mean time to detect (MTTD) and mean time to respond (MTTR) metrics when it comes to resolving incidents.
The average dwell time for attackers still sits somewhere within the ranges of 100 – 140 days and frankly, we can do better. Security operations teams need to be fanatical when it comes to lowering these metrics within their organizations.
Significantly reducing dwell time, MTTD and MTTR starts with an understanding of attacks. From there, you need multiple groups working together in harmony enabled by technology to automate and orchestrate incident response processes.
What is MTTD, MTTR and Dwell Time?
Three quick definitions here
- Mean time to detect, or MTTD, reflects the amount of time it takes your team to discover a potential security incident.
- Mean time to respond, or MTTR, is the time it takes to control, remediate and/or eradicate a threat once it has been discovered.
- Dwell time captures the entire length of a security incident – reflecting the duration from when an attacker first enters your network to the time they are removed and you have returned to a known-good state.
Now we’re going to focus on how properly investing in the triad of people, process and technology can reduce these three important KPIs.
People are the biggest factor in reducing MTTD and MTTR
People are always the first layer when it comes to reducing MTTD and MTTR within any SOC. Up and down the chain, your team needs to deeply understand both the processes and the technologies in order to detect and respond to threats quickly. This is accomplished through education and constant training.
For starters, ensure your security team fully understands your incident response processes and life cycles, common attacks and hacker techniques, and best practices for how to defend against them. A firm blue team mindset should be instilled within your team so that when they use powerful technology, its role is to accentuate their abilities. As an example – security orchestration and automation tools can be used effectively by analysts of any skill level, but you’ll get even more out of your investment if your team already has a good foundation for analyzing and making judgement calls about malicious activity.
Consistent training and tabletops are also useful to test your security operations team’s understanding, alertness and procedural readiness to harden and lower your MTTD and MTTR and ensure battle-readiness when it comes to real incidents.
What You Should Know About Driving Down MTTD and MTTR first appeared on Siemplify. Read the full article here.
Author Bio: Matthew Pascucci Is the Cybersecurity Practice Manager at CCSI with over 16 years’ experience in IT focusing on Cybersecurity. Previously he’s worked in the manufacturing, financial, ecommerce, healthcare and service industries developing security programs for his employers.
He joined CCSI to develop a Cybersecurity practice that includes managed security services, penetration testing, and risk assessments for organizations of every size and vertical. Personally, he holds multiple information security certifications and has had the opportunity to write and speak about cybersecurity for the past decade. Matt is a Privacy Advocate and Security Blogger and has hundreds of publicly published articles and presentations. He’s the founder of www.frontlinesentinel.com and a board member on the local chapters of InfraGard and OWASP. Matthew can be contacted via his blog, on Twitter @matthewpascucci, or via email mpascucci@ccsinet.com