Creating a Hostile IT Environment: How to Reduce Dwell Time

How can your enterprise reduce dwell time? By creating a hostile IT environment through continuous monitoring, detection, and response capabilities. 

Dwell time is one of the least understood challenges for enterprise cybersecurity, and simultaneously one of the most damaging factors in a cyber-attack. Dwell time refers to the amount of time a hacker or other malicious actor spends in a victim network before detection and response. To put that in analog terms, it refers to the time the crook has before the cops show up to ruin their heist. 

Unlike their analog counterparts, hackers on average enjoy far more time to perform their crimes. While in an ideal situation dwell time only lasts a few minutes, it can also last hundreds of days at a time. Research from Attivo Networks and Armor indicates that finding an average dwell time can prove challenging, but 100 days appears to be the peak of the bell curve. Some breaches can go on for longer, possibly over years. 

Every day a hacker spends in dwell time on your business’ IT environment, the more damage it does to your bottom line, your reputation, and your network. So your focusing should be on how to reduce dwell time. 

The solution to this problem stems from continuous monitoring, detection, and response. Let’s take a look at how the three biggest cybersecurity categories handle this critical goal. 

Creating a Hostile IT Environment to Reduce Dwell Time

Endpoint Security: EDR

To provide continuous monitoring and reduce dwell time, endpoint security provides endpoint detection and response (EDR). EDR focuses totally on the endpoint, monitoring every connected device as it operates in the environment. If a threat penetrates the digital perimeter and infects a connected endpoint, the solution sends an alert to your IT security team, thus improving investigation and response times.

EDR works to reduce dwell time on devices, which can become host to long-term malware like cryptocurrency miners and bot programs. It creates a hostile IT environment even at the gateways to the network. 

SIEM: UEBA

User and entity behavior analysis (UEBA) from SIEM keeps an eye on both the human and non-human users in your environment, ensuring they follow established baseline behavioral patterns. Therefore, it can detect and alert your IT security team to any of the following: abnormal logon/logoff times, files accessed by unauthorized employees, and unusual email usage. Any of these could indicate a compromised account, an insider threat, or a hacker exploiting a recognized application or program. 

UEBA creates a hostile IT environment for hackers by pulling aside any disguises hackers might try to wear in your network. It can reduce dwell time by giving hackers essentially no place to hide. 

Identity Management: Continuous Authentication

Identity Management’s detection and response capabilities stem from the idea that authentication doesn’t end at the login portal. Instead, through tools like behavioral biometrics, you can observe that users act and even type befitting their individual profiles, preventing hackers from impersonating them. While multifactor authentication portals can deter and deflect most attackers, you always need to be ready for the hackers that do slip through your defenses. 

Ideally, your enterprise should employ all three of these capabilities to create the most hostile IT environment to hackers possible, and thus reduce dwell time considerably. If you’re not sure where to start, why not check out the Identity Management Buyer’s Guide or the Solutions Suggestion Engine?