Dwell Time: The Cyber-Threat Peril You Haven’t Considered?

Dwell Time: The Cyber-Threat Peril You Haven't Considered?

What is dwell time? Why does it matter for cybersecurity (or why does it keep cybersecurity professionals up at night)? How can a next-generation SIEM solution help limit or mitigate dwell time? 

Dwell time refers to the period of time after hackers gain access to your IT environment but before your cybersecurity solution detects the problem. You may believe that such dwell time must be limited; after all, surely cybersecurity and threat hunting efforts should find all threats that penetrate your network eventually. 

Unfortunately, the keyword in that sentence is “eventually.” FireEye Mandiant estimates the average dwell time at 56 days. Yet CrowdStrike estimates the average at 95 days. Remember, those represent the averages. Evidence indicates that the SolarWinds Breach actually began in 2019, dwelling for nearly a year before discovery. 

The longer the dwell time, the more serious the breach. Here’s why

Dwell Time: The Peril You Haven’t Considered?

Breaches don’t just cause direct damage. You can think of them as a poisoned arrow; yes, it pierces and hurts immediately, but the real problem lies in the long-term consequences. Legal fees and compliance fines hurt almost as much if not more than any initial financial theft. According to Ping Identity, 81 percent of consumers would stop engaging with a brand online after a data breach. That reputation damage lingers, costing you more over time even if you get the breach under control. 

Why does this matter? SImple: dwell time exacerbates all of these issues. In fact, it adds exponential damage. Imagine the reputational damage among customers and clients if you suffered a breach but didn’t notice for months, if not years. It could deal a serious blow to your relations and ultimately to your profitability. 

Additionally, the more time unchallenged in your IT environment they enjoy, the more direct damage hackers can do in data theft or reconnaissance. Returning to the arrow analogy, imagine leaving the arrow and continuing to try to move. 

So that’s the challenge in a nutshell. Now, what can you do? 

How SIEM Limits Hacker’s Time and Options

SIEM works via log management and security event analysis. It aggregates data from across your IT environment and normalizes it for easier threat detection. Then, it scans for relevant and interconnected security events, looking for any signs of a data breach. If certain thresholds are met, then it can send an alert to your IT security team. 

These alerts speed up necessary investigation times, which in turn speeds up remediation times if an investigation finds a cyber-threat. Again, speed is crucial in mitigating the damage caused by hackers and reducing dwell time. 

Additionally, SIEM through its log management capabilities increases visibility over your IT environment. While you should exercise caution in how you deploy your SIEM, you can use it as an extra set of mechanical eyes over your most sensitive databases. Eventually, hackers go after the most valuable part of any network, and if your SIEM keeps a close watch over those areas, hackers can find no purchase. 

To learn more, check out our updated SIEM Buyer’s Guide

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner