How to Reduce Cyber Threat Dwell Time on Your Network

How to Reduce Cyber Threat Dwell Time on Your Network

According to the Ponemon Institute and SIEM solution provider IBM, the average time an enterprise’s security team needs to detect a threat dwelling on their network is 197 days—well over 6 months. After detecting a threat, it can still take an average of 69 days for enterprise security teams to actually contain it and return normalcy to the network.

The longer an attacker—whether external hacker or insider threat—dwells on your enterprise’s network, the more damage it can do to your most vulnerable and most valuable digital databases. Additionally, dwell time can harm your business processes, your enterprise’s reputation, and your customers’ trust. In fact, there may not be a way to calculate the full financial consequences of a cyber attack with dwell time. In 2018, the average cost of a data breach is $3.86 million, but this itself may not be the full picture.  

Chances are a blow to your business of this magnitude would cripple your operations and growth for months or year. Depending on circumstances, it may even permanently shut your doors. Your enterprise needs to take reducing cyber threat dwell time seriously.

Why does it take so long for enterprises to detect a threat? What can they do to increase their threat detection time and limit dwell time? Here are a few thoughts:  

Dwell Time Thrives in Resource-Poor Environments

SIEM and security analytics solutions are essential components of any enterprise’s cybersecurity strategy for reducing dwell time. However, it is only half of the equation. The other half is the human intelligence and expertise centralized in your enterprise security team. Without human cybersecurity expertise, your enterprise won’t be able to make sense of the myriad security alerts and log information indicative of a threat provided by your solution. This could allow for a longer threat dwell time. However, because of the current cybersecurity staffing crisis, finding human cybersecurity intelligence is easier said than done.  

According to the 2018 Black Hat USE Attendee Survey, 65% of InfoSec professionals don’t have the qualified staff members to handle their enterprise’s digital threats. 66% said they don’t have the skills and training to perform all of their responsibilities. There may be as many as 2 million unfilled cybersecurity jobs by next, according to Cisco.

If your enterprise is serious about reducing threat dwell time, then it needs to invest in finding cybersecurity intelligence externally or in fostering your internal intelligence through training programs and rewards initiatives. The alternative is letting hackers outwit your solution.

Additionally, you should make sure you invest in a strong SIEM or security analytics solution. Your human intelligence needs the right weaponry to fight digital threats.     

Don’t Allow Threats to Conceal Themselves

Cyber attacks are usually designed not to attract attention to themselves. This is part of the appeal of next-generation threats capable of slipping past digital perimeters or exploiting natural processes: if they can conceal themselves from the prying eyes of your security team, their dwell time increases substantially.

Even with the extensive security alerts your SIEM and security analytics solutions provide, it can be extremely difficult to distinguish between a legitimate threat and a false alarm. Compounding this issue especially is the volume of false alarms threat detection solutions can generate; security teams may be flooded with hundreds of alerts a day but only a few of them correlated together indicates a substantial threat.  

Threat actors know this and often design their cyber attacks to exploit it as much as possible thereby increasing their dwell time. Therefore, you need to make sure your employees can recognize some of the more common early warning signs of a cyber attack: unusually high system activity, unusual port or application activity, unexpected user account lockouts, unexpected slowdowns or shutdowns, etc.

Of course, other attacks may present different symptoms, may present multiple symptoms, or they may present no symptoms at all. That is not what is important for your goal of reducing cyber attack dwell time. What matters here is instilling a sense of vigilance and awareness in your employees. Giving them the tools and motivation to follow up on their suspicions will help you find threats faster and more consistently. Nothing scares a criminal more than an alert mark.  

Incident Response Plans Are Essential to Dwell Time Reduction

Your employees, as is often stated by security experts, are your enterprise’s largest attack vector. Phishing attacks are designed to take advantage of your employee’s trust and ignorance of cybersecurity best practices to gain access to your databases. The overwhelming majority of successful enterprise cyber attacks start with a phishing attack…and human neglect. Further, once a phishing attack has access to your network, it can prove difficult to distinguish their malicious activity from everyday business.    

Yet, as partially illustrated above, your employees could become an essential part of your threat detection platform—so long as you can harness them via an incident response plan. An incident response plan will help your employees stay on alert for potential digital threats. Furthermore, an IRP will give them a clear channel of communication to your security team about their suspicions of potential cyber attacks.

With such communications in place, dwell time should evaporate. Your enterprise will always be poised to strike at potential threats and remediate them as quickly as possible. A good incident response plan will, of course, require practice and revision, but that sacrifice is well worth limiting hackers’ effectiveness.

As a side note, your employees should also have the knowledge and processes of checking if an email is legitimate or a phishing attack. Sometimes prevention really is the best medicine.

Reducing dwell time may seem like a minor concern. But by making your network an inhospitable place for the malicious actor, you can discourage attacks in the first place and make those attacks that do come through minimal bumps in your growth. Seems well worth it to us.

Other Resources from Solution Review: 

The 10 Coolest SIEM and Security Analytics CEO Leaders

5 Tips for Setting Up a Security Operations Center (SOC)

Get Your Employees to Embrace SIEM Best Practices!

4 Tips to Make Data Breach Detection Easier For Your Enterprise

Enterprises: Don’t Become Complacent in Your Cybersecurity!

How to Make Your SIEM Solution Deployment Easier for Your Enterprise

Comparing the Top SIEM Vendors — Solutions Review

How UEBA Can Prevent Insider Threats in your Enterprise

SIEM vs Security Analytics: What’s the Difference?

Should Risk Analytics Bridge the Cybersecurity Talent Gap?

What’s Changed? The Gartner 2017 Security Information and Event Management (SIEM) Magic Quadrant

The 25 Best Security Analytics and SIEM Platforms for 2018

Are C-Level Leaders on the Chopping Block over Cybersecurity?

   

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner

Leave a Reply

Your email address will not be published. Required fields are marked *