5 Days

Five days. By Armor estimates, it takes just five days for a threat actor to perpetrate a successful breach of your security defenses and complete his or her objective of stealing data from your environment. Those same five days can change an organization’s fortunes for the worse and put the security team, including the CISO and even the CIO, on very thin ice.

However, security teams across organizations from the smallest business to the largest enterprise–and the security industry-atlarge– seem to be skirting the issue. We talk about how dwell times need to come way down from their 100+ day averages but we don’t implement the changes needed to really do so. In fact, we define dwell times in different ways. And we certainly don’t report on dwell times openly.

FIGURE 1 - Components of Dwell Time

It’s high-time that security teams and security providers redefine how they measure the performance of their security programs (architectures, policies and processes) against today’s cyber threats. “Dwell Time,” as defined as the time from the point a threat successfully enters your environment to when the threat is completely remediated, represents the best measure of the overall effectiveness of your security team in combating threats.

Executive Highlights

Dwell Time is more than just a metric; it is a catalyst for a proactive security philosophy built around a common objective.

Organizations should pursue reductions in Dwell Time as defined by the period from when a threat successfully enters the network environment to the time the threat is completely removed from that environment.

Dwell Time should align to the entire lifecycle of an attack as best represented by the Cyber Kill Chain® (Lockheed Martin). Phases 4 through 7 represent the opportunity security teams have to disrupt the threat actor’s processes.

MSSPs, Managed Detection and Response (MDR) providers and Managed Security-as-a-Service providers should retool their processes, systems and infrastructure to align to and report on Dwell Time for their customers. They should also report on Dwell Time as a standard industry metric and critical security outcome.

Continuous Threat Hunting is critical to identifying unknown threats missed by traditional technologies and tools, and is a key component of any efforts to reduce dwell times.