Dwell Time As A Critical Metric

Dwell Time is a powerful metric for security teams in today's cyber threat landscape: it assesses the entire operational process of a security program, from architecture to engineering to operations and Incident Response. Dwell Time is also a transparent measure of how well your team, or the services of a service provider, prevents, detects and neutralizes threats.

No other measure is as comprehensive or meaningful for organizations today as Dwell Time. Regardless of whether your organization has an established in-house security program or relies on a managed service provider, you should be assessing the performance of your security program by this measure.

Defining Dwell Time

Dwell Time, at its core, is an admission that proactive controls have failed.

Though one would expect "Dwell Time" to be straightforward and understood consistently across the industry, there are in fact competing definitions of what Dwell Time refers to.

One frequently cited definition is the one FireEye/Mandiant gave in their 2014 white paper, "Using Metrics to Mature Incident Response Capabilities," where they defined Dwell Time as follows:

Most simply, Mandiant calculates the Dwell Time and the Containment Time of an incident. The Dwell Time refers to the length of time from the initial compromise through the point of notifying affected stakeholders. The Containment Time refers to the period between collecting live response data and the eventual remediation. Organizations may choose to define remediation as simple containment (preventing the threat from communicating or moving laterally) or full restoration of service (threat eliminated and systems returned to normal).

CrowdStrike followed this lead and similarly defined Dwell Time as "...the period between when a malicious attack enters your network and when it is discovered."

FIGURE 2 - Dwell Time as defined by FireEye/Mandiant, CrowdStrike and some MSSPs.

However, other organizations, including Armor, advocate for a different definition of Dwell Time.

In 2015, Armor and, separately, Raytheon with Websense published pieces arguing that Dwell Time needs to be defined more broadly than Mandiant had. Raytheon and Websense, in their piece "Cyber Dwell Time and Lateral Movement: The New Cybersecurity Blueprint," defined Dwell Time as:

Cyber dwell time begins when an attacker enters your network and continues until you eject them or they leave (presumably after having completed the intended actions).

FIGURE 3 - Dwell Time as defined by Armor, Raytheon and Websense.