Dwell Time is not just a metric. It’s a proactive security philosophy and culture that drives unified change across all security operations to achieve a common objective – Minimize the opportunity a threat actor has to cause harm to your organization.

Our security experts have put together the suggestions below to help you and your security team drive toward operating and measuring your security program by dwell time. It’s important to note that these suggestions are borne out of Armor’s own strategies and design elements of our Spartan threat prevention and response platform. In other words, they are proven.

If you use a managed service provider, it’s imperative you ask them about these same areas and their commitment to and reporting on reducing dwell time.

Reducing Dwell Time

FIGURE 8 - Security Program Designed Around Dwell Time as an Operating Philosophy.

Make sure that all servers are hardened out of the box and adherent to CIS standards. This makes it extremely difficult for threat actors to even initiate their Cyber Kill Chain.


Most major malware outbreaks happen because threat actors can exploit vulnerabilities in unpatched software. An aggressive patching program can eliminate known vulnerabilities and thwart the large number of commoditized exploit kits (along with their accompanying malware payloads) that target them.


On-access scans have the advantage of detecting malware infections much earlier than on-demand or scheduled scans by automatically scanning for malware every time a new connection occurs. Previous scheduled scans can leave you vulnerable for the duration of time between each scan.

Integrate edge-based traffic shaping

By integrating edge-based traffic shaping, you can prevent known-bad infrastructure from connecting to your infrastructure based on the consensus of the cyber threat research community.

Deploy a ‘Zero Trust’ model for server provisioning

A zero-trust model assumes no one (neither outsiders nor authorized end users) can be trusted. As such, apply rigorous segmentation that prevent threat actors from moving laterally with ease. For example, for websites, implement a highly segmented multi-tiered architecture. In this case, a web server would be configured to have limited communications with the application server, which in turn would have limited communications with the database server

Integrate Threat Intelligence for Value

Proactive threat intelligence operations is another critical component to ultimately reduce dwell time, and entails the monitoring and research of activities within and beyond your network edge to identify potential areas of concern and risk and instrument protections before an attack takes place. Looked at in the context of the Cyber Kill Chain, the idea is to “push left” to thwart attackers earlier in the process. Organizations must have this capability to be effective in reducing Dwell Time, either in-house or through their managed services provider.

Use advanced analytics and correlation

Poorly designed Security Information and Event Management systems tend to report thousands of events that are in fact only parts of a handful of events or even just a single event, thereby causing confusion and preventing incident responders from taking the right course of action. If operating security in-house, use a SIEM that correlates information exceptionally well and tells you exactly what’s going on. This enables you to quickly analyze an event and respond accordingly. If you are leveraging a managed services provider, be sure to investigate how their backend “platform” and SIEM function, what types of analysis are performed on incoming event data, how intelligence is collected and applied across their processes, and what response levels are included in their core offering.

Security Orchestration and Automation

Assess your security program’s processes and workflows to identify areas where automation and orchestration could be applied to advantage. If just starting out, automation may make more sense to pursue initially to get some quick wins and experience before embarking on more complex orchestration projects. Research vendor options in this field that may accelerate your organization’s operations. For instance, organizations may be able to automatically triage events and reduce these events from touch by humans, automatically retrieve related threat intelligence information to speed decision-making, and orchestrate various workflows which allow security teams to focus their energies on more critical and complex initiatives. With the challenge in finding and retaining security talent as well as in managing and remediating alerts, security teams must pursue strategies to standardize, automate and even orchestrate processes within their organizations. This is equally true for MSSPs and service providers who must be able to scale processes across large client bases. These organizations must be adopting approaches that work to minimize the response burden for their customers as much as possible as many organizations simply do not have the expertise and resources to respond effectively to incidents within the five day window required for a determined threat actor to realize their objectives.

Perform Continuous Threat Hunting

It’s important to recognize that “Detection” doesn’t just mean the myriad of devices that organizations have invested in and installed in their environments. Detection also entails regular Threat Hunting performed to identify potential threats that the technologies in place may have missed. It’s a critical component of the Dwell Time equation. Without regular threat hunting, organizations lack the additional assurance that a threat or threat actor has not gotten past your traditional controls and isn’t already present in the environment.