When our team begins an investigation into a security event, there are two things we try to determine first. Firstly, the attacker’s entry point and the date of origin. Secondly, when the event was first detected. These two points let us determine something known as “dwell time”.
Dwell time, as defined by Continuum and in the context of IT security, is the number of days a threat remains undetected within a given environment.
Why does this matter as a metric? The amount of time a system has been compromised affects the overall severity of the security event in several ways:
- The longer an attacker was in the system, the more likely that data was accessed and/or the attackers left other ways for themselves to get back in;
- The amount of time (and associated money) it takes to forensically review a security event increases in proportion with the amount of dwell time.
Here’s the most important question on dwell time: how do you know, right now, if someone is in your system that shouldn’t be?
The average dwell time is more than two months
Our Security Team has seen dwell times ranging from a few days to more than six months. In a previous blog post, I talked about the 2018 Marriott breach; the dwell time in that case was more than four years before the breach became public! According to FireEye, the average dwell time in 2018 was 78 days. What could a malicious person do to your system in two and a half months? The possibilities are endless.
Ransomware may be an attacker’s last step
Too many companies find out an attacker has been in their system by getting hit with a ransomware attack. However, that may be the attacker’s last step. We’ve seen a few situations where the only indication of an intrusion is from the attackers firing off a ransomware attack on their way out of the system.
Real-time security solutions help detect intruders in your systems
The key to minimizing dwell time, apart from preventing the intrusion in the first place, is detecting intruders promptly. That comes down to system logging and analysis. Log files from critical systems such as perimeter firewalls and domain controllers can provide insight into potential intruders, but extracting useful information from them in a timely manner is challenging. This is where a real-time security information and event management (SIEM) system comes into play. With a SIEM solution, the log files from the various systems are correlated and reviewed to determine what is actually happening across the environment.
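As an added illustration (not code from the original post or from ADNET), the following Python sketch does the kind of correlation a simple SIEM rule performs on constructed firewall and domain-controller log lines, then computes dwell time in days from the earliest correlated evidence to the moment of detection. The log format, the internal address range, the two-minute correlation window and the detection time are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
LOGON_WINDOW = timedelta(minutes=2)               # assumed correlation window

# Constructed, simplified log lines (not from any real product), UTC timestamps:
# a perimeter firewall recording inbound connections, a domain controller recording logons.
FIREWALL_LOG = """\
2019-03-02T01:12:44 ALLOW src=203.0.113.45 dst=10.0.0.12 dport=3389
2019-03-02T09:30:10 ALLOW src=198.51.100.7 dst=10.0.0.80 dport=443
2019-03-14T02:05:01 ALLOW src=203.0.113.45 dst=10.0.0.12 dport=3389
"""
DC_LOG = """\
2019-03-02T01:13:02 LOGON_SUCCESS user=svc_backup host=10.0.0.12 src=203.0.113.45
2019-03-02T09:31:00 LOGON_SUCCESS user=jsmith host=10.0.0.80 src=10.0.0.55
2019-03-14T02:05:30 LOGON_SUCCESS user=svc_backup host=10.0.0.12 src=203.0.113.45
"""
EXAMPLE_DETECTED_AT = datetime(2019, 5, 19, 8, 0)  # constructed: when ransomware fired and the intrusion was noticed

def parse(log):
    """Turn 'timestamp ACTION key=value ...' lines into (datetime, action, fields) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, action, *pairs = line.split()
        events.append((datetime.fromisoformat(ts), action, dict(p.split("=", 1) for p in pairs)))
    return events

def correlate(firewall_log, dc_log):
    """Flag an external inbound connection followed, within LOGON_WINDOW, by a logon on that host from that source."""
    logons = [e for e in parse(dc_log) if e[1] == "LOGON_SUCCESS"]
    alerts = []
    for ts, action, fw in parse(firewall_log):
        if action != "ALLOW" or ipaddress.ip_address(fw["src"]) in INTERNAL_NET:
            continue  # internal traffic is not what this rule looks for
        for logon_ts, _, dc in logons:
            if (dc["host"] == fw["dst"] and dc["src"] == fw["src"]
                    and timedelta(0) <= logon_ts - ts <= LOGON_WINDOW):
                alerts.append((ts, fw["src"], dc["host"], dc["user"]))
    return alerts

def dwell_time_days(alerts, detected_at):
    """Dwell time as the post defines it: whole days from the earliest correlated evidence to detection."""
    if not alerts:
        return None
    return (detected_at - min(a[0] for a in alerts)).days

if __name__ == "__main__":
    print("dwell time (days):", dwell_time_days(correlate(FIREWALL_LOG, DC_LOG), EXAMPLE_DETECTED_AT))
```

The legitimate HTTPS connection and internal logon in the sample data are filtered out; only the two external logons to the same host are correlated, and the dwell time is counted from the first of them.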
SIEM solutions are not just for large companies. ADNET sees a need for SIEM and threat detection solutions in businesses of all sizes and in every industry. Over 60% of cyber-attacks are launched against small and medium-sized businesses, so it’s only a matter of time before one succeeds. If your business were under attack, wouldn’t you want to know as soon as possible?