When our team begins an investigation into a security event, the first two things we try to determine are the attacker’s entry point and the date of origin, or when the event first occurred. These two points can help us to determine something known as “dwell time”.
Dwell time, as defined by Continuum and in the context of IT security, is the number of days a threat remains undetected within a given environment.
Why does this matter as a metric? The amount of time that a system has been compromised can impact the overall severity of the security event in several ways:
- The longer an attacker was in the system, the more likely that data was accessed and/or the attackers left other ways for themselves to get back in;
- The amount of time (and associated money) it takes to forensically review a security event increases in proportion with the amount of dwell time.
Here’s the most important question on dwell time: how do you know, right now, if someone is in your system that shouldn’t be?
The average dwell time is more than two months
Our Security Team has seen dwell times ranging from a few days to more than six months. In a previous blog, I talked about the 2018 Marriott breach. In that case, the dwell time was found to have been more than four years prior to the breach being made public! According to FireEye, the average dwell time in 2018 was found to be 78 days. What could a malicious person do to your system in two and a half months? The possibilities are endless.
Ransomware may be an attacker’s last step
Too many companies find out an attacker has been in their system by getting hit with a ransomware attack, but that may be the attacker’s last step. We’ve seen a few situations where the only indication of an intrusion was when the attackers fired off a ransomware attack on their way out of the system.
Real-time security solutions help detect intruders in your systems
The key to minimizing dwell time, apart from preventing intrusion into your system, is detecting intruders promptly, and that comes down to system logging and analysis. Log files that come from critical systems such as perimeter firewalls and domain controllers can help to provide insight as to potential intruders. While gaining useful information from the log files in a timely manner can be challenging, this is where a real-time security information and event management system (SIEM) comes into play. With a SIEM solution, the log files from the various systems are correlated and reviewed to determine what is happening based on a given solution.
SIEM solutions are not just for large companies. ADNET sees a need for SIEM and threat detection solutions in business of all sizes and in every industry. With over 60% of cyber-attacks now happening against small and medium sized businesses, it’s only a matter of time before an attack is successful. If your business was under attack, wouldn’t you want to know as soon as possible?