Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

2/29/2016
10:30 AM
Jeff Schilling
Jeff Schilling
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Measuring Security: My Dwell Time Obsession

How I discovered the critical metric to fuel my drive to create the most secure environment possible.

Throughout my military career, I had two- and three-star generals ask — no, demand — that our security and operations center have measurable cybersecurity metrics. They’d challenge me with the same gamut of questions: “How do you know we are making a difference? Are we getting any better? How do we calculate our return on investment if we don’t know what to measure?” 

I retired from the U.S. Army in 2012. I was never able to answer any of those demands for “good” cybersecurity metrics.

One of the metrics I talked myself out of providing was our number of infected hosts. Is a low number good or bad? If it is low, I am paranoid that I am missing threat activity. If the number is high, there’s a bigger problem at hand. No matter the number, you can never find the denominator (i.e., the actual number of infected hosts). 

From there, I considered another metric: number of security events. This caused me concern as well. Most complex environments detect billions of daily security events. It is impossible to characterize them as true positives or false positives. Plus, I can’t be sure of the number of dreaded true negatives. How many events evaded detection by our security sensors?

Nothing felt informative or effective.

After I left the military, I finally figured it out. I was fortunate enough to manage an incident response and forensics team. Everything a forensics teams does in their investigations is in the context of the Kill Chain. This is the seven-step sequence of events that must occur for a threat actor to achieve their objectives (e.g., steal or destroy data). 

While examining the Kill Chain, the idea dawned on me. I could measure the one variable that a threat actor had to have in order to be successful: dwell time in the network. I needed to eliminate or reduce the amount of time they have to complete the Kill Chain. That’s it. If I could limit dwell time, the threat actor would not have what they needed to progress through the Kill Chain.

Dwell time, which is the duration a threat actor has in an environment before they are detected or eliminated by the security team, is something I could measure fairly accurately with a good forensics investigation.

There are a number of well-known dwell time benchmarks to get a good baseline to measure against. Most of the major annual cybersecurity reports now cite the average dwell time number as being over 200 days. We can do better. We must do better.

With this renewed focus, I centered my security strategy around reducing dwell time by: 

  • Leveraging hardened CIS server builds
  • Building an aggressive patching program focused on the most likely targeted servers in our data centers
  • Using on-access scans for anti-malware tools
  • Integrating traffic-shaping at that edge, with IP reputation management, to remove the noise for network intrusion detection and Layer 7 inspection
  • Deploying a ‘zero-trust’ model in provision servers (i.e., only ports and protocols required for operation are open)
  • Leveraging a SIEM with great correlation 

Dwell time is my obsession. Through diligence and careful process, we continue to see this number drop in our customer environments. This change in thinking rallies the team around one standard (measuring the amount of time from detection to eradication) that is quantifiable and can be leveraged to calculate the effectiveness of a security strategy and overall posture.

No metric is perfect. But any other approach has too many unknowns that will overrun you with false positives. Until a new standard is found, dwell time will continue to be my obsession.

Related Content:

 

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/29/2016 | 12:41:25 PM
False Negatives
"Plus, I can't be sure of the number of dreaded true negatives. How many events evaded detection by our security sensors?"

You may want to update with false negatives.
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12551
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the Memcpy function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.
CVE-2019-12552
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, an integer overflow during the initialization of variables could allow an attacker to cause a denial of service.
CVE-2019-3414
PUBLISHED: 2019-07-22
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front en...
CVE-2019-10102
PUBLISHED: 2019-07-22
tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". Th...
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash. The component is: filterbank. The attack vector is: pass invalid arguments to new_aubio_filterbank. The fixed version is: after commit eda95c9c22b4f0b466ae94c4708765eaae6e709e.