Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

2/29/2016
10:30 AM
Jeff Schilling
Jeff Schilling
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Measuring Security: My Dwell Time Obsession

How I discovered the critical metric to fuel my drive to create the most secure environment possible.

Throughout my military career, I had two- and three-star generals ask — no, demand — that our security and operations center have measurable cybersecurity metrics. They’d challenge me with the same gamut of questions: “How do you know we are making a difference? Are we getting any better? How do we calculate our return on investment if we don’t know what to measure?” 

I retired from the U.S. Army in 2012. I was never able to answer any of those demands for “good” cybersecurity metrics.

One of the metrics I talked myself out of providing was our number of infected hosts. Is a low number good or bad? If it is low, I am paranoid that I am missing threat activity. If the number is high, there’s a bigger problem at hand. No matter the number, you can never find the denominator (i.e., the actual number of infected hosts). 

From there, I considered another metric: number of security events. This caused me concern as well. Most complex environments detect billions of daily security events. It is impossible to characterize them as true positives or false positives. Plus, I can’t be sure of the number of dreaded true negatives. How many events evaded detection by our security sensors?

Nothing felt informative or effective.

After I left the military, I finally figured it out. I was fortunate enough to manage an incident response and forensics team. Everything a forensics teams does in their investigations is in the context of the Kill Chain. This is the seven-step sequence of events that must occur for a threat actor to achieve their objectives (e.g., steal or destroy data). 

While examining the Kill Chain, the idea dawned on me. I could measure the one variable that a threat actor had to have in order to be successful: dwell time in the network. I needed to eliminate or reduce the amount of time they have to complete the Kill Chain. That’s it. If I could limit dwell time, the threat actor would not have what they needed to progress through the Kill Chain.

Dwell time, which is the duration a threat actor has in an environment before they are detected or eliminated by the security team, is something I could measure fairly accurately with a good forensics investigation.

There are a number of well-known dwell time benchmarks to get a good baseline to measure against. Most of the major annual cybersecurity reports now cite the average dwell time number as being over 200 days. We can do better. We must do better.

With this renewed focus, I centered my security strategy around reducing dwell time by: 

  • Leveraging hardened CIS server builds
  • Building an aggressive patching program focused on the most likely targeted servers in our data centers
  • Using on-access scans for anti-malware tools
  • Integrating traffic-shaping at that edge, with IP reputation management, to remove the noise for network intrusion detection and Layer 7 inspection
  • Deploying a ‘zero-trust’ model in provision servers (i.e., only ports and protocols required for operation are open)
  • Leveraging a SIEM with great correlation 

Dwell time is my obsession. Through diligence and careful process, we continue to see this number drop in our customer environments. This change in thinking rallies the team around one standard (measuring the amount of time from detection to eradication) that is quantifiable and can be leveraged to calculate the effectiveness of a security strategy and overall posture.

No metric is perfect. But any other approach has too many unknowns that will overrun you with false positives. Until a new standard is found, dwell time will continue to be my obsession.

Related Content:

 

Interop 2016 Las Vegas

Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
2/29/2016 | 12:41:25 PM
False Negatives
"Plus, I can't be sure of the number of dreaded true negatives. How many events evaded detection by our security sensors?"

You may want to update with false negatives.
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
CVE-2019-16307
PUBLISHED: 2019-09-14
A Reflected Cross-Site Scripting (XSS) vulnerability in the webEx module in webExMeetingLogin.jsp and deleteWebExMeetingCheck.jsp in Fuji Xerox DocuShare through 7.0.0.C1.609 allows remote attackers to inject arbitrary web script or HTML via the handle parameter (webExMeetingLogin.jsp) and meetingKe...
CVE-2019-16294
PUBLISHED: 2019-09-14
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
CVE-2019-16309
PUBLISHED: 2019-09-14
FlameCMS 3.3.5 has SQL injection in account/login.php via accountName.