Dark Reading is part of the Informa Tech Division of Informa PLC
Attacks/Breaches

5/8/2018 10:30 AM
Scott Taschler
Commentary

Breakout Time: A Critical Key Cyber Metric

Why organizations need to detect an intrusion in under a minute, understand it in under 10 minutes, and eject the adversary in under an hour.

Cybersecurity breaches continue to capture headlines worldwide, particularly in the wake of nation-state and criminal cyberattacks that affect a wide range of industries. March 2018 alone saw major disclosed breaches at Applebee's (167 restaurants), Orbitz (880,000 payment cards), Saks Fifth Avenue and Lord & Taylor (5 million payment cards), and Under Armour (150 million user accounts). These events remind us that organizations still struggle to implement effective security strategies.

As the targeting of public and private industries continues to plague organizations worldwide, it's obvious that security must be raised to a board-level issue as organizations look to justify increased investment in cybersecurity.

CrowdStrike recently highlighted a new cyber metric, "breakout time," based on insights from its 2018 Global Threat Report. The report's data set was compiled from 30 trillion security events collected in 2017 to analyze attacker trends and to develop best-practice recommendations. Breakout time can be used to understand and contextualize the effectiveness of an enterprise security program.

So, what is breakout time? It's the time it takes an intruder to begin moving laterally from the initial beachhead to other systems in the network. The average breakout time observed over the previous year came in at one hour and 58 minutes — that's the tight window during which an organization can prevent an incident from turning into a breach. Keep in mind that this is an average across many intrusions: a given adversary may break out far faster, so the figure is a benchmark for your program, not a guarantee for any single incident.

Breakout time is so important because the machine the intruder compromises first is almost never the one they need to fulfill their objective. The adversary must move laterally to burrow deep into the network, perform reconnaissance, and find their targets. On average, then, an organization has about one hour and 58 minutes to detect and eject the intruder before the intrusion spreads beyond the initial host. That's why speed should be central to assessing the effectiveness of any security capability.

Key Metrics Every Organization Should Know
Whether an organization is a large government or private enterprise or a small to midsize business (SMB), protecting data is critical and, in many cases, mandated by regulations. Security is a business imperative that is considered a priority at the executive level. However, many organizations struggle with communicating security as a business issue and finding the metrics to demonstrate effectiveness.

These three key metrics can help an organization estimate its readiness to defend against a breach:

  1. Time to detection of an intrusion
  2. Time to investigate an incident: determine its criticality and scope and decide what response actions are necessary
  3. Time to respond to the intrusion, eject the attacker, and contain any damage

The most sophisticated organizations in the world strive to meet the following deadlines:

  • Detect an intrusion within an average of one minute
  • Investigate and understand it in under 10 minutes
  • Eject the adversary in under one hour

Organizations operating under this framework are much more likely to eject the adversary before they "break out" of the initial entry point, minimizing impact.
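The three metrics above are only useful if you actually measure them from your own incident records and compare them against the 1-10-60 targets and against the attacker's breakout time. The following script is an added example, not code from the article or from CrowdStrike: it takes a handful of constructed incident timelines (the records, hostnames and field names are invented for illustration), computes time to detect, investigate and respond for each, grades each incident against the targets, and reports mean and median per phase. One interpretive assumption is flagged in the code: each phase is measured as a consecutive slice of the timeline, so "respond" starts when triage ends rather than when the alert fired.

```python
"""Grade incident timelines against the 1-10-60 targets and breakout time.

Added example; incident records below are constructed, not real breach data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Targets the article cites: detect in 1 minute, investigate in 10, eject in 60.
TARGETS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "respond": timedelta(minutes=60),
}
# Average breakout time the article reports for 2017 (1 hour 58 minutes).
AVG_BREAKOUT = timedelta(hours=1, minutes=58)


@dataclass
class Incident:
    """Timeline of one intrusion as a SOC might record it (field names are
    this example's own, not from the article)."""
    name: str
    compromised: datetime          # earliest evidence of the initial foothold
    detected: datetime             # first alert raised on that foothold
    triaged: datetime              # scope and criticality understood
    contained: datetime            # adversary ejected from the network
    broke_out: Optional[datetime]  # first observed lateral movement, or None


def phase_durations(inc: Incident) -> dict:
    """The three metrics, measured as consecutive phases of the timeline.
    Assumption: 'respond' is counted from the end of triage, not from detection."""
    return {
        "detect": inc.detected - inc.compromised,
        "investigate": inc.triaged - inc.detected,
        "respond": inc.contained - inc.triaged,
    }


def beat_breakout(inc: Incident) -> bool:
    """Was the adversary ejected before lateral movement? If no lateral
    movement was observed, judge against the reported average instead."""
    deadline = inc.broke_out or inc.compromised + AVG_BREAKOUT
    return inc.contained < deadline


def grade(inc: Incident) -> dict:
    """Pass/fail against each 1-10-60 target, plus the breakout check."""
    d = phase_durations(inc)
    result = {phase: d[phase] <= TARGETS[phase] for phase in TARGETS}
    result["beat_breakout"] = beat_breakout(inc)
    return result


def _mean(vals):
    return sum(vals, timedelta()) / len(vals)


def _median(vals):
    s = sorted(vals)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2


def summarize(incidents) -> dict:
    """Program-level view: mean and median per phase, how many incidents met
    each target, and how many were contained before breakout. The median is
    reported beside the mean because one slow incident drags the mean far
    above what the rest of the program achieves."""
    per = [phase_durations(i) for i in incidents]
    out = {}
    for phase, target in TARGETS.items():
        vals = [p[phase] for p in per]
        out[phase] = {
            "mean": _mean(vals),
            "median": _median(vals),
            "met": sum(v <= target for v in vals),
        }
    out["breakout_beaten"] = sum(beat_breakout(i) for i in incidents)
    return out


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed incident records for illustration (not real breach data).
INCIDENTS = [
    Incident("web-01", _t("2018-03-01T09:00:00"), _t("2018-03-01T09:00:40"),
             _t("2018-03-01T09:08:00"), _t("2018-03-01T09:45:00"), None),
    Incident("vpn-03", _t("2018-03-04T22:10:00"), _t("2018-03-04T22:14:00"),
             _t("2018-03-04T22:20:00"), _t("2018-03-05T00:30:00"),
             _t("2018-03-04T23:40:00")),
    Incident("fileshare-02", _t("2018-03-10T03:00:00"), _t("2018-03-12T08:00:00"),
             _t("2018-03-12T09:30:00"), _t("2018-03-12T12:00:00"),
             _t("2018-03-10T04:15:00")),
]

if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc.name, grade(inc))
    for phase, stats in summarize(INCIDENTS).items():
        print(phase, stats)
```

In the constructed data only the first incident meets all three targets and is contained before breakout; the second is caught within minutes but not ejected before lateral movement, and the third is the multi-day outlier that pushes the mean time to detect to many hours while the median stays at four minutes. That gap between mean and median is exactly why a board-level report should show both, and the per-incident breakout check is the number that tells you whether your program is actually winning the race the article describes.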

Organizations that rely on legacy solutions focused purely on prevention remain the most vulnerable to adversaries. Even a series of layered defenses that is 99.9% effective at blocking incoming threats still misses one in 1,000 intrusion attempts. When an attack slips through those layers, a prevention-only stack has no way to see or stop what happens next, and the result is data loss along with damage to reputation, customer trust, and the return on the security investment itself. Verizon's 2018 Data Breach Investigations Report supports this point, showing that discovering and containing a successful breach often takes days or longer.

Board Members, C-Levels and Security Visibility
In today's security environment, it's critical for boards of directors and CEOs to have visibility into their cybersecurity breach readiness and risk profiles in order to evaluate the effectiveness of their strategies and the proper level of corporate investment. As security budgets continue to increase — Gartner predicts worldwide cybersecurity spending to reach $96 billion this year — business leaders are looking to understand how their spending is reducing the risk exposure of the organization. Today's boards of directors and the C-suite want more visibility into how their organizations are preparing for an inevitable cyberattack.

Some reasons for this change include:

● More money is being spent on security — but what's the ROI? As security budgets continue to increase, input from CSOs and CISOs is being requested in the boardroom to justify the spending. Security executives must find ways to communicate technical information within a business context and articulate the value of their departments' resources at an executive level.

● Large enterprises have experienced alarming breaches. Boards and CEOs feel their organizations may be in attackers' crosshairs. They now know they are likely to be targeted by sophisticated adversaries at some point and are interested in mitigating risks. They also want to evaluate their options based on quantifiable information, which is where metrics come into play.

● Regulatory violations are costly. According to the US National Conference of State Legislatures, 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches. In addition, the European Union's General Data Protection Regulation, which takes effect on May 25, 2018, requires organizations to notify the supervisory authority within 72 hours of becoming aware of a breach and carries substantial penalties for those that fail to do so.

In cybersecurity, as in business, time is money. Given today's sophisticated threat landscape, it is imperative that C-levels and boards understand the trade-offs between response time and risk. Breakout time is a useful data point that puts your capability today into clear context. The best organizations in the world should strive to beat attacker breakout time and detect an intrusion in under a minute, understand it in under 10 minutes, and eject the adversary in under an hour to effectively combat stealthy cyber threats. Can you compete?

Scott Taschler is a 20+ year veteran of the cybersecurity industry, with a strong focus on optimizing workflows in the security operations center. In his current role as Director of Product Marketing for CrowdStrike, Scott works with organizations all around the globe to ...