
Attacks/Breaches

5/8/2018
10:30 AM
Scott Taschler
Commentary

Breakout Time: A Critical Key Cyber Metric

Why organizations need to detect an intrusion in under a minute, understand it in under 10 minutes, and eject the adversary in under an hour.

Cybersecurity breaches continue to capture headlines worldwide, particularly in the wake of nation-state and criminal cyberattacks that affect a wide range of industries. March 2018 saw major disclosed breaches from Applebee's (167 restaurants), Orbitz (880,000 payment cards), Saks Fifth Avenue and Lord & Taylor (5 million payment cards), and Under Armour (150 million user accounts). These events remind us that organizations still struggle to implement effective security strategies.

As the targeting of public and private industries continues to plague organizations worldwide, it's obvious that security must be raised to a board-level issue as organizations look to justify increased investment in cybersecurity.

CrowdStrike recently highlighted a new cyber metric, called "breakout time," based on insights from its 2018 Global Threat Report. Data was compiled from 30 trillion security events collected in 2017 to analyze attacker trends and to develop best-practice recommendations. Breakout time can be used to understand and contextualize the effectiveness of an enterprise security program.

So, what is breakout time? It's the time it takes for an intruder to begin moving laterally outside of the initial beachhead to other systems in the network. The average breakout time analyzed over the previous year came in at one hour and 58 minutes — that's the tight window during which an organization can prevent an incident from turning into a breach.

Breakout time matters because the machine an intruder compromises first is almost never the one needed to achieve the objective. The adversary must move laterally to burrow deeper into the network, perform reconnaissance, and find the real targets. One hour and 58 minutes is therefore the window an organization has to detect and eject the intruder, which is why speed should be central when assessing the effectiveness of any security capability.

Key Metrics Every Organization Should Know
Whether an organization is a large government or private enterprise or a small to midsize business (SMB), protecting data is critical and, in many cases, mandated by regulations. Security is a business imperative that is considered a priority at the executive level. However, many organizations struggle with communicating security as a business issue and finding the metrics to demonstrate effectiveness.

These three key metrics can help an organization estimate its readiness to defend against a breach:

  1. Time to detect an intrusion
  2. Time to investigate an incident: understand its criticality and scope, and determine what response actions are necessary
  3. Time to respond to the intrusion: eject the attacker and contain any damage

The most sophisticated organizations in the world strive to meet the following deadlines:

  • Detect an intrusion within an average of one minute
  • Investigate and understand it in under 10 minutes
  • Eject the adversary in under one hour

Organizations operating under this framework are much more likely to eject the adversary before they "break out" of the initial entry point, minimizing impact.
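The following is an added example, not code from the article or from CrowdStrike, showing how a SOC could compute the three metrics above from incident timeline records and check each incident against the 1-10-60 targets and the 1 hour 58 minute average breakout time the article cites. The `Incident` class, its timestamp field names and the three incident records are assumptions constructed for the example; the `first_lateral` timestamp (first lateral movement actually observed) is what lets the script report whether containment beat the real breakout, not just the average.

```python
"""Compute time-to-detect, time-to-investigate and time-to-respond from
incident timeline records and check them against the 1-10-60 targets.
Added example; the incident records below are constructed, not real data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Targets named in the article: detect in 1 min, understand in 10, eject in 60.
TARGETS = {
    "time_to_detect": timedelta(minutes=1),
    "time_to_investigate": timedelta(minutes=10),
    "time_to_respond": timedelta(minutes=60),
}
# Average breakout time reported for 2017: one hour and 58 minutes.
AVG_BREAKOUT = timedelta(hours=1, minutes=58)


@dataclass
class Incident:
    name: str
    compromise: datetime   # first malicious activity on the beachhead host
    detected: datetime     # alert raised and an analyst engaged
    understood: datetime   # scope, criticality and required actions known
    contained: datetime    # adversary ejected / beachhead isolated
    first_lateral: Optional[datetime] = None  # first lateral movement seen, if any


def durations(inc: Incident) -> Dict[str, timedelta]:
    """The three stage durations for one incident."""
    return {
        "time_to_detect": inc.detected - inc.compromise,
        "time_to_investigate": inc.understood - inc.detected,
        "time_to_respond": inc.contained - inc.understood,
    }


def evaluate(inc: Incident) -> Dict[str, object]:
    """Stage durations plus pass/fail flags against 1-10-60 and breakout time."""
    d = durations(inc)
    total = inc.contained - inc.compromise
    return {
        **d,
        "total": total,
        # Every stage must land inside its own target.
        "meets_1_10_60": all(d[k] <= TARGETS[k] for k in TARGETS),
        # Was the intruder ejected inside the average breakout window?
        "beat_avg_breakout": total <= AVG_BREAKOUT,
        # If lateral movement was actually observed, did containment precede it?
        "contained_before_breakout": (
            inc.first_lateral is None or inc.contained <= inc.first_lateral
        ),
    }


def mean_minutes(incidents: List[Incident], metric: str) -> float:
    """Average one stage duration across incidents, in minutes."""
    total = sum((durations(i)[metric] for i in incidents), timedelta())
    return total.total_seconds() / 60 / len(incidents)


# Constructed sample incidents; the base date is arbitrary.
T = datetime(2018, 5, 8)
SAMPLE_INCIDENTS = [
    # Inside every target and well before the average breakout window.
    Incident("phish-01", T.replace(hour=9), T.replace(hour=9, second=45),
             T.replace(hour=9, minute=8), T.replace(hour=9, minute=40)),
    # Slow detection; the adversary moved laterally before containment.
    Incident("rdp-02", T.replace(hour=10), T.replace(hour=10, minute=30),
             T.replace(hour=11, minute=15), T.replace(hour=13),
             first_lateral=T.replace(hour=11, minute=40)),
    # Fast detection and triage, but eviction took 85 minutes.
    Incident("web-03", T.replace(hour=8), T.replace(hour=8, second=30),
             T.replace(hour=8, minute=5), T.replace(hour=9, minute=30)),
]


def report(incidents: List[Incident]) -> None:
    for inc in incidents:
        r = evaluate(inc)
        print(f"{inc.name}: detect={r['time_to_detect']} investigate="
              f"{r['time_to_investigate']} respond={r['time_to_respond']} "
              f"1-10-60={'PASS' if r['meets_1_10_60'] else 'FAIL'} "
              f"before_breakout={'yes' if r['contained_before_breakout'] else 'NO'}")
    for metric in TARGETS:
        print(f"mean {metric}: {mean_minutes(incidents, metric):.1f} min")


if __name__ == "__main__":
    report(SAMPLE_INCIDENTS)
```

Run against real data, the four timestamps per incident would come from the ticketing or case-management system; the value of tracking `first_lateral` separately is that it turns the average breakout time into a per-incident fact, which is the figure a board will actually ask about.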

Organizations that rely on legacy solutions focused on prevention remain the most vulnerable to adversaries. Even a series of layered defenses that is 99.9% effective at blocking incoming threats still misses one in 1,000 intrusion attempts. When attacks slip through the layers of defense, prevention-focused solutions leave IT networks unprotected, leading to data loss and other harms such as damage to reputation, ROI, and customer value. Verizon's 2018 Data Breach Investigations Report proves this point, showing that detecting and responding to a successful breach often takes days or longer.

Board Members, C-Levels and Security Visibility
In today's security environment, it's critical for boards of directors and CEOs to have visibility into their cybersecurity breach readiness and risk profiles in order to evaluate the effectiveness of their strategies and the proper level of corporate investment. As security budgets continue to increase — Gartner predicts worldwide cybersecurity spending to reach $96 billion this year — business leaders are looking to understand how their spending is reducing the risk exposure of the organization. Today's boards of directors and the C-suite want more visibility into how their organizations are preparing for an inevitable cyberattack.

Some reasons for this change include:

● More money is being spent on security — but what's the ROI? As security budgets continue to increase, input from CSOs and CISOs is being requested in the boardroom to justify the spending. Security executives must find ways to communicate technical information within a business context and articulate the value of their departments' resources at an executive level.

● Large enterprises have experienced alarming breaches. Boards and CEOs feel their organizations may be in attackers' crosshairs. They now know they are likely to be targeted by sophisticated adversaries at some point and are interested in mitigating risks. They also want to evaluate their options based on quantifiable information, which is where metrics come into play.

● Regulatory violations are costly. According to the US National Conference of State Legislators, 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches. In addition, the European Union has updated the General Data Protection Regulation with more stringent rules and substantial penalties for organizations that fail to notify their stakeholders of breaches in a timely manner.

In cybersecurity, as in business, time is money. Given today's sophisticated threat landscape, it is imperative that C-levels and boards understand the trade-offs between response time and risk. Breakout time is a useful data point that puts your capability today into clear context. The best organizations in the world should strive to beat attacker breakout time and detect an intrusion in under a minute, understand it in under 10 minutes, and eject the adversary in under an hour to effectively combat stealthy cyber threats. Can you compete?

Scott Taschler is a 20+ year veteran of the cybersecurity industry, with a strong focus on optimizing workflows in the security operations center. In his current role as Director of Product Marketing for CrowdStrike, Scott works with organizations all around the globe to ...