Breakout Time: A Critical Key Cyber Metric Why organizations need to detect an intrusion in under a minute, understand it in under 10 minutes, and eject the adversary in under an hour.
Cybersecurity breaches continue to capture headlines worldwide, particularly in the wake of nation-state and criminal cyberattacks that impact a wide-range of industries. March 2018 saw major disclosed breaches from Applebee's (167 restaurants), Orbitz (880,000 payment cards), Saks Fifth Avenue and Lord & Taylor (5 million payment cards), and Under Armour (150 million user accounts). These events remind us that organizations still struggle to implement effective security strategies.
As the targeting of public and private industries continues to plague organizations worldwide, it's obvious that security must be raised to a board-level issue as organizations look to justify increased investment in cybersecurity.
CrowdStrike recently highlighted a new cyber metric based on insights from its 2018 Global Threat Report called "breakout time." Data was compiled from 30 trillion security events collected in 2017 to analyze attacker trends and to develop best-practice recommendations. Breakout time can be used to understand and contextualize the effectiveness of an enterprise security program.
So, what is breakout time? It's the time it takes for an intruder to begin moving laterally outside of the initial beachhead to other systems in the network. The average breakout time analyzed over the previous year came in at one hour and 58 minutes — that's the tight window during which an organization can prevent an incident from turning into a breach.
Breakout time is so important because the initial machine the intruder compromises is almost never the one he (or she) needs to fulfill his or her objective. The adversary must move laterally so he can burrow deep into the network, perform reconnaissance, and find his targets. One hour and 58 minutes dictates how much time the organization has to detect and eject the intruder. That's why it's important to focus on speed when assessing the effectiveness of any security capability.
Key Metrics Every Organization Should Know
Whether an organization is a large government or private enterprise or a small to midsize business (SMB), protecting data is critical and, in many cases, mandated by regulations. Security is a business imperative that is considered a priority at the executive level. However, many organizations struggle with communicating security as a business issue and finding the metrics to demonstrate effectiveness.
These three key metrics can help an organization estimate its readiness to defend against a breach:
- Time to detection of an intrusion
- Time to investigate an incident, understanding criticality and scope, and what response actions are necessary
- Time to respond to the intrusion, eject the attacker, and contain any damage
The most sophisticated organizations in the world strive to meet the following deadlines:
- Detect an intrusion within an average of one minute
- Investigate and understand it in under 10 minutes
- Eject the adversary in under one hour
Organizations operating under this framework are much more likely to eject the adversary before they "break out" of the initial entry point, minimizing impact.
Organizations that rely on legacy solutions focused on prevention remain the most vulnerable to adversaries. Even a series of layered defenses that is 99.9% effective at blocking incoming threats still misses one in 1,000 intrusion attempts. When attacks slip through the layers of defense, prevention-focused solutions leave IT networks unprotected, leading to data loss and other issues such as damaging reputation, ROI, customer value, and more. Verizon's 2018 Data Breach Investigations Report proves this point, showing that detecting and responding to a successful breach often takes days or longer.
Board Members, C-Levels and Security Visibility
In today's security environment, it's critical for boards of directors and CEOs to have visibility into their cybersecurity breach readiness and risk profiles in order to evaluate the effectiveness of their strategies and the proper level of corporate investment. As security budgets continue to increase — Gartner predicts worldwide cybersecurity spending to reach $96 billion this year — business leaders are looking to understand how their spending is reducing the risk exposure of the organization. Today's boards of directors and the C-suite want more visibility into how their organizations are preparing for an inevitable cyberattack.
Some reasons for this change include:
● More money is being spent on security — but what's the ROI? As security budgets continue to increase, input from CSOs and CISOs is being requested in the boardroom to justify the spending. Security executives must find ways to communicate technical information within a business context and articulate the value of their departments' resources at an executive level.
● Large enterprises have experienced alarming breaches. Boards and CEOs feel their organizations may be in attackers' crosshairs. They now know they are likely to be targeted by sophisticated adversaries at some point and are interested in mitigating risks. They also want to evaluate their options based on quantifiable information, which is where metrics come into play.
● Regulatory violations are costly. According to the US National Conference of State Legislators, 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches. In addition, the European Union has updated the General Data Protection Regulation with more stringent rules and substantial penalties for organizations that fail to notify their stakeholders of breaches in a timely manner.
In cybersecurity, as in business, time is money. Given today's sophisticated threat landscape, it is imperative that C-levels and boards understand the trade-offs between response time and risk. Breakout time is a useful data point that puts your capability today into clear context. The best organizations in the world should strive to beat attacker breakout time and detect an intrusion in under a minute, understand it in under 10 minutes, and eject the adversary in under an hour to effectively combat stealthy cyber threats. Can you compete?
Scott Taschler is a 20+ year veteran of the cybersecurity industry, with a strong focus on optimizing workflows in the security operations center. In his current role as Director of Product Marketing for CrowdStrike, Scott works with organizations all around the globe to ... View Full Bio