Dwell time, or the time between when an attacker gains access to a network and when their activity is finally detected is a significant indicator for both the potential impact of a cyberattack on the organization and the overall effectiveness of an organization’s security program efficacy.
For example, the Cost of a Data Breach Report 2021 found that attackers spend an average of 287 days inside victim networks before they’re detected, which dramatically drives up the cost of a breach event.
The study revealed that organizations spent an average of $4.87 million on data breaches that took them longer than 200 days to detect and remediate. By contrast, organizations lost only $3.61 million to breach events detected and remediated in fewer than 200 days.
From these findings, one can easily see that reducing dwell time for attackers reduces the cost of a breach event for victim organizations. The closer we can get to detecting an attack at the earliest stages–within hours instead of months–the better. So why is it taking organizations so long to answer the question, “Are we under attack?”
Reducing the Mean Time to Detection
The dwell time discussed above owes its existence to organizations’ lagging defensive capabilities. In particular, many organizations are dealing with a cybersecurity skills shortage that limits the number of analysts available to handle the volume of alerts generated by today’s security stack.
This means fewer analysts are around to triage, investigate, and address potential issues by detecting earlier and remediating faster before they can escalate into a full-scale security event.
Many organizations are turning to technology as a force multiplier to improve their team’s Mean Time to Detect (MTTD) and Mean time to Respond (MTTR) to an attack. But they’re not always doing so in a way that positively contributes to the strength of their security program. Some organizations are not using a multi-layered strategy to prevent malware infections, fileless attacks, and vulnerability exploits on their endpoints, opting instead to stick with traditional, outmoded signature-based antivirus.
Signature-based tools are reasonably good at blocking already known commodity malware. Still, they do little to protect an organization against novel, polymorphic, and repacked malware strains, and are completely useless against vulnerability exploits, zero-days or fileless attacks. Organizations would be better served by deploying a NextGen antivirus solution that leverage AI/ML detections to spot malicious code and exploits that signature-based tools cannot.
More so, it is highly recommended that organizations deploy an Endpoint Detection and Response (EDR) solution that can detect the attacker activity on the endpoint that comes well before any malware delivery and hunt for threats before they become full-blown attacks.
Some EDR providers are further limited in that they can’t ingest all available endpoint telemetry. As such, they are forced to filter some or most of the intelligence required to detect faster and remediate sooner. “data filtering” where they eliminate telemetry even though it might be helpful for detection.
Even if your organization has a robust EDR tool that does not require data filtering, EDR solutions are not helpful for detecting advanced attacks that originate or extend beyond endpoint devices into other parts of an organization’s infrastructure. As well, even with an EDR solution deployed, analysts still have to manually correlate threats against the endpoint with intelligence from other aspects of the network, like cloud workloads or compromised user credentials.
Leveraging XDR to Optimize Your Security Stack
Organizations need to optimize their security stack to provide multi-layered protection leveraging automated capabilities while also gaining increased visibility across the entire network to leverage the context and correlations required to end attacks earlier.
This is where Extended Detection and Response (XDR) comes in. XDR takes the strategic advantage that EDR provides for the endpoint and applies it across the organization's network. XDR provides the continuous threat prevention, detection, and response required to detect attacks at the earliest stages like initial ingress, lateral movement, identity abuse, and data exfiltration by correlating threat intelligence across endpoints, application suites, cloud workloads, and user identities.
XDR optimizes an organization’s security stack in three ways:
- Maximizing Integrations Across the Security Stack: XDR saves time and effort by automating the delivery of actionable, context-rich intelligence from telemetry ingested across the entire security stack without requiring analysts to do the heavy lifting required to triage every alert generated. Analysts can quickly understand the earliest signs of compromise and end malicious operations faster through native integrations with email, productivity suites, identity and access management, and cloud deployments. This is the power of the “X” in XDR.
- Detecting the Entire Malicious Operation: The correlative power of XDR allows security teams to adopt an operation-centric approach to detection by revealing the entire MalOpTM (malicious operation) from root cause across every affected device, system, and user. With XDR, analysts can focus on ending attacks in progress rather than spending valuable time trying to manually piece together the attacker’s actions and activities by sorting through an unorganized and uncorrelated mass of alerts generated by disparate security tools, each designed to only reveal an isolated aspect of the entire attack. This is the power of the “D” in XDR.
- Predictive Automated Response: Understanding the full intent of an attacker’s behaviors and how they are related across the different elements of an organization’s network through an operation-centric approach means analysts are empowered to predictively anticipate the attacker’s likely next moves and preemptively block the attack progression with automated or guided remediation, depending on the security policies in place. Only an operation-centric approach can reduce attacker dwell time from months to minutes. This is the power of the “R” in XDR.
- Proactive Threat Hunting: Finally, XDR enables organizations to engage in proactive threat hunting. This activity is important as it allows organizations to search for suspicious chains of behavior that can surface attacks sooner and minimize the damage that those operations might cause. With XDR, security teams can pivot between events and hunt for threats without needing to craft complex queries. They can also incorporate lessons learned from successful hunts into custom detection rules and logic for future threat hunting engagements based on an operation-centric approach. This is the power of unifying all three aspects of XDR in one solution.
The AI-Driven XDR Advantage
An AI-driven XDR solution enables organizations to embrace an operation-centric approach to security that delivers the visibility required to be confident in their security posture across all network assets and the automated responses required to halt attack progressions at the earliest stages.
In addition, an AI-driven XDR solution should provide Defenders with the ability to predict, detect and respond to cyberattacks across the entire enterprise, including endpoints, networks, identities, cloud, application workspaces, and more.
Cybereason is dedicated to teaming with Defenders to end attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about AI-driven Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
