The XDR Advantage: Eliminate Dwell Time and Gain Visibility

July 27, 2021 | 3 minute read

The average cost of a data breach in 2020 was $3.86 million, according to IBM. It was even more expensive for certain entities. Indeed, that cost rose to $8.64 million when attackers succeeded in breaching an organization located in the United States. It was the same story in the healthcare industry, with the cost of data breaches climbing to $7.13 million for affected entities.

Dwell Time is a Factor

One of the reasons why data breaches have become so costly is because of dwell time, or the average time that an attacker spends on an affected system or within a compromised network before they’re detected. In the research cited above, the average dwell time is 280 days, which gives malicious actors almost a year to conduct reconnaissance on their victims, move laterally to access sensitive assets, and then exfiltrate information—activities that all drive up recovery costs, legal fees, and compliance penalties in the event of a successful security incident.

Attacker dwell time is so high for a few reasons: first is the fact that organizations lack visibility over their network assets. Most (87%) of respondents to a 2020 survey said that they were concerned about their employer’s current security visibility, reported Security Boulevard. Security teams need to know what’s on the network to defend it - but with devices, applications, services and users in the organization constantly changing, it’s difficult for personnel to have an accurate inventory for implementing important preventative steps like running vulnerability scans or risk assessments.

Another reason why dwell time is so high is because threat detection itself has become more difficult. ESG Research explored this topic in a 2020 survey, for example. It found that two-thirds of respondents considered their threat detection and response capabilities to be limited due to their use of multiple independent tools. About the same proportion (64%) identified too many manual processes as a compounding factor.

“Each of these tools must be deployed, configured, and operated daily,” the research firm explained in a blog post. “Furthermore, each tool provides its own myopic alerting and reporting. Security analysts are then called upon to stitch together a complete threat management picture across endpoint security tools, network security tools, threat intelligence, etc. This is a manual process slog that doesn’t scale. Little wonder then why malware is often present on a network for hundreds of days before being discovered.”

Not only that, but the survey also found that organizations struggled to detect and respond to threats because of insufficient security staff skills. More than two-thirds (68%) of survey participants told ESG Research that “a shortage of security staff members and/or limited security analytics and incident response (IR) skills” undermined the effectiveness of those efforts. This gave attackers more room to breathe and explore the networks of their victims, as a result.

XDR as the Way Forward

Organizations need to improve their visibility of their environments as well as streamline their threat detection and response capabilities in a way that maximizes their existing security expertise. They can do this by turning to XDR solutions (Extended Detection and Response).

According to Dark Reading, XDR builds extends the capabilities of EDR solutions (Endpoint Detection and Response) solutions beyond the endpoint and across the network, the cloud, applications and elsewhere in their environments. This provides security teams with the visibility they need to defend their security infrastructure. Simultaneously, XDR leverages automated correlation and machine learning to illuminate malicious behaviors that are harder to spot, thus saving security personnel time when it comes to identifying potential problems and detecting the entirety of an attack chain.

Cybereason XDR takes this paradigm even further so that organizations have all they need to pinpoint, understand, and then stop attacks wherever they are on the network. It does this by taking an operation-centric approach to security that emphasizes malicious operations (Malops™) instead of uncorrelated alerts that lack the context to be actionable.

With insight into Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs), organizations can quickly pick up on more subtle signs of a potential compromise earlier, without having to waste any time on triaging alerts or investigating false positives. This allows security teams to reduce their mean time to respond (MTTR).

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about Cybereason XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Cybereason Security Team
About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.

All Posts by Cybereason Security Team