Connect with us

Hi, what are you looking for?


Incident Response

Reducing Time to Detection: Breaking the One-day Barrier

To Consistently and Significantly Reduce Time to Detection, Security Teams Must Combine Sophisticated Threat Defenses with Skilled Security Researchers

To Consistently and Significantly Reduce Time to Detection, Security Teams Must Combine Sophisticated Threat Defenses with Skilled Security Researchers

Breaking down barriers. It’s what humans do – breaking the sound barrier, breaking the four-minute mile, conquering the Earth’s highest mountain. Once these records are broken, these feats become nearly routine. Military aircraft break the sound barrier every day. High-school track stars can run four-minute miles. More than 4,000 people have climbed Mt. Everest.

For security professionals it has become increasingly obvious that the barrier to break involves time to detection (TTD), the window of time between the first observation of an unknown file and the detection of a threat. Based on various studies and research, the current industry measures for TTD are between 100 to 200 days. But under this scenario, once a breach is detected the damage has already been done. Credit card data, bank account information, credentials – whatever valuable digital assets you need to protect – have been compromised.

Detecting BreachesGiven the reality that some attacks will get through defenses, our ability to quickly detect a compromise and then stop the exploitation of an attack is today’s true measure of security effectiveness. What does it take to break the TTD barrier and get it down to below one day so we can act and remediate faster?

First, we need to more quickly identify commodity malware. The industrialization of hacking and the greater use of commodity malware play an important role in our ability to narrow the window on TTD. As soon as a threat becomes industrialized, it becomes more widespread and thus easier to detect. Recent examples include Cryptowall 3.0, Upatre, and Dyre.

We also need to bring together as many sources of intelligence as possible along with massive amounts of data and telemetry to correlate behaviors and traffic patterns to identify zero-day threats. This analysis must be continuous to retrospectively detect malware – files that initially seem benign or are unknown, but later exhibit malicious behavior. This capability is critical in combatting a rise in evasive activity, as demonstrated by the Angler exploit kit.

Additional retrospective security capabilities include the ability to see a file’s trajectory across the enterprise, understand the scope of the attack, quarantine all affected devices, and execute automated or hands-on remediation before reattaching the device to the network. Retrospective security is critical to accelerate TTD and as well as remediation.

But it isn’t all about technology. To consistently and significantly reduce the median TTD we must combine sophisticated threat defenses with skilled security researchers. These experts bring the ability to proactively analyze the global threat landscape, continuously monitor and correlate information to detect emerging threats, identify new sources of intelligence, adapt defenses, and strive for operational excellence.

Still, some threats go unnoticed and remain unchecked in the race to deflect the onslaught of zero-day attacks. That’s where systemic response can help – the ability to trigger a system-wide response capable of correlating and analyzing all information to find, block, and contain threats everywhere, instantly, across the entire security infrastructure.

Advertisement. Scroll to continue reading.

The desire to break down barriers and leave them in our wake is human nature. We understand what’s required and have the technology and skills to break the one-day barrier in TTD. Now let’s work together to make it routine.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...


Cloud company Rackspace has completed its investigation into the recent ransomware attack and found that the hackers did access some customer resources.