Incident Response

Reducing Time to Detection: Breaking the One-day Barrier

To Consistently and Significantly Reduce Time to Detection, Security Teams Must Combine Sophisticated Threat Defenses with Skilled Security Researchers

Breaking down barriers. It’s what humans do – breaking the sound barrier, breaking the four-minute mile, conquering the Earth’s highest mountain. Once these records are broken, these feats become nearly routine. Military aircraft break the sound barrier every day. High-school track stars can run four-minute miles. More than 4,000 people have climbed Mt. Everest.

For security professionals it has become increasingly obvious that the barrier to break involves time to detection (TTD), the window of time between the first observation of an unknown file and the detection of a threat. Based on various studies and research, the current industry measures for TTD are between 100 and 200 days. But under this scenario, once a breach is detected the damage has already been done. Credit card data, bank account information, credentials – whatever valuable digital assets you need to protect – have been compromised.

Given the reality that some attacks will get through defenses, our ability to quickly detect a compromise and then stop the exploitation of an attack is today’s true measure of security effectiveness. What does it take to break the TTD barrier and get it down to below one day so we can act and remediate faster?

First, we need to more quickly identify commodity malware. The industrialization of hacking and the greater use of commodity malware play an important role in our ability to narrow the window on TTD. As soon as a threat becomes industrialized, it becomes more widespread and thus easier to detect. Recent examples include Cryptowall 3.0, Upatre, and Dyre.

We also need to bring together as many sources of intelligence as possible along with massive amounts of data and telemetry to correlate behaviors and traffic patterns to identify zero-day threats. This analysis must be continuous to retrospectively detect malware – files that initially seem benign or are unknown, but later exhibit malicious behavior. This capability is critical in combatting a rise in evasive activity, as demonstrated by the Angler exploit kit.

Additional retrospective security capabilities include the ability to see a file’s trajectory across the enterprise, understand the scope of the attack, quarantine all affected devices, and execute automated or hands-on remediation before reattaching the device to the network. Retrospective security is critical to accelerating both TTD and remediation.
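The two paragraphs above describe a metric (TTD measured from first observation of a file to a malicious verdict), a retrospective verdict flip (a file first judged unknown or clean, later judged malicious) and a file trajectory across hosts. The following Python is an added illustration, not code from the article or from any vendor product, of how a security team could compute those figures from its own telemetry. The observation and verdict events, host names and hash values are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample telemetry (not real data). Hashes are placeholders.
# Observation events: (timestamp, host, file hash) reported by endpoint sensors.
OBSERVATIONS = [
    ("2015-06-01T08:00:00", "host-a", "hash-0001"),
    ("2015-06-01T09:30:00", "host-b", "hash-0001"),
    ("2015-06-03T14:00:00", "host-c", "hash-0001"),
    ("2015-06-02T10:00:00", "host-a", "hash-0002"),
    ("2015-06-02T10:05:00", "host-d", "hash-0003"),
    ("2015-06-05T09:00:00", "host-b", "hash-0004"),
]
# Verdict events: (timestamp, file hash, verdict) from the analysis pipeline.
VERDICTS = [
    ("2015-06-01T08:00:10", "hash-0001", "unknown"),
    ("2015-06-04T12:00:00", "hash-0001", "malicious"),  # flipped later: retrospective detection
    ("2015-06-02T10:00:05", "hash-0002", "malicious"),  # known commodity sample, caught at once
    ("2015-06-02T10:05:02", "hash-0003", "clean"),
    ("2015-06-05T11:00:00", "hash-0004", "malicious"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def first_seen(observations=OBSERVATIONS):
    """Earliest observation time per file hash, regardless of which host saw it."""
    seen = {}
    for ts, _host, h in observations:
        t = _ts(ts)
        if h not in seen or t < seen[h]:
            seen[h] = t
    return seen


def trajectory(file_hash, observations=OBSERVATIONS):
    """Hosts that saw the file, ordered by when it first appeared on each host."""
    per_host = {}
    for ts, host, h in observations:
        if h != file_hash:
            continue
        t = _ts(ts)
        if host not in per_host or t < per_host[host]:
            per_host[host] = t
    return [host for host, _ in sorted(per_host.items(), key=lambda kv: kv[1])]


def time_to_detection(observations=OBSERVATIONS, verdicts=VERDICTS):
    """TTD per file: earliest 'malicious' verdict minus first observation anywhere."""
    seen = first_seen(observations)
    ttd = {}
    for ts, h, verdict in verdicts:
        if verdict != "malicious" or h not in seen:
            continue
        delta = _ts(ts) - seen[h]
        if h not in ttd or delta < ttd[h]:
            ttd[h] = delta
    return ttd


def median_ttd(observations=OBSERVATIONS, verdicts=VERDICTS):
    """Median TTD across detected files, the figure the article wants under one day."""
    deltas = list(time_to_detection(observations, verdicts).values())
    return median(deltas) if deltas else None


def retrospective_detections(verdicts=VERDICTS):
    """Files whose first verdict was not malicious but a later verdict was."""
    history = defaultdict(list)
    for ts, h, verdict in verdicts:
        history[h].append((_ts(ts), verdict))
    flipped = []
    for h, events in history.items():
        events.sort()
        if events[0][1] != "malicious" and any(v == "malicious" for _, v in events[1:]):
            flipped.append(h)
    return sorted(flipped)


def over_one_day(observations=OBSERVATIONS, verdicts=VERDICTS):
    """Files that missed the one-day target; each one needs scoping and quarantine."""
    return sorted(h for h, d in time_to_detection(observations, verdicts).items()
                  if d > timedelta(days=1))


if __name__ == "__main__":
    for h, d in sorted(time_to_detection().items()):
        print(f"{h}: TTD {d}, trajectory {trajectory(h)}")
    print("median TTD:", median_ttd())
    print("retrospective detections:", retrospective_detections())
    print("over one day:", over_one_day())
```

In the constructed data the commodity sample (hash-0002) is detected five seconds after first sight, while hash-0001 sits as "unknown" for more than three days and spreads to three hosts before the verdict flips; the trajectory list is what the scoping and quarantine step would act on.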

But it isn’t all about technology. To consistently and significantly reduce the median TTD we must combine sophisticated threat defenses with skilled security researchers. These experts bring the ability to proactively analyze the global threat landscape, continuously monitor and correlate information to detect emerging threats, identify new sources of intelligence, adapt defenses, and strive for operational excellence.

Still, some threats go unnoticed and remain unchecked in the race to deflect the onslaught of zero-day attacks. That’s where systemic response can help – the ability to trigger a system-wide response capable of correlating and analyzing all information to find, block, and contain threats everywhere, instantly, across the entire security infrastructure.

The desire to break down barriers and leave them in our wake is human nature. We understand what’s required and have the technology and skills to break the one-day barrier in TTD. Now let’s work together to make it routine.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.
