Need to report an incident? +1 (888) 674.9001

Mean Time To Detect: What does that mean to me?

Feb 11, 2022

In our last blog post I provided 4 reasons why you need MDR, right now!. To recap, those reasons are:

  1. Mean Time To Detect
  2. Mean Time To Alert / Notify
  3. Mean Time To Respond
  4. Mean Time To Mitigate / Stop

Today we’re going to discuss the first crucial idea for analyzing your security posture and protecting your network: Mean Time To Detect.

What is Mean Time To Detect?

Mean Time To Detect (MTTD) is pretty much exactly what it sounds like. It’s the average time from the onset of an incident - the moment an attacker has access to your system - to the time it is detected by people or systems. This is a Key Performance Indicator (KPI) in the cybersecurity world because it measures the efficiency and effectiveness of your security posture and solutions as a whole.

Mean Time To Detect is crucial for all organizations, whether they have their own in-house SIEM, managed SIEM, or outsourced Threat Hunting (what Milton does). As IBM outlined in 2021, the average industry-wide Time To Detect (TTD) was 7 months, yes you read that right, 7 months in the case of large breaches. What does that mean? It means there were some that were 2, 4, possibly 5 times as long as that, and there were a large number of cases that were within a few days or weeks.

The longer an attacker stays in your environment, the more likely they will leave behind other goodies, just in case you find the original attack surface and close it down. From lateral movement and privilege escalation to creating backdoors, the longer it takes an organization to detect an incident the more leverage an attacker can gain on a network.

So how do I measure my current MTTD?

This is fairly easy. Take a look in your ticket system at the date and time issues or incidents were logged. From there, review your logs to find the date and time the incident first occurred. The amount of time between the two timestamps is your Time To Detect for that incident. Average those out across all incidents and you have your MTTD.

Pretty simple right!?

Of course, a lot of times in organizations, when critical events occur, it's more complicated than just finding a single entry, you need to correlate information in near real time. For instance, what if you typically do not allow RDP through your firewall, but someone made a change and no one noticed Port 3389 was left open. How would you find out this change occurred?

This exact situation is one that Milton Security Threat Hunters encountered recently. Because of their in-depth knowledge of a customer’s network, the SOC Analysts realized that the RDP port, which was normally closed, was allowing traffic.

Sometimes it's because an attacker used that open RDP to scan your network. And, of course, you watch your firewall logs and notice the unusual scanning activity which leads you back to finding the open RDP port. How long ago was the change made? Was it hours, days, weeks?

Yikes, that’s longer than I thought it would be. How do I reduce my MTTD?

Reducing MTTD is an ongoing process. It’s not one you achieve and then dust your hands and move on to other things.

Obviously, the best way to take your MTTD to zero is by not allowing any issues or incidents. And while this goal is completely unrealistic, you can take big steps in that direction by:

  • Enabling MFA for everyone
  • Block users from using common account names and passwords
  • Make sure that your change management process includes pre and post audits of your network so nothing is accidentally left open to the public

And of course, the more eyes you have watching over your network at all times with the knowledge of what is and is not typical within your unique environment, the quicker any issues or incidents can be brought to your attention.

So what happened with the example from above? Within 10 minutes, the Threat Hunt Team escalated the alert to the customer and found nearly 20 foreign malicious IPs that were receiving callbacks. The port was immediately closed and the IPs were blocked, saving the organization from a potential breach and future malicious activity.

At Milton, we have a trained SOC team that stands watch 24 hours a day, 7 days a week, 365 days a year, backed by an AI and ML driven threat intelligence engine, and abreast of all new and emerging threats. Our Threat Hunters become experts on your unique environment so they know when there’s an anomaly and can investigate and correlate data to ensure your network remains secure and alert you if action needs to be taken.

If you’re ready to see how Milton Security’s Threat Hunt Teams can help reduce your MTTD and increase your overall security posture, start with a risk-free 15-day FREE Proof of Value. Don’t take our word for it - see for yourself.

Free 15-Day Proof of Value