Practically every cybersecurity and IT professional recognizes that it’s not a matter of “if” their organization will be the victim of a cyberattack or breach, it’s “when.” And that’s not surprising considering there were almost 4,000 reported data breaches in the first half of 2019 – that’s more than 20 per day.
But what many of these security professionals and experts previously disagreed on was the amount of time their organizations needed to identify and respond to these breaches. Did it need to happen immediately? Could it wait a few hours, or even days?
To help answer this question, the researchers at CrowdStrike analyzed data from thousands of attacks and breaches. As a result, they developed a metric, which they refer to as Breakout Time. What is Breakout Time? It’s the measurement of the amount of time it takes an adversary to begin taking action on their objectives during an attack. More specifically, Breakout Time calculates the time from the initial infection point of a given incident to when the adversary is able to successfully move laterally within the victim organization’s network, ultimately landing on the asset they are targeting during their campaign.
During an attack, the initial event, and most frequently the asset that is compromised by this event – patient zero – is not the desired target. So the adversary begins reconnaissance, exploring avenues for moving laterally across the network so they can begin compromising other systems. Once the adversary is able to crawl around the victim's network and penetrate deeply into the environment, they find ways to obfuscate their behavior and hide from the operators who may be hunting them. Over time, they begin to scope out potential targets for exfiltration or for any number of other nefarious activities that are part of their campaign.
So, how long does an organization have? According to CrowdStrike, which first reported its Breakout Time findings in its 2018 Global Threat Report, they have approximately one hour and 58 minutes. That's the time it takes an adversary to establish a beachhead on the initially compromised machine and begin moving laterally through the victim's network.
Clearly, this is not a lot of time. Compounding the problem even further, with the Ponemon Institute reporting that the average cost of a breach can approach $4 million in their 2019 Cost of a Data Breach Report, it’s essential that organizations detect and respond to the intruder before that clock runs out.
But how can IT and security professionals ensure that they’re detecting and responding to breaches before the Breakout Time is up? They can follow the 1-10-60 rule.
1-10-60 metrics: the guide to rapid response
According to CrowdStrike Co-founder and CTO, Dmitri Alperovitch, there are three “outcome-driven metrics” that IT departments and cybersecurity professionals should hold themselves accountable to that can effectively be the difference between a minor intrusion and a massive, costly data breach.
These three metrics are:
- Time to Detection — organizations should set a goal of allowing only one minute to detect an incident or intrusion (automated).
- Time to Investigation — the length of time it takes to find out if the incident is legitimate and determine next steps (containment, remediation, etc.). The best organizations can execute this process within 10 minutes.
- Time to Remediation — the period of time needed to eject the intruder and clean up your network, which may involve coordination with the business owner of that asset. The best organizations aim to perform these activities within 60 minutes.
If an organization can follow the 1-10-60 rule – detecting a breach within one minute, investigating the breach and determining its legitimacy within 10 minutes, and eliminating the threat within 60 minutes – it can beat the Breakout Time clock and prevent material damage to its network and organization.
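A small script that computes the three 1-10-60 metrics from an incident timeline and checks them against the targets and the reported breakout time, added here as an example (it is not CrowdStrike's code or part of the original post); the stage names, the timeline format and the sample incident are this example's own assumptions.

```python
from datetime import datetime, timedelta

# 1-10-60 targets from the post, and CrowdStrike's reported average breakout
# time of one hour and 58 minutes.
TARGETS = {"detect": timedelta(minutes=1),
           "investigate": timedelta(minutes=10),
           "remediate": timedelta(minutes=60)}
BREAKOUT_TIME = timedelta(hours=1, minutes=58)

# Stage names are this example's own convention, in the order they must occur.
STAGES = ("compromise", "detected", "triaged", "remediated")

# Constructed sample timeline (not a real incident): "<ISO-8601 time> <stage>".
SAMPLE_TIMELINE = """\
2019-09-10T13:02:00 compromise
2019-09-10T13:02:45 detected
2019-09-10T13:09:30 triaged
2019-09-10T14:05:00 remediated
"""

def parse_timeline(text):
    """Parse timeline lines into {stage: datetime}; reject incomplete,
    duplicated or out-of-order timelines rather than produce bogus metrics."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, stage = line.split()
        if stage not in STAGES or stage in events:
            raise ValueError(f"unexpected or duplicate stage: {stage}")
        events[stage] = datetime.fromisoformat(stamp)
    if len(events) != len(STAGES):
        raise ValueError("timeline incomplete: " + ", ".join(s for s in STAGES if s not in events))
    times = [events[s] for s in STAGES]
    if times != sorted(times):
        raise ValueError("timeline stages are not in chronological order")
    return events

def compute_metrics(events):
    """The three 1-10-60 intervals as timedeltas."""
    return {"detect": events["detected"] - events["compromise"],
            "investigate": events["triaged"] - events["detected"],
            "remediate": events["remediated"] - events["triaged"]}

def evaluate(metrics):
    """Pass/fail per stage against 1-10-60, plus whether the intruder was
    ejected before the average breakout clock ran out."""
    verdict = {stage: metrics[stage] <= TARGETS[stage] for stage in TARGETS}
    verdict["beat_breakout"] = sum(metrics.values(), timedelta()) < BREAKOUT_TIME
    return verdict
```

Feed it the timestamps your ticketing or SIEM system records for each stage; a False on any stage, or on beat_breakout, marks an incident where the response was slower than the adversary.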
For even more information about Breakout Time and the 1-10-60 rule, watch this incredible video of Dmitri Alperovitch, who breaks it all down:
One of the best ways to protect your organization is to understand the full scope of the threat you’re facing. To download a copy of the 2019 OverWatch Mid-Year Report and learn more about the threat landscape in 2019, click here.