Dwell Time: A Security Metric to Obsess Over

Jeff Schilling has an obsession with dwell time. The Armor CSO explains his infatuation with the security metric on Dark Reading. Simply, dwell time is the number of days a threat actor remains undetected within a given environment until remediation.

In 2014, the reported industry average dwell time was 205 days. Thankfully, one popular incident response firm saw their customers’ dwell time drop to 146 days. This is a trend in the right direction, but there’s still a clear problem. Even mid-level threat actors only require an average of four to six days to achieve success in a targeted attack.

And once they’re in, it takes them less than a day to map a network and credentials, hide their tracks, create a back door and exfiltrate data. We can see why 146 days is still far too long. (Armor’s dwell time is at two days and dropping.)

While this data is alarming, dwell time is still not a widely used metric in the industry. So, out of the untold number of security data points to collect, monitor and analyze, why did Schilling lock in on this one? In his words: it’s simple and it works.

“I could measure the one variable that a threat actor had to have in order to be successful: dwell time in the network,” Schilling wrote on Dark Reading. “I needed to eliminate or reduce the amount of time they have to complete the Kill Chain. That’s it. If I could limit dwell time, the threat actor would not have what they needed to progress through the Kill Chain.”

While Armor focuses on many metrics, this one baseline helps Schilling’s 24-7 security operations center (SOC) improve its processes to drive the number down. The goal of the entire company is to get the number down to hours, then minutes. And Armor’s dwell time goes down each and every month.

“Through diligence and careful process, we continue to see this number drop in our customer environments,” Schilling wrote. “This change in thinking rallies the team around one standard (measuring the amount of time from detection to eradication) that is quantifiable and can be leveraged to calculate the effectiveness of a security strategy and overall posture.”

And as Schilling wrote, no metric is perfect. But Armor is proving dwell time to be highly effective in protecting customers, their data and their brands.
