Dwell time, also known as the breach detection gap, describes the delta between the initial breach occurring and it being detected. Within cybersecurity, we are laser focused on reducing the dwell time to thwart attacks before they can cause any harm. Despite relentless innovation in detection capabilities, we have to acknowledge that by definition it's a cat-and-mouse game where the attacker always has the advantage.
As defenders, we are playing catch up with real world consequences. Just in the past few months we've been reading about breaches at MediBank, Uber, and Plex. These incidents remind us that a breach is inevitable and, especially in the MediBank case, costly.
The future of detection
Innovation into machine learning (ML) and artificial intelligence (AI) by Endpoint, Detection & Response (EDR) vendors has given blue teams a significant leap in capabilities in the past decade, but there is a limit to this technology.
Detection can still be evaded.
For example, a change in the malware code language, agent tempering, or fileless malware significantly affects detection rate. Our defensive tools will get smarter to solve for these gaps, but this will just push attackers into developing more creative workarounds.
With every change in behavior or code, EDR vendors need to adapt which result in an increased mean time to detection (MTTD).
So where does this leave us? Companies have invested over $28 billion into endpoint security with a focus on detection while breaches still stay undetected. In fact, on average, it takes an organization 277 days to identify and contain a breach according to the 2022 Cost of a Data Breach Report from IBM.
A lengthy dwell time gives attackers the opportunity to spread through the network undetected, establish persistence, create secondary backdoors, and eventually exfiltrate data or deploy ransomware.
Don't dwell on it: EDR is needed to respond to threats
But calling out a weakness doesn't render EDR as ineffective. In fact, we can argue that EDR is more important than ever now that we are trying to consolidate data from all sources into one single security platform with XDR.
It's also important to call out the last letter in EDR - response. Hunting for threats without a capable EDR solution in place is next to impossible.
The ability to respond to an incident at scale is the only way of clearing an attacker out of a comprised environment, and this is where we have to rely on EDR when it comes to clearing threats from our endpoints.
A new paradigm - breach containment
Defense in depth, the practice of adding independent layers of security controls, is our best move forward. This way, when detection falls short, we have other layers of defense in place.
This doesn't mean we should stop focusing on reducing dwell time; we just need to escape the rat race and implement new layers of defense that are not dependent on detection. Investing in breach containment is our most effective move forward.
By implementing Zero Trust Segmentation (ZTS) to all our endpoints with Illumio Endpoint, we can proactively prevent future attackers from spreading from a single compromised endpoint to the entire network. By focusing on containment, we extend the allotted time our EDR solution has to detect a breach before it turns into a disaster, reframing the way we think about MTTD and dwell time.
Like peanut butter and jelly
Illumio fills the gap between incident and detection, agnostic from attack pattern.
Combining proactive technology like ZTS with reactive technology like EDR on every endpoint lessens the dwell time weakness while also significantly increasing response capabilities. In fact, according to offensive security firm Bishop Fox, combining detection and response with Illumio radically reduced an attacker from spreading while detecting 4 times faster.
Breaches are not going anywhere. But by embracing breach containment on every endpoint ensures your organization can be resilient to everything that is left to come.