2018-Q2-Infographic-DwellTime - Armor



Post on 05-Oct-2020


THE HIDDEN DANGER

DEFINING DWELL TIME

Aligning Dwell Time to the Cyber Kill Chain® means that the good guys are attuned to opportunities to counter how the bad guys operate. The Kill Chain represents the lifecycle of a threat (the process the threat actor conducts) from beginning to end.

In this model, phases 4 through 7 represent the opportunity security teams have to disrupt the threat actor’s efforts.

Some vendors like to consider Dwell Time as the time between when the threat successfully penetrated your environment to when it is first detected. Because even during any response phase a threat actor still has an opportunity to perform Actions on Objectives, it is critical to add this time into the overall calculation for Dwell Time.

DWELL TIME AS A CRITICAL SECURITY SUCCESS METRIC

WHAT IS DWELL TIME?

The time from the point a threat successfully enters your environment to when the threat is completely remediated.

WHY IT MATTERS

Dwell time is a leading metric in measuring the proficiency of a given security strategy and its related processes, policies and controls. For CISOs and CIOs, tying this number to business impact is critical.

THREAT ACTORS MOVE FAST

DAYS TO ACTIONS ON OBJECTIVES: 4-6 DAYS

Mid-level threat actors only require an average of 4-6 days to achieve success via targeted attacks. [1]

SHOCKINGLY, THE INDUSTRY AVERAGE DWELL TIME IS CURRENTLY 191+ DAYS [2]

CLEANUP IS COSTLY, TIME-CONSUMING

AVERAGE U.S. COST OF A BREACH: $7.35M [2]

The longer a threat actor is able to operate unfettered in your environment, the more likely the actor is able to achieve Actions on Objectives, the final stage of the Cyber Kill Chain. For businesses, shorter dwell times mean reduced risk of a data breach, a malware outbreak, or their machines getting ensnared in a botnet or held hostage by ransomware. In turn, this also means lower chances of downtime, regulatory compliance penalties and hefty lawsuits and costs stemming from a cyber incident.

Strongly Agree and Agree responses combined

FY - 2017 FY - 2016

It just takes 5 days for a threat actor to accomplish their Actions on Objective and cause harm to your organization.

Armor leads the industry in measuring, reporting, and reducing any time an actor has to operate unfettered in your environment.

THE INDUSTRY AVERAGE IS NO MATCH FOR ARMOR

<1 DAY VS INDUSTRY AVERAGE 191+ DAYS [2]

FALSE POSITIVE RATE: 3-4% VS 66% (PERCENT OF MSSPS THAT OPERATE AT A FALSE POSITIVE RATE OF 25% TO 99%) [5]

VULNERABILITIES PER DEVICE: 2 VS 10 [6]

SOURCES:

1. “2017 Cost of Data Breach Study: Global Overview,” Ponemon Institute, 2017.
2. “2017 Cost of Data Breach Study: United States,” Ponemon Institute, 2017.
3. “2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB),” Ponemon Institute, September 2017.
4. “2018 Security Alert Overload And Its Impact On MSSP Business Models,” Advanced Threat Analytics, 2018.
5. “2017 A Day in the Life of a Cyber Security Pro,” Enterprise Management Associates® (EMA™), Infobrief – April 2017.

18020507 Copyright © 2018. Armor, Inc., All rights reserved.  (US) +1 844 682 2858 | (UK) +44 800 500 3167

KNOW YOUR DWELL TIME

Dwell Time is more than just a metric; it is a catalyst for a proactive security philosophy built around a common objective. Learn more about architecting your security operations with Dwell Time in mind.


THE CYBER KILL CHAIN AND THE COST OF AN INCIDENT

[Figure: cost ($) of an incident plotted against dwell time across the kill chain phases Exploitation, Installation, Command & Control and Actions on Objectives. Annotations: "Attacker goes lateral in your environment." and "Data leaves your environment. Your costs experience a step-change due to the seriousness of the incident."]

Minimizing dwell times must be a goal of IT Security teams. Dwell time is a key metric for determining success of overall security controls and operations.

RELATIONSHIPS BETWEEN MEAN TIME TO CONTAIN AND AVERAGE COST [3]

Measured in US ($) millions

<30 DAYS: 2.83 (FY 2017), 3.18 (FY 2016)

>30 DAYS: 3.77 (FY 2017), 4.35 (FY 2016)

When the threat appears to be getting more targeted, more sophisticated and the consequences more severe, reducing Dwell Time becomes all the more critical [4]:

Cyber attacks are becoming more targeted: 60% (FY 2017), 52% (FY 2016)

Cyber attacks are becoming more severe in terms of negative consequences: 59% (FY 2017), 51% (FY 2016)

Cyber attacks are becoming more sophisticated: 59% (FY 2017), 51% (FY 2016)

THREAT ACTOR’S PROCESS

1. RECONNAISSANCE
2. WEAPONIZATION
3. DELIVERY
4. EXPLOITATION
5. INSTALLATION
6. COMMAND AND CONTROL
7. ACTIONS ON OBJECTIVES

SECURITY DEFENDERS PROCESS

DETECTION AND IDENTIFICATION, CONTAINMENT, PREVENTION, INVESTIGATION, ERADICATION, RECOVERY AND POST-MORTEM

DWELL TIME (ARMOR, RAYTHEON / WEBSENSE) VS DWELL TIME DEFINED BY OTHER VENDORS (FIREEYE/MANDIANT, CROWDSTRIKE, MSSPs)