The global cyber threat landscape facing businesses is becoming more daunting every year. SecOps professionals are increasingly turning to information-based approaches to deal with current threats and adapt to new ones. Two useful metrics for measuring an organization’s current aptitude at responding to malicious attacks are MTTD and MTTR. The same metrics can be used to graph the improvement (or deterioration) of incident response performance over time. So, what are MTTD and MTTR, and how can you improve your organization’s scores on these KPIs?
What is MTTD?
MTTD stands for Mean Time to Detect/Discover. This refers to the average time it takes your security infrastructure to detect that a breach, infection, or attack has taken place. The time is measured from the moment the event first occurred to the moment it’s picked up.
For example, let’s say your endpoint security solution detects a malware infection at 6:45 AM on Friday. After an extensive security audit, you trace the origins and establish that the infection actually occurred at 4:30 PM on Wednesday. In this case, the time to detect (TTD) was 38 hours and 15 minutes, or 1 day, 14 hours, and 15 minutes.
By averaging the TTD over a certain period, say a month, you get the MTTD for your organization.
What is MTTR?
MTTR stands for Mean Time to Resolve (alternatively to Recovery, Repair, or Respond). It refers to the average amount of time it takes to recover from system failure. It has a strong relation to another metric, MTTF, which measures the average time to failure after an event.
MTTR is calculated by measuring the time from the moment a system fails until the moment it’s fully operational again. Since a malicious attack doesn’t always result in failure, the clock may also start once the system is purposefully taken down to avoid theft or loss of data or further damage.
Depending on your incident response plan or protocol, MTTR itself may consist of a number of steps. A relatively standard IR plan involves the following steps post detection:
- Containment: Stopping the spread by isolating compromised system components and moving business operations over to secure/failover channels and reauthenticating access.
- Eradication: This involves the actual removal of the threat, such as malware artifacts or unauthorized access.
- Recovery: During this process, sanitized components/resources are reintroduced to the network in order to resume normal operations.
Only once all these steps are completed and normal business operations are resumed is the incident considered “resolved.”
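As an added example, not code from the original article: the definitions above turned into a small Python calculator for a month of incidents. It assumes a record with four timestamps per incident (the field names and the sample dates are constructed); the first sample incident reproduces the article’s own Wednesday 4:30 PM to Friday 6:45 AM case, and an incident with no outage is deliberately left out of MTTR, as the text describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Incident:
    occurred_at: datetime                # when the attack really began (found in the post-incident audit)
    detected_at: datetime                # when security tooling first picked it up
    outage_began_at: Optional[datetime]  # system failed or was deliberately taken down; None if neither
    resolved_at: Optional[datetime]      # normal business operations fully resumed

    def time_to_detect(self) -> timedelta:
        # TTD runs from the real start of the event, not from the alert
        return self.detected_at - self.occurred_at

    def time_to_resolve(self) -> Optional[timedelta]:
        # MTTR only applies when there was an outage (forced or deliberate) to recover from
        if self.outage_began_at is None or self.resolved_at is None:
            return None
        return self.resolved_at - self.outage_began_at

def mean(deltas: List[timedelta]) -> timedelta:
    return sum(deltas, timedelta()) / len(deltas)

def mttd(incidents: List[Incident]) -> timedelta:
    return mean([i.time_to_detect() for i in incidents])

def mttr(incidents: List[Incident]) -> Optional[timedelta]:
    ttrs = [t for t in (i.time_to_resolve() for i in incidents) if t is not None]
    return mean(ttrs) if ttrs else None

def share_within(deltas: List[timedelta], target: timedelta) -> float:
    # Fraction of incidents finished within a target, e.g. a 24-hour cut-off
    return sum(1 for d in deltas if d <= target) / len(deltas)

def fmt(td: timedelta) -> str:
    days, rem = divmod(int(td.total_seconds()), 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days}d {hours}h {rem // 60}m"

# Constructed sample month (dates are assumptions); 1 May 2019 was a Wednesday,
# so the first incident is the article's infection Wed 4:30 PM / detection Fri 6:45 AM.
SAMPLE = [
    Incident(datetime(2019, 5, 1, 16, 30), datetime(2019, 5, 3, 6, 45),
             datetime(2019, 5, 3, 7, 0), datetime(2019, 5, 3, 19, 0)),
    Incident(datetime(2019, 5, 10, 9, 0), datetime(2019, 5, 10, 10, 30), None, None),  # no outage
    Incident(datetime(2019, 5, 20, 12, 0), datetime(2019, 5, 21, 12, 0),
             datetime(2019, 5, 21, 13, 0), datetime(2019, 5, 22, 19, 0)),
]

if __name__ == "__main__":
    ttds = [i.time_to_detect() for i in SAMPLE]
    print("TTD of the article's example:", fmt(ttds[0]))  # 1d 14h 15m
    print("MTTD:", fmt(mttd(SAMPLE)), "| MTTR:", fmt(mttr(SAMPLE)))
    print("Detected within 24h:", f"{share_within(ttds, timedelta(hours=24)):.0%}")
```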
How to Improve MTTD and MTTR?
The two metrics are interdependent: you can’t respond to an incident you haven’t detected, so the first step in improving MTTR is to improve MTTD. From a damage mitigation perspective, it also doesn’t help if you can quickly identify breaches but are unable to respond to them efficiently.
A 2019 SANS survey showed that businesses still had a long way to go in improving MTTD and MTTR metrics. Almost half of businesses take more than 24 hours to merely detect an event. Only around 67% of businesses resolve issues within 24 hours. However, other studies by Verizon and IBM point to the fact that many more threats go unaddressed for months, if not years.
Because these two metrics are so strongly intertwined, we’ll consider how to improve them holistically. Here are some of the most effective ways to prepare your organization for any security-related eventuality:
- Conduct an incident response readiness assessment – Analyze your current readiness by reviewing your IR procedures, conducting exercises, reviewing documentation, and testing stakeholders’ understanding of their roles and responsibilities.
- Implement an IR plan – Come up with a specific incident response plan that takes into account:
  - A dedicated IR team, whether it’s internal or an IR retainer service
  - Funding and resources
  - Your most critical components/assets
  - Points of failure, most at-risk endpoints, and threat profile
  - Employee education and training
  - A business continuity plan
  - A step-by-step incident response procedure
- Invest in a SOAPA or SOAR security solution – Security experts increasingly agree that an endpoint security solution that leverages automation and workflow integration is the future of business security. These solutions also carry the highest potential for damage mitigation.