Understanding the Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) Metrics to Improve your SOC

JehanDZ
4 min read · Jun 2, 2020


The average dwell time for attackers once they are inside a network is in the range of 100–150 days, which the author equates to roughly 5 months before security teams notice any unusual or malicious activity within the network. At the same time, the nature of cyber-attacks has changed dramatically, with attackers being well organized and well-funded, many of them supported by nation states. They have sophisticated technical skills, which they use to create custom malware that can bypass the detection technologies organizations have in place, and they will not stop until they reach their objectives.

If a motivated attacker wants to penetrate your network, they will find a way in, and it is up to the security team to stay one step ahead if it wishes to detect and respond to these attacks as quickly as possible. Finding and fixing vulnerabilities and other loopholes keeps your organisation ahead of the attackers. Measuring your ability to do so shows where the organization and its security team need to improve and where to focus their attention. The two metrics that help an organization's SOC team measure its effectiveness are MTTD and MTTR.

  • Mean Time to Detect (MTTD): the average amount of time it takes your security team to discover a potential security incident.
  • Mean Time to Respond (MTTR): the average time it takes to control, remediate and eradicate a threat once it has been discovered. Poor performance on this metric, in the form of extended response times, leads to higher breach costs.

MTTD is calculated as the time from when a threat was first seen in the network to the time it was either prioritised as a viable incident or dismissed. MTTR is calculated from the time the threat was confirmed as an incident to the time it was mitigated enough to reduce the risk level.
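To make the two definitions concrete, the following is an added example (not code from the original post) that computes MTTD and MTTR over a small set of constructed incident records. It follows the post's boundaries: MTTD runs from first sighting to triage (prioritised or dismissed, so dismissed records still count), and MTTR runs from confirmation as an incident to mitigation, so dismissed and still-open records are excluded and listed separately. The record fields and the `Incident` class are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import List, Optional

@dataclass
class Incident:
    ident: str
    first_seen: str             # ISO 8601 timestamp of the earliest alert/log event
    triaged: str                # when an analyst prioritised or dismissed it
    is_incident: bool           # False means dismissed at triage (MTTD only)
    mitigated: Optional[str] = None  # None while dismissed or still open

# Constructed sample data for illustration; not real incidents.
SAMPLE: List[Incident] = [
    Incident("INC-001", "2020-05-01T08:00:00", "2020-05-01T10:00:00", True, "2020-05-01T16:00:00"),
    Incident("INC-002", "2020-05-03T09:30:00", "2020-05-04T09:30:00", True, "2020-05-06T09:30:00"),
    Incident("INC-003", "2020-05-05T12:00:00", "2020-05-05T12:30:00", False),  # dismissed
    Incident("INC-004", "2020-05-07T00:00:00", "2020-05-07T06:00:00", True),   # still open
]

def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def mttd_hours(incidents: List[Incident]) -> float:
    """Mean of first_seen -> triaged over every triaged record, dismissed ones included."""
    return mean(_hours(i.first_seen, i.triaged) for i in incidents)

def mttr_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean of triaged -> mitigated over confirmed incidents that were actually mitigated."""
    closed = [i for i in incidents if i.is_incident and i.mitigated]
    return mean(_hours(i.triaged, i.mitigated) for i in closed) if closed else None

def open_incidents(incidents: List[Incident]) -> List[str]:
    """Confirmed incidents with no mitigation time yet; they drag on risk but are not in MTTR."""
    return [i.ident for i in incidents if i.is_incident and not i.mitigated]

if __name__ == "__main__":
    print(f"MTTD: {mttd_hours(SAMPLE):.2f} h")
    print(f"MTTR: {mttr_hours(SAMPLE):.2f} h")
    print("Open:", open_incidents(SAMPLE))
```

Tracking the open list alongside MTTR matters: an average that silently drops unresolved incidents can look healthier than the SOC actually is.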

As seen in the figure above, your SOC operation matures as its MTTD and MTTR improve. By bringing these times down from months to minutes, the SOC has matured enough to detect threats faster and is therefore able to respond to them faster.

There are various things that can help to drive down MTTD and MTTR:

  • Create an incident response plan and make sure that your security team knows all the processes and technologies needed to detect and respond to threats quickly. This can be achieved through continuous training and education such as tabletop exercises and simulations.
  • Have proper processes and rules of engagement in place so that the SOC team knows the assets within the organisation as well as the escalation matrices and contact points, so that they can quickly identify asset owners during an incident.
  • Understand the adversaries: their capabilities, intentions, tools and how they behave. This can be achieved by integrating threat intelligence into your SOC operation.
  • Utilize security tools such as packet capture and network activity monitoring within the organisation to watch for indicators of compromise (IOCs) of these threat actors. This can also be carried out by leveraging threat hunters and analysts in the SOC team.
  • Active discovery, or threat hunting, within the network can help to drive down MTTD by constantly applying the knowledge gained from threat intelligence to hunt for adversaries within your network.
  • Conduct regular cybersecurity training for employees. People are usually the weakest link in the security chain: employees may inadvertently click on malicious links or fall prey to phishing emails. In addition, non-technical management may not fully understand the risk of a cyber security incident and therefore may not allocate sufficient budget. The more educated everyone in the company is about cybersecurity, the easier it will be to protect and defend against these cyber-attacks.
  • Leverage automation and orchestration. Security orchestration, automation and response (SOAR) tools can help security teams to centralize, correlate and analyze event data from multiple sources such as SIEM, network packet capturing, threat intelligence etc. This can allow your SOC team to make quicker decisions which lowers the MTTR.
  • Leverage deception technology that can help security teams to identify and study techniques of the attackers while the attackers are distracted by the decoys. This can help to drive down MTTD and act as an added security barrier.
  • Leverage machine learning (ML) technology to detect advanced threats and improve the capabilities of your SOC team. This can help to accelerate investigations and to reduce the workload on the SOC staff thus increasing their productivity which in turn can help to reduce MTTD and MTTR.

Cyber attacks will persist, and more advanced attackers will continue to come into the spotlight, testing the efficiency and preparedness of SOC operations. However, if your SOC operation and team are well prepared with the necessary procedures and tools, they can stay one step ahead of the attackers. By measuring metrics such as MTTD and MTTR, management can readily see the effectiveness of their investment and gauge the ROI of the SOC operation to some extent. These metrics also help SOC managers to fine-tune the SOC operation and to identify areas where their team needs to improve.


Information Security Professional specialising in Incident Response, SIEM & SOC Implementation Consultations, Threat Research and Consulting.