CyberSecurity SEE

Dwell Time: The Primary Threat to Security Operations Center (SOC) Teams in 2023


A significant concern for Security Operations Center (SOC) teams is dwell time, which refers to the length of time that cyber attackers remain undetected within an organization’s network. This issue poses a major threat because attackers have more time to steal sensitive data or introduce destructive ransomware. According to IBM’s Cost of a Data Breach Report for 2021, it took an average of 287 days for organizations to discover and remove attackers. Despite organizations’ efforts, this dwell time doesn’t seem to be decreasing substantially. The question is why this is happening and what organizations can do to protect themselves.

One common way that hackers gain initial access to a network is by exploiting the employees of a company. They often achieve this through social engineering or phishing attacks via cell phone or email. Once they gain access and acquire the usernames for a particular enterprise, they attempt to hack into the network by guessing passwords or using brute force techniques. Moreover, if hackers possess legitimate credentials, it becomes more challenging for SOC teams to detect and block them.

Software and system exploits also remain a significant issue for organizations. Zero-day exploits, which are vulnerabilities unknown to the organization, and unpatched vulnerabilities provide frequent entry points for hackers. It is crucial for IT teams to maintain regular contact with software vendors and internal software architects to stay updated on the latest vulnerabilities and patches. If a patch is available, IT staff should promptly apply it after testing it in their environment.

Another entry point for hackers is through smaller organizations that lack the resources to hire dedicated security staff. When organizations don’t have a specialized security team, cybersecurity responsibilities often fall on IT professionals who may lack the software, tools, and skills needed to prevent and detect cyber attacks effectively. This gap makes such organizations prime targets for hackers and hacking groups, who can then abuse the smaller organization’s trusted access to breach larger organizations’ networks in a supply chain attack.

Despite the various methods hackers use to exploit employees and software vulnerabilities, organizations can reduce dwell time. By utilizing unified SOC views, implementing true machine learning, and establishing a cost-efficient data model, organizations can prepare themselves to combat these hackers and other threats that come their way.

A unified SOC view can streamline investigations by automating initial response procedures and gathering actionable intelligence. This allows SOC teams to investigate threats more quickly and take actions to remove attackers from the network. It’s important to note that SOC teams using static, legacy threat detection products may not be optimizing their systems to their fullest potential. These legacy products often produce numerous false positive alerts, which can worsen dwell time by diverting attention from real threats. Adopting machine learning for threat detection allows for adaptability and the ability to detect different variants of threats, providing accurate threat detection for SOC teams.

True machine learning software can adapt to new situations and threats, unlike products that are only rules-based. Modern cybersecurity software that incorporates true machine learning can create models of typical activities and adjust them based on incoming data. This enables the software to more accurately identify true positives, thereby saving time and effort for SOC teams and security analysts. SOC teams can then detect new and emerging threats that are not yet included in their threat intelligence feeds.
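To make the contrast between a static rule and an adaptive baseline concrete, here is an added example (not code from the article or from Gurucul). It scores constructed authentication events with a fixed "outside business hours" rule and with a per-user baseline of login hours and source hosts that updates as events arrive; the night-shift user shows how the static rule produces repeated false positives while the baseline learns his normal pattern, and the off-hours login from a new host shows the baseline flagging a genuine deviation.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (user, ISO timestamp, source host); illustrative only.
EVENTS = [
    ("alice", "2023-03-01T09:05:00", "ws-alice"),
    ("alice", "2023-03-02T08:58:00", "ws-alice"),
    ("alice", "2023-03-03T09:12:00", "ws-alice"),
    ("alice", "2023-03-04T02:47:00", "vpn-gw-03"),   # off-hours login from a new host
    ("bob",   "2023-03-01T22:10:00", "ws-bob"),       # bob works the night shift
    ("bob",   "2023-03-02T23:02:00", "ws-bob"),
    ("bob",   "2023-03-03T22:41:00", "ws-bob"),
    ("bob",   "2023-03-04T22:55:00", "ws-bob"),
]

def static_rule(ts):
    """Legacy rules-based check: alert on any login outside 07:00-19:00."""
    return not 7 <= ts.hour < 19

class Baseline:
    """Per-user model of typical login hours and hosts, updated by every event."""
    def __init__(self, warmup=3, hour_tolerance=3):
        self.hours = defaultdict(list)  # user -> observed login hours
        self.hosts = defaultdict(set)   # user -> observed source hosts
        self.warmup = warmup            # events needed before a user is scored
        self.tol = hour_tolerance       # allowed deviation from the mean hour

    def score(self, user, ts, host):
        """Return the reasons an event deviates from the user's baseline (empty
        list means normal), then fold the event into that baseline. The mean-hour
        check is deliberately simple and does not wrap at midnight."""
        reasons = []
        seen = self.hours[user]
        if len(seen) >= self.warmup:
            mean_hour = sum(seen) / len(seen)
            if abs(ts.hour - mean_hour) > self.tol:
                reasons.append("unusual_hour")
            if host not in self.hosts[user]:
                reasons.append("new_host")
        seen.append(ts.hour)
        self.hosts[user].add(host)
        return reasons

def compare(events):
    """Run both detectors; returns (user, static_alert, baseline_reasons) per event."""
    model = Baseline()
    out = []
    for user, stamp, host in events:
        ts = datetime.fromisoformat(stamp)
        out.append((user, static_rule(ts), model.score(user, ts, host)))
    return out
```

Running `compare(EVENTS)` shows the static rule firing on all four of bob's legitimate logins, while the baseline stays quiet for him and flags only alice's anomalous event.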

Establishing a cost-efficient data ingestion model is crucial to prevent an overwhelming number of false positive results. An unfiltered approach to data analysis often surfaces unusual but legitimate activity, overwhelming SOC analysts with alerts that look like real threats but turn out to be false. By implementing unlimited data ingestion for full analytics, security software gains a comprehensive understanding of network activities, leading to more accurate threat detection. Limiting analytics to save costs may compromise threat detection accuracy and burden SOC teams. Additionally, paying based on data volume can quickly increase expenses.

Dwell time remains a critical threat for organizations, continually worsening each year. However, organizations can reduce dwell time by adopting a unified SOC approach, using true machine learning software, and implementing a cost-efficient data ingestion model that allows for thorough analytics. By prioritizing these measures, SOC teams can minimize the damage caused by attackers and mitigate the costs associated with data breaches. It is crucial for organizations to modernize their security systems and software while taking proactive steps to defend against attackers dwelling on their network.

About the Author:

Sanjay Raja, the Vice President of Product at Gurucul, brings over 20 years of experience in building, marketing, and selling cybersecurity and networking solutions. He has held successful leadership roles in Marketing, Product Strategy, Alliances, and Engineering at various companies, including Prevailion, Digital Defense, Lumeta, RSA, Cisco Systems, and HP Enterprise Security, among others. Sanjay holds a B.S.EE and an MBA from Worcester Polytechnic Institute, and he is CISSP and Pragmatic Marketing certified.
