Mean time to detect (MTTD) is one of the key performance indicators (KPIs) used to evaluate the efforts of information security professionals.
Moving at digital speed has both advantages and disadvantages. Work is accomplished rapidly and effectively, yet when a cyber-attack occurs, the attackers move at digital speed too. Therefore, threat identification and incident response must be agile and prompt.
MTTD quantifies the elapsed time between an intrusion and its detection: how long an issue — a vulnerability, an incursion, or any other type of malicious activity — is present in a network before the responsible parties become aware of it.
Mean time to detect, also known as mean time to identify (MTTI), is calculated by dividing the total of the individual detection times (intrusion to detection, per incident) attributable to a technician, security team, or time period by the number of incidents. Provided the organization keeps accurate records of its incidents, the computation is simple.
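The calculation described above, as an added example that is not part of the original article: a small Python script that derives per-incident time to detect from intrusion and detection timestamps, then averages it overall, per team, or per month. The incident records are constructed for illustration; the field names (`intrusion`, `detected`, `team`) are assumptions. Incidents that have no detection time yet are still open and are left out of the mean, since counting them with a partial duration would understate MTTD.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample incident records (not real data). "detected" is None
# for an incident that has not been found yet; it cannot be counted.
INCIDENTS = [
    {"id": "INC-1", "team": "soc-a", "intrusion": "2024-03-01T02:00:00", "detected": "2024-03-01T08:00:00"},
    {"id": "INC-2", "team": "soc-a", "intrusion": "2024-03-05T10:30:00", "detected": "2024-03-05T12:30:00"},
    {"id": "INC-3", "team": "soc-b", "intrusion": "2024-03-10T00:00:00", "detected": "2024-03-12T00:00:00"},
    {"id": "INC-4", "team": "soc-b", "intrusion": "2024-03-20T09:00:00", "detected": None},
    {"id": "INC-5", "team": "soc-a", "intrusion": "2024-04-02T14:00:00", "detected": "2024-04-02T18:00:00"},
]


def time_to_detect(record):
    """Return the intrusion-to-detection interval, or None if the incident is
    still open or the timestamps are inconsistent (detection before intrusion)."""
    if not record.get("detected"):
        return None
    start = datetime.fromisoformat(record["intrusion"])
    end = datetime.fromisoformat(record["detected"])
    if end < start:
        # Clock skew or a data-entry error; exclude rather than let a
        # negative duration pull the mean down.
        return None
    return end - start


def open_incidents(records):
    """IDs of incidents that have no detection time yet (excluded from MTTD)."""
    return [r["id"] for r in records if not r.get("detected")]


def mttd_hours(records, group_by=None):
    """Mean time to detect in hours.

    group_by=None        -> a single float over all detected incidents
    group_by="team"      -> dict keyed by that record field
    group_by=<callable>  -> dict keyed by callable(record), e.g. month
    """
    totals = defaultdict(timedelta)
    counts = defaultdict(int)
    for r in records:
        ttd = time_to_detect(r)
        if ttd is None:
            continue
        if group_by is None:
            key = "all"
        elif callable(group_by):
            key = group_by(r)
        else:
            key = r[group_by]
        totals[key] += ttd
        counts[key] += 1
    result = {k: totals[k].total_seconds() / 3600 / counts[k] for k in counts}
    return result if group_by is not None else result.get("all")


def mttd_by_month(records):
    """MTTD grouped by the month in which the intrusion began (YYYY-MM)."""
    return mttd_hours(records, group_by=lambda r: r["intrusion"][:7])


if __name__ == "__main__":
    print("overall MTTD (h):", mttd_hours(INCIDENTS))
    print("per team (h):    ", mttd_hours(INCIDENTS, "team"))
    print("per month (h):   ", mttd_by_month(INCIDENTS))
    print("still open:      ", open_incidents(INCIDENTS))
```

Grouping by team or by month is what makes the number actionable: a single organization-wide mean can hide one team or one quarter with a much longer detection time, which is exactly the gap the rest of this article is about closing.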
Challenges of improving MTTD
The capacity to reduce MTTD may be constrained by a number of factors:
Lack of transferable knowledge: The Internet is rife with malware that bad actors can purchase off the shelf and deliver as-is or with minimal modification. Knowing how such malware behaves and what its warning signs are benefits the teams that set up security, but without a foundation of knowledge that defenders can apply to comparable scenarios, detection will be slow.
Lack of experience: Confidence and the ability to shorten detection times come from security personnel’s experience in handling these incidents. Having worked through incidents, they know how to apply what they learned.
Lack of process: Teamwork reduces MTTD; however, teams must adhere to a procedure and be comfortable with it in order to collaborate and address incidents. When team members have experience working together, they know what to do, on whom to rely, and how to transition from investigation to mitigation. That procedure must be validated in practice.
Best techniques to enhance MTTD
Giving teams practice and a sense of accomplishment as they carry out their duties makes the job of security less daunting. The effect cascades: as security and IT reduce their response times, interruptions across the organization decrease, disruptions and outages become less visible, and they are no longer attributed to those teams.
Here are a few tips that can help bring down those MTTDs:
Practice: Don’t wait for a real incident to test the team or to put things into practice; start preparing with live simulations now. Simulations expose defenders to incidents and prepare them for the real thing. If they have seen how events unfold in a controlled simulation, they can anticipate how those events may unfold outside that controlled setting.
Be practical: Understand that the threat landscape changes. Security teams must be able to think abstractly in order to anticipate where threats may evolve. This is why transferable knowledge is essential: a change in the environment may be the key to detecting a new threat. Use solo and team exercises to keep up with the ever-changing threat landscape and attack strategies.
Invest in training: Ensure that the team is trained, competent, and comfortable using the available security solutions. Security personnel must practice with and understand the technologies they use, because those technologies keep evolving. A security team may have the budget for some of the latest and finest tool sets on the market, but if its members do not know how to use them in the context of their jobs, the team will never realize the tools’ full potential.
Nothing can ever adequately prepare a company for every potential ransomware scenario. However, if organizations train for multiple situations, their team will be able to make decisions faster, and react appropriately when an unforeseen incident occurs.
All of these will decrease MTTD.