John Titmus, Senior Director EMEA at CrowdStrike, outlines the key metrics security teams should be using to understand the evolving threat landscape and associated organisation risks.
Forward-leaning organisations are by now well-educated around the increasing severity and frequency of cyberattacks. Controls have been tightened, security platforms and teams have been put in place, and employees have been briefed on tactics for improved cyber hygiene. However, the ‘elephant in the room,’ which is often unacknowledged, is that security teams are still buckling under the sheer weight of daily incidents and alert fatigue, with a UK business suffering a cyberattack every minute in early 2019.
Not only are security teams struggling, but the CISO is becoming increasingly stretched as the scope of their role broadens and they have less time to dedicate to understanding – even if they can’t manage – every live threat in their environment on an ongoing basis. For today’s CISO, balancing business needs and the complex environment they are responsible for is a challenge to overcome every day.
A robust cybersecurity strategy is a must, but how can this be achieved in practice and how can security teams effectively alert the broader executive layer to varying levels of threats to inspire appropriate sponsorship and a business response?
The answer lies in outlining and defining the key metrics security teams should be using to understand the evolving threat landscape and associated organisational risk: speed. Within this, there are two metrics that must be understood in order to beat the clock; breakout time and the 1-10-60 metric that the whole organisation can understand, utilise and get behind.
Breakout time
The first valuable metric for CISOs and their security teams to bolster their cyber-response is breakout time. This refers to the window of time from when an adversary first compromises a machine, to when they begin moving laterally across the network from that entry point. Speed is of the utmost importance when stopping criminals before they ‘break out’.
The CrowdStrike Global Threat Report 2019 was able to provide a granular examination of breakout time by clocking the average speed of major nation-state actors. Russia-based threat actors are almost eight times (18 minutes) as fast as their speediest competitor — North Korea-based adversaries, who themselves are almost twice as fast as intrusion groups from China. While certainly not the only metric to judge sophistication, the ranking by breakout time is an interesting way to evaluate the operational capabilities of major threat actors. As a consequence, it shows how fast defenders need to be to stop a criminal’s initial entry point from turning into a breach.
One of the most important implications of this data, however, is that it is an indication of how fast defenders have to be in order to stop a breach from the adversaries that may be likely to target them. They may have more time if they are dealing with a threat actor who tends to be slower at lateral movement, but security teams cannot waste even a second when dealing with fast-moving actors, such as those affiliated with the Russian government, for example.
The 1-10-60 rule
Adequately preparing for cyberthreats should equate to a risk mitigation strategy that works from the top-down and involves not only CISOs but other C-levels, BoD and security teams. If the CISO can’t give the board something to work with, like simple metrics for action and success, they won’t be able to get the right sponsorship and support.
Breakout time is a key and insightful metric to guide security teams on the importance of quick reactions and in order for them to measure their ability to respond to intrusions, CrowdStrike advocates the 1-10-60 rule to define metrics for accountability and readiness.
1-10-60 is an easy-to-digest metric that depicts to boards of directors and C-suites on how to make cybersecurity a top priority – and a way to measure if the organisation is meeting metrics. These three outcome-driven numbers can spell the difference between an organisation stopping an incident leading to a breach or experiencing catastrophic data loss and can help the C-suite understand how the business performs and if it’s meeting its security policy and compliance goals, which should include:
- 1: Time to detection – Detect an incident or intrusion with automation: Within one minute
- 10: Time to investigation – The length of time it takes to find out if the incident is legitimate and determine next steps like containment or remediation: Within 10 minutes
- 60: Time to remediation – The time needed to eject the intruder and clean up the network: Within 60 minutes
Beating the clock
In order to keep up with the 1-10-60 rule, security teams must be able to answer the following questions within the given time frames and communicate them effectively back to the CISO: Within one minute, you should be able to identify if you’re under attack; within 10 you need to identify what is the most critical action to take; and in the hour, a strategy needs to be put in place and executed.
While not every organisation can easily achieve these fast reaction times, this rule provides a benchmark for CISOs to measure performance on a monthly or quarterly basis, hopefully helping them reduce this overtime. This can help them to determine if practice and results are going in the right direction and can offer clarity for conversations regarding security posture with the board.
Technology innovators are helping with this process by filtering endpoint detection and response (EDR) data into actionable insights for both the CISO and the board via dashboards, and in line with SLAs and key metrics like 1-10-60. Despite this, the threat landscape continues to evolve in both complexity and scale, requiring adequate budget and resources to ensure CISOs and security teams can quickly respond to cyberattacks.
To avoid becoming headline news, businesses need to arm themselves with next-generation solutions. AI-driven cloud-native solutions are helping CISOs supercharge data analysis, allowing them to extract valuable insights in real-time while freeing them up to focus on remediation strategies and remaining proactive, rather than reactive. All-in-all, they can feed into automation technology that helps an organisation beat the clock consistently – the way they need to, to survive in the cyber arena.