Cercles des DSI

Breakout Time: A Critical Key Cyber Metric


Why organizations need to detect an intrusion in under a minute, understand it in under 10 minutes, and eject the adversary in under an hour.

Cybersecurity breaches continue to capture headlines worldwide, particularly in the wake of nation-state and criminal cyberattacks that impact a wide range of industries. March 2018 saw major disclosed breaches from Applebee's (167 restaurants), Orbitz (880,000 payment cards), Saks Fifth Avenue and Lord & Taylor (5 million payment cards), and Under Armour (150 million user accounts). These events remind us that organizations still struggle to implement effective security strategies.

In this context, it is essential to put cybersecurity, and increased investment in this area, on the agenda of corporate boards.

CrowdStrike recently highlighted a new cyber metric, "breakout time," based on insights from its 2018 Global Threat Report. The data was compiled from 30 trillion security events collected in 2017 to analyze attacker trends and to develop best-practice recommendations. Breakout time can be used to understand and contextualize the effectiveness of an enterprise security program.

1 hour 58 minutes to prevent a security incident from becoming a real breach.

What is breakout time? It is the time an intruder takes to move laterally from the initial beachhead to other systems on the network, in order to dig deeper into the environment, carry out reconnaissance, and identify its targets. The average breakout time measured over the previous year was 1 hour 58 minutes. In other words, this is the window, narrow as it is, during which an organization can prevent a security incident from becoming a real breach: the time it has to detect and eject the intruder before the adversary has spread beyond the first compromised host. This is why speed is essential when evaluating the effectiveness of a security program.

Key Metrics Every Organization Should Know

Security is a business imperative and an executive-level priority. However, many organizations struggle to communicate security as a business issue and to find metrics that demonstrate effectiveness.

These three key metrics can help an organization estimate its readiness to defend against a breach:

1.    Time to detection of an intrusion

2.    Time to investigate an incident, understanding criticality and scope, and what response actions are necessary

3.    Time to respond to the intrusion, eject the attacker, and contain any damage

The most sophisticated organizations in the world strive to meet the following targets:

  • Detect an intrusion within an average of one minute
  • Investigate and understand it in under 10 minutes
  • Eject the adversary in under one hour

In cybersecurity, as in business, time is money. Given today's sophisticated threat landscape, it is imperative that C-levels and boards understand the trade-offs between response time and risk. Breakout time is a useful data point that puts your capability today into clear context. The best organizations in the world should strive to beat attacker breakout time and detect an intrusion in under a minute, understand it in under 10 minutes, and eject the adversary in under an hour to effectively combat stealthy cyber threats. Can you compete?
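The three metrics and the breakout-time comparison can be made concrete by measuring them from incident timestamps. The following Python is an added example written for this page, not CrowdStrike code or data: the incident field names (compromised, detected, scoped, contained) are assumptions, the sample incidents are constructed, and the only figures taken from the article are the 1 hour 58 minute breakout time and the 1-10-60 targets. It scores each incident phase against its target, then checks the number that is actually raced against breakout time: total time from initial compromise to ejection.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Budget and targets taken from the article: attacker breakout time of 1 h 58 min,
# and the 1-10-60 targets (detect / investigate / respond).
BREAKOUT_TIME = timedelta(hours=1, minutes=58)
TARGETS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "respond": timedelta(minutes=60),
}


@dataclass(frozen=True)
class Incident:
    """Four timestamps per incident; the field names are assumptions for this example."""
    name: str
    compromised: datetime  # initial foothold; usually only known in hindsight from forensics
    detected: datetime     # first alert or analyst notice of the intrusion
    scoped: datetime       # criticality and scope understood, response actions chosen
    contained: datetime    # adversary ejected and damage contained

    def __post_init__(self):
        # A clock that runs backwards means a bad timestamp, not a fast team.
        if not (self.compromised <= self.detected <= self.scoped <= self.contained):
            raise ValueError(f"{self.name}: timestamps are not in chronological order")

    def phases(self) -> dict:
        """Duration of each of the three phases the article measures."""
        return {
            "detect": self.detected - self.compromised,
            "investigate": self.scoped - self.detected,
            "respond": self.contained - self.scoped,
        }

    def dwell(self) -> timedelta:
        """Compromise to ejection: the interval that is raced against breakout time."""
        return self.contained - self.compromised


def minutes(td: timedelta) -> float:
    return td.total_seconds() / 60


def assess(inc: Incident) -> dict:
    """Per-incident verdict: each phase against its 1-10-60 target, and the whole
    incident against breakout time."""
    verdict = {phase: dur <= TARGETS[phase] for phase, dur in inc.phases().items()}
    verdict["beat_breakout"] = inc.dwell() < BREAKOUT_TIME
    return verdict


def program_metrics(incidents) -> dict:
    """Median minutes per phase across incidents, plus the share of incidents in which
    the adversary was ejected before breakout time elapsed."""
    phase_lists = {phase: [] for phase in TARGETS}
    for inc in incidents:
        for phase, dur in inc.phases().items():
            phase_lists[phase].append(minutes(dur))
    out = {f"median_{phase}_min": median(vals) for phase, vals in phase_lists.items()}
    out["median_dwell_min"] = median(minutes(i.dwell()) for i in incidents)
    out["beat_breakout_ratio"] = sum(assess(i)["beat_breakout"] for i in incidents) / len(incidents)
    return out


def t(hh, mm, ss=0):
    return datetime(2018, 3, 1, hh, mm, ss)


# Constructed sample incidents (not real data).
SAMPLE = [
    Incident("A", t(9, 0), t(9, 0, 45), t(9, 8), t(9, 50)),   # meets all three targets
    Incident("B", t(9, 0), t(9, 30), t(9, 35), t(10, 20)),    # slow detection, still beat breakout
    Incident("C", t(9, 0), t(9, 0, 30), t(9, 5), t(12, 0)),   # fast detection, slow ejection: lost
]

if __name__ == "__main__":
    for inc in SAMPLE:
        durations = {k: round(minutes(v), 1) for k, v in inc.phases().items()}
        print(inc.name, durations, assess(inc))
    print(program_metrics(SAMPLE))
```

Incident B misses the one-minute detection target yet still ejects the adversary inside the 1 hour 58 minute window, while incident C detects in 30 seconds and still loses because ejection takes three hours: the three targets are a budget, and it is the sum that has to stay under breakout time. Note that the detection clock starts at initial compromise, a timestamp the defender normally learns only from forensics after the fact, so these metrics are computed retrospectively.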

Scott Taschler, Director Marketing Products - CROWDSTRIKE
