Mean Time To Detect (MTTD) and Mean Time To Know (MTTK) are two of the most important metrics in security operations. Respectively, they measure the following:
- MTTD: How quickly you can identify something and generate an alert. It determines how fast you’re notified when something suspicious happens anywhere in your cloud or on-premises environment. Today, most security tools keep MTTD low, so you probably receive alerts pretty quickly.
- MTTK: How fast you can sort signal from noise when you get an alert. It measures how efficient the security team is at detecting real threats and understanding what those threats are. The shorter MTTK is, the sooner you will catch an attack in progress and be able to put a stop to it, reducing the negative consequences for your organization.
You can probably see why MTTK is a lot harder to make an impact on. It’s like seeing how fast you can find a needle in a haystack. Difficult, to say the least!
To begin, security teams are barraged with alerts on a daily basis, requiring manual work to sift through the noise to find a signal that indicates a real issue. Add on all the other tasks that need to be done aside from alert investigations, and it’s seemingly impossible to get ahead.
This is where automation comes in. Automation not only eliminates the need to manually handle tedious tasks (like alert response) but also helps you optimize your existing resources, empowering them to actually focus on MTTK and get it under control.
In this post, therefore, we’ll take a closer look at how the Threat Stack Cloud Security Platform® can help you integrate security into your operations from the start so you can optimize alert handling and significantly reduce your MTTK.
Context is King
AWS is very effective at alerting you when something goes wrong, sending out scanning abuse complaint notifications whenever an EC2 instance is observed to be scanning another server. These alerts keep your Mean Time To Detect (MTTD) low, but MTTD is not the same as MTTK.
While MTTD measures how quickly you can identify that a problem exists, MTTK is about measuring how quickly you can identify whether or not a problem is real and then determining its nature and cause. To do that, you’ll need context, including:
- What caused an alert? Was it an internal mistake or a malicious attack?
- Who was the specific user or system that triggered the alert? Is it someone or something external to your company, or maybe an insider threat?
- Why did it happen? Was your system compromised, or did a routine update or a known or unknown change in process set things off?
The details you get from AWS, however, are usually pretty fuzzy, so you’ll need to fill in the blanks yourself. If you’re doing this manually, gathering the necessary data to provide context is a time-consuming process that will drive up your MTTK. You’re undertaking a monumental task where time is the enemy: The longer you go without knowing the cause of an issue, the longer vital systems and data remain at risk.
In the face of this problem, Threat Stack’s Cloud Security Platform provides you with:
- Relevant system activity that indicates who did what
- A TTY Timeline that allows you to go back in time to see exactly what happened
- An activity trail that shows contributing events
You can view these contextual alerts on your Threat Stack dashboard, with all the information you need on one screen. This eliminates the need to jump between systems, trying to piece together information to figure out exactly what happened. By taking a SecOps approach — by integrating the Threat Stack Cloud Security Platform into your operational processes — you can eliminate lengthy investigations so you can begin remediating security breaches within minutes. With Threat Stack you receive better data in less time, thereby reducing your immediate risk while strengthening your overall security stance.
History’s No Mystery
You may already be baselining activity in your environment to detect anomalous behavior, but if you’re doing this manually, it can take hours or days to complete a forensic analysis. Beyond needing to dig into multiple systems, endpoint tools, and servers to determine how current behavior matches up with historical behavior, you’ll likely run into system access roadblocks, particularly if your organization follows a policy of least privilege.
In order to determine whether a threat is real, you’ll actually need to understand whether similar behavior has occurred in the past. Baselining allows you to see what activity is considered normal for your specific environment, but Threat Stack takes it one step further to indicate whether an alert is truly anomalous by showing how similar alerts have historically been triggered.
For instance, Threat Stack will show when the same command was run in a certain period of time (e.g., seven days). With this data, you can quickly see whether the command is running differently now than it has in the past, indicating that there may be a real issue at hand.
Or, if you see a regular, evenly spaced pattern of activity over time, it’s probably updates or automated activity your development team has set up. However, if you see suspicious activity at unequal intervals, it may be malware or a bad actor attempting to get in.
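The interval comparison described above, sketched as an added example (not Threat Stack's implementation or code from the original post): it labels each command's runs over a seven-day window as regular, irregular or isolated, using the coefficient of variation of the gaps between runs. The command names, timestamps and the 0.25 threshold are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(days=7)   # lookback period used in the text's example
CV_REGULAR = 0.25            # assumed threshold; tune per environment


def interval_profile(times, now):
    """Summarise how one command's executions are spaced inside the window."""
    recent = sorted(t for t in times if now - WINDOW <= t <= now)
    if len(recent) < 3:
        # Too few runs to establish a rhythm: treat as an isolated event.
        return {"runs": len(recent), "cv": None, "label": "isolated"}
    gaps = [(b - a).total_seconds() for a, b in zip(recent, recent[1:])]
    avg = mean(gaps)
    # Coefficient of variation: 0 means perfectly even spacing.
    cv = pstdev(gaps) / avg if avg else 0.0
    label = "regular" if cv <= CV_REGULAR else "irregular"
    return {"runs": len(recent), "cv": round(cv, 3), "label": label}


def triage(history, now):
    """history maps command -> list of datetimes; returns command -> profile."""
    return {cmd: interval_profile(ts, now) for cmd, ts in history.items()}


# Constructed sample history (not real telemetry).
NOW = datetime(2024, 1, 8, 0, 0)
SAMPLE = {
    # Nightly job at 03:00 on each of the last seven days.
    "apt-get update": [NOW - timedelta(days=d) + timedelta(hours=3)
                       for d in range(1, 8)],
    # Same command seen in bursts at uneven intervals.
    "cat /etc/shadow": [NOW - timedelta(hours=h)
                        for h in (150, 149.5, 90, 20, 19, 2)],
    # One run in the window; the 30-day-old run is outside it.
    "useradd tmpadmin": [NOW - timedelta(days=30), NOW - timedelta(hours=5)],
}

if __name__ == "__main__":
    for cmd, profile in triage(SAMPLE, NOW).items():
        print(f"{cmd:18} {profile}")
```

A "regular" label only says the spacing looks scheduled; it still needs to be matched against a known job or change before the alert is closed.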
Threat Stack’s analysis produces results quickly, allowing you to see:
- Whether activity is normal or abnormal
- What systems, subsystems, users, and/or applications are involved or impacted
- Whether activity occurs regularly or represents an isolated incident
Such a solution, again, dramatically reduces investigation time, errors, and your MTTK. In a dramatically shortened time frame, it turns mountains of data into actionable information.
Reacting to alerts will always be a part of security, but as modern infrastructure becomes ever more complex — as new technologies and sensitive data spread across different cloud servers, containers, and even various SaaS platforms — a reactive approach is simply not enough.
As part of the Threat Stack Cloud SecOps Program℠, we can help assess your current state of security maturity with the Threat Stack Maturity Framework℠. The Framework lays out five levels of security maturity, from completely ad hoc and manual to fully proactive and automated, and then helps you set attainable goals to move toward a more proactive security stance in order to reduce risk and increase efficiency. Using Threat Stack, many customers report that their MTTK has gone from days to minutes or even just a few seconds.
Final Words . . .
To begin assessing your security maturity for yourself, take our Cloud SecOps Maturity Assessment now. And if you’d like to see how the Threat Stack Cloud Security Platform can accelerate MTTK through automation, ask for a demonstration of our platform.