Threat containment has long been a challenge for security teams. Most security teams struggle with poor threat detection, manual threat response, and incomplete remediation. All of these lengthen the time needed to contain a threat, which is commonly measured by a key metric known as Mean Time to Contain (MTTC). The important thing to note is that, for security teams, time is of the essence: the longer it takes to detect, respond to, and remediate a threat, the greater the impact of that threat tends to be. The solution is not simply to buy high-priced threat response and containment systems. Even the most robust threat response solution is of little use without a clear understanding of the threat landscape, the incident response lifecycle, and the measures security teams must take to bring down their MTTC.
What is Mean Time to Contain (MTTC)?
MTTC is an important metric to measure incident management performance. It is defined as the average time taken by security teams to detect, acknowledge, and minimize the probability of further spread of an incident. This metric provides a holistic view of an organization’s response times and capabilities to measure its cybersecurity posture.
How can SOC teams reduce their MTTC?
Organizations can minimize their MTTC by building cyber fusion centers (CFCs) that help detect, contain, and remediate threats at machine speed. CFCs offer solutions that automatically orchestrate detection and response workflows across multiple tools and technologies to contain threats in real time.
Cyber Fusion: Key to a Winning Containment Strategy
Threat Intelligence Capabilities
By building CFCs, security teams can both consume and operationalize threat intelligence to enhance case management, investigate malicious activities, trigger containment measures, and track specific threats. In today’s evolving threat landscape, SOC teams need last-mile delivery of contextual and enriched threat intelligence for quicker incident response. CFCs help SecOps teams ingest threat intelligence from internal and external sources to quickly identify, prioritize, respond to, and contain cyber threats. Moreover, they can perform advanced analysis to deduce contextual intelligence on complex threat campaigns, determine attacker trajectories, and identify hidden threat patterns by connecting the dots between available threat intelligence, observed incidents, isolated threats, and other threat elements. Threat intelligence sharing enables security teams to contain threats at a faster rate.
Security Orchestration and Automation Workflows
By bringing disparate people, processes, and technologies together in one place, CFCs allow security teams to orchestrate and automate security workflows. CFCs deliver true security orchestration, automation, and response (SOAR) capabilities, enabling security teams to identify their security blind spots, define effective strategies, and automate end-to-end threat response. Irrespective of where teams are located, a CFC combines all the security functions responsible for threat detection, management, and response in an integrated and collaborative ecosystem. Furthermore, SOAR enables security teams to orchestrate workflows across cyber, DevOps, and IT tools deployed in the cloud and on-premises. SOAR enables SOC teams to handle incident and case management and triage while proactively responding to threats, thereby minimizing their MTTC.
Incident Response Lifecycle
From alert ingestion through analysis, triage, investigation, and containment, the entire incident response lifecycle can be automated with the SOAR capabilities of a CFC. SOC teams can use a SOAR solution to ingest alert data from internal and external sources and subsequently enrich and analyze that data. Using the SOAR platform, all alerts are automatically triaged, false positives are eliminated, and automated responses are triggered via playbooks. This allows security teams to investigate and respond to threats faster and reduce their overall MTTC.
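To make the metric concrete, here is an added example (not code from the original article or any CFC/SOAR product) that computes MTTC and mean time to acknowledge from case records, following the definition above: per incident, the time from detection to acknowledgement and to containment, averaged over closed incidents, with triaged-out false positives excluded. The incident records and the SLA threshold are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Incident:
    """One case record as a SOAR platform might export it (constructed shape)."""
    incident_id: str
    detected_at: datetime
    acknowledged_at: Optional[datetime] = None
    contained_at: Optional[datetime] = None
    false_positive: bool = False  # set by automated triage


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample records: two contained incidents, one false positive, one still open.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-1", _ts("2024-03-01T08:00:00"), _ts("2024-03-01T08:10:00"), _ts("2024-03-01T09:00:00")),
    Incident("INC-2", _ts("2024-03-01T10:00:00"), _ts("2024-03-01T10:30:00"), _ts("2024-03-01T13:00:00")),
    Incident("INC-3", _ts("2024-03-01T11:00:00"), _ts("2024-03-01T11:05:00"), _ts("2024-03-01T11:05:00"), True),
    Incident("INC-4", _ts("2024-03-01T12:00:00"), _ts("2024-03-01T12:20:00")),  # not yet contained
]


def _measurable(incidents: List[Incident]) -> List[Incident]:
    """Only real, closed incidents count toward MTTC; open cases and false positives are excluded."""
    return [i for i in incidents if i.contained_at is not None and not i.false_positive]


def _mean(deltas: List[timedelta]) -> Optional[timedelta]:
    return sum(deltas, timedelta()) / len(deltas) if deltas else None


def mean_time_to_acknowledge(incidents: List[Incident]) -> Optional[timedelta]:
    """Average of (acknowledged_at - detected_at) over measurable incidents."""
    return _mean([i.acknowledged_at - i.detected_at for i in _measurable(incidents) if i.acknowledged_at])


def mean_time_to_contain(incidents: List[Incident]) -> Optional[timedelta]:
    """MTTC: average of (contained_at - detected_at) over measurable incidents."""
    return _mean([i.contained_at - i.detected_at for i in _measurable(incidents)])


def over_sla(incidents: List[Incident], max_minutes: int) -> List[str]:
    """IDs of contained incidents whose time to contain exceeded the SLA, for follow-up review."""
    limit = timedelta(minutes=max_minutes)
    return [i.incident_id for i in _measurable(incidents) if i.contained_at - i.detected_at > limit]
```

Open incidents are deliberately left out of the average rather than measured against the current time, so the metric reflects only completed containment; a separate count of open cases is the usual companion figure.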
Collective Defense Approach
Security teams can channel their capabilities into a more collaborative and coordinated environment to quickly respond to and contain threats. Inter-team collaboration enables SOC teams to combine different security functions to identify, manage, and respond to threats faster. By bringing disparate security teams under a single roof, cyber fusion helps SOC teams achieve collective defense against malware, vulnerabilities, and threat actors in real time, thereby minimizing their MTTC. Furthermore, CFCs enable sharing of threat intelligence between security teams across organizations and sectors, fostering collective defense at industry scale. By ingesting and operationalizing high-context, actionable threat intelligence shared by threat sharing communities (ISACs and ISAOs), security teams can proactively identify and detect threats lurking in their environment, thereby lowering their MTTC.
MTTC is important, but it is not the only barometer for measuring incident response. Organizations should not rely on band-aid approaches to reducing MTTC. Instead, they should adopt solutions that operationalize real-time threat intelligence, automate threat response, and connect the dots between different threat elements while enabling collaboration between siloed security teams. This will not only reduce MTTC but will also help their SOC teams gain broader threat visibility and improve their cyber readiness in the long run.