Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
What you should know about driving down MTTD and MTTR
Nimmy Reichenberg
Group Product Marketing Manager
August 16, 2018

There’s a reason it’s said that what gets measured gets managed. In order to successfully achieve a goal, you have to be able to measure progress. It’s the only way to know if you’re heading in the right direction.

That’s why any security operations team worth their salt will be paying close attention to both their mean time to detect (MTTD) and mean time to respond (MTTR) metrics when it comes to resolving incidents.

The average dwell time for attackers still sits somewhere within the ranges of 100 to 140 days and frankly, we can do better. Security operations teams need to be fanatical when it comes to lowering these metrics within their organizations.

Significantly reducing dwell time, MTTD and MTTR starts with an understanding of attacks. From there, you need multiple groups working together in harmony enabled by technology to automate and orchestrate incident response processes.

What is MTTD, MTTR and dwell time?

Three quick definitions here:

  • Mean time to detect, or MTTD, reflects the amount of time it takes your team to discover a potential security incident.

  • Mean time to respond, or MTTR, is the time it takes to control, remediate and/or eradicate a threat once it has been discovered.

  • Dwell time captures the entire length of a security incident – reflecting the duration from when an attacker first enters your network to the time they are removed and you have returned to a known-good state.

Now we’re going to focus on how properly investing in the triad of people, process and technology can reduce these three important KPIs.

People are the biggest factor in reducing MTTD and MTTR

People are always the first layer when it comes to reducing MTTD and MTTR within any SOC.  Up and down the chain, your team needs to deeply understand both the processes and the technologies in order to detect and respond to threats quickly. This is accomplished through education and constant training.

For starters, ensure your security team fully understands your incident response processes and life cycles, common attacks and hacker techniques, and best practices for how to defend against them. A firm blue team mindset should be instilled within your team so that when they use powerful technology, its role is to accentuate their abilities. As an example, SIEM and security orchestration and automation (SOAR) tools can be used effectively by analysts of any skill level, but you’ll get even more out of your investment if your team already has a good foundation for analyzing and making judgement calls about malicious activity.

Consistent training and tabletops are also useful to test your security operations team’s understanding, alertness and procedural readiness to harden and lower your MTTD and MTTR and ensure battle-readiness when it comes to real incidents.

Clarify and codify your processes to reduce MTTD and MTTR

Before considering technology, security operations teams need to fully understand who the players are within their own organization before they start remediating or escalating security events. They also need to understand how far and what authority they have before making changes to contain or mitigate a threat.

This process is built by gaining visibility into the events occurring within their technologies and by having a framework laid out for them to detect and respond to threats. SOC teams also need a detailed understanding of the assets they’re protecting, the roles and responsibilities within each group, what internal resources are available to assist with the incident and how each incident effects their organizations from a priority standpoint. This the basis for playbooks and call trees which allow SOC teams to involve, escalate and contain active breaches.

Having proper processes established for security operations teams, tied to the appropriate groups and responsibilities, will significantly lower the MTTR metric within organizations since the predefined rules of engagement on how to tackle incidents has already been outlined. This builds confidence and empowers the SOC to contain and remediate threats efficiently and within the guidelines the organization has set forth.

Enable your team with the right tools to drive down MTTD and MTTR

Using technology to lower MTTR and MTTD is an integral part of reducing these KPIs in today’s SOCs. Security operations groups are working with a multitude of tools, many times within in disparate consoles that can limit their visibility into an attack, so having technology that allows for a central point of reference where this data can be correlated and analyzed is required.

Assuming data is being directed to a central location, the next step is to start automating and orchestrating efforts to detect and remediate attacks. Having the data directed to one location is important because your SOC needs a central point of authority when it comes to making decisions on attacks.

Cybersecurity is a collaborative effort and effectively using the people, processes and technologies in tandem is what enables security operations teams to continuously improve performance and protect their organizations. Each one of these tenets can’t stand by itself; they’re separate, yet connected. Many organizations tackle technology first and try to adapt their processes and people based on the technology stack. In reality, it should be the reverse: Technology should be the enabler that allows the other components to be streamlined into a well-oiled machine.

Using SIEM and SOAR technology, for example, allows for security operations teams to utilize their processes and procedures in automated ways to significantly reduce the MTTD & MTTR within their organizations.

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page