Saturday, March 2, 2024

What The MTTR Is & How To Improve It

Believe it or not, just a couple of weeks ago, I signed the contract for my 18th book.  I just started writing the manuscript for it a few days ago, but now it is being bumped into my 15th book.  I am hoping to get it done by the early summer.  Interestingly enough, the topic is about Generative AI, and how that can be used to help improve the security metrics that are used in Cybersecurity today.

No doubt there are many of them, but the two key ones that I plan to focus on are what is known as the “Mean Time To Detect” (also known as the “MTTD”) and the “Mean Time To Respond” (also known as the “MTTR”). 

Although the definitions of these terms vary and can be complex, in simple terms the former measures how quickly (or slowly) the IT Security team detects an imminent threat, and the latter measures how long it takes them to contain and/or mitigate it.

Astonishingly enough, it takes an IT Security team 270 days on average to control an imminent threat.  To you and me, this seems unfathomable, but it's true.  The source for this figure can be found at the link below:

https://www.mend.io/blog/securing-the-software-supply-chain-mend-open-source-risk-report/

Because of this, the MTTR is becoming a key metric for the CISO and their superiors today.  You may be asking at this point: why is this metric so poor?  Here are some reasons:

*With the advent of AI, many new innovations are arriving at a very fast pace.  In fact, it is so quick that many of today's IT Security teams simply cannot keep up with what it takes to secure them, and this trend is only expected to accelerate.  Many more tools are being used, such as Virtual Machines (VMs) and the like.  This is technically referred to as "Sprawl".

*There is the issue of context.  With so many new products and services being AI driven, the sheer number of false positives is becoming numbing.  Although AI can also be used to present only the real and legitimate threats to an IT Security team via the SIEM, it still takes time to configure all of this manually.  The more time spent on that effort, the fewer resources are dedicated to actually fighting off the threats that are already present.

*Many organizations lack a cohesive Vulnerability Management program that can be easily deployed and enforced.  Without one, just as with the false positives, there is a very strong blur as to what can even be considered a vulnerability.  For instance, only 33% of them can be deemed critical in nature.  That leaves about 67% of them that are not real.  So how is an IT Security team supposed to filter through all of this?

(SOURCE:  https://www.edgescan.com/intel-hub/stats-report/)

To make matters even worse, a mind-blowing 25,082 vulnerabilities were recorded in total, which represents a staggering 24% increase over the previous year.

(SOURCE:  https://www.cvedetails.com/browse-by-date.php)

So given these dire circumstances, what can you, as the CISO of your business, do to help improve your MTTR metric?  Here are some steps to start with:

*Conduct a comprehensive Risk Analysis:  I have always been a huge fan of this.  With this approach, you inventory all of your assets, both physical and digital, and rank them according to a Vulnerability Scale.  There are already frameworks out there to help you do this, most notably from CISA and NIST.  In doing so, you can also examine what you truly need and don't need.  In turn, this helps reduce Sprawl, which then decreases the number of vulnerabilities you ultimately have to manage.

*Examine your Triaging Structure:  Look at what you have in place right now and determine whether it is really working.  If it is not, then you and your IT Security team will have to find a way to either improve it or replace it entirely.  But whatever you end up doing, test it in a sandbox environment before deploying it into production.

*Be proactive about it:  Once you have done the above two things, make sure you keep a proactive watch on how your MTTR is doing.  Keep measuring it on a regular schedule, because in the end, as the CISO, you will ultimately be held responsible for it.
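As an added illustration (not code from the original post), here is one way to measure the two metrics described above from your own incident records on a regular schedule; the record fields, the hour-based units, and the sample incidents are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    id: str
    severity: str                  # e.g. "critical", "high", "medium", "low"
    first_seen: datetime           # when the threat actually began (from forensics)
    detected: Optional[datetime]   # when the SOC raised the alert; None = never detected
    contained: Optional[datetime]  # when it was contained/mitigated; None = still open

def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600

def _match(inc: Incident, severity: Optional[str]) -> bool:
    return severity is None or inc.severity == severity

def mttd_hours(incidents, severity=None):
    """Mean Time To Detect: first_seen -> detected. Undetected incidents are skipped."""
    deltas = [_hours(i.first_seen, i.detected) for i in incidents
              if i.detected is not None and _match(i, severity)]
    return mean(deltas) if deltas else None

def mttr_hours(incidents, severity=None):
    """Mean Time To Respond: detected -> contained. Open incidents are skipped,
    so always report them alongside the mean or the metric looks better than it is."""
    deltas = [_hours(i.detected, i.contained) for i in incidents
              if i.detected is not None and i.contained is not None and _match(i, severity)]
    return mean(deltas) if deltas else None

def open_incidents(incidents):
    """Detected but not yet contained; these are excluded from MTTR and must be surfaced."""
    return [i.id for i in incidents if i.detected is not None and i.contained is None]

# Constructed sample data for the example; not from any real environment.
T0 = datetime(2024, 3, 1, 8, 0)
SAMPLE = [
    Incident("INC-1", "critical", T0, T0 + timedelta(hours=2),  T0 + timedelta(hours=6)),
    Incident("INC-2", "critical", T0, T0 + timedelta(hours=10), T0 + timedelta(hours=34)),
    Incident("INC-3", "low",      T0, T0 + timedelta(hours=48), T0 + timedelta(hours=50)),
    Incident("INC-4", "high",     T0, T0 + timedelta(hours=4),  None),  # still open
]

if __name__ == "__main__":
    print("MTTD (all):", mttd_hours(SAMPLE), "h | MTTD (critical):", mttd_hours(SAMPLE, "critical"), "h")
    print("MTTR (all):", mttr_hours(SAMPLE), "h | MTTR (critical):", mttr_hours(SAMPLE, "critical"), "h")
    print("Open incidents excluded from MTTR:", open_incidents(SAMPLE))
```

Breaking the figures out by severity keeps the 67% of non-critical findings from masking how long the critical ones take to contain.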

My Thoughts On This:

The above are just some of the steps you can take, and of course, as things evolve (especially with AI), there will be other actions you need to take as well.  But one of the big benefits of a lower MTTR is that your C-Suite will be more inclined to give you a higher budget – in the name of keeping the business safe.

Also, keep an eye on my new book.  It will actually discuss how a Digital Person can help your IT Security team in bringing down your MTTR.
