What is MTTD and why should I care?

Mean Time To Detect (MTTD) is exactly what it sounds like. It’s the average time from when the first incident occurs - typically when an attacker gains access to your system(s) - to the time it is detected.  Detection could be made by a human or by your security software/hardware.  This is critical in the cybersecurity world because it measures the efficiency and effectiveness of your security as a whole.

MTTD is crucial for all organizations, whether you have your own in-house SIEM, an outsourced managed SIEM, or outsourced MDR solution (like what London Security does).  As IBM outlined in 2021, the average industry-wide Time To Detect (TTD) was 7 months, Wait...what??  Yes you read that right - 7 months in the case of large breaches.  Think of the Colonial Pipeline attack.  Do you remember how long they said the attackers were estimated to be in the environment?  Between 6 and 9 months based on the logs.  But what does this actually mean to you and me? It means the industry average is 7 months, but some were possibly 3 to 5 times as long as that, and of course there was probably a large number of cases that were within a few days or weeks to bring the average to 7 months.

Over the years we've learned the longer an attacker has access to and stays in your environment, the more likely they are to create multiple points of access, just in case you find the original attack vector and shut it down.  In previous blogs we've talked about things like lateral movement, privilege escalation, and how attackers create backdoors.  The point is, the longer it takes an organization to detect an incident the more leverage an attacker can gain on a network.

How do you measure your MTTD?

Take a look in your ticketing system to find an incident.  Look at the date and time it was logged in as a ticket. From there, review your system or security logs to find the actual date and time the incident was first seen or recorded by your hardware or software. The amount of time between the two timestamps is your Time To Detect for that incident.  Now do that for other systems and events.  Then average those out across all reported incidents and you have your MTTD.

Pretty simple right!?

Most of the time in organizations when critical events occur, it's more complicated than just finding a single entry, you need to correlate information in real-time.  For instance, what if you got rid of Solarwinds a couple of years ago and thought all agents were removed from your environment, but someone forgot to update one system script that kept reinstalling the Solarwinds agent. How would you ever know?

The above is a situation that London Security ran into recently when performing one of our Ransomware Risk Assessments. Because of the in-depth checks, our SOC Analysts discovered the Solarwinds agent that was installed was actually one of the vulnerable versions for the Solarwinds attack.  The customer, who had thought they removed all the Solarwinds agents, was actually susceptible to the attack.  Thankfully we caught it before an incident, but still...crazy!

Sometimes an attacker finds a way in, sometimes it's because an application is vulnerable or needs to be patched.  Regardless of how it happens, how long would it have taken them to figure out what happened and how it would have kept happening?  From the first incident to discovery could have been hours, days, or possibly even weeks?  Who knows?  Thankfully they don't need to worry about that now.

How can you reduce your MTTD?

Reducing MTTD is an ongoing process. It’s not something you do once and then move on to other things.  It takes time, patience, and of course...diligence. 

Obviously, the best way to reduce your MTTD to zero is by not allowing any issues or incidents.  While this goal is completely unrealistic, you can take steps in that direction by:

  • Educating users on recognizing potential issues - and instructing them on how to report them to your helpdesk
  • Remove admin access for all users
  • Ensuring your endpoint security is properly managed and maintained on a daily basis
  • Enable multi-factor authentication (MFA) wherever possible
  • Ensure change management processes include pre and post audits of your systems and network
  • Monitor your systems for malicious and abnormal activity.  Especially during the off-hours, evenings, weekends, and holidays

The more eyes you have watching your network at all times with the knowledge of what is and is not typical within your environment, the quicker any issues or incidents can be brought to your attention.

At London Security, we have a highly trained, skilled, and experienced SOC team that stands watch 24 hours a day, 7 days a week, 365 days a year.  While they are assisted and backed by an AI and ML driven threat intelligence engine, the true threat hunting and response are performed by actual humans.  Our analysts become experts on your unique environment so they know when there’s an anomaly and can investigate and correlate data to ensure your network remains secure and can act when action needs to be taken, or alert you when additional steps may be required.

If you’re ready to see how London Security’s MDR can help reduce your MTTD and increase your overall security posture, start with a risk-free 15-day FREE Proof of Value. Don’t take our word for it - see for yourself.  Fill out the form below to get started.


As a note - this is part 1 of a 4 part series.  If you don't want to wait for all the blogs to get posted, use the form below and we'll go over it with you.