Reducing security operations MTTD and MTTR

For many security operations (SecOps) teams, the real measure of where the “rubber meets the road” is tied to two metrics—Mean Time to Detect (MTTD) an attack, and the Mean Time to Respond (MTTR), which is the time needed to take action and neutralize the threat. As the stakes of a cyber attack increase, management wants to see progress on both metrics.

Improvement in these metrics can be achieved by focusing on how the individual security tools and products can work better together. The interoperability and integration of many different solutions is critical for detecting and responding to a threat more quickly. A security automation and orchestration platform enables a SecOps team to combine the capabilities of multiple security solutions with the aim of improving these critical KPIs.

And clearly there is a very real need to improve these metrics.

The 2016 SANS Incident Response Survey found that 21 percent of organizations had an MTTD of two to seven days, and only 29 percent could detect an incident in 24 hours or less. The same study found that only 18 percent of respondents could move from detection to response (MTTR) in a day or less. Worse, 38% percent of the survey admitted that they typically don’t respond in less than a week.

Orchestration allows a SecOps team to centralize, correlate and analyze security event data from multiple categories of cybersecurity solutions, including SIEM, threat intelligence, anti-malware, network visibility and IDS. Best-in-class orchestration solutions, such as Swimlane, simplify the incident response process through API-friendly architectures, extensive out-of-the-box integrations and relevant built-in content.

There’s an increasing groundswell among industry experts recommending that organizations deploy technologies that allow them to orchestrate workflows across their cybersecurity infrastructure. One relevant example comes from Jon Oltsik in a recent NetworkWorld article. In it, he makes the case for a security operations and analytics platform architecture (SOAPA) that links all of the aspects of the cybersecurity infrastructure.

The use of orchestration continues to increase as it provides the platform for combating new and more clever threats by increasing the “speed” of SecOps. As Gartner states, “The traditional SOC must evolve to become the intelligence-driven SOC (ISOC) with automation and orchestration of SOC processes being a key enabler.” The time for security orchestration is now, and Swimlane delivers an enterprise-grade solution for improving MTTD and MTTR.

For real-world applications of security automation and orchestration, download our SOAR use cases e-book.