For many security operations (SecOps) teams, the real measure of where the "rubber meets the road" comes down to two metrics: Mean Time to Detect (MTTD), the time from the start of an attack until it is noticed, and Mean Time to Respond (MTTR), the time from detection until action is taken and the threat is neutralized. As the stakes of a cyber-attack increase, management wants to see progress on both.
Both metrics improve when the individual security tools and products in the environment work better together. Integration across many different solutions is critical for detecting and responding to a threat more quickly, and a security orchestration platform lets a SecOps team combine the capabilities of multiple security solutions with the aim of improving these critical KPIs.
And clearly there is a real need to improve these metrics.
The 2016 SANS Incident Response Survey found that 21% of organizations had an MTTD of two to seven days, and only 29% could detect an incident in 24 hours or less. The same study found that only 18% of respondents could move from detection to response (MTTR) in a day or less. Worse, 38% of respondents admitted that they typically don't respond in less than a week.
Orchestration allows a SecOps team to centralize, correlate and analyze security event data from multiple categories of cyber security solutions, including SIEM, threat intelligence, anti-malware, network visibility, and IDS. Best-in-class orchestration solutions, such as Swimlane’s, simplify the process through API-friendly architectures, extensive out-of-the-box integrations, and relevant built-in content.
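To make the centralize-correlate-analyze step concrete, here is an added example (not Swimlane's code or any vendor's schema) of what an orchestration workflow does once alerts from several tools land in one place: it groups alerts per host within a time window, enriches them against a threat-intelligence feed, assigns a triage severity, and then computes MTTD and MTTR from closed incident records. All alerts, indicators, campaign names, timestamps and field names below are constructed for illustration.

```python
"""Added example: a minimal orchestration step over alerts pulled from
several tools' APIs. Every alert, indicator and timestamp is constructed;
the field names are assumptions, not any product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed alerts, as received from IDS, anti-malware and SIEM feeds.
ALERTS = [
    {"source": "ids", "host": "ws-042", "ioc": "198.51.100.7",
     "time": "2016-11-02T09:14:00"},
    {"source": "anti-malware", "host": "ws-042",
     "ioc": "d41d8cd98f00b204e9800998ecf8427e", "time": "2016-11-02T09:20:00"},
    {"source": "siem", "host": "srv-db1", "ioc": "203.0.113.9",
     "time": "2016-11-02T11:02:00"},
    {"source": "ids", "host": "ws-017", "ioc": "192.0.2.44",
     "time": "2016-11-03T08:30:00"},
]

# Constructed threat-intelligence feed: indicator -> campaign name.
THREAT_INTEL = {
    "198.51.100.7": "campaign-A",
    "d41d8cd98f00b204e9800998ecf8427e": "campaign-A",
    "203.0.113.9": "campaign-B",
}

# Constructed closed-incident records; compromise and containment times
# come from the IR write-up, detection time from the first alert.
CLOSED_INCIDENTS = [
    {"host": "ws-042", "compromised": "2016-10-30T09:14:00",
     "detected": "2016-11-02T09:14:00", "contained": "2016-11-02T15:14:00"},
    {"host": "srv-db1", "compromised": "2016-11-01T23:02:00",
     "detected": "2016-11-02T11:02:00", "contained": "2016-11-04T11:02:00"},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def _make_incident(host, group, intel):
    """Enrich one alert group: intel hits plus multi-tool corroboration
    push an incident to the front of the analyst queue."""
    campaigns = sorted({intel[a["ioc"]] for a in group if a["ioc"] in intel})
    sources = sorted({a["source"] for a in group})
    if campaigns and len(sources) > 1:
        severity = "high"
    elif campaigns or len(sources) > 1:
        severity = "medium"
    else:
        severity = "low"
    return {"host": host, "sources": sources, "campaigns": campaigns,
            "severity": severity, "detected": group[0]["time"]}


def correlate(alerts, intel, window=timedelta(hours=1)):
    """Centralize alerts from all tools, group them per host within a time
    window, and return one enriched incident per group."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):  # ISO strings sort by time
        by_host[a["host"]].append(a)
    incidents = []
    for host, group in by_host.items():
        current = []
        for a in group:
            # A gap larger than the window starts a new incident on the same host.
            if current and parse(a["time"]) - parse(current[-1]["time"]) > window:
                incidents.append(_make_incident(host, current, intel))
                current = []
            current.append(a)
        incidents.append(_make_incident(host, current, intel))
    return incidents


def triage_order(incidents):
    """Analyst work queue: highest severity first, then oldest detection."""
    return sorted(incidents, key=lambda i: (SEVERITY_RANK[i["severity"]], i["detected"]))


def mttd_mttr(records):
    """MTTD = mean(detected - compromised), MTTR = mean(contained - detected),
    both in hours, over closed incidents that carry all three timestamps."""
    hours = lambda later, earlier: (parse(later) - parse(earlier)).total_seconds() / 3600
    mttd = mean(hours(r["detected"], r["compromised"]) for r in records)
    mttr = mean(hours(r["contained"], r["detected"]) for r in records)
    return mttd, mttr


if __name__ == "__main__":
    for inc in triage_order(correlate(ALERTS, THREAT_INTEL)):
        print(inc["severity"], inc["host"], inc["sources"], inc["campaigns"])
    print("MTTD %.1f h, MTTR %.1f h" % mttd_mttr(CLOSED_INCIDENTS))
```

The point of the example is the data flow rather than the particular rules: the IDS hit and the anti-malware hit on ws-042 only become a high-severity incident once they are seen together and matched against intel, which is exactly what is lost when each tool's console is watched in isolation. Note that MTTD needs the compromise time, which is usually only known after the investigation, so it can only be measured on closed incidents.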
There is a growing consensus among industry experts that organizations should deploy technologies that let them orchestrate workflows across their cyber-security infrastructure. One relevant example comes from Jon Oltsik in a recent NetworkWorld article, in which he makes the case for a security operations and analytics platform architecture (SOAPA) that links all of the components of the cyber-security infrastructure.
The use of orchestration continues to increase as it provides the platform for combating new and more clever threats by increasing the “speed” of SecOps. As Gartner has stated, “the traditional SOC must evolve to become the intelligence-driven SOC (ISOC) with automation and orchestration of SOC processes being a key enabler.” The time for orchestration is now and Swimlane delivers an enterprise grade solution for improving MTTD and MTTR. For a few real-world applications, take a look at our use cases here.