Why Dwell Time is the Biggest Threat to Security Operations Center (SOC) Teams in 2023

By Sanjay Raja, VP of Product, Gurucul

Dwell time, or the length of time a cyber attacker remains hidden within an organization’s environment, is a major threat plaguing Security Operations Center (SOC) teams today. Reducing dwell time is critical for organizations because the longer attackers remain undetected, the longer they have to steal sensitive data or plant ransomware. According to the latest Cost of a Data Breach Report published by IBM, in 2021 it took a mind-boggling average of 287 days before attackers were discovered and kicked out. Despite the best efforts of organizations, that number doesn’t seem to be going down substantially. So, why is this happening? And what can these organizations do to defend themselves?

How Hackers Get into Your Network:

Oftentimes, hackers get initial access to a network by exploiting employees of a company. In recent years, hackers have achieved this through social engineering or via phishing attacks through a person’s cell phone or email address. Once they achieve access to a network and obtain the structure of usernames for a particular enterprise, they try to hack in using brute force passwords or by using guesswork depending on what they know about the user. Additionally, if hackers have obtained legitimate credentials, it’s much harder for SOC teams to detect and block them.

In addition to employees being exploited, software and system exploits remain a huge issue for organizations. Both zero-day exploits (which are vulnerabilities in software, hardware or firmware that are unknown to the organization) or vulnerabilities that haven’t yet been patched, represent common ways into a network. It’s critical that IT teams be in regular contact with their software vendors and internal software architects to be up to date on the latest vulnerabilities and patches. If a patch exists, IT staff should apply it as soon as it is tested in their environment.

Another way hackers can gain access to a network is through smaller organizations that can’t afford to hire dedicated security staff. When organizations don’t have a dedicated security staff, cybersecurity often becomes just one more additional duty for IT. Oftentimes IT professionals aren’t equipped with the proper security software, tools or skills to prevent cyber attacks, let alone detect dwellers on their network. This lack in a security infrastructure makes them a prime target for hackers and hacking groups. Attacks can sometimes use this access to breach larger organization’s networks in a supply chain attack.

Despite hackers finding ways to exploit employees and loopholes in software, organizations can defend themselves against dwell time. By utilizing unified SOC views, true machine learning and establishing a cost-efficient data model, organizations can prepare themselves for attacks against these hackers and other threats that come their way.

A unified SOC view to streamline investigations: By automating initial responses to threats and the gathering of actionable intelligence, SOC teams can investigate threats more quickly. This lets them not only detect dwellers, but also take actions to remove them from the network. Additionally, SOC teams that are stuck using static, legacy threat detection products aren’t optimizing their systems to their full potential either. These legacy products produce too many false positive alerts that can make dwell time worse because real threats are drowned out. The solution here is to use machine learning threat detection that adapts and can detect different variants of threats, ensuring that SOC teams are getting true threat detection.

Machine learning software that can adapt: Many products that advertise as having machine learning really don’t. They have limited, rules-based ML that can’t adapt to situations or threats it’s not programmed to respond to. By using true machine learning, modern cybersecurity software can create models of normal activities that learn and adapt based on incoming data. This lets them more readily flag true positives, saving time and effort for SOC teams and security analysts. This allows SOC teams to detect new and emerging threats that are not yet in the threat intelligence feeds.

Establishing a cost-efficient, data ingestion model: An unfiltered approach to data analysis will generate many false positive results. These are usually activities that are unusual but legitimate. SOC analysts could well be overwhelmed by seemingly real threats that turn out to be spurious. Using an unlimited data model allows a full field of view into what’s happening on the network by giving the security software the context it needs to generate more accurate responses. Limiting analytics to save on cost makes threat detection less accurate and puts more work on SOC teams. Paying based on data volume can run also up the bill quickly.

Dwell time is a critical threat facing organizations today that continues to worsen every year. However, organizations can reduce dwell time by taking a unified SOC approach, using machine learning software, and establishing a cost-efficient model that allows for unlimited data ingestion for full analytics. By doing so, SOC teams can reduce the damage caused by attackers and mitigate the cost of a data breach. Today, organizations must modernize their security systems and software and take proactive steps to defend themselves against dwellers on their network.

About the Author

Sanjay Raja is the VP of Product of Gurucul.  Sanjay brings over 20 years of experience in building, marketing and selling cyber security and networking solutions to enterprises, medium-to-small business, and managed service providers. Previously, Sanjay was VP of Marketing at Prevailion, a cyber intelligence startup. Sanjay has also several successful leadership roles in Marketing, Product Strategy, Alliances and Engineering at Digital Defense (acquired by Help Systems), Lumeta (acquired by Firemon), RSA (Netwitness), Cisco Systems, HP Enterprise Security, Crossbeam Systems, Arbor Networks, Top Layer Networks, Caw Networks (acquired by Spirent Communications), Nexsi Systems, 3Com, and Cabletron Systems. Sanjay holds a B.S.EE and an MBA from Worcester Polytechnic Institute. Sanjay is also a CISSP as well as Pragmatic Marketing certified.