How to Compress Mean Time to Resolution (MTTR) and Drive Operational Efficiency
Slashing MTTR is one way of shifting into a high-velocity security mode so your team can operate faster to drive innovation, scale, and create a strong competitive advantage.
Here's a simple fact: the faster your security team resolves an incident, the shorter the attack window, the less risk there is of data loss and the more bandwidth you have to implement additional preventive security measures.
Consider also: When you resolve incidents faster and more efficiently, your security team wastes fewer cycles, and there is less of an impact and disruption on other operational areas.
Optimizing MTTR for incident resolution will have a positive impact on your overall operations when you're running in the cloud.
A Framework for Faster Resolution
MTTR is a great starting point when you're looking to increase efficiency, but to really understand how to cut resolution times from hours to minutes, you need to look at each of the six stages in the Incident Life Cycle.
By analyzing the life cycle, you can find out exactly where your team is spending its time and systematically eliminate anything that's unnecessary. It also creates an opportunity for you to streamline and enhance the resolution process by integrating new security tools.
We'll look at a couple of examples later to compare MTTR achieved using traditional approaches and tools with MTTR achieved using cloud-native, platform-based tools. But first, let's talk about these different types of tools.
Applying the New Tools of the Trade
For those of you who have used log management tools or a variety of disparate point solutions as part of your incident response workflow, you know first hand that finding information in logs or across multiple tool sets and then making sense of it, can be tedious and time-consuming.
This isn't to say that these tools don't have their place in capturing critical data, but there's a much more efficient way of doing things today. To achieve maximum process efficiency and lightning-fast resolution times, you need an integrated platform that can stitch together vital security event information in one place, and automatically provide the contextual data that incident responders need - whether you're in security, infrastructure, operations, etc.
So it's no longer necessary to go searching for the proverbial needle in a haystack. With the push of a button, you get the needle along with all the relevant and associated events, to make a decision and take action.
Comparing Approaches to Resolution and MTTR
Now let's take a look at a couple of common, real-world attack scenarios to compare MTTR with traditional tools.
Example 1: Netcat Reverse Shell Attack
Attackers commonly use this technique - post exploit - to gain persistent connection back into the production environment from the Internet. Attackers typically use netcat to make an outbound connection behind a shell.
In this example, there's a big difference between the traditional way of handling the Escalate, Analyze, and Remediate stages - and a correspondingly notable difference in MTTR.
In the traditional approach, the incident responders had to sift through logs manually, find the event, and determine the server involved and the time the event took place. Then they had to look in the logs for the steps leading up to and following the event - assuming the information was even available. After this, based on the data collected, they decided on the best course of action.
With an integrated security platform, these three steps are largely automated, provide much richer information, and the ability for the alert to be evaluated and resolved in a significantly abbreviated time frame. When using a tool like Threat Stack, the responder simply clicks the Process Details icon, looks at the TTY Timeline to see the pre and post event details, and then, using data automatically collected, decides on the most effective remedial action.
Example 2: PHP Webshell Attack
Attackers use this technique to execute commands as the web server user. Typically, an attacker uploads PHP code and gets the server to execute it, and that code is essentially a PHP shell form.
As in Example 1, resolving the issue in the traditional manner would have been more time-consuming. The responders had to sift through logs, find the event, and determine the server involved and the time the event took place. Then they looked for the steps leading up to and out of the event and sorted through other commands the user had executed, as well as other servers on which the same commands were executed. And finally, based on data collected, they determined the best course of action.
Again, the integrated platform largely automates this process, provides much richer information, and slashes MTTR. Again, with Threat Stack, users simply click the Process Details icon to see the pre- and post-event details and determine that the user www-data had executed a shell. Then they can click the Cloud Context icon to see what other actions were taken by the user. With automatically generated data, they quickly decide on the most effective remedial action. Altogether a faster, more streamlined, information-rich process!
The ROI of a Fast Ticket
You operate your business at cloud speed, taking action as quickly as possible using the best information available.
You can't afford to waste time, and it definitely doesn't make sense wasting time analyzing alerts. So anything you can do to shorten the time spent investigating routine warning flags is valuable - especially when you shorten the cycle from hours to seconds, with the potential of increasing the velocity of your team by as much as 10x.
So here are a couple of questions to end on. Have you established an MTTR in your organization? Are you interested in shortening your existing MTTR to save resources and increase operational efficiency? Do you want to make security an integral part of your cloud operations?