Blogs@Cisco Middle East

Time to Detection: The Race to Keep Narrowing the Window


by Adam Philpott, Cisco – Director, EMEAR Cyber Security

Security is a top priority for us at Cisco and it is core to all that we do for our customers. Online criminals are continually looking for ways to add efficiency and cost savings to their operations, along with new ways to evade detection. With GISEC 2016 less than a week away, security will once again take centre stage.

Over the next five years, we expect that a wave of industry consolidation, driven less by financially motivated M&A and more by the need for capable solutions, will bring together niche innovators and long-standing players for the greater cause of protecting organisations.

This consolidation will lead to the development of an integrated threat defence architecture that will help reduce time to detection and remediation of both known and emerging threats. This architecture will bring unprecedented visibility into the threat landscape, and provide control, global intelligence, and context across many solutions.

While disruptive, this change is necessary. Right now, as an industry, we’re just not doing an effective job helping all end users defend themselves from the highly sophisticated and ever-changing tactics of today’s threat actors.

As noted in the Cisco 2016 Annual Security Report, the current industry estimate for time to detection (TTD) is 100 to 200 days, which is clearly an unacceptable time frame given how rapidly today’s malware authors are able to innovate. While there are varying views on TTD, we define it in the report as the window of time between the first observation of a file having bypassed all security technologies to make it to an endpoint, and the detection of a threat associated with that file.

At Cisco, we examined our data and systems to enrich this conversation and better assess where we are and where we think we could go with TTD. In the first half of 2015, we successfully reduced TTD to less than two days (50 hours), and since May 2015 Cisco has reduced the median time to detection to 17.5 hours. We believe that even that’s not good enough.
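The definition above can be turned into a measurement a defender can run over their own telemetry. The following is an added example, not code from Cisco or from the report: it joins two constructed event streams (the first time a file hash was observed on any endpoint, and the time a threat verdict was later tied to that hash) and reports per-file TTD in hours plus the median, the same statistic the paragraph quotes. The event format, hash values and timestamps are all assumptions made for the example; files that were never detected are reported separately as open cases rather than silently dropped, since they are what keeps the true median high.

```python
from datetime import datetime
from statistics import median

# Constructed sample telemetry (assumption for this example, not real data).
# Each record is (file_hash, event_type, ISO timestamp).
#   "observed" = file seen on an endpoint after passing all inline controls
#   "detected" = a threat verdict associated with that file hash
SAMPLE_EVENTS = [
    ("aaa111", "observed", "2016-03-01T08:00:00"),
    ("aaa111", "observed", "2016-03-01T09:30:00"),  # second endpoint; must not move first-seen
    ("aaa111", "detected", "2016-03-01T20:00:00"),  # TTD = 12 h
    ("bbb222", "observed", "2016-03-02T00:00:00"),
    ("bbb222", "detected", "2016-03-03T02:00:00"),  # TTD = 26 h
    ("ccc333", "observed", "2016-03-02T12:00:00"),
    ("ccc333", "detected", "2016-03-02T13:00:00"),  # TTD = 1 h
    ("ddd444", "observed", "2016-03-04T00:00:00"),  # no verdict yet: open case, not in median
    ("eee555", "detected", "2016-03-05T00:00:00"),  # verdict for a hash never seen on an endpoint
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def compute_ttd(events):
    """Return (ttd_hours, open_cases, not_counted).

    ttd_hours:   file_hash -> hours between first endpoint observation and
                 first detection (the report's definition of TTD)
    open_cases:  hashes observed on an endpoint with no detection yet
    not_counted: hashes whose verdict predates any endpoint observation, or
                 that were never observed on an endpoint; by the definition
                 these did not bypass all controls, so they carry no TTD
    """
    first_seen = {}
    first_detected = {}
    for file_hash, kind, ts in events:
        t = _parse(ts)
        if kind == "observed":
            if file_hash not in first_seen or t < first_seen[file_hash]:
                first_seen[file_hash] = t
        elif kind == "detected":
            if file_hash not in first_detected or t < first_detected[file_hash]:
                first_detected[file_hash] = t

    ttd_hours = {}
    open_cases = []
    not_counted = []
    for file_hash, seen in first_seen.items():
        detected = first_detected.get(file_hash)
        if detected is None:
            open_cases.append(file_hash)
        elif detected < seen:
            not_counted.append(file_hash)
        else:
            ttd_hours[file_hash] = (detected - seen).total_seconds() / 3600.0
    # Verdicts with no endpoint observation at all
    for file_hash in first_detected:
        if file_hash not in first_seen:
            not_counted.append(file_hash)
    return ttd_hours, sorted(open_cases), sorted(not_counted)


def median_ttd_hours(ttd_hours):
    """Median TTD in hours over detected files, or None if nothing was detected."""
    return median(ttd_hours.values()) if ttd_hours else None


if __name__ == "__main__":
    ttd, still_open, skipped = compute_ttd(SAMPLE_EVENTS)
    for h, hours in sorted(ttd.items()):
        print(f"{h}: TTD {hours:.1f} h")
    print(f"median TTD: {median_ttd_hours(ttd):.1f} h")
    print(f"open (observed, undetected): {still_open}")
    print(f"not counted: {skipped}")
```

Two design choices matter for comparability with the report's figure: first-seen is taken across all endpoints, not per endpoint, so a file that spreads before it is caught still counts from its earliest arrival; and open cases are listed rather than folded into the median, so a low median cannot hide a growing backlog of undetected files.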

Of course, industry consolidation alone is not enough to develop the integrated threat defense architecture. It will also require cooperation, dialogue, and coordinated action among all security vendors. We will need to share our expertise, combine innovations, and exchange information proactively and actionably to help end users better defend themselves. Openness and inclusiveness are the only way forward: sharing with all defenders, and taking action on that intelligence together, is the future.

While there is a role for alliances, it is not in creating closed groups of insiders; it should be focused on establishing the interfaces and methods for an automated exchange of actionable information. Closed alliances hurt the ability to achieve a timely exchange of meaningful and actionable intelligence: they are simply too slow to share and even slower to act. We see attackers pivoting and changing tactics in a matter of hours, and as an industry we need to do better than hours to maintain an effective defensive posture.

Integrated threat defense is the future, but it will require commitment to achieve. For those who aren’t convinced that this is the right direction for the industry, or the right time for change, give me an alternative that helps us collectively reduce the time to detection to minutes for all customers. Until then, we are headed in that direction.

And so, the security industry must move faster—together. Otherwise, the end users that rely on our products will never have the visibility and control that’s necessary to deliver better protection across more threat vectors and to swiftly neutralize more attacks in a timescale that matters.
