Sensitivity: Confidential
DWELL TIME
[Figure: dwell-time timeline. Milestones along the time axis: time vulnerability appears, time of initial compromise, identification of incident, containment, eradication of vulnerability (axis markers T-1, T0, T1, T2, T3). Intervals shown between milestones: Time to Compromise, Time to Identification, Dwell Time, Time to Containment, Exposure Time.]
DWELL TIME
• Prevention-based strategies will fail
• Time to detect and time to respond metrics are irrelevant
• The more time an attacker has in your environment, the more likely they will act on their objectives
• The longer it takes to detect an attack, the worse the consequences
• Detect the attack
• Prevent the attack from spreading
• Identify the source of the attack
• Dwell time and lateral movement are co-dependent
DECEPTION
• Current security systems generate a lot of alerts, many of them false positives
• Alert overload
• Evolution of the honeypot
• Deception technologies are defined by the use of decoys and/or tricks designed to thwart or throw off an attacker, disrupt an attacker's automation tools, delay an attacker's activities, or detect an attack
• An almost zero false positive solution
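To illustrate why decoy-based detection produces so few false positives, here is an added example (not from the slides): a small detector run over constructed authentication log lines. It assumes decoy accounts (hypothetical names like `svc_backup_admin`) are provisioned purely as tripwires, so any event touching one, successful or not, is an incident indicator, and the source that tripped it becomes the pivot for scoping lateral movement.

```python
"""Decoy-account detection over constructed authentication events.

Assumption (not from the slides): decoy accounts exist only as tripwires and
have no legitimate users, so every event that touches one is an indicator."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:02:11 success user=alice src=10.0.0.15
2024-03-01T08:05:40 failure user=bob src=10.0.0.22
2024-03-01T08:06:03 success user=bob src=10.0.0.22
2024-03-01T11:47:19 failure user=svc_backup_admin src=10.0.0.77
2024-03-01T11:47:25 success user=svc_backup_admin src=10.0.0.77
2024-03-01T11:49:02 failure user=alice src=10.0.0.77
"""

# Hypothetical decoy account names planted in the directory / password store.
DECOY_ACCOUNTS = frozenset({"svc_backup_admin", "fin_archive_ro"})


@dataclass(frozen=True)
class Event:
    when: datetime
    result: str
    user: str
    src: str


def parse_line(line: str) -> Event:
    ts, result, user_kv, src_kv = line.split()
    return Event(datetime.fromisoformat(ts), result,
                 user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def parse_log(log_text: str) -> list:
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def decoy_alerts(log_text: str) -> list:
    """Every event touching a decoy. Failures count too: a decoy has no
    legitimate users, so even a wrong password is an attacker probing."""
    return [e for e in parse_log(log_text) if e.user in DECOY_ACCOUNTS]


def suspect_sources(log_text: str) -> set:
    """Hosts that tripped a decoy: the pivot for scoping lateral movement."""
    return {e.src for e in decoy_alerts(log_text)}


def related_events(log_text: str) -> list:
    """All events from suspect hosts, including against real accounts."""
    srcs = suspect_sources(log_text)
    return [e for e in parse_log(log_text) if e.src in srcs]
```

On the constructed log this yields two alerts from a single host, and the related-events view shows that host also probing a real account two minutes later.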