CrowdStrike on Dark Reading: Why “Breakout Time” Is Critical to Your Security Strategy

A new article by CrowdStrike Director of Product Marketing Scott Taschler, published on Dark Reading, discusses how the key metric known as “breakout time” sets the bar for how quickly security teams must respond to an intrusion. The article, titled

 

“Breakout Time: A Critical Key Cyber Metric,"

 

explains the theory behind CrowdStrike’s “1-10-60 Rule,” which asserts that the most effective organizations “need to detect an intrusion in under a minute, understand it in under 10 minutes, and eject the adversary in under an hour.”

The following are some excerpts from the article:

As the targeting of public and private industries continues to plague organizations worldwide, it's obvious that security must be raised to a board-level issue as organizations look to justify increased investment in cybersecurity.

CrowdStrike recently highlighted a new cyber metric based on insights from its 2018 Global Threat Report called "breakout time." Data was compiled from 30 trillion security events collected in 2017 to analyze attacker trends and to develop best-practice recommendations. Breakout time can be used to understand and contextualize the effectiveness of an enterprise security program.

So, what is breakout time? It's the time it takes for an intruder to begin moving laterally outside of the initial beachhead to other systems in the network. The average breakout time analyzed over the previous year came in at one hour and 58 minutes — that's the tight window during which an organization can prevent an incident from turning into a breach.

Breakout time is so important because the initial machine the intruder compromises is almost never the one he (or she) needs to fulfill his or her objective. The adversary must move laterally so he can burrow deep into the network, perform reconnaissance, and find his targets. One hour and 58 minutes dictates how much time the organization has to detect and eject the intruder. That's why it's important to focus on speed when assessing the effectiveness of any security capability.

Read the entire article on Dark Reading Download the CrowdStrike 2018 Global Threat Report
Breaches Stop Here