Vendor Hype Gives New Meaning to the Term “Zero Trust Security” (And Not in a Good Way)

If you’re a security professional, there’s a lot to keep you up at night, from crippling ransomware attacks to costly data breaches. That’s why you turn to trusted security solution providers, right? But what if you are placing your trust in people and/or companies that mislead, over-hype evaluation wins, and generally do not stack up? Recently, some security vendors have been conflating CrowdStrike’s 1-10-60 breach response rule with malware threat prevention, falsely implying — if not outright claiming — that we rely on slow, human-powered processes to detect and mitigate threats. Taking shots at the market leader is to be expected, but this particular implication can only be interpreted in one of two ways: either they don’t understand the difference between threat hunting and threat prevention, or they are intentionally misleading people. Either way, it does not help a security industry built on the very notion of trust, and it does not help the end-user community we’re collectively trying to protect, which is ultimately why we are all here. Let me set the record straight by explaining what the 1-10-60 Rule is really all about, and explaining how CrowdStrike uses artificial intelligence and machine learning to detect and prevent threats — without human intervention.

 

 

The History of the 1-10-60 Breach Response Rule

Back in the early 2010s, some security firms began tracking and publishing statistics like dwell time — the median time between when an adversary penetrates an organization’s environment and when they discover the incident. Dwell time, which back then often lasted hundreds of days, provided a simple and consistent way to gauge the overall success of an adversary, and it was a line in the sand — a metric for organizations to reduce to better secure their businesses. While helping organizations during incident response engagements, we routinely discovered that they had suffered from long dwell-time problems. While dwell time was helpful for characterizing how effective enterprises are at identifying they had an incident, or more specifically that there was an adversary on the network, it didn’t help break down or quantify the particular actions the attacker performed. And it didn’t really provide any practical insights you could use to strengthen your security posture. CrowdStrike has long thought of a breach not as a single event, but as a series of actions an adversary performs to achieve their objectives. Consequently, we identified discrete metrics to quantify the time it takes a threat actor to achieve various stages of an attack (e.g., the time it takes to accomplish the various tactics described in the MITRE ATT&CK Framework). In 2018, we honed in on what we dubbed breakout time — the time it takes an adversary with a foothold in your network to escalate privileges or take other actions to move laterally across your enterprise — as a key metric. Your ability to mitigate a security incident before an adversary breaks out is paramount. It is the difference between doing minor cleanup work and getting on with your day, and dealing with a major service disruption or data breach, requiring potentially drawn-out forensics and remediation. In the years that followed, we have seen average breakout times shift in line with the changing threat landscape. When we first calculated breakout time, for

 

the 2017 calendar year, we found that it averaged just under two hours. That average proceeded to rise in 2018 to around 4 hours and 30 minutes, and again in 2019 to 9

 

hours. This is in large part explained by the rapid proliferation of eCrime actors over this period, who while abundant were not as skilled as their state-nexus counterparts.

 

As the averages rose, we also began to examine breakout times across different adversary categories. For example, while the average stood at 9 hours in 2019, we saw BEARs or Russian state actors average breakout time of just under 19 minutes. This more granular analysis immediately helped inform some organizations’ threat models, providing an evidence-based benchmark against which they could set internal performance requirements and make decisions around staffing, architecture, procurement and so on.

Source: 2019 Global Threat Report (Analyzing data gathered in 2018)

Realizing the significance of breakout time, we came up with a concept called the 1-10-60 Rule to help organizations improve cybersecurity readiness and nip incidents in the bud. Developed in consultation with key organizations, the rule challenges defenders to detect malicious activity within one minute, have a human analyst assess the activity within 10 minutes, and isolate or remediate the threat within 60 minutes, before an adversary can break out and wreak havoc. Crucially, in the past two years we have seen breakout times fall dramatically. Average breakout time observed so far in 2021 has been just 2 hours and 30 minutes. There has also been a paradigm shift, with many of the shortest breakout times now observed in eCrime campaigns, and eCrime adversaries are now averaging a breakout time of around 1 hours and 30 minutes. In this context, the 1-10-60 Rule is no longer simply a useful benchmark for organizations that are of interest to state-nexus adversaries, it is a stark warning to organizations everywhere to prepare themselves for a battle increasingly defined by speed.

Using the Rule to Assess Cybersecurity Readiness

The 1-10-60 Rule makes it easy to assess your organization’s response readiness against a well-defined set of criteria. Many organizations around the world now use it as a key performance indicator. You can run red team vs. blue team exercises to simulate breaches, see how well your organization performs, and adjust your defenses accordingly. Some organizations use the rule to evaluate managed service providers and negotiate SLAs. And some entities in the cyber-insurance space are experimenting with the rule for a variety of use cases. In addition, the rule is so simple to understand that board-level stakeholders can use it to determine if their security teams are on the right track. The concept has gained a great deal of attention within government circles as well. The U.S. Cyberspace Solarium Commission, for example, found that “ company’s ability to rapidly detect, investigate, and remediate network intrusions is a useful indicator of the maturity of its security operations, in its ability both to defend against cyberattacks and to mitigate the types of cybersecurity risks that could harm its business operations and financial conditions.” It went on to recommend that the U.S. Congress amend key corporate governance legislation to: Specify corporate responsibility requirements for the security of information systems, including the metrics and records publicly traded companies must keep regarding risk assessments, determinations, and decisions; cyber hygiene; and penetration testing and red-teaming results, including a record of metrics relating to the speed of their detection, investigation, and remediation.(emphasis mine) More recently, the FY21 National Defense Authorization Act requires the Department of Defense (DoD) to assess the use of “speed-based metrics to measure the performance and effectiveness of security operations centers and cyber security service providers” across DoD. Work in this area is slated to continue through at least December of this year and could inform Department cyber strategy going forward.

Setting the Record Straight on the 1-10-60 Rule

The 1-10-60 Rule is a practical benchmark for gauging readiness and formulating cybersecurity plans. If your organization has the right people, processes and technology in place to meet the rule, you should be able to identify and thwart a savvy attacker before they can establish a foothold in your network and inflict serious damage. Now let’s get back to cybersecurity vendors that again either intentionally or carelessly twist the meaning of the 1-10-60 Rule, claiming the rule is outdated, pointing to recent ransomware attacks as proof that it only takes milliseconds to breach an organization. As they likely know, the 1-10-60 Rule is not about simply preventing the execution of malware. It is about staving off hands-on-keyboard attacks and stopping an active adversary before they traverse your network, achieve their ultimate objectives and possibly do irreparable harm. In many cases, this means preventing attacks that don’t use malware (and instead often leverage legitimate software or services to carry out attacks), or preventing attacks that exploit system misconfigurations or abuse legitimate credentials. So either the vendors that try to use the ransomware example don’t understand the difference between malware detection and threat hunting, or they are deliberately trying to deceive and mislead.

 

There Is No Auto-pilot in Cybersecurity

Worse still, some vendors imply CrowdStrike somehow uses the 1-10-60 Rule as a guideline to engineer our solutions, the implied suggestion being that our products are slow and/or require human intervention. Nothing could be further from the truth, and again this illustrates a lack of understanding or an attempt to outright mislead people. Does CrowdStrike employ a team of seasoned security professionals? Of course we do. For example, over the past year CrowdStrike’s human experts within the Falcon OverWatch™ team have directly identified more than 65,000 potential hands-on intrusions — that’s one every 8 minutes. But critically, these experts do things that machines aren’t good at on their own, like hypothesis-driven threat hunting or contextualizing security alerts and events. We certainly don’t rely on human experts to manually detect and block malware or other basic endpoint threats. The truth of the matter is the CrowdStrike Falcon® endpoint protection platform uses artificial intelligence, machine learning, and an intelligent, lightweight agent to defend against today’s threats with unmatched speed and simplicity. CrowdStrike Threat Graph®, the brains behind the cloud-native Falcon platform, combines a massively scalable threat intelligence database with AI-powered analytics to detect, prevent, predict, and mitigate advanced attacks and zero-day exploits. Threat Graph continuously ingests massive volumes of live telemetry data from Falcon endpoints and other sources — at a scale and speed no competitor can match. The solution captures 500,000+ events per second, processing over 1 trillion events per day from millions of agents worldwide and delivering unprecedented security insights.

“Trust but Verify” — Focusing on What Matters

Falcon defends against modern cyberattacks with speed and accuracy. But you don’t have to take our word for it. We regularly participate in the broadest possible set of lab tests conducted by independent authorities like AV-Comparatives and SE Labs. When it comes to third-party public testing, openness and transparency matter, and we believe the best way to maintain the trust of the market is by not just cherry-picking tests based on how we think we might perform.

 

In the June 2021 SE Labs Enterprise Endpoint Protection tests, for example, CrowdStrike Falcon® received a AAA award, achieving a 98% protection accuracy rating, a 100% legitimate accuracy rating, and a 99% total accuracy rating. And in the June 2021 AV-Comparatives Business Security Test, CrowdStrike Falcon® Pro received the Approved Business Product award, achieving a 99.5% protection rate. Trust is one of the most foundational elements of security. Carelessly or purposefully misleading customers, gaming the system and avoiding independent product testing is at best irresponsible and at worst outright dangerous. Cybersecurity is about protecting customers. Customers should expect transparency and integrity from their trusted security suppliers. Unfortunately, some players have given new meaning to the term Zero Trust security vendor. See for yourself why the world’s leading companies trust CrowdStrike to protect against the most sophisticated adversaries. Start your free 15-day Falcon trial today.

Additional Resources

Breaches Stop Here