When we hear about a cyberattack these days, there’s often a reference to when the network was originally compromised. In recent years, the need to determine how long that compromise was on the network, who else was involved, and how you’re going to gain this visibility has moved to the forefront of the SecOps team’s needs.

What is dwell time and why is reducing it important?

Dwell time represents the length of time a cyberattacker has free reign on your network until they are eliminated. Dwell time is determined by adding Mean Time to Detect (MTTD) and Mean Time to Repair/Remediate (MTTR) and is usually measured in days—though it typically lasts weeks or even months. It goes without saying that reducing the dwell time of cyberbreaches is essential to limiting network infiltration and financial liability, but the question of how to best approach this gets tricky.

So how can we increase visibility and lessen our dwell time?

One common approach to gaining visibility on the network is to deploy a packet capture solution at key points, like the internet perimeter and DC perimeter. This is commonly referred to as north/south traffic. The problem with this approach is that it only touches a small portion of your network traffic.

Back in 2014 Cisco made this point clear when noting that 76% of traffic traversed the data center in an east/west direction, whereas just 17% of traffic moved in a north/south direction at that time. This means that the “moat and castle walls” approach to cybersecurity is clearly not enough, and any detection based on this model will fail to find infiltrations or lateral movement until something crosses a monitored border. As a matter of fact, recent ransomware attacks help solidify the need for stronger east/west visibility since their “low and slow” approach tends not to touch the perimeter until the incident has escalated.

As I’ve mentioned in previous blogs, there are legitimate reasons to deploy a packet capture solution; for example, when regulatory compliance requires it. The challenge with expanding this approach across the entire network is that the deployment model is complex and requires things like taps and packet brokers. Because the scale of today’s networks and obtaining this level of visibility is enormous, and seems to grow every day, companies are exploring other approaches—ones that provide detailed visibility, are scalable, and lessen the total cost of ownership of their current network deployment.

Cisco’s Global Cloud Index tells us that, unlike in campus networks, the dominant volume of traffic in the DC traverses in an ‘East-West’ direction.

Munawar Hossain, Cisco

Why are NetFlow and IPFIX a better choice?

There are multiple reasons to consider NetFlow/IPFIX to gain better visibility into your network traffic.

First, it provides over 90% of the context that most IT professionals turn to packet analysis for. In addition, adoption has grown and now all major vendors support NetFlow and IPFIX. Some of today’s NetFlow reporting tools even enhance the data with things like Active Directory integration and username reporting and, in turn, provide more detail at less cost.

Second, the technology is super scalable. Since you are employing your network devices, it’s relatively easy to start monitoring. Just configure flow to be sent from your device to the collector and—BAM—you now have visibility into a dark spot on your network. Remember, the collector is where the magic happens. It gives you the ability to correlate conversations, provide forensic information, and has the means to monitor your traffic with intelligence.

Third, it lessens the total cost of deployment and ownership. In most cases you already have the equipment, right? Employing the resources you already own not only provides the information needed for the “reduction in dwell time,” but also provides detailed forensic evidence for all your monitoring tools. This allows you to provide context to those alerts and helps you protect more than a single point on the network.

Ready to reduce your dwell time?  

The world as we know it has changed and will continue down that path. Everyone knows that you need to lessen the dwell time of an intrusion on your network. It’s a no brainer. But how will your company implement this requirement? As I mentioned before, employing enhanced metadata like NetFlow and IPFIX will immediately expand your visibility, collect that data in a realistic and scalable way, and do so at a much lower cost. Don’t believe me? If you’re looking for an NDR solution that provides rich conversation visibility along with providing the flexibility to integrate that data into your current environment, why not evaluate Scrutinizer?

James Dougherty

I have worn many hats in my professional life. Support engineer, developer, network admin and manager are all points on my resume, but the one common thread with all of these jobs is that I enjoy working with people; that is what I do here at Plixer. I make sure that everyone understands our product and can get the most out of it. It's just simple 'no bull' support!

Let me know if you have any questions, I would be happy to help.

- Jimmy D