Share these talks and lectures with your colleagues
Invite colleaguesPractice paper
1-10-60: Measuring the speed of incident response
Cyber Security: A Peer-Reviewed Journal,
3
(4),
308-314
(2020)
Abstract
Threat intelligence reports have started to record adversary activities with such high fidelity that it is now possible to record how rapidly they perform their actions, showing that some adversaries are moving at staggering speed in some attacks and have highly professional operations. One such report is CrowdStrike’s ‘Annual Global Threat Report’,1 in which breakout time is used as a measurement of the speed of operations of cyber adversaries. But no matter which measurement we look at, it is clear that the attackers have a very efficient operation and do not suffer from the challenges the defenders face in their day-to-day operations that prohibit them from detecting, analysing and containing an incident rapidly before it spreads. This paper will discuss the speed at which the defensive side should operate and some of the challenges with, for instance, business processes they come across in order to keep up with the pace of the attackers.
Keywords: incident response; attack speed; APT; eCrime; breakout time; 1-10-60
The full article is available to subscribers to the journal.
Author's Biography
Ronald Pool is a cyber security specialist at CrowdStrike. With an IT career spanning more than two decades, including over a decade in cyber, he acts as an adviser to some of the biggest companies in the Benelux and Nordic regions with a focus on threat intelligence and endpoint protection. Ronald often speaks at events and sits in expert panels, displaying thought leadership on the topic of cyber security.
