
MTTD and MTTR in Cybersecurity

Metrics that Gauge Program Maturity

Mean time to detect (MTTD) and mean time to remediate (MTTR) are two of the most important metrics to use when judging your security program’s true maturity.

But what are MTTD and MTTR? Why is it so important to minimize them? And how do you actually go about improving your security posture? The security world has changed, and this change has only further emphasized the importance of MTTD and MTTR.

Today’s blog post looks to answer all of these questions and much more. Let’s talk about it!


What is Mean Time to Detect (MTTD)?

Mean time to detect is a common yet important key performance indicator (KPI) in the IT incident management space. MTTD can be defined simply as the average amount of time that passes between the beginning of an IT incident and the discovery of the incident by your security team.

While the metric is quite easy to calculate on a case-by-case basis, there’s a simple equation to use when looking at your MTTD on a macro level:

MTTD = (Total Sum of Detection Time) / (Total Number of Incidents)

What is Mean Time to Remediate (MTTR)?

Mean time to remediate is another common and important key performance indicator (KPI) in the IT incident management space. MTTR, in similar fashion to MTTD, can be defined as the average amount of time that passes from the discovery of an IT incident to the time your security team remediates said incident. In simpler terms, MTTR is the number of days it takes to close a security vulnerability once it has been discovered.

MTTR may also be calculated on a case-by-case basis or on a macro level. The macro equation for MTTR is provided below:

MTTR = (Total Sum of Detection to Remediation Time) / (Total Number of Incidents)
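
The two equations above, applied to incident records, as an added example that is not part of the original post. The field names and sample incidents are constructed, and leaving still-open incidents out of the MTTR average (while reporting how many incidents were counted) is an assumption of this sketch.

```python
from datetime import datetime, timedelta

# Constructed sample incidents (illustrative, not real data); ISO 8601, UTC.
# "remediated" is None while an incident is still open.
INCIDENTS = [
    {"id": "INC-1", "started": "2024-03-01T00:00:00+00:00",
     "detected": "2024-03-03T00:00:00+00:00",
     "remediated": "2024-03-04T12:00:00+00:00"},
    {"id": "INC-2", "started": "2024-03-05T08:00:00+00:00",
     "detected": "2024-03-05T20:00:00+00:00",
     "remediated": "2024-03-06T08:00:00+00:00"},
    {"id": "INC-3", "started": "2024-03-10T00:00:00+00:00",
     "detected": "2024-03-10T06:00:00+00:00",
     "remediated": "2024-03-10T18:00:00+00:00"},
    {"id": "INC-4", "started": "2024-03-12T00:00:00+00:00",
     "detected": "2024-03-12T06:00:00+00:00",
     "remediated": None},
]

def _ts(value):
    """Parse an ISO 8601 timestamp; None stays None."""
    return datetime.fromisoformat(value) if value else None

def mean_time(incidents, start_field, end_field):
    """Return (mean of end - start, incidents counted); mean is None if none count."""
    durations = []
    for inc in incidents:
        start, end = _ts(inc.get(start_field)), _ts(inc.get(end_field))
        if start is None or end is None:
            continue  # open or incomplete incident: not counted (assumption)
        if end < start:
            # Usually a clock or data-entry error; fail loudly instead of averaging it in.
            raise ValueError(f"{inc['id']}: {end_field} precedes {start_field}")
        durations.append(end - start)
    if not durations:
        return None, 0
    return sum(durations, timedelta()) / len(durations), len(durations)

def mttd(incidents):
    """Sum of detection times / number of incidents."""
    return mean_time(incidents, "started", "detected")

def mttr(incidents):
    """Sum of detection-to-remediation times / number of remediated incidents."""
    return mean_time(incidents, "detected", "remediated")

if __name__ == "__main__":
    print("MTTD:", mttd(INCIDENTS))
    print("MTTR:", mttr(INCIDENTS))
```

Reporting the count next to each mean shows when MTTR is computed over fewer incidents than MTTD because some are still open.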

The Importance of MTTD and MTTR

Now that we’ve defined both MTTD and MTTR, let’s talk about why they’re so important to track and improve over time. The simple, one sentence answer to this question is that prioritizing MTTD and MTTR will improve your cybersecurity.

For security teams of any size or maturity, it is vital to both detect and remediate security vulnerabilities in as little time as possible. In the past it might have been possible to prevent all security breach attempts outright, but this is no longer the case. Attacks are constant and growing in sophistication every day. So what are security professionals to do?

The answer lies in the efficiency of your detection and remediation efforts, and not just your efforts in prevention. The brutal truth for your organization is that you aren’t going to be able to prevent all vulnerabilities and breach attempts. This fact may largely be out of your control, but what’s not out of your control is your team’s ability to see your security posture and act on irregularities you spot.

The less time the bad guys spend behind your security perimeter, the better. An undetected infiltrator will have ample time to elevate their privileges, locate all of the precious data they want, and exfiltrate the data from your network.

If you’re able to detect and then remediate the vulnerability in short order — meaning you have a low MTTD and MTTR — your organization’s losses will be minimized and your fellow employees will thank you.

How to Improve Your MTTD and MTTR

It is a no-brainer that as security professionals we all want a low MTTD and MTTR… but how can this be achieved? Answers aren’t clear, but one thing that is obvious is that something is better than nothing.

Here are a few of our tips to cut down on your MTTD and MTTR times:

Power to the People (Through Education)

Our first bit of advice is to focus on the people employed within your organization. People are the first layer when it comes to reducing MTTD and MTTR within your SOC. Whether they are at the top of the chain or the bottom, your employees need to understand the processes and technologies in place in order to detect and respond to threats in a timely manner.

This advice is best implemented by thorough education and continuous training courses to keep your team sharp. By harping on ideas like the incident response lifecycle and other vital processes your team will be ready and willing to pounce on threats as they’re uncovered.

Increase the Visibility of Your Program and Processes

A baseline level of understanding of the major players in and out of your organization is necessary before you begin remediating willy-nilly. Your team also needs to understand their internal role, the authority they have, and the responsibilities of their position within your team’s security posture. In short, your team’s processes need to be defined and clarified so everyone is aware of their duties.

The process of increasing your program’s visibility starts by dissecting events within your technologies and having a framework detailed and laid out for your team to utilize when detecting and responding to threats. Security operations center (SOC) teams also need a detailed understanding of the assets they’re protecting, the role of each group, etc.

By increasing visibility and solidifying processes for your entire team, you ensure your entire attack surface is continuously monitored and accounted for, strengthening your security posture and cutting down on MTTD and MTTR.

Enable Your Team with the Right Platform (*cough* PlexTrac *cough*)

Using technology to cut down on MTTD and MTTR — whether that’s with heaps of tools or with full blown platforms — is an integral part of many security organizations and SOCs. SOCs often work with an expansive list of tools. However, these tools are often disparate and siloed away from each other. Having a technology that centralizes all of this information is vital to maintaining full visibility and focusing on the right security work. This is where PlexTrac comes in.

PlexTrac is the perfect security platform to centralize all of your security findings in order to gain full visibility and collaborate on remediation. First, PlexTrac’s powerful Assessments module allows you to both identify and manage risks within your organization. Additionally, PlexTrac allows you to import scanner findings from external tools like Qualys, Nessus, Nexpose directly into the platform, thereby aggregating data from internal and external means into one all-encompassing ecosystem. The platform gives you a 360 degree view of your security posture, enabling your team to make empowered analytics-backed decisions on remediation.

PlexTrac truly is built to empower security pros of all disciplines to get the real security work done, cutting down on MTTD and MTTR.

But let us show instead of just tell! Book a demo with PlexTrac today to see our award-winning platform in action.
