Mean time-to-detect (MTTD) measures the amount of time it takes for an organization to discover a security incident. The lower this metric is, the faster and more reliable its detection systems are. Early detection makes a significant difference in the overall cost of incident response.
As a strategic key performance indicator, keeping the MTTD metric as low as possible is a major goal for many security leaders. The longer a security issue goes unnoticed, the greater the risk it represents.
MTTD only addresses the amount of time that passes between a security failure and the moment that failure is discovered. It doesn’t address the average time it takes to address security incidents or remediate damage.
That means measuring your team’s MTTD covers only one part of your overall security posture. It shows the average time to detection but gives no information about what happens afterward.
Modern organizations pursue security initiatives to improve MTTD so they can improve discovery time and gain a deep understanding of their incident management process. MTTD can be included in continuous improvement programs and compliance reports, where reducing average detection time is a key goal.
The longer a data breach takes to contain, the greater its overall cost can be. According to some reports, it takes an average of 212 days to detect a data breach. Letting threat actors conduct operations against you for such an extended period of time is a clear and serious risk.
This kind of time frame allows threat actors to conduct lateral movement and plan elaborate attacks against multiple network assets at once. Data breaches that look like separate incidents may in fact be sophisticated attacks that rely on multiple consecutive system failures.
Comprehensive monitoring provides security teams with the ability to detect and investigate these issues. However, the amount of time that goes into investigation grows longer as the incident becomes more complex. Lowering your organization’s MTTD metric streamlines the incident response process, making it easier to secure the entire IT environment in a cost-effective way.
To calculate MTTD, you need to know how much time elapsed between the moment a security breach occurred and the moment it was detected. That means analyzing activity logs of actual incidents when they occur and comparing the data.
For example, imagine your company experienced five cybersecurity incidents in the last quarter. Two events took 30 minutes to discover, one took 35 minutes, another took 45 minutes, and the last one took two hours.
Your MTTD for this period would be:
The calculation is simple, but getting access to that kind of data is not always easy. Most organizations use a Security Information and Event Management (SIEM) platform to gain access to this kind of data. A full-featured SIEM will help you automatically gather the data you need to conduct a complete analysis.
Some organizations may calculate more than one MTTD. For instance, if the security team groups incidents by severity, it may have a different score for low-severity incidents compared to critical risks. This can add complexity to the results, but it may also generate valuable insights.
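As an added illustration (not code from the original article), the calculation described above, run over a constructed set of five incidents with the same detection times as the example, plus the per-severity breakdown just mentioned. The record layout, field names and timestamps are assumptions; a real team would pull these from SIEM case records.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median

# Constructed sample case records (not from any real environment).
# "occurred" is the start of the compromise as established by the
# investigation; "detected" is when the alert fired or the case was opened.
INCIDENTS = [
    {"id": "INC-1", "severity": "low",      "occurred": "2024-01-03T09:00:00", "detected": "2024-01-03T09:30:00"},
    {"id": "INC-2", "severity": "low",      "occurred": "2024-01-10T14:00:00", "detected": "2024-01-10T14:30:00"},
    {"id": "INC-3", "severity": "medium",   "occurred": "2024-02-02T11:00:00", "detected": "2024-02-02T11:35:00"},
    {"id": "INC-4", "severity": "medium",   "occurred": "2024-02-20T08:00:00", "detected": "2024-02-20T08:45:00"},
    {"id": "INC-5", "severity": "critical", "occurred": "2024-03-15T22:00:00", "detected": "2024-03-16T00:00:00"},
]


def detection_delay_minutes(incident):
    """Minutes between the start of the compromise and its discovery."""
    occurred = datetime.fromisoformat(incident["occurred"])
    detected = datetime.fromisoformat(incident["detected"])
    delay = detected - occurred
    if delay < timedelta(0):
        # A negative delay means the timeline data is wrong; do not average it in.
        raise ValueError(f"{incident['id']}: detected before it occurred")
    return delay.total_seconds() / 60


def mttd_minutes(incidents):
    """Mean time-to-detect over a set of incidents, in minutes (None if empty)."""
    if not incidents:
        return None
    return mean(detection_delay_minutes(i) for i in incidents)


def median_ttd_minutes(incidents):
    """Median detection time; worth reporting beside the mean, which one slow
    detection can pull upward."""
    if not incidents:
        return None
    return median(detection_delay_minutes(i) for i in incidents)


def mttd_by_severity(incidents):
    """One MTTD per severity tier, for teams that score tiers separately."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc["severity"]].append(inc)
    return {sev: mttd_minutes(group) for sev, group in groups.items()}


if __name__ == "__main__":
    print(f"Overall MTTD: {mttd_minutes(INCIDENTS):.1f} min "
          f"(median {median_ttd_minutes(INCIDENTS):.1f} min)")
    for sev, value in mttd_by_severity(INCIDENTS).items():
        print(f"  {sev:>8}: {value:.1f} min")
```

On this sample the single two-hour detection lifts the mean to 52 minutes while the median stays at 35, which is why reporting both, or splitting by severity, gives a truer picture.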
Security leaders that want to make their incident response plans more efficient can reduce MTTD by investing in security solutions that improve their detection capabilities. Some of the ways organizations successfully improve their MTTD include:
The concept behind MTTD is simple, but successfully reducing it can be difficult in practice. Some of the issues that prevent security teams from successfully improving incident management metrics like MTTD include:
MTTD is not the only incident response metric security leaders capture and report on. It doesn’t include the amount of time it takes to successfully remediate incidents or mitigate threats. To do that, the team must collect and analyze Mean Time-to-Respond (MTTR) data.
Together, these two metrics provide a solid understanding of the organization’s overall exposure to security risks. Leaders who capture and analyze this data are in an ideal position to continuously improve security performance over time.