Making the 1-10-60 Rule a Reality
In today’s digitally-transformed world, developers can spin workloads up and down in a matter of minutes. Despite the fleeting nature of these resources, threat actors can still use misconfigurations to exploit these as part of an attack. With time of the essence, the security operations center (SOC) needs to respond to new alerts quickly. Yet, the volume becomes overwhelming.
While the 1-10-60 rule remains a best practice for resiliency, many SOC teams find it a challenging task.
What is the 1-10-60 rule?
The 1-10-60 rule sets a “best practice” timeframe for security teams to detect, investigate, and respond to a threat actor from systems and networks based on breakout time.
Under the 1-10-60 rule, security teams should:
- Detect a new threat within 1 minute
- Investigate within 10 minutes
- Remediate the threat within 60 minutes
Fundamentally, this metric attempts to quantify an organization’s cyber resiliency. However, the time required to investigate across an organization’s expanding environment makes it challenging to reach these timeframes.
How long does the average investigation process take?
While most security teams want to achieve these best practices, they often struggle to do so. Security teams suffer from multiple challenges, not the least of which being information overload. Moreover, many legacy solutions that aggregate data increase rather than decrease the mean-time-to-investigate (MTTI).
A look at the Ponemon Cost of a Data Breach report notes that it takes:
- 280 days: average time to detect and contain a data breach
- 315 days: average time to detect and contain a data breach caused by a malicious attack
Across all attack types and industries, the story is the same. Security teams struggle to detect, investigate, and respond to data security incidents. A primary reason lies in the proliferation of tool sets and organizational data.
The impact of tools and data overload in meeting the 10-minute investigation and 60-second response benchmarks
As organizations adopted more cloud resources, the infrastructure generated more data. The more data, the more alerts security teams need to review and investigate. As infrastructures generate more alerts, the number of false positives increase as well. Ultimately, SOC teams become overwhelmed.
Even if security tools never supplied false positive alerts, managing the investigation process in under ten minutes is challenging on its own. SOC teams struggle to investigate these alerts in a timely fashion because the amount of data and number of security technologies used to investigate incidents increased as well.
The struggle to investigate quickly is real. According to Critical Start’s 2021 Research Report, “The Impact of Security Alert Overload”:
- 80% of organizations investigate at least 10 alerts daily
- Majority of respondents require between 10 to 30+ minutes analyzing each alert
SOC teams struggle because they need to sort through more data to investigate alerts, but they also need to research in more places. Case in point, Ponemon’s “Cyber Resilient Organization” report found:
- 30% of organizations use 50+ separate security technologies
- 45% of organizations use 20+ tools to investigate and respond to incidents
Collecting security investigation data from divergent sources and tools creates complex environments that is inhibiting efficiency.
Getting to “1-10-60” with a security investigations control plane
SOC teams need tools built for digital transformation—ones that understand how to navigate distributed cloud and on-premises infrastructures.
Security teams need tools that help them answer important questions quickly. This requires a paradigm shift away from traditional “collect and aggregate” approaches. To meet the 10-minute investigation benchmark, security teams need efficient solutions that let them easily investigate across their environment.
With everything so decentralized, they need solutions that embrace decentralization and provide full visibility, analysis, and action for their entire infrastructure, without centralizing the data.
To enhance security, organizations need to provide their teams with solutions that enable teams to:
- Access security data no matter where it resides
- Investigate using a control plane that serves as the connective tissue and provides real-time federated search across all systems
- Respond with actions that can be initiated from a single console to tell any of the security tools in the environment what to do, such as isolate a host or initiate a password reset
This approach gives SOC teams a security investigations control plane. It eliminates swivel chair processes and tool pivots that collapses the investigation process, letting teams focus on asking the right questions to contain the threat. Equally important, it gives teams a way to leverage these investigative capabilities while also providing a unified response back from all their tools, so that they can respond within the 60-second goal.
With the full range of capabilities that a security investigations control plane offers, security teams can meet this critically important benchmark.
Query.AI provides the market’s only security investigations control plane for modern enterprises. Our patented browser-based platform delivers real-time access and centralized insights to data across your on-premises, multi-cloud, and SaaS applications, without duplicating it from its native locations.
Query.AI provides a simple and effective way to meet your security investigation and response goals while simultaneously reducing costs.