Measuring performance is essential for any team, but knowing exactly what to measure, how to measure it, and what the result means in practice is the key to building an effective team.
Take ‘MTTR’, a commonly used metric in cyber security which can have different meanings depending on who you ask and what is important to the team measuring it. A quick Google search turns up articles on Mean Time to Repair, Recover, Respond and Remediate, each of which is defined and measured quite differently.
So, what is MTTR in cybersecurity?
Depending on the long-form version of this acronym, the definition differs:
- Mean time to repair – the average time taken to repair a product or system once it has failed.
- Mean time to recovery – the average time for a product or system to return to normal operation after a failure.
- Mean time to respond – the average time from the moment you are first alerted to a failure (or incident) until it is resolved, so it includes triage and containment as well as the fix itself.
- Mean time to remediate – the average time it takes an organisation to neutralise an identified risk, threat or failure within its network environment.
Which of these metrics you choose to focus on will depend on what is important in the context of your team's work. Often for NOC teams the focus is on system recovery, whilst for SOC teams response times might be more important. Whichever variant you use, state explicitly where the clock starts (a change being made, an alert firing, a ticket being opened) and where it stops, otherwise figures from different teams cannot be compared.
MTTR and Proactive Security
Repair, response and recovery are vitally important metrics when it comes to incident response. Reducing each of them is essential to getting systems back up and running quickly, and safely.
But with the shift to Proactive Security on the horizon for many cyber teams, fixing vulnerabilities and misconfigurations before they are exploited requires a focus on reducing the mean time to remediate. As the old adage goes, an ‘ounce of prevention is worth a pound of cure’: preventing incidents from occurring in the first place means there is no exploitation to respond to or recover from. This is why Titania uses MTTR in the ‘remediate’ sense, and why our solutions focus on detailed configuration analysis that informs remediation workflows, to help close network security gaps before they are exploited.
Interestingly, our Nipper Enterprise solution is also now being considered by incident response teams that need a historical view of security posture to inform how an attack might have spread across the network from the time of the first indicator of compromise. This analysis and insight supports improvements in the other versions of the MTTR acronym too.
How can Nipper Enterprise support proactive security and help reduce MTTR?
Proactively assessing that networking devices – routers, switches and firewalls – remain secure whenever a configuration changes is one of the most effective ways to reduce MTTR. The configuration of network devices can change through planned or unplanned activity, and these changes, whether accidental or malicious, may leave the network vulnerable to attack. For example, an attacker might first undermine accountability by switching off audit logging to hide what they do next, which might be to open up a firewall rule or create a new interface to suit their mission, e.g. to gain access to a critical network segment.
So it is essential to proactively assess any change, to check that the network remains secure.
Nipper Enterprise’s proactive assessment not only automates that check when a config change is identified; in certain deployments it also provides visibility of that change (a possible indicator of compromise) in the first place, and can report where your network is non-compliant with a security standard or at risk from a real-world threat.
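To make the kind of check described above concrete, here is an added illustration in Python. It is not Nipper's code or Titania's method; it diffs two constructed, simplified IOS-style configuration snapshots and flags the security-relevant changes from the example scenario (audit logging and accounting removed, an unrestricted permit rule added, a new interface created). The rule list is illustrative and would need to be far larger for real devices.

```python
"""Flag security-relevant changes between two snapshots of a network
device configuration. Added example; the configs are constructed,
simplified IOS-style text and the rules are illustrative only."""
import difflib
import re
from dataclasses import dataclass

# Constructed "before" snapshot: remote logging and AAA accounting are on,
# and the edge ACL only permits established return traffic.
CONFIG_BEFORE = """\
hostname edge-fw-1
logging host 10.0.0.50
logging trap informational
aaa accounting exec default start-stop group tacacs+
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip access-group EDGE-IN in
ip access-list extended EDGE-IN
 permit tcp any 203.0.113.0 0.0.0.255 established
 deny ip any any log
"""

# Constructed "after" snapshot: logging and accounting disabled, a
# permit-any rule inserted, and a new interface into another segment.
CONFIG_AFTER = """\
hostname edge-fw-1
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip access-group EDGE-IN in
interface GigabitEthernet0/1
 ip address 10.10.99.1 255.255.255.0
ip access-list extended EDGE-IN
 permit ip any any
 permit tcp any 203.0.113.0 0.0.0.255 established
 deny ip any any log
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    change: str    # "-" the line was removed, "+" the line was added
    line: str
    reason: str


# (direction, regex, severity, reason). Direction "-" means the line
# disappearing is the problem; "+" means the line appearing is.
RULES = [
    ("-", r"^logging (host|trap)\b", "high", "audit logging reduced or disabled"),
    ("-", r"^aaa accounting\b", "high", "AAA accounting removed"),
    ("+", r"^\s*permit ip any any\b", "high", "unrestricted permit rule added"),
    ("-", r"^\s*deny ip any any log\b", "medium", "logged deny-all removed"),
    ("+", r"^interface \S+", "medium", "new interface created"),
]


def config_lines(text: str) -> list[str]:
    """Normalise a config: drop blank lines and '!' comment separators."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("!")]


def assess_change(before: str, after: str) -> list[Finding]:
    """Diff two snapshots and return rule hits, high severity first."""
    findings = []
    diff = difflib.unified_diff(config_lines(before), config_lines(after),
                                lineterm="", n=0)
    for raw in diff:
        if raw.startswith(("---", "+++", "@@")):
            continue  # skip unified-diff headers, keep only +/- lines
        sign, line = raw[0], raw[1:]
        for direction, pattern, severity, reason in RULES:
            if sign == direction and re.search(pattern, line):
                findings.append(Finding(severity, sign, line.strip(), reason))
    findings.sort(key=lambda f: (f.severity != "high", f.line))
    return findings


if __name__ == "__main__":
    for f in assess_change(CONFIG_BEFORE, CONFIG_AFTER):
        print(f"[{f.severity.upper()}] {f.change} {f.line}  ({f.reason})")
```

Run against the two constructed snapshots, the script reports four high-severity findings (both logging lines and the accounting line removed, the `permit ip any any` rule added) and one medium finding for the new interface; a change that only renames the host produces nothing. In practice the interesting part is wiring this to the event that signals a change (a syslog config-change message, a pulled backup differing from the last one) so the assessment runs at the moment the clock for remediation starts.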
The real power of Nipper solutions when it comes to reducing MTTR, however, is in the detailed configuration analysis that informs remediation workflows, to help shut down any detected threats in time to defend the network.