Most incident response teams measure both MTTD and MTTR to not only shorten attackers’ dwell times in their systems but also to gauge the team’s readiness to combat future security incidents and then optimize response times.
Mean time to detect (also known as mean time to discover or MTTD) is the average timespan between when a security incident begins and when your teams detect it. Knowing exactly how long it took your systems to discover an invader is key; it can help you gauge the effectiveness of your enterprise’s monitoring and vulnerability detection systems.
What is MTTR?
Mean time to resolution (also called mean time to respond or MTTR) is the average interval between detecting an incident and remediating it. MTTR is generally a measure of how efficient your teams and incident response plan are at containing and remediating cyber threats once detected.
Based on the understanding that the affected system component is repairable, MTTR is different from mean time to failure (MTTF), which is the expected timeframe of an irreparable system component’s failure.
Regardless of how good your security posture and your security solutions are, you can’t completely eliminate your risk of getting attacked, though you can reduce it to the bare minimum. If exploited, vulnerabilities could result in heavy losses. That’s why it’s paramount to pay close attention to metrics that give you insights into how quickly your systems, monitoring tools, and security teams can detect and resolve major incidents (MTTD and MTTR).
Should the unexpected happen, measuring the process of detecting and remediating issues—that is, incident response (IR)—can impact the scale of an attack. Fast and smoothly executed incident response processes can minimize the blast radius of an attack, limit the amount of sensitive data an attacker is able to collect, and reduce the business impact of an attack.
With this in mind, most incident response teams measure both MTTD and MTTR to not only shorten attackers’ dwell times in their systems but also to gauge the team’s readiness to combat future security incidents and then optimize response times.
MTTD and MTTR provide valuable insights that help your enterprise make smart, strategic choices:
MTTD and MTTR serve as statistical evidence of how efficacious your security solution is at detecting and resolving threats, revealing your security / software partners’ true ROI—or lack thereof. You don't want to be stuck with a system that detects threat actors after days or weeks of invasion, especially if what could have been reduced to a minor incident (with early detection) has become a disastrous breach.
Your MTTD and MTTR can also give you insight into the duration of security incidents and how this duration impacts your overall system availability, reliability, and user experience (UX). When attacks are detected and remediated quickly, you typically have lower MTTD and MTTR scores, which translate to more uptime, improved security posture, and better UX.
Finally, by the time news of your system compromise spreads, as it often does in such instances, your ability to detect and resolve the incident quickly can prove your dedication to securing customers’ sensitive data, further earning their trust.
Now that you know why you should track MTTD and MTTR, here’s a step-by-step guide to measuring both.
Mean time to detect
To measure MTTD, add the total period of time it takes to detect all incidents over a specific timeframe (typically a quarter or a year) and divide by the number of incidents:
MTTD = total time to detect incidents ÷ number of incidents
Mean time to resolution
To measure MTTR, add the total resolution time spent on all security incidents (from incident discovery to remediation, including downtime, if any) and divide by the total number of incidents resolved within the specific period.
MTTR = total time to resolve incidents ÷ number of incidents
So what do you do with these figures?
The whole point of measuring MTTD and MTTR is to take steps to reduce them to the bare minimum, possibly to a handful of minutes. Consider the Microsoft Midnight Blizzard attack, which began sometime in November 2023 and was discovered by the Microsoft Security Team on January 12, 2024. The MTTD for this attack was approximately two months!
During this time, the attackers successfully moved laterally within Microsoft’s systems and exfiltrated various secrets from corporate email systems. While Microsoft has since taken steps to resolve the incident, the attack could have been reduced to a minor breach if it had been detected swiftly. Essentially, a low MTTD and MTTR would have ensured that Microsoft’s adversaries were expunged almost instantly, before they had the opportunity to do any real damage.
Reducing your MTTD and MTTR requires a concerted effort from all departments in your enterprise. Below are seven strategies that can help.
1. Understand the cyberattacks your enterprise is most prone to
A basic understanding of the most common cyberattacks in your industry can help you strengthen your defense. This includes identifying your most sensitive assets and knowing the common attack vectors. For example, the financial and healthcare service industries are some of the most common targets for ransomware and injection attacks due to the sensitive data they handle. By understanding the tactics, techniques, and procedures (TTPs) of these attacks, enterprises in both industries can better set up monitoring and alerting systems to detect and thwart them faster.
2. Understand what “normal” means for your organization
As cyberattacks are generally designed to evade detection, the only way to discover them promptly is to understand what passes as normal and anomalous in your organization. Being able to differentiate will make even the most inconspicuous anomaly stand out so that your security teams can work on resolving it immediately.
3. Beef up your incident response (IR) plan
A common reason for high MTTRs is poorly planned or implemented IR plans. An ideal incident response plan must specify in clear terms what should be done when a security incident is discovered. It should define team roles, stating what each team member is expected to do. And it should contain a concise roadmap of authority, specifying who has access to what and who has the final say on what. Your IR plan needs to be clear about what should be done depending on the severity level of the attack.
Make sure all stakeholders are aware of the content of the IR plan. This knowledge helps streamline decision-making at a time when tensions are high and a single wrong decision can escalate the cost of an attack.
If your enterprise struggles with creating a concise and actionable IR plan (as most do), you can leverage a predesigned incident response template and adapt it to suit your unique use case.
4. Implement vulnerability scanning and penetration testing
Invest in vulnerability scanning tools with advanced threat hunting and real-time monitoring capabilities to help you detect threats and vulnerabilities almost instantaneously. But don’t stop there. Test both your IR plan and vulnerability scanner to see how effective they are. You can do this by running penetration tests to simulate real-life attack scenarios.
Take note of how quickly the tool alerts your teams on the “attack” and how swiftly your teams contain/resolve the issue. This will give you an idea of your current MTTD and MTTR and how to improve them.
5. Use a unified security tool
If your security teams have to constantly juggle a diverse set of security tools, you most likely experience high MTTD and MTTR. For one, it means a single tool cannot cover your entire cloud, and what one tool considers an anomaly may be a norm to the other, leaving your security teams fighting to get even one step behind an attacker.
On the other hand, a unified cloud solution that offers prevention, detection, and response capabilities will lower your MTTD and MTTR. You can slash your MTTD and MTTR if the solution you choose serves as a singular source of truth for your entire cloud, providing your security and IR teams with a comprehensive view of threats, vulnerabilities, and possible solutions in a single dashboard.
6. Conduct security awareness trainings
Teach your staff how to avoid being the weak link who lets threat actors access your systems. Additionally, train key stakeholders on the latest vulnerabilities/attack methodologies and how to remediate them. Comprehensive training will ensure that they are always ready to combat attacks—and do it fast.
7. Continuously measure
Shrinking your MTTD and MTTR is not a one-time thing; it is a cyclical process that must continue to evolve as the threat landscape becomes more sophisticated. Repeatedly apply the above-mentioned best practices, measure your progress, and keep track of areas of improvement.
The best practices we’ve covered don’t have to be daunting because Wiz is here to help. Wiz CDR is just what you need to drive down your MTTD and MTTR. Here’s how it works from monitoring to detection to resolution.
Monitoring
IR is a last line of defense. Wiz proactively prevents cyberattacks by detecting misconfigurations and software vulnerabilities and simulating possible attack paths in your systems before they are exploited.
MTTD
Detect anomalies faster: Wiz CDR collects runtime, control plane, data, network, and identity logs and uses them to learn your unique patterns—helping you distinguish between normal and anomalous activities. Wiz CDR detects known and unknown threats including malware, container escape, code injection, lateral movement, data exfiltration and a host of other attacks.
Get rid of blind spots: The Wiz Runtime Sensor provides real-time visibility into your entire workload: apps, running processes, databases, containers, hosts, APIs, serverless environments, and workload configurations. It then presents all scan results in a unified monitoring dashboard for faster threat detection.
Reduce alert fatigue: Using intelligence from anomaly detection and CNAPP context, Wiz assigns criticality to threats to help your teams eliminate noise and focus on the most important incidents first.
MTTR
Let Wiz take some of the load off: Wiz can automatically isolate affected systems, prevent lateral movement, and resolve issues like excessive permissions to contain the attack.
Go deeper with Wiz: Digital Forensics allows you to correlate threats with user activity, map out attack paths, and extract compromised workloads for in-depth analysis, driving down the root cause analysis timespan from days/weeks to minutes—without affecting app performance.
See Your Cloud Activities Come to Life
Schedule a demo to learn how Wiz can detect and analyze threats in context so that you can prioritize, investigate, and respond quickly to the right risks.
Application detection and response (ADR) is an approach to application security that centers on identifying and mitigating threats at the application layer.
Secure coding is the practice of developing software that is resistant to security vulnerabilities by applying security best practices, techniques, and tools early in development.
Secure SDLC (SSDLC) is a framework for enhancing software security by integrating security designs, tools, and processes across the entire development lifecycle.
DAST, or dynamic application security testing, is a testing approach that involves testing an application for different runtime vulnerabilities that come up only when the application is fully functional.
Defense in depth (DiD)—also known as layered defense—is a cybersecurity strategy that aims to safeguard data, networks, systems, and IT assets by using multiple layers of security controls.