Holy Grail of Cyber Security
Have you ever heard of something that truly changed your view of the world?
Back in December 2019, I took "SEC 530 - Defensible Security Architecture". This course covered various topics, from zero trust architecture to network monitoring. It was while doing this course, somewhere amongst the 500+ pages of material, that one page in particular caught my attention.
The page was called "Time-Based Security", and it has revolutionised my thinking on Cyber Security.
Time-Based Security
The page titled "Time-Based Security" was shoehorned between "Purple Teaming" and "the broken window mentality". It was just one of the many suggested "winning" security techniques a defender could use.
The slide was simple: it had a picture of an old book, and underneath it was this equation:
P > D + R
It simply read that this was a reproducible method to understand how much "security" a product or technology provides.
Where:
P - How long our protection will hold back an adversary
D - How long it will take us to detect
R - How long it will take us to respond
Now for me, this was love at first sight. Right here was a Holy Grail.
Unfortunately, the course never mentioned or referenced the slide again. But there was something magical about that slide that stuck with me. Perhaps it was my experience as a network defender, dealing with network breaches daily, that let me see the merits of that formula.
The Theory
Imagine that an attacker is exfiltrating data from your network, and their access to your files has triggered an alert.
Now, that attacker will take 10 minutes to exfiltrate all your files. That 10-minute period is your P-value.
Your defender will take 5 minutes to review and understand the alert. That 5-minute period is your D-value.
Your defender then takes a further 6 minutes to perform the necessary actions to disable the attacker, effectively kicking them off the network. That 6-minute period is your R-value.
Using the formula, it is easy to see that the attacker wins every time: P is 10 minutes, D + R is 11 minutes, so P > D + R does not hold. Even though the defender has done the challenging work of putting in defences, detections and response plans, it still isn't enough!
The Holy Grail
By measuring security in terms of time, we can position ourselves to detect the attack and respond to it before it breaches our defences, so we remain free from impact.
The credit for this simple formula goes to the cyber legend Winn Schwartau, who came up with this revolutionary idea in 1999 in the book entitled "Time-Based Security".
According to CrowdStrike, it takes on average 1hr and 58 minutes for an attacker to move from initial access to lateral movement. That is the average P-time across our industry.
Now think about your network.
How long will it take you to raise a block request? Or to get an engineering team on a call to explain an alert? What is your company's average response time for a detection?
No one said the Holy Grail had a nice taste!
I base a lot of my thinking on this formula, and it has shaped how I approach security. I've used this thinking to build my SOC's playbooks. I've used it to determine which security controls to put in. And in my opinion, it works exceptionally well at identifying the snake oil present in our industry.
Kind Regards
LR