
Mean time to detect (MTTD)

Learn more about how to improve and speed up mean time to detect (MTTD) with Contrast Application Detection and Response (ADR)


For Security Operations (SecOps) professionals and Security Operations Center (SOC) teams, having a low MTTD is crucial to their success. In order to have a low MTTD, it’s imperative to have solutions like Contrast ADR in their arsenal that are capable of quickly detecting anomalous behavior at the first stages of an attack.

What is Mean Time to Detect and what is it used for?

MTTD is a metric used primarily in cybersecurity and operations management to measure the average time it takes to identify or detect a security incident after it occurs. It is a key metric that helps assess how effectively an organization can detect incidents and respond to them, and it's typically used as part of continuous improvement efforts for cybersecurity defenses.

What MTTD is used for:

  • Application layer threat detection: SOC teams can use MTTD to measure how effectively they are able to detect attacks targeting the application layer. This can be especially useful for attacks that are exclusive to the application layer and that would not be detected by endpoint, network or even cloud detection solutions.
  • Security incident response: MTTD is commonly used in security operations to evaluate how quickly a security team or system can detect a potential threat, like an attack on a web application, data breach, malware attack or system intrusion. The quicker a threat is detected, the sooner it can be mitigated, reducing potential damage.
  • Improvement of detection processes: By analyzing MTTD, organizations can identify bottlenecks in their detection processes, helping to refine detection strategies, deploy better tools, or optimize workflows for faster identification of issues.

How is MTTD calculated?

MTTD is calculated by averaging the amount of time it takes to detect incidents or issues within a given period. To calculate MTTD, you need the detection time for each incident or event that occurred. Tools like Security Information and Event Management (SIEM) systems, monitoring platforms and incident response tools can help capture detection times automatically.

For example, let’s say an organization had three security incidents in a month. One was detected 30 minutes after the intrusion began, one 125 minutes after the fact and one in 10 minutes. In that month, the organization’s MTTD would have been (30 + 125 + 10) / 3 = 55 minutes.

There are nuances to consider when calculating MTTD, however. For one, SOC teams need to exclude incidents that were detected but turned out to be false positives, as they don't contribute to real detection times. Additionally, the time period during which MTTD is calculated should be consistent for meaningful comparisons.
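The calculation above, including the two nuances (false positives excluded, a consistent reporting period), as an added example that is not part of the original page or Contrast's own tooling; the incident records and timestamps are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Incident:
    name: str
    started_at: datetime       # when the intrusion is judged to have begun
    detected_at: datetime      # when the SOC first detected it
    false_positive: bool = False


def detection_time_minutes(inc: Incident) -> float:
    """Time from intrusion start to detection, in minutes."""
    delta = inc.detected_at - inc.started_at
    if delta < timedelta(0):
        raise ValueError(f"{inc.name}: detected before it started")
    return delta.total_seconds() / 60


def mttd_minutes(incidents):
    """Average detection time over real incidents only; None if there are none."""
    real = [i for i in incidents if not i.false_positive]
    if not real:
        return None
    return sum(detection_time_minutes(i) for i in real) / len(real)


def mttd_by_month(incidents):
    """MTTD per calendar month, so periods of equal length are compared."""
    buckets = defaultdict(list)
    for inc in incidents:
        buckets[inc.started_at.strftime("%Y-%m")].append(inc)
    return {month: mttd_minutes(group) for month, group in sorted(buckets.items())}


# Constructed sample: the page's three March incidents (30, 125 and 10 minutes),
# a false positive that must not count, and one April incident (40 minutes).
INCIDENTS = [
    Incident("web-app-injection", datetime(2024, 3, 3, 9, 0), datetime(2024, 3, 3, 9, 30)),
    Incident("credential-stuffing", datetime(2024, 3, 12, 22, 0), datetime(2024, 3, 13, 0, 5)),
    Incident("api-abuse", datetime(2024, 3, 20, 14, 0), datetime(2024, 3, 20, 14, 10)),
    Incident("scanner-noise", datetime(2024, 3, 21, 8, 0), datetime(2024, 3, 21, 8, 1), True),
    Incident("sql-injection", datetime(2024, 4, 2, 11, 0), datetime(2024, 4, 2, 11, 40)),
]

if __name__ == "__main__":
    print(mttd_by_month(INCIDENTS))  # {'2024-03': 55.0, '2024-04': 40.0}
```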

What is a good MTTD?

Ideally, an organization’s MTTD is as close to zero as possible. An MTTD of zero means that SOC teams are detecting attacks as they happen, in real time. 

But MTTD can be a highly subjective metric, dependent on the tools and expertise available. Overall, a low MTTD is often part of a proactive security strategy that helps prevent damage, while a high MTTD might indicate a need for stronger monitoring or improved detection mechanisms.

What are the benefits of using MTTD as a KPI?

For one, a shorter MTTD can minimize the time an incident or threat affects systems, users or operations. In addition, measuring MTTD can highlight areas where monitoring tools, processes or teams need improvement to detect incidents quicker.

Challenges with using Mean Time to Detect

While MTTD is an effective metric for many SecOps and SOC teams, it is not perfect.

  • MTTD is dependent on the tools in place. For example, it may be difficult to detect incidents that originate in the application layer if the organization doesn’t have tools in place designed to oversee and observe the application layer. As such, some organizations prefer Mean Time to Alert (MTTA) as it can be an alternative way to determine if the tools in place are working as intended.
  • Calculating MTTD depends on when the incidents in question are determined to have actually started. That determination is contextual and depends on the tools in place, the kind of attack and similar factors; because different attacks unfold so differently, pinning down the start time can be challenging.
  • Some organizations prefer to focus less on detection and more on response and remediation, and so may prefer using a metric like MTTR over MTTD to determine security effectiveness.

How to lower MTTD

To lower MTTD, SOC teams should invest in automation, advanced detection tools and continuous monitoring, while also focusing on improved team training, improving alert prioritization and using threat intelligence feeds. A proactive approach, backed by technology and trained personnel, is key to identifying incidents and threats as quickly as possible, reducing the overall detection time.

Investing in faster detection on a layer where detection capabilities already exist yields only marginal improvements. For example, cutting the time to detect ransomware on an endpoint from 10 seconds to 5 seconds does little to make an organization more secure. Adding an entirely new layer of detection can be far more impactful: detecting an attack at a different stage gives the SOC a head start.

And as attacks on the application layer increase, it’s imperative that SecOps teams use more effective tooling designed to detect anomalous behavior targeting applications and APIs in real time. This is where Contrast ADR comes into play. Instrumented inside applications, Contrast ADR can detect attacks in real time, even zero-day exploits, and alert SOC teams through their SIEM.
