Sponsored Content

MTTD and MTTR: Two Metrics to Improve Your Cybersecurity


While there are dozens of metrics available to determine success, there are two key cybersecurity performance indicators every organization should monitor.

For any organization to protect itself from cyberattacks and data breaches, it’s critical to discover and respond to cyber threats as quickly as possible. Shutting the window of vulnerabilities promptly makes the difference between a mild compromise and a catastrophic data breach. Understanding your ability to do so gives your organization a powerful way to determine holes in your defenses and areas where your team needs to improve.

MTTD and MTTR Explained

While there are dozens of metrics available to determine success, here are two key cybersecurity performance indicators every organization should monitor.

  • Mean Time to Detect (MTTD): Your MTTD is the average time it takes to discover a security threat or incident.
  • Mean Time to Respond (MTTR): Your MTTR measures the average time it takes to control and remediate a threat.

Your MTTD and MTTR depend on a number of factors, including the size and complexity of your network, the size and expertise of your IT staff, your industry, and more. And different companies measure things in different ways. There are no industry-standard approaches to measuring MTTD and MTTR, so granular comparisons between organizations can be problematic apples-vs-oranges affairs.

According to the SANS 2019 Incident Response survey, 52.6% of organizations had an MTTD of less than 24 hours, while 81.4% had an MTTD of 30 days or less.

Once an incident is detected, 67% of organizations report an MTTR of less than 24 hours, with that number increasing to 95.8% when measuring an MTTR of less than 30 days. However, according to the Verizon Data Breach Investigations Report, 56% of breaches took months or longer to discover at all. That’s an incredible amount of time for the bad guys to be inside of your perimeter while preparing to exfiltrate your data.

How to Improve MTTD and MTTR

Measuring and improving MTTD and MTTR is easier said than done. The fact is that many businesses work with IT teams that are stretched thin and often lack cybersecurity expertise. Meanwhile, they face ever-more sophisticated attacks stemming from well-funded criminal networks or malicious nation-state actors. That said, there are a number of things every organization can do to drive down its MTTD and MTTR.

Start with a plan: Create an incident response plan in advance of potential attacks to identify and define stakeholder responsibilities so the entire team knows what to do when an attack occurs. This plan can define your processes and services used to detect these threats. As you get a few incidents under your belt, review your plan to look for areas for improvement that can reduce MTTD and MTTR.

Conduct regular cybersecurity training: Cybersecurity isn’t simply an IT issue—people are frequently the weakest link. Employees may facilitate a compromise by clicking malicious emails or links that install ransomware, viruses, and other malware. In addition, non-technical company leaders may not grasp the risk of cyberattacks, which keeps them from providing sufficient budget and resources IT needs to be effective. The more educated the entire company becomes about cybersecurity, the more prepared it will be to both prevent and respond to attacks. To be effective, education is an ongoing process rather than “one and done.”

Level up to Reduce MTTD and MTTR

A security operations center (SOC) such as the Arctic Wolf SOC-as-a-service can extend the capabilities of your IT team by providing 24/7, real-time monitoring of your on-premise and cloud resources. This will help you see if, when, and where an attack occurs, vastly reducing your MTTD. Meanwhile, Arctic Wolf’s Concierge Security™ Team can help reduce MTTR by providing expert advice to help navigate incident response.

Learn more about how SOC-as-as-service can protect your organization.

Suggested articles