Email Security

    Reduce Dwell Time by Integrating Security Controls Via Open APIs

    You can’t prevent every intrusion. But you can recognize and eradicate them sooner if your security tools work seamlessly together and share data via open, standardized APIs. 

    by Bill Camarda

    Key Points

    • It takes nine months to identify and shut down the average intrusion—and that’s far too long.
    • Effective threat hunting requires well-orchestrated data sharing and workflows that integrate all your key security technologies.
    • Open, well-documented, and standardized APIs facilitate this integration.

    Security organizations know they can’t count on keeping bad actors out of their networks and systems 100% of the time. But they can limit the damage intruders cause by reducing the amount of time they can roam the network unnoticed and unhindered.

    That’s why “dwell time” is becoming a core metric for tracking and improving cyber resilience. It’s why many security organizations are focused on integrating controls into a unified system that can be orchestrated for smarter, speedier response. And it’s also why they’re increasingly recognizing the importance of open APIs when they invest in new security technologies.

    Dwell Time: Bad, and Not Improving (Yet)

    Dwell time measures the time from when a threat actor enters a network without authorization to the attack’s eradication. One of the industry’s most respected measurements of dwell time trends is in the Ponemon Institute’s annual Cost of a Data Breach reports. Reflecting breaches through April 2020, Ponemon says the average time to identify and contain a breach is now 280 days—and it’s gotten worse in the past two years.[1]

    CISOs and their colleagues know lengthy dwell time has been a factor in many high-profile breaches, including those at Equifax and the U.S. government’s GAO/Office of Personnel Management. Mimecast Principal Security Strategist Matthew Gardiner lived through one of the earliest of these. Back in March 2011, he was at RSA—provider of mission-critical cryptography solutions to many of the world’s most security-sensitive organizations—when it discovered a critical breach. “We scrambled to understand what was going on, but because our data wasn’t well integrated, we took longer than we should have—and if we figured it out an hour or two earlier, we could have prevented the damage.”

    Nowadays, of course, systems, attacks, and defenses are all more complex and diverse than they were in 2011. Security organizations have brought on new tools: according to Rapid7, the average organization now has to manage 57 of them. Many weren’t originally designed to be integrated. That can make it difficult or impossible to quickly identify patterns if fragmentary signs of a threat begin appearing in multiple systems. SOAR and related tools can help centralize threat hunting and investigations, but only if they can easily access data and insights being captured by other tools already in place. It can also be difficult to build efficient workflows that combine inputs and outputs from multiple systems which weren’t built for that.

    The Advantages of Open APIs

    Pre-built integrations offer a partial solution. However, as KPN Senior Platform Engineer Marius Iversen recently pointed out, they may not integrate all the tools you care about, support all the functionality you need, be extensible, or support new software versions when they’re introduced.[2]

    That’s where open APIs come in. If a security technology provider exposes its capabilities via a well-documented and comprehensive API, you can build your own integrations when necessary, work with a SOAR or SIEM partner to do so, or extend and maintain pre-built integrations created with that API.

    So, for example, if you discover that a user has been compromised, you can use the API to centrally instruct your email gateway to immediately prevent that user from sending any outbound emails, thereby safeguarding against data loss. Conversely, you might automate the forwarding of logged email receipt, processing, delivery, and clicked-link events from the email gateway to an enterprise security analytics system such as Splunk.
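    A minimal orchestration playbook in the spirit of the workflow just described, added here as an illustration and not Mimecast's or any vendor's code: it correlates a gateway clicked-link event with a high-severity endpoint alert for the same user, builds the REST call that would tell the gateway to block that user's outbound mail, and wraps gateway events in Splunk's HTTP Event Collector envelope. The gateway endpoint, the event field names and the sample events are constructed assumptions; only the HEC envelope shape is real.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): one gateway clicked-link
# event, one routine delivery event, and one EDR alert for the same user.
EMAIL_EVENTS = [
    {"type": "clicked_link", "user": "alice@example.com",
     "url": "http://bad.example/x", "ts": "2020-04-01T10:00:00+00:00"},
    {"type": "delivery", "user": "bob@example.com", "ts": "2020-04-01T10:05:00+00:00"},
]
EDR_ALERTS = [
    {"host": "alice-laptop", "user": "alice@example.com", "severity": "high",
     "ts": "2020-04-01T10:20:00+00:00"},
]

def correlate(email_events, edr_alerts, window=timedelta(hours=1)):
    """Users who clicked a link and then raised a high-severity EDR alert within `window`."""
    clicks = {}
    for e in email_events:
        if e["type"] == "clicked_link":
            clicks.setdefault(e["user"], []).append(datetime.fromisoformat(e["ts"]))
    compromised = set()
    for a in edr_alerts:
        if a["severity"] != "high":
            continue
        a_ts = datetime.fromisoformat(a["ts"])
        # The alert must follow the click; earlier alerts are unrelated.
        if any(timedelta(0) <= a_ts - c_ts <= window for c_ts in clicks.get(a["user"], [])):
            compromised.add(a["user"])
    return compromised

def block_outbound_request(user, base_url="https://gateway.example/api"):
    """Build the REST call for a hypothetical gateway endpoint that stops outbound mail for `user`."""
    return {"method": "POST", "url": f"{base_url}/policies/block-outbound",
            "body": json.dumps({"user": user, "reason": "compromised-account"})}

def to_splunk_hec(event, sourcetype="email:gateway"):
    """Wrap a gateway event in the envelope Splunk's HTTP Event Collector accepts."""
    return {"time": datetime.fromisoformat(event["ts"]).timestamp(),
            "sourcetype": sourcetype, "event": event}

def run_playbook(email_events, edr_alerts):
    """Return (containment requests to send, events to forward) without sending anything."""
    users = correlate(email_events, edr_alerts)
    actions = [block_outbound_request(u) for u in sorted(users)]
    forwarded = [to_splunk_hec(e) for e in email_events]
    return actions, forwarded
```

The playbook returns the requests instead of sending them, so a SOAR runner can review or dry-run the containment step before it touches the gateway.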

    Open APIs can streamline tasks ranging from searching message archives and updating managed senders and URLs to reconfiguring policies and managing the customer lifecycle. Some of these tasks can help you correlate events and recognize intrusions sooner; others can help you respond and end the attack faster.

    Of course, not all APIs are equally helpful. Ask: does the provider’s API expose all the functionality you need, via familiar approaches such as REST and JSON? And is it thoroughly documented and well supported, so your developers can make the most of it? If so, that API may help you drive more value from security infrastructure, shorten dwell time, and protect more of what matters to you.

    The Bottom Line

    Shortening dwell time is essential to cyber resilience. It requires improving integration across all your security tools, so your threat hunters can leverage all the information you’re capturing and recognize attacks more rapidly. Open APIs offer powerful advantages for integrating diverse security tools into a coherent system that supports flexible and fast response.
