The Missing Trends in M-Trends 2017
FireEye released the 2017 edition of the Mandiant M-Trends report yesterday. I've been a fan of this report since the 2010 edition, before I worked at the company.
Curiously for a report with the name "trends" in the title, this and all other editions do not publish the sorts of yearly trends I would expect. This post will address that limitation.
The report is most famous for its "dwell time" metric, which is the median (not average, or "mean") number of days an intruder spends inside a target company until he is discovered.
Each report lists the statistic for the year in consideration, and compares it to the previous year. For example, the 2017 report, covering incidents from 2016, notes the dwell time has dropped from 146 days in 2015, to 99 days in 2016.
The second most interesting metric (for me) is the split between internal and external notification. Internal notification means that the target organization found the intrusion on its own. External notification means that someone else informed the target organization. The external party is often a law enforcement or intelligence agency, or a managed security services provider. The 2016 split was 53% internal vs 47% external.
How do these numbers look over the years that the M-Trends report has been published? Inquiring minds want to know.
The 2012 M-Trends report was the first edition to include these statistics. I have included them for that report and all subsequent editions in the table below.
Year   Dwell time (days)   Internal   External
2011         416              6%        94%
2012         243             37%        63%
2013         229             33%        67%
2014         205             31%        69%
2015         146             47%        53%
2016          99             53%        47%
2017         101             62%        38%   (added from 2018 report after original blog)
As you can see, all of the numbers are heading in the right direction. We are finally into double digits for dwell time, but over 3 months is still far too long. Internal detection continues to rise as well. This is a proxy for the maturity of a security organization, in my opinion.
Hopefully future M-Trends reports will include tables like this.
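To make the two metrics above concrete, here is an added example (not from the post or from Mandiant) that computes them from a constructed set of incident records: dwell time as days from first evidence of compromise to detection, reported as a median next to the mean so the effect of one long-lived intrusion is visible, and the internal/external notification split per detection year, rendered as the kind of year-over-year table the post asks for. The record layout and the `_rec` helper are assumptions for the example.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, median

# Constructed sample incidents (not figures from any M-Trends report).
# Each record: (first evidence of compromise, date of detection, who found it).
def _rec(detected, dwell, source):
    return (detected - timedelta(days=dwell), detected, source)

INCIDENTS = [
    _rec(date(2015, 3, 1), 30, "internal"),
    _rec(date(2015, 5, 9), 45, "external"),
    _rec(date(2015, 7, 14), 60, "external"),
    _rec(date(2015, 9, 2), 90, "internal"),
    _rec(date(2015, 11, 20), 800, "external"),   # one long-lived intrusion
    _rec(date(2016, 2, 3), 10, "internal"),
    _rec(date(2016, 4, 18), 25, "internal"),
    _rec(date(2016, 8, 7), 40, "external"),
    _rec(date(2016, 12, 12), 55, "internal"),
]

def dwell_days(first_seen, detected):
    """Dwell time: days from first evidence of compromise to detection."""
    return (detected - first_seen).days

def yearly_trends(incidents):
    """Per detection year: median and mean dwell, internal/external split (%)."""
    by_year = defaultdict(list)
    for first_seen, detected, source in incidents:
        by_year[detected.year].append((dwell_days(first_seen, detected), source))
    rows = {}
    for year, recs in sorted(by_year.items()):
        dwell = [d for d, _ in recs]
        internal = sum(1 for _, s in recs if s == "internal")
        rows[year] = {
            "median_days": median(dwell),            # the M-Trends style statistic
            "mean_days": round(mean(dwell), 1),      # skewed by the 800-day outlier
            "internal_pct": round(100 * internal / len(recs)),
            "external_pct": round(100 * (len(recs) - internal) / len(recs)),
        }
    return rows

def trend_table(rows):
    """Render the year-over-year table as plain text."""
    lines = ["Year  Median  Mean  Internal  External"]
    for year, r in rows.items():
        lines.append(f"{year}  {r['median_days']:>6}  {r['mean_days']:>4}  "
                     f"{r['internal_pct']:>7}%  {r['external_pct']:>7}%")
    return "\n".join(lines)
```

Calling `print(trend_table(yearly_trends(INCIDENTS)))` shows 2015 with a median of 60 days but a mean of 205 days, which is why the median is the more honest headline number.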
Comments
... dropped from 146 days in 205, to ...
should be:
... dropped from 146 days in 2015, to ...
Year/Days/Internal/External
2017/101/62/38
Year/Days/Internal/External
2018/78/59/41
Years/Days/Internal/External
2019/56/47/53
Years/Days/Internal/External
2021/24 (45 non-ransomware, 5 days ransomware)/ 59 / 41