How Aligning Security Awareness and Security Operations can Reduce Dwell Time

June 22, 2022

Email phishing attacks pose a large threat to every organization around the world and make up 91% of all cyberattacks.1 The most effective way for organizations to reduce their risk is to ensure that all aspects of their phishing program are focused on resiliency and preparing for the attacks that have the highest likelihood of reaching them. Suggested metrics to define and understand include human resiliency, mean time to detect (MTTD), mean time to respond (MTTR), and dwell time.

While MTTR falls under the purview of Security Operations and is a central focus in analyzing and remediating attacks, MTTD also should be considered and is often a secondary metric. To fight email phishing attacks, both metrics must be primary objectives of the Information Security program. The Security Awareness function can make an impact to these metrics by increasing the resiliency of the humans at the organization to ensure that the threats bypassing traditional email controls are quickly recognized, reported, and placed in the hands of the security operations and response teams.

The first step to reducing dwell time is improving MTTD and can be accomplished by conditioning your employees to be the first line of defense by becoming human sensors to report any email they suspect is malicious. Most security awareness programs focus on susceptibility, a measure of how many employees click on a simulation. Instead, security awareness programs should focus on resiliency, which compares the number of employees who reported the simulation to the number of employees who clicked the link. Email phishing attacks can only be removed if Security Operations is aware of them – positioning Security Awareness in the center of Security Operation’s strategy.

The second step to reducing dwell time can be accomplished by enabling Security Operations to analyze the most-likely malicious emails first. While increased reporting rates are a positive change and increase visibility into the threat landscape, it also means threat analysts must spend more time reviewing emails for actual attacks. Various email security vendors provide tools for Security Operation Centers (SOCs) to respond to reported emails, but don’t provide the best approach. While most organizations take an approach of “scoring” threats based on their internal threat intelligence, this does not account for the power of your internal reporters. With highly trained employees as the first line of defense, they become the best “eyes” of an organization, and employees with the highest likelihood to spot a phishing email should have their reports analyzed first. Combining threat scoring and reporter scoring further emphasizes the importance of Security Awareness while making it easier for Security Operations to stop email phishing attacks.

Security Awareness is more than compliance – it is an integral part in reducing dwell time of the most active and successful threat vector facing every organization - email phishing attacks. With Cofense Phishing Detection and Response (PDR), organizations can create a partnership between the Security Awareness and Security Operations teams. Cofense enables Security Awareness to build resiliency across their organization with simulations derived from real phish that are updated every month and is the only vendor that delivers simulations when an employee is active in their inbox, doubling report rates across our customer base. Cofense PDR takes these reported emails and automatically helps analysts in SOCs sift through the noise by scoring reported emails based on indicator of compromise (IOC) scoring and “reporter reputation,” enabling threat analysts to investigate reported emails from employees with the greatest track record of reporting real phish. It is time Security Awareness takes its rightful place next to Security Operations as partners in reducing dwell time and keeping email phishing attacks out of employee inboxes.