Short Definition
Dwell time is the duration an attacker remains inside a system before being detected and removed.
Deep Technical Explanation
Dwell time is a critical security metric. It measures how long adversaries operate undetected inside an environment. Historically, the average dwell time in enterprises ranged from 50 to over 200 days. Modern SOC practices aim to reduce it to minutes or hours.
High dwell time allows bad actors to:
- escalate privileges
- move laterally
- collect credentials
- steal sensitive data
- deploy ransomware
- exfiltrate information slowly
Reducing dwell time requires:
1. Real-time monitoring:
Continuous visibility via SIEM, EDR, network sensors, and cloud telemetry.
2. Strong alerting logic:
Detection rules mapped to MITRE ATT&CK.
3. Rapid triage:
L1 analysts must eliminate false positives and escalate quickly.
4. Active investigations:
Threat hunting shortens dwell time by proactively searching for compromises that have not yet triggered an alert.
5. Endpoint response capabilities:
Isolation tools accelerate containment.
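The following script is an added example, not part of the original glossary entry or of BlueGrid.io's tooling. It shows how dwell time is actually measured for the metric described above: per incident, from the earliest evidence of attacker activity to detection (time to detect), and from detection to containment (time to contain), with a median and mean across incidents and a list of incidents that breached a detection SLA. It also models the threat-hunting step: when a hunt finds an artefact older than the alert that opened the case, the start of the dwell window moves backward and the metric gets worse, not better, which is the correct reading. The incident records, the 24-hour SLA and the timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional


@dataclass
class Incident:
    """One incident, with the three timestamps that bound dwell time."""
    incident_id: str
    first_evidence: datetime                # earliest attacker artefact found so far
    detected: datetime                      # when an alert or hunt surfaced the intrusion
    contained: Optional[datetime] = None    # when the attacker was cut off; None if still open

    @property
    def time_to_detect(self) -> timedelta:
        # The "undetected" part of dwell time.
        return self.detected - self.first_evidence

    @property
    def time_to_contain(self) -> Optional[timedelta]:
        # The "removed" part of dwell time; unknown while the incident is open.
        if self.contained is None:
            return None
        return self.contained - self.detected


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp (UTC assumed); None stays None."""
    return None if value is None else datetime.fromisoformat(value)


def load_incidents(records: list) -> list:
    """Build Incident objects from plain dict records (e.g. a ticketing export)."""
    return [
        Incident(
            r["id"],
            parse_ts(r["first_evidence"]),
            parse_ts(r["detected"]),
            parse_ts(r.get("contained")),
        )
        for r in records
    ]


def revise_first_evidence(incident: Incident, hunt_finding: datetime) -> Incident:
    """A hunt found an artefact older than the opening alert: dwell time is
    measured from the earliest evidence, so the start of the window moves back."""
    if hunt_finding < incident.first_evidence:
        incident.first_evidence = hunt_finding
    return incident


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600.0


def summarize(incidents: list, sla: timedelta = timedelta(hours=24)) -> dict:
    """Aggregate dwell metrics and flag incidents whose detection exceeded the SLA."""
    dwell = [hours(i.time_to_detect) for i in incidents]
    contain = [hours(i.time_to_contain) for i in incidents if i.time_to_contain is not None]
    return {
        "median_dwell_hours": round(median(dwell), 2),
        "mean_dwell_hours": round(mean(dwell), 2),
        "mean_contain_hours": round(mean(contain), 2) if contain else None,
        "sla_breaches": [i.incident_id for i in incidents if i.time_to_detect > sla],
        "open_incidents": [i.incident_id for i in incidents if i.contained is None],
    }


# Constructed sample records; IDs and timestamps are illustrative only.
SAMPLE_RECORDS = [
    {"id": "INC-1", "first_evidence": "2024-03-01T08:12:00",
     "detected": "2024-03-01T08:40:00", "contained": "2024-03-01T09:05:00"},
    {"id": "INC-2", "first_evidence": "2024-02-10T22:00:00",
     "detected": "2024-02-25T10:00:00", "contained": "2024-02-25T16:00:00"},
    {"id": "INC-3", "first_evidence": "2024-03-05T13:30:00",
     "detected": "2024-03-05T15:30:00", "contained": None},
]


def main() -> None:
    incidents = load_incidents(SAMPLE_RECORDS)
    print("before hunt:", summarize(incidents))
    # A hunt later finds a persistence artefact on the INC-3 host two days
    # before the alert fired (constructed finding).
    revise_first_evidence(incidents[2], parse_ts("2024-03-03T13:30:00"))
    print("after hunt: ", summarize(incidents))


if __name__ == "__main__":
    main()
```

The median is the more honest headline number: a single long-running intrusion such as INC-2 pulls the mean up and can hide that most incidents were caught quickly, while the SLA breach list points at the cases worth a post-incident review.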
Organizations with high dwell time suffer larger financial and operational damage from attacks. SOC as a Service reduces dwell time without requiring internal staff.
How BlueGrid.io Handles It
Our combination of EDR, SIEM correlation, 24/7 monitoring, and human triage allows us to detect threats rapidly and drive dwell time to a minimum.