Jiu Jitsu vs InfoSec: Mean Time To Detect

This is part of a series comparing Jiu Jitsu with InfoSec.

As very much a low-level student of Jiu Jitsu, one of the ways I know that I’m getting better is that I’m seeing my mistakes closer to the time I made them. (“Putting my hand there was a mistake! He pinned my legs down! I should have squared up when I had the chance!”) Make no mistake, it’s still too late. I fall behind the curve, and my opponent ends up winning.

But detecting these mistakes after they were made is still a big step up from the complete novice who cannot even see mistakes after they are made! Even explaining these mistakes to the novice in slow mode may not immediately “click” in their mind, since there is so much information to take in before concepts are internalized.

At a certain point, a jiu jitsu student has already acquired the answers to certain problems they are presented with, but the value in those answers is really measured in how quickly they can put them into play. On the defense side, a black belt might only give up a sub-second window of opportunity, whereas a purple belt may give up eight or ten seconds for the same opportunity. Meanwhile, a white or even blue belt might give up an infinite window of opportunity for what they simply do not yet know! The same might be true for offense: a black belt may be able to capitalize on their opponent’s weakness within a second, but a white belt might take 10 to 20 seconds before they realize the window is there and begin to execute. This is a great explanation of why a black belt can so easily handle a blue belt — the blue belt’s mean time to detect and mean time to respond are so much slower than the black belt’s.

With infosec, it’s really no different.

The weakly protected enterprises have essentially an infinite mean time to detect (i.e. no detection), or if they do detect it, they have an infinite mean time to (correctly) respond. This is like the white belt who cannot see the problem with extending their arms so far away from their body. Or the white belt who sees that the higher belt gave them a sweep opportunity, but it took the white belt too long to remember how to react, position their body, and set up the sweep. By the time the white belt got there, the higher belt had already moved on. The enterprise that dusts off its incident response procedures when its SIEM goes off is that white belt!

As an enterprise improves and gets more proficient, their ability to detect and respond to threats improves and can be measured by decreases in the corresponding mean times. This can also be seen across the infosec industry as a whole with Mandiant’s annual trend reports, which still measure the average “dwell time” (mean time to detect) in months (not days, hours, or ideally minutes or seconds). It’s fair to extrapolate that the infosec industry is still a bunch of white belts, as long as our mean times are so long and slow.
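As an added illustration (not part of the original post) of how these mean times are computed from incident records, and of why an incident that was never detected should show up as the infinite window described above rather than being quietly dropped from the average, here is a small Python example run over constructed incident data; the incident names and timestamps are made up:

```python
"""Mean time to detect (MTTD) and mean time to respond (MTTR) from incident
records. Undetected or uncontained incidents count as an infinite window
instead of being excluded, which is what most dashboards silently do."""
from dataclasses import dataclass
from datetime import datetime
from math import inf
from typing import Optional

HOUR = 3600.0

@dataclass
class Incident:
    name: str
    compromised: datetime                 # earliest evidence of attacker activity
    detected: Optional[datetime] = None   # None: never detected (infinite dwell)
    contained: Optional[datetime] = None  # None: detected but never (correctly) closed

def dwell_hours(inc: Incident) -> float:
    """Dwell time = compromise to detection; infinite while still undetected."""
    if inc.detected is None:
        return inf
    return (inc.detected - inc.compromised).total_seconds() / HOUR

def response_hours(inc: Incident) -> float:
    """Detection to containment; infinite if never detected or never contained."""
    if inc.detected is None or inc.contained is None:
        return inf
    return (inc.contained - inc.detected).total_seconds() / HOUR

def mean_time(values) -> float:
    """Plain mean; a single infinite term makes the whole mean infinite, on purpose."""
    values = list(values)
    return sum(values) / len(values) if values else inf

def metrics(incidents):
    """Honest MTTD/MTTR (inf if any window is still open) next to the optimistic
    figures that only count closed incidents, plus the detection rate."""
    detected = [i for i in incidents if i.detected is not None]
    contained = [i for i in detected if i.contained is not None]
    return {
        "mttd_hours": mean_time(dwell_hours(i) for i in incidents),
        "mttr_hours": mean_time(response_hours(i) for i in incidents),
        "mttd_hours_detected_only": mean_time(dwell_hours(i) for i in detected),
        "mttr_hours_contained_only": mean_time(response_hours(i) for i in contained),
        "detection_rate": len(detected) / len(incidents) if incidents else 0.0,
    }

# Constructed sample: one fast catch, one 55-day dwell, one detected but never
# properly closed, and one only learned about later (e.g. from a third party).
SAMPLE = [
    Incident("phish-01", datetime(2024, 3, 1, 9), datetime(2024, 3, 1, 11), datetime(2024, 3, 1, 15)),
    Incident("webshell-02", datetime(2024, 1, 10, 2), datetime(2024, 3, 5, 2), datetime(2024, 3, 6, 2)),
    Incident("creds-03", datetime(2024, 2, 20, 8), datetime(2024, 2, 21, 8), None),
    Incident("vpn-04", datetime(2024, 2, 1, 0), None, None),
]

if __name__ == "__main__":
    for key, value in metrics(SAMPLE).items():
        print(f"{key}: {value}")
```

The "detected only" figures are the ones that look comfortable on a slide; the honest ones stay infinite until every known incident has actually been detected and closed.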

There are still great defending organizations, of course, and at varying levels. What makes them exceptional is the quickness of their ability to detect a threat and respond to it — just like the high level jiu jitsu competitor.

Want to get better at either jiu jitsu or infosec? Work on decreasing your mean time to detect/respond to the corresponding threats & opportunities.

Continue this series: Jiu Jitsu vs InfoSec — Privileged Access.