FireEye released the 2017 edition of the Mandiant M-Trends report yesterday. I’ve been a fan of this report since the 2010 edition, before I worked at the company.
Curiously for a report with the name “trends” in the title, this and all other editions do not publish the sorts of yearly trends I would expect. This post will address that limitation.
The report is most famous for its “dwell time” metric, which is the median (not average, or “mean”) number of days an intruder spends inside a target company until he is discovered.
Each report lists the statistic for the year in consideration, and compares it to the previous year. For example, the 2017 report, covering incidents from 2016, notes the dwell time has dropped from 146 days in 2015, to 99 days in 2016.
The second most interesting metric (for me) is the split between internal and external notification. Internal notification means that the target organization found the intrusion on its own. External notification means that someone else informed the target organization. The external party is often a law enforcement or intelligence agency, or a managed security services provider. The 2016 split was 53% internal vs 47% external.
How do these numbers look over the years that the M-Trends report has been published? Inquiring minds want to know.
The 2012 M-Trends report was the first edition to include these statistics. I have included them for that report and all subsequent editions in the table below.
As you can see, all of the numbers are heading in the right direction. We are finally into double digits for dwell time, but over 3 months is still far too long. Internal detection continues to rise as well. This is a proxy for the maturity of a security organization, in my opinion.
Hopefully future M-Trends reports will include tables like this.