CrowdStrike CTO Explains “Breakout Time” — A Critical Metric in Stopping Breaches

27 May
Industry, Partners

This video features CrowdStrike® Co-founder and CTO Dmitri Alperovitch discussing why “breakout time” is a critical measurement for organizations trying to stop a breach. As Alperovitch explains, “Breakout time is the time between when an intruder gets on a machine, whether it’s through spear phishing or some sort of strategic web compromise, and when they break out of the beachhead they’ve established and compromise other systems.”

Breakout time was first introduced in CrowdStrike’s 2018 Global Threat Report, where it was reported that on average, it takes an intruder one hour and 58 minutes to jump from the machine that’s initially compromised and begin moving laterally through your network. Once adversaries break out into your environment, they are often able to penetrate deep into your network, performing reconnaissance and scoping out targets for exfiltration or other mischief. Alperovitch explains that this small window of time is critical for an organization to detect and respond to the intruder. This is why speed becomes such an important factor in containing the intruder and stopping a breach.

Alperovitch also discusses three “outcome-driven metrics” that can spell the difference between an organization stopping a breach or experiencing catastrophic data loss:

  • First is Time to Detection — organizations should set a goal of allowing only one minute to detect an incident or intrusion (automated).
  • Second is Time to Investigation — the length of time it takes to find out if the incident is legitimate and determine next steps (containment, remediation, etc.). The best organizations do this within 10 minutes.
  • Third, and most important, is Time to Remediation — the period of time needed to eject the intruder and clean up your network, which may involve coordination with the business owner of that asset. The best organizations try to do this within 60 minutes.

Alperovitch reassures organizations that if they can meet these time objectives — the “1-10-60 Rule” — they’ll be able to stay ahead of the adversary, and stop a potential breach from occurring. To meet this challenging benchmark for speed and precision, organizations may need to adopt next-generation solutions such as the CrowdStrike Falcon® platform, with its endpoint detection and response (EDR), managed threat hunting, and next-gen AV with behavioral analytics and machine learning. Such tools are key to gaining the visibility you need to meet these critical, outcome-driven metrics and stop the breach, Alperovitch says.

Blog written by: 

This blog was brought to you by our partner and valued sponsor of Camp Secure Sense 2019, CrowdStrike.


Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions, want to learn more about our services or just want to chat security please give us a shout.

You can also find us on TwitterFacebook,  LinkedIn.