{"id":243391,"date":"2026-07-15T06:58:00","date_gmt":"2026-07-15T10:58:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/15\/why-attacker-dwell-time-is-exposing-the-shortcomings-of-legacy-siems\/"},"modified":"2026-07-15T07:20:06","modified_gmt":"2026-07-15T11:20:06","slug":"why-attacker-dwell-time-is-exposing-the-shortcomings-of-legacy-siems","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/07\/15\/why-attacker-dwell-time-is-exposing-the-shortcomings-of-legacy-siems\/","title":{"rendered":"Why Attacker Dwell Time Is Exposing the Shortcomings of Legacy SIEMs"},"content":{"rendered":"<p><a href=\"https:\/\/www.cybersecurity-insiders.com\/why-attacker-dwell-time-is-exposing-the-shortcomings-of-legacy-siems\/\">Why Attacker Dwell Time Is Exposing the Shortcomings of Legacy SIEMs<\/a><\/p>\n<p><a href=\"https:\/\/www.cybersecurity-insiders.com\/why-attacker-dwell-time-is-exposing-the-shortcomings-of-legacy-siems\/\">https:\/\/www.cybersecurity-insiders.com\/why-attacker-dwell-time-is-exposing-the-shortcomings-of-legacy-siems\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-15 06:58:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.cybersecurity-insiders.com\">www.cybersecurity-insiders.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points. <\/p>\n<p>            The cybersecurity metric that should concern us most is not necessarily the number of vulnerabilities published this week, the latest malware family, or whichever threat actor just got a flashy new name. It\u2019s the amount of time attackers are able to remain in an environment undetected before someone finds them and kicks them out, otherwise known as attacker dwell time.<br \/>\nThe reality is that, for many organizations, attackers spend far too much time in their environment once they\u2019ve been compromised \u2013 an average of 241 days according to the latest reporting. This gives them ample time to perform reconnaissance, move laterally, disrupt systems, steal data, and stage additional attacks.\u00a0<br \/>\nAs an industry, this tells us we\u2019re doing something wrong. While we\u2019re hyperfixated on the latest APT, we\u2019re not doing enough to monitor the rest, like the opportunistic hackers operating out of their garage just trying to make a quick buck. As a result, too many organizations are still treating the problem like it can be solved with more out-of-the-box detections, IOC feeds, ATT&#038;CK mapping, and dashboards that make the red boxes turn green.<br \/>\nSome of that has value. Known-bad indicators are not useless. If a hash, domain, IP address, etc. is obviously malicious, alert on it. The problem is what happens when the attacker does not use yesterday\u2019s vulnerability, does not trigger the prebuilt rule, and does not behave in a way that some vendor could have predicted across every customer environment.<br \/>\nThat is where the one-size-fits-all SIEM mindset starts to break down.<br \/>\nThe traditional approach assumes defenders already know what they are looking for. Collect the approved log sources. Normalize them into a schema. Apply a huge pile of detection content. Generate alerts. Map it to a framework. Generate alerts. Build the dashboard. Generate alerts\u2026 oh God, the alerts. Show \u201ccoverage\u201d.<br \/>\nBut \u201ccoverage\u201d can be a slippery word. Out-of-the-box coverage is, by definition, lowest-common-denominator coverage. It has to work across many organizations, which means it cannot deeply understand any one organization. Is it ok for a detection rule to bypass itself if the DNS request came from pirate streaming software in YOUR organization? Because out-of-the-box rules are full of exceptions like that. The problem there is that every organization is different; it operates differently, its employees behave differently, and they care about different things.\u00a0<br \/>\nA generic rule can tell you something that is commonly suspicious. It cannot tell you that, in your environment, this specific machine should only ever talk to that specific controller on that specific port. It cannot know that this service account should never be used from that subnet. It cannot know that this DNS behavior is abnormal for your business but not abnormal for someone else\u2019s.<br \/>\nThat context matters because a lot of attacker activity does not look malicious in isolation. It just looks like normal technology being used in the wrong way.<br \/>\nThat is especially true as attackers continue to live off the land. DNS, PowerShell, scheduled tasks, service accounts, SMB, remote management tools, and cloud storage links are not inherently malicious. They all have legitimate applications in enterprise environments. The badness is in the context around who used it, where it ran, what happened before, what happened next, and whether that sequence makes sense for the system involved.<br \/>\nSIEMs struggle with this because they were not built for the kind of flexible, messy, environment-specific investigation that modern threat hunting requires. They were built around predefined data, predefined parsing, schemas, and detections. That model works until the investigation gets weird. And cybersecurity is mostly about the weird.<br \/>\nSometimes, the evidence of compromise is one log line buried in terabytes of data. Sometimes the interesting activity is spread across SharePoint, Sysmon, Zeek, Windows Defender, DNS, SMB, and syslog. Maybe the attacker\u2019s communication is split into chunks and shoved through DNS queries, but those queries are carrying recon data, audio, video, or some other payload you will never understand if your investigation stops at \u201cbad domain.\u201d<br \/>\nThat is the real issue with IOC-first security. It encourages teams to stop too early.<br \/>\nA domain looks suspicious, so we block it. A file hash is known to be bad, so we quarantine it. A rule fires, so we open a ticket. Fine. But what did the attacker actually do? What did they touch? Which systems were involved? Was data exfiltrated? Was the payload reconstructed? Did the behavior happen elsewhere under a slightly different domain? Did the rule catch the tactic, or did it just get lucky?<br \/>\nThis is why dwell time exposes the shortcomings of SIEMs. If attackers are living in environments for weeks or months, the answer is not simply more rules written by someone else. The answer should be better visibility, longer retention, much more flexible querying, and a deeper understanding of what is normal inside the organization.<br \/>\nThat is Defender Advantage.<br \/>\nDefender Advantage comes from knowing your environment better than the attacker does. This is where generic detection and framework-driven thinking hit a wall. Frameworks like ATT&#038;CK are useful organizational tools. But if they become a coverage map divorced from actual telemetry, they can create a false sense of security. \u201cWe detect this technique\u201d is not enough. With what data source? At what fidelity? With how much retention? Against which systems? With what blind spots? A green box on a slide does not mean you can actually investigate the incident when it matters.<br \/>\nThe same applies to AI. AI can help accelerate security work, but it does not magically solve context. Context is the hard part, and AI has a very limited context window. An AI model does not inherently know your weird legacy application, your OT network, your developers\u2019 habits, your business workflows, or the device that should never initiate outbound traffic except during a maintenance window. That knowledge lives with people: security analysts, engineers, IT teams, developers, and operators. It lives in terabytes and terabytes of log data. Is it any mystery why \u201cAI will save us\u201d vendors also advocate you should shrink your log data and throw all that pesky \u201cwaste\u201d away?<br \/>\nTrying to replace that human context with generic automation is how organizations end up being faster at missing the point.<br \/>\nReducing dwell time requires a different mindset. Keep the raw data and keep it long enough to matter. Do not throw away evidence just because it is expensive, ugly, or inconvenient. Give analysts the ability to parse on the fly, inspect nested fields, reassemble activity across events, decode payloads, baseline systems, and ask new questions of old data. Let teams turn internal knowledge into detection logic. Let them hunt for what is abnormal in their environment, not just what is globally known to be bad.<br \/>\nAttackers already know how to hide in the gaps between tools, teams, and assumptions. Defenders need to close those gaps with visibility, flexibility, and a better understanding of themselves.\u00a0<br \/>\n\u201cIf you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.\u201d<br \/>\nNotice how Sun Tzu doesn\u2019t say anything about knowing your enemy but not yourself? Because that would be silly. Even in modern times, this ancient wisdom holds true. While defending their organizations from attacker activity, security teams should be taking it to heart.\u00a0<\/p>\n<p>                            Join our LinkedIn group Information Security Community!<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why Attacker Dwell Time Is Exposing the Shortcomings of Legacy SIEMs https:\/\/www.cybersecurity-insiders.com\/why-attacker-dwell-time-is-exposing-the-shortcomings-of-legacy-siems\/ Publish Date: 2026-07-15&#8230;<\/p>\n","protected":false},"author":1,"featured_media":243392,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cybersecurity-insiders.com\/wp-content\/uploads\/Cybersecurity-analyst-in-high-tech-SOC.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,32,34,27],"class_list":["post-243391","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-malware","tag-threat-actor","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/243391"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=243391"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/243391\/revisions"}],"predecessor-version":[{"id":243393,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/243391\/revisions\/243393"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/243392"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=243391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=243391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=243391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}