
The process of gaining unauthorized entry into a network to passing control to another attacker now only takes 22 seconds, compared to over eight hours it used to take back in 2022. That’s how much the severity of the situation has escalated.
Furthermore, that’s the new reality in which investigations take place. This is exactly why the old reactive approach of waiting for an alert, responding to it at a convenient time, and writing a report later simply does not work anymore. This is why enterprises working with sensitive data require much more advanced strategies.
This article outlines why identity is critical during such investigations and how faster investigations enhance overall security.
Key Takeaways
- Investigations scout the damage done, trace the root cause, and answer the question every CISO actually cares about
- Identity issues were the contributing factor in nearly 90% of Unit 42’s cases, while stolen credentials, hijacked sessions, and overly permissive tokens have become the go-to vector
- Organizations utilizing AI and automation shorten their breach lifecycle by 80 days and save approximately $2 million per incident
- The difference isn’t just a better tool. It’s having the right visibility and context from the very beginning of the investigation
People often confuse triage with investigation. Triage is the quick gut check: is this alert worth anyone’s time?
Investigation is the deeper process that follows. It scouts the damage done, traces the root cause, and answers the question every CISO actually cares about: how far did the damage creep in, and what do we fix so it doesn’t happen again?
Triage takes minutes. Investigation can run from hours to weeks, depending on how good your visibility is going into it.
And visibility, it turns out, is the real battleground. Unit 42’s latest global report found that misconfigurations or gaps in security coverage materially enabled the attack in over 90% of the incidents they investigated. Not exotic zero-days. Not nation-state wizardry. Just gaps nobody was watching closely enough.

If there is any common thread woven throughout most major incident response reports this year, it is surely this: intruders are no longer hacking their way in, but rather logging in. Identity issues were the contributing factor in nearly 90% of Unit 42’s cases, while stolen credentials, hijacked sessions, and overly permissive tokens have become the go-to vector.
As the approach towards attacks has changed drastically, so has the approach to investigation. Monitoring the network perimeter is not enough anymore. You must have logs and identity artifacts as behaviour context, as all have become interconnected entities; in many cases, the information needed is already present in the log, and investigators only need to piece it together in vital moments from multiple sources.
NetWitness lets you combine packet analysis, endpoint monitoring, and log activity in one workflow. It would be the best platform to address these challenges.
Did You Know?
Hackers often hide by using the exact same built-in computer administration tools that IT staff use every day.
Here’s the part that’s easy to miss in all the AI-driven SOC hype. Organizations utilizing AI and automation shorten their breach lifecycle by 80 days and save approximately $2 million per incident.
But automation doesn’t replace investigators. It removes repetitive work, so analysts can focus on understanding attacker behavior and making informed decisions faster.
Dwell time indicates the same findings, but from a different angle. Managed detection environments are now locating threats with a median dwell time of around 39 minutes, compared to around 390 minutes for organizations that depend on manual detection.
The difference isn’t just a better tool. It’s having the right visibility and context from the very beginning of the investigation.
Investigations for incidents go well beyond looking into alerts once an attack has happened. These involve obtaining a holistic view of everything in the network, on endpoints, at identities, and in logs in order to determine the real impact of an incident before the attackers do more harm.
It makes sense for organizations to use a combination of trained experts and effective investigative tools such as NetWitness in order to investigate incidents faster and make the attacker dwell time shorter.
Ans: They require faster processes because the time to breach systems has decreased quite a lot, forcing organizations to adapt or risk losing sensitive information to unauthorized attackers.
Ans: AI speeds up the whole process considerably by monitoring threats in real-time, allowing businesses to prevent data breaches instead of waiting for the attacks to happen and then reacting later.
Ans: Monitoring the network perimeter is not enough anymore. You must have logs and identity artifacts as behaviour context, as all have become interconnected entities. These things help greatly in identifying threats quickly and taking action swiftly.
Ans: No, automation doesn’t replace investigators. It removes repetitive work, so analysts can focus on understanding attacker behavior and making informed decisions faster.