If your organization is keeping up with vulnerability remediation, give yourself a pat on the back, but don’t rest on your laurels just yet. Too few organizations are keeping track of what may be the most important cybersecurity metric out there: time to remediate.
What’s your organization’s average time to remediation?
Vulnerability Remediation: Key Metrics
Even organizations that are staying afloat when it comes to patching admit they could do better when it comes to time to remediate (TTR).
According to a Ponemon-Tenable study of over 2,400 IT and security professionals, 70% claimed TTR is an essential KPI, but only 46% were actually tracking this data. And the ones who are tracking this number may not be actively working to bring it down.
Security software today typically fails to track TTR, yet it often delivers a wide range of less relevant metrics:
- Number of vulnerabilities: Since vulnerabilities will exist, this is guaranteed to be a big scary number that may or may not have any practical impact.
- Number of scans run: A million ineffective scans won’t make your organization more secure.
- Critical vs. non-critical vulnerabilities: This metric can be misleading since it doesn’t always correspond to your organization’s priorities.
The importance of TTR was driven home in 2019 when the U.S. Department of Homeland Security demanded that all federal agencies patch critical vulnerabilities within 15 days and high vulnerabilities within 30 days.
Unfortunately, the private sector hasn’t followed suit. TTR varies from industry to industry but can range from 15 weeks in the energy sector to 35 weeks in IT. Another study showed it could take up to 42 weeks to resolve half of an organization’s vulnerabilities.
Let’s look at what happens if we forget every other metric and focus only on TTR.
Putting TTR First
Rather than counting vulnerabilities that are blocked or fixed, try shifting your priorities and looking at how long your entire remediation strategy takes. Only after that should you start breaking things down to look at TTR for the most critical vulnerabilities.
This approach may seem counterintuitive or inefficient at first, as most IT professionals are used to prioritizing according to risk.
But prioritizing vulnerabilities can lead to a false sense of security. A “severe” vulnerability might have little chance of being exploited. The painful truth is that hackers don’t care how severe a vulnerability is; they will exploit anything that gives them a foothold to get inside your organization and wreak havoc.
A TTR-focused approach creates a big-picture strategy, giving you the best chance of addressing all vulnerabilities.
TTR also provides a clear, concrete metric for reporting on security goals and achievements. Like hackers, senior execs don’t always care how severe a vulnerability is. They just want to know the organization is secure. Being able to report, “Our team has been successfully patching 90% of critical vulnerabilities on payroll-related systems within 15 days,” shows that your IT department is well aligned with your organization’s business goals and strategies.
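To make the metric concrete, here is an added example (not JetPatch code or part of the original post) that computes TTR from a constructed set of scan findings and checks it against the 15-day critical and 30-day high deadlines cited above. It also shows the edge case a naive report misses: findings that are still open never count as “within SLA,” and open findings already past their deadline are reported separately.

```python
from datetime import date
from statistics import median

# Constructed sample findings (not real scan data), one row per vulnerability.
# remediated=None means the finding is still open as of AS_OF.
AS_OF = date(2020, 3, 31)
FINDINGS = [
    {"id": "v1", "severity": "critical", "detected": date(2020, 3, 1), "remediated": date(2020, 3, 10)},
    {"id": "v2", "severity": "critical", "detected": date(2020, 3, 2), "remediated": date(2020, 3, 25)},
    {"id": "v3", "severity": "critical", "detected": date(2020, 3, 5), "remediated": None},
    {"id": "v4", "severity": "high", "detected": date(2020, 2, 1), "remediated": date(2020, 2, 20)},
    {"id": "v5", "severity": "high", "detected": date(2020, 2, 10), "remediated": date(2020, 3, 30)},
    {"id": "v6", "severity": "medium", "detected": date(2020, 1, 15), "remediated": None},
]

# Remediation deadlines in days, following the 2019 DHS directive cited in the text.
# Severities without an entry are measured but not held to a deadline.
SLA_DAYS = {"critical": 15, "high": 30}


def age_days(finding, as_of=AS_OF):
    """Days from detection to fix, or to as_of if the finding is still open."""
    end = finding["remediated"] or as_of
    return (end - finding["detected"]).days


def ttr_report(findings, as_of=AS_OF):
    """Per severity: median TTR of fixed findings, SLA compliance and open breaches."""
    report = {}
    for sev in sorted({f["severity"] for f in findings}):
        group = [f for f in findings if f["severity"] == sev]
        sla = SLA_DAYS.get(sev)
        fixed_ages = [age_days(f, as_of) for f in group if f["remediated"]]
        # Only a finding fixed on or before its deadline meets the SLA; open
        # findings still have the clock running and count against compliance.
        within = [f for f in group if f["remediated"] and sla is not None and age_days(f, as_of) <= sla]
        open_past = [f for f in group if not f["remediated"] and sla is not None and age_days(f, as_of) > sla]
        report[sev] = {
            "total": len(group),
            "fixed": len(fixed_ages),
            "median_ttr_days": median(fixed_ages) if fixed_ages else None,
            "sla_days": sla,
            "pct_within_sla": round(100 * len(within) / len(group), 1) if sla is not None else None,
            "open_past_sla": len(open_past),
        }
    return report


if __name__ == "__main__":
    for sev, row in ttr_report(FINDINGS).items():
        print(sev, row)
```

Note that the median of the fixed critical findings (16 days) looks close to the 15-day target, while only a third of critical findings actually met it; the compliance percentage, not the median, is the number to report.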
What Do the Data Say?
Remediation may be getting lip service, but even with a widespread understanding of the risks, one WhiteHat Security study shows that remediation rates are actually down from 57% in 2017 to 46% in 2019.
At JetPatch, it’s important for us to know what’s going on behind the scenes so we can help our customers improve their vulnerability remediation picture. So, we’ve been running a survey of our own.
What we’re seeing is generally consistent with other studies. People are telling us it can take months to remediate their entire environment: a TTR of 15-30 days for critical vulnerabilities and 60-120 days for non-critical vulnerabilities.
We’re also hearing that IT staff have many responsibilities, and remediating vulnerabilities often has to take a backseat. Choosing tools that help bring your organization’s TTR in line ensures nothing falls through the cracks, shifts how you handle security overall, and takes the burden off your team.
Choosing Tools to Prioritize TTR
When evaluating tools to aid and streamline vulnerability management, a global approach is best, and TTR is absolutely critical to keeping your organization patched and secure.
An effective tool will offer a big-picture view of how long it’s taking your organization to remediate and, perhaps most importantly, let users measure their performance against standard benchmarks.
A new Forrester report has just weighed in on the simplest way to improve TTR: automation. This falls into two areas: automated scanning and automated remediation. By building automated scanning into your security strategy, you’re taking the burden off IT’s shoulders and ensuring more frequent scans, something Forrester reported brought down median TTR from 68 days to 19 days.
Tools such as JetPatch offer features like predictive patching to help automate and simplify the patching process, making the entire remediation cycle run more smoothly.
In an article about the perils of patching, the UK government admits it’s not easy to close the gap. It’s time-consuming and complex. Patching can be disruptive, and there are additional challenges in securing older, newer, or more complex systems.
Closing the gap may not be easy, but it’s impossible if you’re not measuring TTR. If your security tools aren’t treating TTR as a priority, you may believe you’re keeping up but actually remediating too slowly to keep your organization secure.