Vulnerability Risk vs Time to Detection
Vulnerability risk is often treated as the key security testing metric to track. Visibility of the number of high and medium risk vulnerabilities matters for understanding the health of a vulnerability management programme, but it is not what mature organisations focus on. Instead, mean time to detection (MTTD) and mean time to response (MTTR) say far more about how efficiently a programme is running: a count tells you how much is outstanding, whereas the two timings tell you how long each finding stays live.
MTTD
MTTD is the time between the (inevitable) introduction of a vulnerability and its detection. Security teams with a low MTTD find vulnerabilities sooner and can therefore start remediation sooner. A higher MTTD means undetected vulnerabilities are lingering in systems for longer. Measuring it properly needs a record of when the vulnerability was introduced (the commit or deployment that brought it in), not just the date a scan first reported it; and because only vulnerabilities that were eventually found can be measured, MTTD is a lower bound on the real exposure window.
MTTR
MTTR is the next metric along the vulnerability lifecycle. It measures the time between a vulnerability being acknowledged and being addressed. Note that addressed does not necessarily mean fixed: not every vulnerability is rectified; some are mitigated and some are simply accepted as a risk. MTTR therefore covers every outcome a vulnerability can reach once it has been found and assessed, and a finding that is still open has not stopped the clock and should not be averaged in as if it had.
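The two metrics above are easy to get subtly wrong when computed from a tracker export: open findings dropped from MTTR quietly flatter the number, and a single severity band can hide behind a blended average. The following is an added worked example, not code from the original post or from any of the products it mentions. It assumes a simple per-finding record with introduced, detected, acknowledged and addressed timestamps (field names are this example's own), treats fixed, mitigated and accepted alike as addressed, reports MTTD and MTTR overall and per severity, and lists the open backlog beside them. The sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Iterable, List, Optional, Tuple

# States the text treats as "addressed": a finding can be fixed, mitigated or
# formally accepted. Anything else is still open and does not stop the MTTR clock.
ADDRESSED_STATES = {"fixed", "mitigated", "accepted"}


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str
    severity: str                          # "high", "medium", ...
    introduced: datetime                   # when the vulnerable code/config went live
    detected: datetime                     # when a scan, test or report first found it
    acknowledged: datetime                 # when the team triaged it; MTTR clock starts here
    status: str                            # "open" or one of ADDRESSED_STATES
    addressed: Optional[datetime] = None   # when status moved to an addressed state


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def _select(records: Iterable[VulnRecord], severity: Optional[str]) -> List[VulnRecord]:
    return [r for r in records if severity is None or r.severity == severity]


def mttd_hours(records: Iterable[VulnRecord], severity: Optional[str] = None) -> Optional[float]:
    """Mean time to detection: introduction -> detection, in hours.
    Every record has a detection date by construction (undetected findings
    cannot be in the data), so this is a lower bound on the true exposure window."""
    sample = _select(records, severity)
    return mean(_hours(r.detected - r.introduced) for r in sample) if sample else None


def mttr_hours(records: Iterable[VulnRecord], severity: Optional[str] = None) -> Optional[float]:
    """Mean time to response: acknowledgement -> addressed, in hours.
    Fixed, mitigated and accepted all count as addressed. Open findings are
    excluded from the sample rather than counted as zero."""
    sample = [r for r in _select(records, severity)
              if r.status in ADDRESSED_STATES and r.addressed is not None]
    return mean(_hours(r.addressed - r.acknowledged) for r in sample) if sample else None


def mean_live_hours(records: Iterable[VulnRecord], severity: Optional[str] = None) -> Optional[float]:
    """Introduction -> addressed for closed findings: the total time a vulnerability
    was live in the system, which is what lowering MTTD and MTTR together shrinks."""
    sample = [r for r in _select(records, severity)
              if r.status in ADDRESSED_STATES and r.addressed is not None]
    return mean(_hours(r.addressed - r.introduced) for r in sample) if sample else None


def open_backlog(records: Iterable[VulnRecord], now: datetime) -> List[Tuple[str, float]]:
    """Open findings with their age since acknowledgement in hours, oldest first.
    Reported beside MTTR so a tail of untouched findings cannot hide behind a good average."""
    aged = [(r.vuln_id, _hours(now - r.acknowledged))
            for r in records if r.status not in ADDRESSED_STATES]
    return sorted(aged, key=lambda item: item[1], reverse=True)


# Constructed sample data (not real findings). Timestamps are offsets from a base date.
BASE = datetime(2024, 3, 1, 9, 0)


def _t(days: int, hours: int = 0) -> datetime:
    return BASE + timedelta(days=days, hours=hours)


SAMPLE_RECORDS = [
    VulnRecord("V-001", "high",   _t(0), _t(2),     _t(2, 4),  "fixed",     _t(5)),
    VulnRecord("V-002", "high",   _t(1), _t(3),     _t(3, 2),  "mitigated", _t(4)),
    VulnRecord("V-003", "medium", _t(0), _t(10),    _t(11),    "accepted",  _t(12)),
    VulnRecord("V-004", "medium", _t(5), _t(6),     _t(6, 1),  "open"),
    VulnRecord("V-005", "high",   _t(2), _t(2, 12), _t(2, 13), "open"),
]
REPORT_TIME = _t(14)

if __name__ == "__main__":
    for sev in (None, "high", "medium"):
        label = sev or "all"
        print(f"{label:>7}: MTTD={mttd_hours(SAMPLE_RECORDS, sev):.1f}h "
              f"MTTR={mttr_hours(SAMPLE_RECORDS, sev):.1f}h "
              f"live={mean_live_hours(SAMPLE_RECORDS, sev):.1f}h")
    for vuln_id, age in open_backlog(SAMPLE_RECORDS, REPORT_TIME):
        print(f"open: {vuln_id} acknowledged {age:.0f}h ago")
```

On the sample data the blended MTTR is 38 hours while the high severity MTTR is 45 hours, and two high and medium findings have been open for 275 and 191 hours without stopping the clock; those are exactly the figures a blended average on its own would hide.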
Summary
Ultimately, the individual business goals of the vulnerability management programme determine which metrics to focus on. Having systems and tools (such as Cisco Vulnerability Management (formerly Kenna), Armorcode and Cytix) that make performance metrics easy to track is vital, though. With the right processes in place and a focus on the right metrics, high performing security teams are reducing the time vulnerabilities are live in their systems, and with it the window in which an attacker can exploit them.
If you want to see how Cytix can drive down MTTD, book your demo today.