Risk reduction has long been the guiding principle of security teams. However, even though security teams today are larger and have more sophisticated security stacks, risk remains at an all-time high and continues to increase.
Risk management is becoming much more complicated. With the expansion of code and cloud resources, the number of vulnerabilities has increased from hundreds to thousands or even millions. Not only is the number of vulnerabilities skyrocketing, but the amount of time it takes to remediate a vulnerability is also increasing, reaching an average of 270 days.
Mean time to remediate (MTTR) is one of the best key success metrics for security teams because it is directly tied to risk. If organizations remove the noise from their MTTR calculations and accelerate remediation of the vulnerabilities that remain, they can begin to make a significant impact on reducing risk.
The security solution dilemma
Organizations today are moving faster than ever. Keeping up with customer demand and the speed of innovation means they continually and rapidly create and deliver new products, services and offerings.
This can be great for business growth, but it poses a huge security challenge. Code and cloud infrastructure are deployed faster than they can be secured. This leaves application security teams in the dark about which resources exist and who owns them, and they often cannot give engineering or development teams clear steps for resolving issues before deployment.
The result of this unmanageable expansion of resources is unmanageable risk. The more unprotected resources are deployed, the more vulnerabilities there are to patch.
There is also context to consider. Not all of these vulnerabilities pose a real risk, which introduces a new level of complexity for security teams: they must sift through a wave of findings to separate noise from real risk. This is largely manual work and costs security teams one of their most critical resources, time.
If security teams do not have a robust vulnerability management program to tell them what needs to be fixed, who needs to fix it, and how, their assets will remain exposed to exploitation for longer.
Security teams need better approaches and tools to help them find and fix vulnerabilities. But as the saying goes, you can’t manage what you don’t measure. So how can you measure your effectiveness in remediating these vulnerabilities?
Why MTTR is the most important security metric
MTTR is the average time it takes to remediate a vulnerability in your organization. It might be a metric you’re already measuring or that you want to measure but aren’t sure how. Regardless, MTTR should be the primary metric you leverage as part of your ongoing strategy.
Every minute that vulnerabilities go unfixed is another minute that your organization remains exposed. So, reducing your MTTR means reducing the window of opportunity for an attack. MTTR reflects the effectiveness of your actions in fixing vulnerabilities and reducing risks. It is critical to have a way to measure how effectively you are shortening the detection, evaluation, and remediation lifecycle.
However, not all vulnerabilities affect risk equally. Low-severity vulnerabilities may have little impact on your organization and do not need to be included in your MTTR. High-severity vulnerabilities do, and your MTTR should measure how quickly you close critical, high, and risk-prioritized vulnerabilities over time, especially considering that 33% of vulnerabilities across an organization's entire stack are of high or critical severity.
Why is MTTR more important today?
MTTR has always been an important metric for security teams, but it is more critical now than ever. Assets and infrastructure are deployed faster than understaffed and under-resourced security teams can protect them, producing a cascade of vulnerabilities that must be addressed. And the volume of vulnerabilities will only grow: consider that in 2022, 25,082 vulnerabilities were published, a 24% increase compared to 2021.
Another reason MTTR measurement is more important is so that security teams can become aware of the need for better remediation tools and strategies. Today, there are many tools that can help security teams discover vulnerabilities. But there’s a big difference between finding a vulnerability and fixing it.
Too often, security teams have tools that only add more items to their to-do list, items that do nothing to reduce their MTTR or their risk. To truly reduce both, security teams need tools and approaches that tell them which high-risk vulnerabilities to fix, who should fix them, and how.
How to reduce your MTTR
MTTR is a direct measure of how well you are reducing risk, but what steps can you take to reduce risk in the first place? Start with the following.
- Discover and aggregate your vulnerabilities: First, build an inventory of your assets, such as code repositories, software dependencies, software bills of materials (SBOMs), containers, and microservices. Add context to those assets, such as who owns them and how they affect critical business functions.
- Assess business risk: Using the collected context, evaluate each vulnerability based on the severity of the risk it poses. This lets you prioritize the vulnerabilities that pose the greatest risk to your business.
- Triage: Next, work through the prioritized vulnerabilities, asking which software assets need fixing, who needs to fix them, and how to fix them.
- Measure MTTR to drive remediation efforts: Measure and monitor your MTTR to evaluate how effectively your actions are reducing risk and where you need to keep improving or adjust your efforts.
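The four steps above, as an added example that is not part of the original article: it builds a small finding inventory with owner and severity context, computes MTTR only over closed findings at or above a chosen severity (so low-severity noise does not inflate the number, as argued above), and reports the age and per-owner backlog of findings that are still open, which a closed-only MTTR silently ignores. The Finding record, the sample rows, the severity ranking and the function names are all assumptions made for this illustration, not a real scanner's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed severity ordering; real scanners use their own scales.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding with the asset/owner context from the inventory step."""
    finding_id: str
    asset: str                       # repo, image or service the finding belongs to
    owner: str                       # team accountable for the fix
    severity: str                    # key of SEVERITY_RANK
    detected: datetime               # when the scanner first reported it
    remediated: Optional[datetime]   # None means still open


def _utc(day: str) -> datetime:
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed sample inventory for the example (not real data).
SAMPLE: List[Finding] = [
    Finding("F-1", "payments-api",  "payments", "critical", _utc("2024-01-02"), _utc("2024-01-12")),
    Finding("F-2", "payments-api",  "payments", "high",     _utc("2024-01-05"), _utc("2024-02-04")),
    Finding("F-3", "web-frontend",  "web",      "high",     _utc("2024-01-10"), None),
    Finding("F-4", "web-frontend",  "web",      "low",      _utc("2024-01-01"), _utc("2024-06-01")),
    Finding("F-5", "batch-worker",  "data",     "critical", _utc("2024-01-20"), _utc("2024-01-22")),
    Finding("F-6", "batch-worker",  "data",     "medium",   _utc("2024-01-15"), None),
]
AS_OF = _utc("2024-03-01")  # reporting date for the open-age calculation


def in_scope(f: Finding, min_severity: str) -> bool:
    """True when the finding is at or above the severity floor used for the metric."""
    return SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]


def _days(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 86400


def mttr_days(findings: List[Finding], min_severity: str = "high") -> Optional[float]:
    """Mean days from detection to remediation over *closed* in-scope findings.

    Returns None when nothing in scope has been closed yet. Open findings are
    deliberately excluded here, so pair this with open_age_days() below.
    """
    durations = [_days(f.detected, f.remediated)
                 for f in findings
                 if f.remediated is not None and in_scope(f, min_severity)]
    return sum(durations) / len(durations) if durations else None


def open_age_days(findings: List[Finding], as_of: datetime,
                  min_severity: str = "high") -> Dict[str, float]:
    """Age in days of every still-open in-scope finding, keyed by finding id."""
    return {f.finding_id: _days(f.detected, as_of)
            for f in findings
            if f.remediated is None and in_scope(f, min_severity)}


def backlog_by_owner(findings: List[Finding], min_severity: str = "high") -> Dict[str, int]:
    """Count of open in-scope findings per owning team: the triage 'who fixes it' view."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.remediated is None and in_scope(f, min_severity):
            counts[f.owner] = counts.get(f.owner, 0) + 1
    return counts


if __name__ == "__main__":
    print("MTTR (high+):", mttr_days(SAMPLE, "high"))        # 14.0
    print("MTTR (all):  ", mttr_days(SAMPLE, "low"))         # 48.5, inflated by one slow low-severity fix
    print("open age:    ", open_age_days(SAMPLE, AS_OF))     # {'F-3': 51.0}
    print("backlog:     ", backlog_by_owner(SAMPLE, "high")) # {'web': 1}
```

Running it shows the point of the severity floor: the same inventory yields an MTTR of 14 days for high and critical findings but 48.5 days once a single slow low-severity fix is mixed in. It also shows why MTTR alone is not enough: the 51-day-old open high-severity finding on web-frontend contributes nothing to MTTR until it is closed, so the open-age and per-owner backlog views belong next to it on the same dashboard.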
The key metric for 2024
Do you know the average time it takes your organization to reduce risks? By measuring and tracking your MTTR over time, you’ll see how your vulnerability management efforts are reducing risk and closing the window of opportunity for adversaries. As you prepare your security strategies, be sure to use MTTR as a key metric.