Patching Cadence Risk Vector

The Patching Cadence risk vector is part of the Diligence risk category. It evaluates how long, on average, known vulnerabilities existed in an organization unpatched. Software vulnerabilities are holes or bugs in software, hardware, or encryption methods that can be used by attackers to gain unauthorized access to systems and their data.

Vulnerabilities

Publicly disclosed holes or bugs in software, hardware, or encryption methods. Information about Common Vulnerabilities and Exposures (CVE) is obtained from the National Vulnerability Database (NVD). A vulnerability might exist before its official announcement, but will not be evaluated and included in Patching Cadence risk vector until it’s officially announced by the NVD.

Remediation

The process of updating software or taking other actions to ensure that the vulnerability is resolved (“patching”), so attackers can't use that channel for malicious purposes. Patches are applied either by automatically keeping operating systems and supporting libraries up-to-date or by manually configuring settings and modifying files until a patch is available.

See data collection methods.

Risks

Vulnerabilities can expose organizations to malicious attacks. With major vulnerabilities emerging at an increasing rate, reacting quickly and consistently is critical for reducing cyber risk.

A Bitsight study on the Bitsight Security Rating’s correlation to ransomware highlights Patching Cadence as a major indicator of the likelihood of experiencing a ransomware event. The study showed companies with a poor Patching Cadence grade experience a nearly sevenfold increase in ransomware risk.

A Marsh McLennan study of Bitsight analytics’ correlation to security incidents also highlights Patching Cadence as the top indicator. Poor performance in Patching Cadence significantly increases the risk of experiencing a cybersecurity incident, while strong performance implies a lower risk of incident.

Grading

Concepts for assessing and grading Patching Cadence:

Finding Grades

Diligence findings are graded as GOOD, FAIR, WARN, BAD, or NEUTRAL based on inherent risk and if best practices can be improved upon.

Behavior: Finding grades are not applicable to Patching Cadence findings. Patching Cadence is graded as N/A. The findings still have an impact on the rating.

Insufficient Data

A default risk vector grade is assigned if there is insufficient or no data.

Behavior: The rating is positively impacted if there are no findings for this risk vector within its lifetime.

Default Grade:

Lifetime

Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. This is defined by the number of days a finding will impact the risk vector grade. Learn why findings have a decay and lifetime period.

Behavior: Since Patching Cadence is based on an estimate of the mean remediation time of vulnerabilities, this lifetime is set for a longer duration than other Diligence risk vectors to ensure an accurate measure of the mean remediation time. See lifetime for details.

Duration: 90 Days

Weight

The Patching Cadence risk vector contributes to the weight of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.

Weight: 20%

Remediation

Review Patching Cadence findings and refer to the Vulnerability Catalog report, which includes the information your response teams will need to ensure that the vulnerability is eliminated from the affected systems.

• Conduct general housekeeping on company infrastructure. Keep software, hardware, operating systems, and supporting libraries up-to-date. Doing so can make it easier to patch systems in case vulnerabilities appear in the future.
• Ensure your operating systems and supporting libraries are up-to-date with the latest patches. Implement automatic updates for critical systems.
• Ensure new systems introduced into your corporate network are free of known vulnerabilities. Staying informed on the latest threats is a simple way to be aware of any possible risks your company could acquire when bringing any new devices onto your network.
• Find out how long your critical vendors leave vulnerabilities unpatched. Your organization’s security posture may be strong, but even one weak link in your supply chain can pose significant risk.

Rescan base duration

The Bitsight platform regularly checks for new observations.

Automated Scan: 30 Days (standard)

Priority Scanning: Daily automated scans for EASM Enhanced customers, providing faster updates and continuous visibility into new exposures.

Finding Behavior

Rescan

The Bitsight platform regularly checks for new observations. A finding rescan updates findings as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.

Behavior:

• Automated Scan Duration: 30 days maximum.
• User-Requested Rescan Duration: Not Available

Remediated

The vulnerability is fixed (remediated).

Behavior:

Patching Cadence findings have a positive impact if they are remediated faster or negative impact if they are remediated slower than the company’s mean time to remediate. It also depends on the vulnerability’s severity.

The impact of remediated findings on the Patching Cadence grade and overall rating decreases starting 60 days after the Last Seen date of the last vulnerable finding and continues until the end of its lifetime (90 days).