The Patching Cadence risk vector evaluates how long, on average, known vulnerabilities remained unpatched in an organization's infrastructure. Software vulnerabilities are holes or bugs in software, hardware, or encryption methods that attackers can use to gain unauthorized access to systems and their data.
- Vulnerabilities: Publicly disclosed holes or bugs in software, hardware, or encryption methods. Information about Common Vulnerabilities and Exposures (CVE) is obtained from the National Vulnerability Database (NVD). A vulnerability might exist before its official announcement, but it is not evaluated or included in the Patching Cadence risk vector until it is officially announced by the NVD.
- Remediation: The process of updating software or taking other actions to ensure that the vulnerability is resolved (“patching”), so attackers can't use that channel for malicious purposes. Remediation is achieved either by automatically keeping operating systems and supporting libraries up to date or, until a vendor patch is available, by manually configuring settings and modifying files to mitigate the vulnerability.
Risks
Vulnerabilities can expose organizations to malicious attacks. With major vulnerabilities emerging at an increasing rate, reacting quickly and consistently is critical for reducing cyber risk.
A Bitsight study on the Bitsight Security Rating’s correlation to ransomware highlights Patching Cadence as a major indicator of the likelihood of experiencing a ransomware event. The study showed companies with a poor Patching Cadence grade experience a nearly sevenfold increase in ransomware risk.
A Marsh McLennan study of Bitsight analytics’ correlation to security incidents also highlights Patching Cadence as the top indicator. Poor performance in Patching Cadence significantly increases the risk of experiencing a cybersecurity incident, while strong performance implies a lower risk of incident.
Grading
See how the Patching Cadence risk vector is graded.
Concept | Behavior
---|---
Duration | 90 days. Since Patching Cadence is based on an estimate of the mean remediation time of vulnerabilities, this lifetime is set longer than that of other Diligence risk vectors to ensure an accurate measure of the mean remediation time. See lifetime for details.
Default grade | A default risk vector grade is assigned.
No findings | The rating is positively impacted if there are no findings for this risk vector within its lifetime.
Percentage (out of 70.5% in Diligence) | 20%
Remediation
Review Patching Cadence findings and refer to the Vulnerability Catalog report, which includes the information your response teams will need to ensure that the vulnerability is eliminated from the affected systems.
- Conduct general housekeeping on company infrastructure. Keep software, hardware, operating systems, and supporting libraries up-to-date. Doing so can make it easier to patch systems in case vulnerabilities appear in the future.
- Ensure your operating systems and supporting libraries are up-to-date with the latest patches. Implement automatic updates for critical systems.
- Ensure new systems introduced into your corporate network are free of known vulnerabilities. Staying informed on the latest threats is a simple way to be aware of any possible risks your company could acquire when bringing any new devices onto your network.
- Find out how long your critical vendors leave vulnerabilities unpatched. Your organization’s security posture may be strong, but even one weak link in your supply chain can pose significant risk.
Finding Behavior
Concept | Behavior
---|---
Finding updates | The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., a newly observed Diligence finding or an existing finding that was remediated.
Automated Scan Duration | 
User-Requested Refresh Duration | Not available
Remediated findings | If the vulnerability is fixed, the finding is marked as remediated. Its impact on the risk vector grade and overall rating decreases starting 60 days after the Last Seen date of the last vulnerable finding and continues until the end of its lifetime (90 days). Patching Cadence findings have a positive impact if they are remediated faster than the company's mean time to remediate and a negative impact if they are remediated slower; the size of the impact also depends on the vulnerability's severity.
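The following is an added illustration, not Bitsight's code or scoring formula: it models a set of constructed findings, computes the organization's mean time to remediate, classifies each finding as faster or slower than that mean, and applies the 60-day/90-day decay window described above. The `Finding` class, the placeholder CVE ids and the linear shape of the fall-off are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

LIFETIME_DAYS = 90     # Patching Cadence finding lifetime (from the page)
DECAY_START_DAYS = 60  # impact starts decreasing 60 days after Last Seen (from the page)

@dataclass
class Finding:
    cve: str          # constructed placeholder id, not a real CVE reference
    first_seen: date  # first date the vulnerable observation was made
    last_seen: date   # last date the vulnerable observation was made
    remediated: bool  # True once the vulnerability is no longer observed

    def days_to_remediate(self) -> int:
        return (self.last_seen - self.first_seen).days

def mean_time_to_remediate(findings):
    """Company mean remediation time in days, over remediated findings only."""
    times = [f.days_to_remediate() for f in findings if f.remediated]
    return mean(times) if times else None

def classify(finding, mttr):
    """'positive' if fixed faster than the company mean, 'negative' if slower,
    'open' while the vulnerability is still being observed."""
    if not finding.remediated:
        return "open"
    return "positive" if finding.days_to_remediate() < mttr else "negative"

def impact_weight(finding, today):
    """Share of a remediated finding's grade impact still in effect on `today`:
    full until 60 days after Last Seen, then falling to zero at the 90-day lifetime.
    Assumption: the page only says the impact 'decreases'; the linear fall-off
    is illustrative, not Bitsight's actual curve."""
    age = (today - finding.last_seen).days
    if not finding.remediated or age < DECAY_START_DAYS:
        return 1.0
    if age >= LIFETIME_DAYS:
        return 0.0
    return (LIFETIME_DAYS - age) / (LIFETIME_DAYS - DECAY_START_DAYS)

# Constructed sample findings for one organization.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", date(2024, 1, 1), date(2024, 1, 11), True),    # fixed in 10 days
    Finding("CVE-EXAMPLE-0002", date(2024, 1, 1), date(2024, 2, 20), True),    # fixed in 50 days
    Finding("CVE-EXAMPLE-0003", date(2024, 1, 15), date(2024, 3, 15), False),  # still open
]
```

With the sample data the mean time to remediate is 30 days, so the first finding counts as faster than the mean and the second as slower, while an open finding keeps its full weight until it is remediated.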
- September 5, 2024: The remediated finding behavior references the mean time to remediate.
- July 10, 2024: The Patching Cadence lifetime is 90 days.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”