- August 16, 2023: New Grading & Finding Behavior sections.
- March 3, 2023: Added resources on the correlation of Bitsight data to ransomware and security incidents.
- May 11, 2020: Updated description.
This risk vector evaluates how long, on average, known vulnerabilities remained unpatched in an organization. Software vulnerabilities are holes or bugs in software, hardware, or encryption methods that can be used by attackers to gain unauthorized access to systems and their data.
- Vulnerabilities: Publicly disclosed holes or bugs in software, hardware, or encryption methods. Information about Common Vulnerabilities and Exposures (CVE) is obtained from the National Vulnerability Database (NVD). A vulnerability might exist before its official announcement, but it will not be evaluated and included in the Patching Cadence risk vector until it is officially announced by the NVD.
- Remediation: The process of updating software or taking other actions to ensure that the vulnerability is resolved (“patching”), so attackers can't use that channel for malicious purposes. Patches are applied either by automatically keeping operating systems and supporting libraries up-to-date or by manually configuring settings and modifying files until a patch is available.
Risks
Vulnerabilities can expose organizations to malicious attacks. With major vulnerabilities emerging at an increasing rate, reacting quickly and consistently is critical for reducing cyber risk.
A Bitsight study on the Bitsight Security Rating’s correlation to ransomware highlights Patching Cadence as a major indicator of the likelihood of experiencing a ransomware event. The study showed companies with a poor Patching Cadence grade experience a nearly sevenfold increase in ransomware risk.
A Marsh McLennan study of Bitsight analytics’ correlation to security incidents also highlights Patching Cadence as the top indicator. Poor performance in Patching Cadence significantly increases the risk of experiencing a cybersecurity incident, while strong performance implies a lower risk of incident.
Grading
See how the Patching Cadence risk vector is graded.
Concept | Behavior |
---|---|
Lifetime | 300 Days. Since Patching Cadence is based on an estimate of the mean remediation time of vulnerabilities, this lifetime is set for a longer duration than other Diligence risk vectors to ensure an accurate measure of the mean remediation time. |
No Findings | The rating is positively impacted if there are no findings for this risk vector within its lifetime. |
(Out of 70.5% in Diligence) | 20% |
Remediation
Review Patching Cadence findings and refer to the Vulnerability Catalog report, which includes the information your response teams will need to ensure that the vulnerability is eliminated from the affected systems.
- Conduct general housekeeping on company infrastructure. Keep software, hardware, operating systems, and supporting libraries up-to-date. Doing so can make it easier to patch systems in case vulnerabilities appear in the future.
- Ensure your operating systems and supporting libraries are up-to-date with the latest patches. Implement automatic updates for critical systems.
- Ensure new systems introduced into your corporate network are free of known vulnerabilities. Staying informed on the latest threats is a simple way to be aware of any possible risks your company could acquire when bringing any new devices onto your network.
- Find out how long your critical vendors leave vulnerabilities unpatched. Your organization’s security posture may be strong, but even one weak link in your supply chain can pose significant risk.
Finding Behavior
Concept | Behavior |
---|---|
Refresh | Automated: Findings are checked at various intervals. User Requested: User-requested refresh not available. |
Remediated | Newer findings are weighted more heavily, as each finding decays over its lifetime. After all Patching Cadence findings are remediated, the average remediation time is adjusted so that it decays linearly during the remaining finding lifetime, enabling a corresponding increase in the risk vector grade. This linear decay starts 60 days after the Last Seen date of the last vulnerable finding. Remediating all of your findings does not necessarily improve your rating: it may improve if some of your longest-duration findings are older, but it may not. |
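As an added illustration, not Bitsight's own code or scoring algorithm, the following Python model works through the Remediated row above: a 300-day finding lifetime, a recency weight on each finding, and a linear decay of the average remediation time that starts 60 days after the Last Seen date of the last vulnerable finding. The recency weight (remaining fraction of the lifetime) and the decay reaching zero at day 300 are assumptions, and the names `Finding`, `finding_weight`, `decay_factor` and `adjusted_remediation_time` are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

LIFETIME_DAYS = 300     # finding lifetime given in the Grading table
DECAY_START_DAYS = 60   # decay starts 60 days after the last vulnerable finding's Last Seen

@dataclass
class Finding:
    first_seen: date          # first observation of the unpatched vulnerability
    last_seen: date           # last observation; the remediation date once remediated
    remediated: bool = True

    def remediation_days(self) -> int:
        """Days the vulnerability was observed unpatched (the quantity being averaged)."""
        return (self.last_seen - self.first_seen).days

def finding_weight(f: Finding, today: date) -> float:
    """Assumed recency weight: remaining fraction of the lifetime, 0 once expired."""
    age = (today - f.last_seen).days
    return max(0.0, (LIFETIME_DAYS - age) / LIFETIME_DAYS)

def mean_remediation_time(findings, today: date):
    """Recency-weighted mean remediation time over findings still within their lifetime."""
    weighted = [(finding_weight(f, today), f.remediation_days()) for f in findings]
    total = sum(w for w, _ in weighted)
    if total == 0:
        return None  # nothing within the lifetime: the "No Findings" row applies
    return sum(w * d for w, d in weighted) / total

def decay_factor(days_since_last_seen: int) -> float:
    """Linear decay from 1.0 at day 60 down to 0.0 at day 300 (assumed endpoints)."""
    if days_since_last_seen <= DECAY_START_DAYS:
        return 1.0
    remaining = LIFETIME_DAYS - days_since_last_seen
    return max(0.0, remaining / (LIFETIME_DAYS - DECAY_START_DAYS))

def adjusted_remediation_time(findings, today: date):
    """Mean remediation time, decayed only once every finding is remediated."""
    mean = mean_remediation_time(findings, today)
    if mean is None or not all(f.remediated for f in findings):
        return mean  # any still-open finding blocks the decay
    last_seen = max(f.last_seen for f in findings)
    return mean * decay_factor((today - last_seen).days)

# Constructed sample: two remediated findings, unpatched for 30 and 60 days respectively.
SAMPLE = [
    Finding(date(2024, 1, 1), date(2024, 1, 31)),
    Finding(date(2024, 2, 10), date(2024, 4, 10)),
]
```

Calling `adjusted_remediation_time(SAMPLE, date(2024, 8, 8))` shows the decay in effect (120 days after the last finding's Last Seen), while adding an unremediated finding to the list returns the undecayed mean.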