Patching Cadence measures how long, on average, known vulnerabilities existed in an organization unpatched. This average time-to-remediate is weighted according to the severity of the vulnerability, so more severe vulnerabilities have a greater impact on the risk vector grade.
Patching Cadence measures an average, meaning that the number of vulnerabilities detected and the number of assets at an organization do not directly influence the grade. Companies with many Patching Cadence findings can have an excellent risk vector grade, provided the vulnerabilities are remediated quickly.
All vulnerabilities that can impact Patching Cadence are classified as confirmed.
Understanding Ratings Impact
- Both remediated and unremediated findings impact the grade, but only the unremediated findings can be affected by a company’s actions.
- Unremediated findings only impact the grade if they have been active for a time period that is longer than the current average remediation time. Otherwise, new unremediated findings would artificially drive down the average remediation time.
- As long as a finding remains unremediated, its duration continues to increase and its impact on the risk vector grade becomes increasingly negative.
- Because Patching Cadence represents an average, a quickly-patched finding has a positive impact on the letter grade, while a finding that takes longer-than-average to patch has a negative impact.
- The impact of a given finding, positive or negative, is greatest on the day the vulnerability is patched. As soon as a finding changes from unremediated to remediated, its duration stops increasing. The impact of the finding then begins to decrease each day, reaching zero 90 days after the Last Seen date.
Patching Cadence Concepts
For a list of all data fields in Patching Cadence, see Patching Cadence Findings.
For information about scanning and refresh of findings, see How is the Diligence Risk Category Calculated?.
Concept | Description |
---|---|
Duration | The number of days a vulnerability is present on a given asset before the vulnerability is remediated. |
 | The number of days a vulnerability is present on a given asset before the vulnerability is remediated. (See Duration for details.) |
 | A default risk vector grade is assigned. |
 | The rating is positively impacted if there are no findings for this risk vector within its lifetime. |
Lifetime | The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. |
 | Duration: 90 days. Since Patching Cadence is based on an estimate of the mean remediation time of vulnerabilities, this lifetime is set for a longer duration than other Diligence risk vectors to ensure an accurate measure of the mean remediation time. See Lifetime for details. |
Time To Remediate | The weighted average time to remediate across Patching Cadence findings, weighted by severity and including the decay over the course of the lifetime. |
Severity | The seriousness of a vulnerability; its innate potential for harm. See Vulnerability Severity for details. |
 | Percentage (out of 70.5% in Diligence): 20% |
Vulnerability Severity
More severe vulnerabilities have greater influence on the Patching Cadence grade. As mentioned, Patching Cadence is based on the average duration (time to patch), and severity is used as a weighting factor in that average.
Example: Consider two vulnerabilities with different severities: one is minor and the other is material. If both vulnerabilities were patched in the same number of days, the material vulnerability would have significantly more impact on the Patching Cadence grade.
The Bitsight severity scale is based on the Common Vulnerability Scoring System (CVSS). Learn how we determine the severity of vulnerabilities.
Duration
Duration is the time a specific vulnerability remains unpatched on a specific asset (time to remediate). It is the number of days between when an asset is first observed to be vulnerable and when the asset is last seen to be vulnerable.
Time to Remediate
It can take up to 60 days for a vulnerability to be considered remediated. However, the ratings impact is always calculated as if it were remediated when the vulnerability was last seen. A vulnerability on a given asset is considered remediated if:
- A subsequent observation confirms that the vulnerability is not present on the asset. (Bitsight detects the patched asset.)
- The vulnerable asset has not been reachable for 60 days. (The asset was taken offline.)
A remediated finding is returned to unremediated if the same vulnerability is observed again on the same asset.
- If the vulnerability is re-observed within 180 days of the Last Seen date, the duration of the finding is extended and the Last Seen date is updated accordingly. (The vulnerability has been unpatched since the previous observation.)
- If the vulnerability is re-observed more than 180 days from the Last Seen date, a new duration period is started from the current observation. (The vulnerability was patched and is now vulnerable again.)
Lifetime & Decay of Patching Cadence Findings
A Patching Cadence finding impacts the risk vector grade for 90 days after it is remediated. The relative weight of the finding decays linearly over this period, and the finding's impact on the average remediation time may be reduced.
After all Patching Cadence findings are remediated, the average remediation time is adjusted so that it decays linearly during the remaining finding lifetime, enabling a corresponding increase in the risk vector score. This linear decay starts 60 days after the Last Seen date of the last vulnerable finding.
Patching Cadence measures average time-to-patch. Lifetime is how long each individual time-to-patch duration continues to be included in the average. This means that the 90-day lifetime period is not inherently negative (or positive) for the risk vector grade. The positive impact of a quickly patched vulnerability lasts throughout the lifetime period, just like the negative impact of a slowly patched vulnerability.
Learn more about finding lifetime and why findings have a decay and lifetime period.
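The following is an added, illustrative model of the rules described under Understanding Ratings Impact, Time to Remediate, and Lifetime & Decay; it is example code written for this page, not Bitsight's implementation. It assumes a severity weight table of its own (the page says severity weights the average but publishes no weights), a decay that falls linearly from 1.0 at the Last Seen date to 0.0 at 90 days, and a constructed sample portfolio; the 60-day delay before the post-remediation decay of the overall average is not modelled.

```python
from dataclasses import dataclass
from datetime import date

LIFETIME_DAYS = 90           # a remediated finding stops counting 90 days after Last Seen
REOBSERVE_WINDOW_DAYS = 180  # re-observation inside this window extends the old duration
# Assumed severity weights: the page says severity weights the average but gives no table.
SEVERITY_WEIGHT = {"minor": 1.0, "moderate": 2.0, "material": 3.0, "severe": 4.0}

@dataclass(frozen=True)
class Finding:
    severity: str
    first_seen: date
    last_seen: date
    remediated: bool

    def duration(self, today: date) -> int:
        """Days unpatched; keeps growing while the finding is unremediated."""
        end = self.last_seen if self.remediated else today
        return (end - self.first_seen).days

def decay(f: Finding, today: date) -> float:
    """Relative weight: 1.0 while open, then linear from 1.0 to 0.0 over the 90-day lifetime."""
    if not f.remediated:
        return 1.0
    return max(0.0, 1.0 - (today - f.last_seen).days / LIFETIME_DAYS)

def weighted_ttr(findings, today: date):
    """Severity-weighted, decayed mean time to remediate; None means insufficient data."""
    def mean(fs):
        pairs = [(SEVERITY_WEIGHT[f.severity] * decay(f, today), f.duration(today)) for f in fs]
        total = sum(w for w, _ in pairs)
        return sum(w * d for w, d in pairs) / total if total > 0 else None
    baseline = mean([f for f in findings if f.remediated])
    # Open findings count only once open longer than the current average, so a fresh finding cannot pull it down.
    threshold = baseline if baseline is not None else 0.0  # assumption: no baseline, count all
    return mean([f for f in findings if f.remediated or f.duration(today) > threshold])

def reobserve(f: Finding, seen: date) -> Finding:
    """180-day rule: extend the existing duration, or start a new one if the gap is longer."""
    if (seen - f.last_seen).days <= REOBSERVE_WINDOW_DAYS:
        return Finding(f.severity, f.first_seen, seen, remediated=False)
    return Finding(f.severity, seen, seen, remediated=False)

TODAY = date(2024, 7, 10)  # constructed sample portfolio, not real Bitsight data
SAMPLE = [
    Finding("minor", date(2024, 6, 20), date(2024, 6, 25), True),    # patched in 5 days
    Finding("material", date(2024, 5, 1), date(2024, 6, 25), True),  # patched in 55 days
    Finding("severe", date(2024, 1, 1), date(2024, 2, 1), True),     # lifetime expired: weight 0
    Finding("moderate", date(2024, 7, 1), date(2024, 7, 9), False),  # open 9 days: below average
    Finding("severe", date(2024, 5, 1), date(2024, 7, 9), False),    # open 70 days: counts
]
```

With the sample above, the two remediated findings alone average 42.5 days; adding the long-open severe finding raises it to 57.5, while the 9-day-old finding and the expired one do not move it.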
- July 10, 2024: The Patching Cadence lifetime is 90 days; Time to remediate concept video.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- January 31, 2024: The lifetime is subject to change for the 2024 RAU.