How is the Patching Cadence Risk Vector Assessed?

Patching Cadence contributes to how the Diligence risk category is calculated.

Understanding ratings impact

• Both remediated and unremediated findings impact the grade, but only the unremediated findings can be affected by a company’s future actions.
• Unremediated findings only impact the grade if they have been active for a time period that is longer than the current average remediation time of remediated findings – newly observed unremediated findings would otherwise artificially drive down the average remediation time. When no remediated findings are observed, only the longest duration unremediated finding is considered.
• As long as a finding remains unremediated, its duration continues to increase and its impact on the risk vector grade becomes increasingly negative.
• Because Patching Cadence represents an average, a quickly-patched finding has a positive impact on the letter grade, while a finding that takes longer-than-average to patch has a negative impact. Once a finding is remediated it never increases the average remediation time.
• The impact–positive or negative–of a given finding is greatest on the day the vulnerability is patched. As soon as a finding changes from unremediated to remediated, its duration stops increasing. The impact of the finding then begins to decrease each day, reaching zero 90 days after the Last Seen date.

Patching Cadence Concepts

For a list of all data fields in Patching Cadence, see Patching Cadence Findings.

For information about scanning and rescan of findings, see How is the Diligence Risk Category Calculated?

Duration

Duration is the time a specific vulnerability remains unpatched on a specific asset (time to remediate). It is the number of days between when an asset is first observed to be vulnerable and when the asset is last seen to be vulnerable.

Finding Details

For a list of all data fields in Patching Cadence, see Patching Cadence Findings.

Finding Grades

Diligence findings are graded as GOOD, FAIR, WARN, BAD, or NEUTRAL based on inherent risk and if best practices can be improved upon.

Behavior: Finding grades are not applicable to Patching Cadence findings. Patching Cadence is graded as N/A. The findings still have an impact on the rating.

Finding Rescan

For information about scanning and rescan of findings, see Patching Cadence Finding Behavior.

Insufficient Data

A default risk vector grade is assigned if there is insufficient or no data.

Behavior: The rating is positively impacted if there are no findings for this risk vector within its lifetime.

Default Grade:

Lifetime

Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. This is defined by the number of days a finding will impact the risk vector grade. Learn why findings have a decay and lifetime period.

Behavior: Since Patching Cadence is based on an estimate of the mean remediation time of vulnerabilities, this lifetime is set for a longer duration than other Diligence risk vectors to ensure an accurate measure of the mean remediation time. See lifetime for details.

Duration: 90 Days

Time To Remediate

Time to remediate is the weighted average time to remediate across Patching Cadence findings, weighted by severity and including the decay over the course of the lifetime. See details.

Vulnerability Severity

The seriousness of a vulnerability; its innate potential for harm. See details.

Weight

The Patching Cadence risk vector contributes to the weight of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.

Weight: 20%

Vulnerability Severity

More severe vulnerabilities have greater influence on the Patching Cadence grade. As mentioned, Patching Cadence is based on the average duration (time to patch), and severity is used as a weighting factor in that average.

Example: Consider two vulnerabilities with different severities–one is minor and the other is material. If both vulnerabilities were patched in the same number of days, the material vulnerability would have significantly more impact on the Patching Cadence grade.

The Bitsight severity scale is based on the Common Vulnerability Scoring System (CVSS). Learn how we determine the severity of vulnerabilities.

Time to Remediate

Patching Cadence measures an average time-to-remediate. This average is weighted according to the severity of the vulnerability, so more severe vulnerabilities have a greater impact on the risk vector grade. Since only specific vulnerabilities representative of patching behavior overall are assessed, we may not necessarily measure the wholistic time-to-remediate and the number of vulnerabilities detected and the number of assets at an organization do not directly influence the grade. All vulnerabilities that can impact Patching Cadence are classified as confirmed.

Companies with many Patching Cadence findings can have an excellent risk vector grade, provided the vulnerabilities are remediated quickly.

It can take up to 60 days for a vulnerability to be considered to be remediated. Once patched, a vulnerability is considered "remediated" when it is no longer observed by Bitsight's scanning processes for 60 consecutive days. However, the ratings impact is always calculated as if it were remediated when the vulnerability was last seen. A vulnerability on a given asset is considered remediated if:

• A subsequent observation confirms that the vulnerability is not present on the asset. (Bitsight detects the patched asset.)
• The vulnerable asset has not been reachable for 60 days. (The asset was taken offline.)

A remediated finding will be returned to non-remediated if the same vulnerability is observed again on the same asset.

• If the vulnerability is re-observed within 180 days of the Last Seen date, the duration of the finding is extended and the Last Seen date is updated accordingly. (The vulnerability has been unpatched since the previous observation.)
• If the vulnerability is re-observed more than 180 days from the Last Seen date, a new duration period is started from the current observation. (The vulnerability was patched and is now vulnerable again.)

Lifetime & Decay of Patching Cadence Findings

A Patching Cadence finding impacts the risk vector grade for 90 days after it is remediated. The relative weight of the finding decays linearly over this period, and the finding's impact on the average remediation time may be reduced.

After all Patching Cadence findings are remediated, the average remediation time is adjusted so that it decays linearly during the remaining finding lifetime, enabling a corresponding increase in the risk vector score. This linear decay starts 60 days after the Last Seen date of the last vulnerable finding.

Patching Cadence measures average time-to-patch. Lifetime is how long each individual time-to-patch duration continues to be included in the average. This means that the 90-day lifetime period is not inherently negative (or positive) for the risk vector grade. The positive impact of a quickly patched vulnerability lasts throughout the lifetime period, just like the negative impact of a slowly patched vulnerability.

Learn more about finding lifetime and why findings have a decay and lifetime period.