The New MTTP: More Time to Patch

Managing and measuring your security posture is complex

Security is difficult in modern environments. The attack surface is exploding, and the pieces are constantly getting smaller. CISOs and operations teams have to maintain and secure environments that can be any combination of on-premise, cloud, containers, serverless, microservices, and kubernetes and are likely doing all of this from home these days. One thing has remained the same throughout all of these changes: vulnerabilities exist in production. 

Ask anyone who’s responsible for managing vulnerabilities what keeps them up at night and while some will say they’re constantly worried about the next zero day, the majority will tell you the exact opposite. The vulnerabilities they already know about are troubling enough. Moreover, these vulnerabilities are likely staring them in the face from one or many dashboards and are one of the few concrete metrics that can be reported up to the C-Suite and the board. This inevitably leads to two questions – “Why isn’t this patched yet?” and “Is the environment secure with all of these unpatched vulnerabilities?”

Why isn’t this patched yet?

Mean time to patch or MTTP has long been a standard metric to measure the effectiveness of a vulnerability management program. On the surface it makes sense, companies should know how long it takes to go from vulnerability identification to patch implementation at a given severity level. In practice, however, there are a number of reasons why vulnerabilities exist without patches for an average of between 60-150 days. A patch may not even exist at the time the vulnerability is discovered. There may also be technical or organizational hurdles standing in the way of patching. It can be difficult to establish and enforce a patching window for critical systems, especially if they’re legacy infrastructure. Dependencies also kill patches, if the patch will bring a critical system to a halt then the cure is likely worse than the disease. There’s also the simple fact that most security teams have far more vulnerabilities to patch than time and resources to patch them.Why would Desired State Enforcement protect against supply chain attacks when many other approaches fail?

Is the environment secure with all of these unpatched vulnerabilities?

The answer to this depends on two things – what portion of vulnerabilities are exploitable and are there any compensating controls in place to account for unpatched vulnerabilities. Only vulnerabilities in files and packages loaded to memory are exploitable. In Rezilion’s experience, only about 30-40% of vulnerabilities found by the average scanner are exploitable. This means that security teams are being measured against an attack surface that’s up to 70% unexploitable. Compensating controls in place refer to anything that limits the impact of a vulnerability being exploited through monitoring, alerting, or even decommissioning and redeploying a compromised asset. 

Security teams need less work and more time

Rezilion can deliver on both of these critical needs. Rezilion’s platform gives security teams less work through vulnerability validation. This is an automated vulnerability analysis capability that reduces patching efforts by 70% through validating your actual attack surface. Rezilion focuses your attention on exploitable vulnerabilities that are in code loaded to memory, and allows teams to avoid wasting time focusing on the vast majority of vulnerabilities that are not exploitable. 

Our powerful combination of a reduced attack surface and autonomous mitigating controls delivers the new MTTP – More Time to Patch. Click here to learn more about Rezilion and its benefits.