The New MTTP: More Time to Patch

Managing and measuring your security posture is complex

Security is difficult in modern environments. The attack surface is exploding, and the pieces are constantly getting smaller. CISOs and operations teams have to maintain and secure environments that can be any combination of on-premise, cloud, containers, serverless, microservices, and kubernetes and are likely doing all of this from home these days. One thing has remained the same throughout all of these changes: vulnerabilities exist in production. 

Ask anyone who’s responsible for managing vulnerabilities what keeps them up at night and while some will say they’re constantly worried about the next zero day, the majority will tell you the exact opposite. The vulnerabilities they already know about are troubling enough. Moreover, these vulnerabilities are likely staring them in the face from one or many dashboards and are one of the few concrete metrics that can be reported up to the C-Suite and the board. This inevitably leads to two questions – “Why isn’t this patched yet?” and “Is the environment secure with all of these unpatched vulnerabilities?”

Why isn’t this patched yet?

Mean time to patch or MTTP has long been a standard metric to measure the effectiveness of a vulnerability management program. On the surface it makes sense, companies should know how long it takes to go from vulnerability identification to patch implementation at a given severity level. In practice, however, there are a number of reasons why vulnerabilities exist without patches for an average of between 60-150 days. A patch may not even exist at the time the vulnerability is discovered. There may also be technical or organizational hurdles standing in the way of patching. It can be difficult to establish and enforce a patching window for critical systems, especially if they’re legacy infrastructure. Dependencies also kill patches, if the patch will bring a critical system to a halt then the cure is likely worse than the disease. There’s also the simple fact that most security teams have far more vulnerabilities to patch than time and resources to patch them.Why would Desired State Enforcement protect against supply chain attacks when many other approaches fail?

Is the environment secure with all of these unpatched vulnerabilities?

The answer to this depends on two things – what portion of vulnerabilities are exploitable and are there any compensating controls in place to account for unpatched vulnerabilities. Only vulnerabilities in files and packages loaded to memory are exploitable. In Rezilion’s experience, only about 30-40% of vulnerabilities found by the average scanner are exploitable. This means that security teams are being measured against an attack surface that’s up to 70% unexploitable. Compensating controls in place refer to anything that limits the impact of a vulnerability being exploited through monitoring, alerting, or even decommissioning and redeploying a compromised asset. 

Security teams need less work and more time

Rezilion Prioritize can deliver on both of these critical needs. Prioritize gives security teams less work through vulnerability validation. This is an automated vulnerability analysis capability that reduces patching efforts by 70% through validating your actual attack surface. Validation focuses your attention on exploitable vulnerabilities that are in code loaded to memory, and allows teams to avoid wasting time focusing on the vast majority of vulnerabilities that are not exploitable. 

Prioritize also buys security teams time with autonomous vulnerability mitigation. Not every vulnerability has a patch and there are times patching isn’t an option. Prioritize also gives teams more time with autonomous mitigation. This is a compensating control for production vulnerabilities that buys teams time to patch without slowing down business or delaying releases. Prioritize detects when vulnerable components are being exploited to run unauthorized code and commands, and responds by leveraging your existing infrastructure to alert asset owners, create tickets, or safely redeploy assets. 

This powerful combination of a reduced attack surface and autonomous mitigating controls delivers the new MTTP – More Time to Patch. Click here to learn more about Rezilion Prioritize and its benefits.

You are Three Clicks Away from a POC

Rezilion is a true turnkey SaaS solution for your cloud workload headaches.

© 2021 Rezilion. All Rights Reserved.