Response Time to Critical Vulnerabilities as a New Security Metric

Key Takeaways

  • The average time to respond to critical vulnerabilities is much longer than the average time it takes a known vulnerability to be exploited

  • Mean time to hardening (MTTH) is a growing security metric

  • Mach37 recently accelerated Auspex Labs, an emerging solution in this space that leverages an automated cyber threat hunting platform

Average Time to Respond to Cyber Vulnerabilities

Organizations are increasingly under pressure to quickly respond to threats that may compromise their users’ data or damage their IT infrastructure. Slow responses to threats or data breaches can result in fines from federal entities, loss of customer trust, and lost time and resources.  A recent report from WhiteHat Security determined that the average time to fix critical cybersecurity vulnerabilities is 205 days. Furthermore, according to a report from IBM, it takes an average of 69 days to contain a breach. 

This delay in hardening security and containing breaches is very costly to companies. Companies that contain a breach in under 30 days save more than $1 million in comparison to those who take more than 30 days.

The report from WhiteHat notes that many outstanding vulnerabilities require very little effort or skill to discover or exploit. The average time to weaponize a new bug is 7 days. Given this window, organizations effectively have under a week to harden their systems before seeing exploits. This means that once a vulnerability is announced, a critical race starts to either secure or exploit. 

The delay to patch vulnerabilities has been seen in the real world many times. For example, Microsoft patched BlueKeep in May 2019, and 6 months later there were still 700,000 machines at risk. 

Mean time to hardening as a new security metric

Mean time to hardening (MTTH) is the average time it takes to patch a vulnerability from the moment your team is notified about it. The same metric is also referred to as mean time to patch (MTTP). If a patch is not considered critical, it can generally be scheduled for the next maintenance cycle. The decision to delay a patch should be governed by a risk management process; however, there are emergency level patches that need to be addressed swiftly and for such cases the security industry is establishing new benchmarks for response time.

One such standard is the 24/72 threshold. This means remeditaiting critical vulnerabilities within 72 hours, and zero-day vulnerabilities within 24 hours. The 72 hours comes from the fact that, on average, it takes adversaries 7 days to exploit a known vulnerability. The 24 hour threshold is ambitious, but it is the difference between proactive and reactive cyber defense.

Other benchmarks with regards to intrusion detection have also become industry standards. Crowdstrike introduced the 1/10/60 benchmark based on an intruder’s breakout time. Breakout time is the average one hour and 58 minutes that it takes an intruder to move laterally from the initially compromised machine. The 1/10/60 benchmark means that you have one minute to detect an attack in progress, 10 minutes to understand it, and 60 minutes to contain it. 

What affects an organization’s response time

Since COVID-19, supply for security professionals has not met the demand. This leaves security teams stretched thin and unable to manually respond to a high volume of outstanding vulnerabilities. Setu Kulkarni, a VP at WhiteHat security suggests distributing security responsibilities from security and IT teams to development teams by training them to handle the top few vulnerabilities that are trending in their products. 

Organizations can do several things to prepare for fast responses to cyber threats: regular audits and assessments of security vulnerabilities, participating in threat-sharing programs, having a comprehensive program to address third-party risk, and strategically investing in appropriate technologies. Much of the work to quickly respond to a breach is done long before that breach even happens.

Automation is, of course, a growing trend in reducing hardening times. Automation takes care of mundane time-consuming tasks and frees up security personnel to focus on more important assignments. IBM found in their report that companies that fully deployed security automation have an average breach cost of $2.88 million whereas companies without automation have an estimated cost of $4.43 million. 

Emerging Solutions

Mach37, “the granddaddy of cybersecurity accelerators”, recently worked with an emerging leader in the space of early detection and response, Auspex Labs. Auspex helps organizations detect attacks, minimize the damage, and get back to their mission. 

One of their products, Auspex Observatory, is a simple to use network visualization and automated cyber threat hunting platform that collects a broad scope of telemetry from common agents and logging mechanisms. This telemetry provides the vectors to detect threats as they begin, giving your organization the ability to prevent damage before it disrupts your business.

Using flow analytics, Auspex Labs is able to quickly identify malicious actors. These successful identifications become part of their threat intelligence database, and are used to detect future attacks. Auspex looks for display hosts that are not participating in active telemetry. These unmanaged hosts could be rogue, failing, or require other attention. All of this is done without administrative access to your devices, all that is needed is your network’s metadata. 

As we have seen, the expectation for organizations to quickly patch vulnerabilities and swiftly contain breaches has put pressure on CISOs to make organizational changes and technological investments. As companies aim to reach industry standards for response times, we will see an increase in automation and adoption of emerging technologies like those provided by Auspex Labs.