COMMENTARY
Reducing risk has long been the guiding principle for security teams. However, even though security teams today are larger with more sophisticated security stacks, risk remains at an all-time high and continues to surge.
Managing risk is becoming much more complicated. With sprawling code and cloud assets, the number of vulnerabilities has surged from hundreds to thousands or even millions. Not only is the number of vulnerabilities skyrocketing, but the amount of time it takes to remediate a vulnerability is increasing as well, to an average of 270 days.
Mean time to remediate (MTTR) is one of the best success metrics for security teams because it correlates directly with risk. If organizations can eliminate noise from MTTR calculations and accelerate remediation of the remaining vulnerabilities, they can begin to make a significant impact in reducing risk.
Security’s Remediation Dilemma
Organizations today are moving faster than ever. Keeping up with customer demand and the speed of innovation means they’re continually and rapidly creating and deploying new products, services, and offerings.
This may be great for business growth, but it presents a big challenge to security. Code and cloud infrastructures are being deployed faster than they can be secured. This leaves application security teams in the dark on what assets they have or who owns those assets, and they often can’t give clear steps to the engineering or dev teams on how to resolve issues before deployment.
The result of this unmanageable asset sprawl is unmanageable risk. The more unsecured assets are deployed, the more vulnerabilities there are to remediate.
There’s also context to consider. Not all of these vulnerabilities represent real risk, which introduces a new layer of complexity for security teams. Now they must sift and sort through a flood of vulnerabilities to determine what is noise and what is real risk. Much of this is manual work and costs security teams one of their most critical assets: time.
Without a robust vulnerability management program that tells them what needs to be remediated, who needs to remediate it, and how, security teams will leave their assets exposed to exploits for longer.
Security teams need better approaches and tools to help them find and remediate vulnerabilities. But as the adage goes, you can’t manage what you don’t measure. So how can you measure how effective you are at remediating those vulnerabilities?
Why MTTR Is Your Most Important Security Metric
MTTR is the average time it takes to remediate a vulnerability in your organization. It may be a metric you’re already measuring, or you want to measure it but aren’t sure how. Whatever the case, MTTR should be the leading metric you leverage as part of your ongoing strategy.
Every minute vulnerabilities go unremediated is another minute your organization remains exposed. So, reducing your MTTR means reducing the window of possibility for an attack. MTTR reflects how effective your actions are at remediating vulnerabilities and reducing your risk. It’s crucial to have a way to measure how well you’re shortening the lifecycle of discovery, triage, and remediation.
However, not all vulnerabilities impact your risk in the same way. Low-severity vulnerabilities may have no impact on your organization and don’t need to be included in your MTTR. Yet high-severity vulnerabilities do, and your MTTR should measure how you’re reducing critical, severe, and risk-based vulnerabilities over time — especially considering that 33% of vulnerabilities across an organization’s full stack are either of high or critical severity.
Why Is MTTR More Important Today?
MTTR has always been an important metric for security teams, but it’s more critical than ever before. Assets and infrastructures are being deployed faster than understaffed and stretched-thin security teams can secure them, causing a cascade of vulnerabilities that must be remediated. And vulnerabilities are only going to increase. Consider that 25,082 vulnerabilities were published in 2022, a 24% increase over 2021.
Measuring MTTR also matters because it makes security teams aware of their need for better remediation tools and strategies. There are plenty of tools today that can help security teams uncover vulnerabilities. But there’s a big difference between finding a vulnerability and remediating it.
Too often, security teams have tools that add more problems to their to-do list — things that won’t reduce their MTTR or their risk. To truly reduce risk and MTTR, security teams need tools and approaches that give them a concrete plan for remediating the highest-risk vulnerabilities first.
How to Reduce Your MTTR
MTTR is a direct measure of how you’re reducing your risk, but what steps can you take to reduce your risk in the first place? Start with the following.
- Discover and aggregate your vulnerabilities: First, create an inventory of your assets, like code repos, software dependencies, software bills of materials (SBOMs), containers, and microservices. Add context to those assets, like who owns them and how they impact crucial business functions.
- Assess for business risk: Using the context you collected, assess each vulnerability for its risk severity. This will allow you to prioritize the vulnerabilities that pose the most risk to your business.
- Triage: Next, triage your vulnerabilities, asking what software assets need to be fixed, who needs to fix it, and how to fix it.
- Measure MTTR to drive remediation efforts: Measure and track your MTTR to gauge how effective your actions are at reducing risk, and where you need to continue to improve or change your efforts.
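The four steps above, together with the severity-filtered definition of MTTR under "Why MTTR Is Your Most Important Security Metric", can be turned into a small runnable calculation. The Python below is an added example, not code from the article or from any vendor it describes. The asset inventory, the vulnerabilities, the dates, and the risk-tier rules (promote a finding on a business-critical asset by one tier; keep plain low-severity findings out of MTTR; count only high and critical tiers) are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Constructed sample data (hypothetical, not from the article): an asset
# inventory annotated with owner and business criticality, plus the
# vulnerabilities found on those assets.

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str              # "repo", "container", "dependency", ...
    owner: str             # team accountable for remediation
    business_critical: bool

@dataclass(frozen=True)
class Vuln:
    vid: str
    asset: str
    severity: str          # scanner severity: low / medium / high / critical
    discovered: date
    remediated: Optional[date]   # None while the vulnerability is still open

ASSETS = {
    "payments-api":   Asset("payments-api", "repo", "payments-team", True),
    "marketing-site": Asset("marketing-site", "repo", "web-team", False),
    "build-image":    Asset("build-image", "container", "platform-team", True),
}

VULNS = [
    Vuln("V-1", "payments-api",   "critical", date(2024, 1, 3),  date(2024, 1, 13)),
    Vuln("V-2", "payments-api",   "low",      date(2024, 1, 5),  date(2024, 3, 20)),
    Vuln("V-3", "marketing-site", "high",     date(2024, 1, 10), date(2024, 2, 9)),
    Vuln("V-4", "build-image",    "medium",   date(2024, 2, 1),  date(2024, 2, 15)),
    Vuln("V-5", "build-image",    "high",     date(2024, 2, 3),  None),
    Vuln("V-6", "marketing-site", "medium",   date(2024, 2, 5),  date(2024, 2, 25)),
    Vuln("V-7", "marketing-site", "low",      date(2024, 2, 20), None),
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
TIERS = ["noise", "medium", "high", "critical"]
MTTR_TIERS = {"high", "critical"}   # only these tiers count toward MTTR

def risk_tier(v: Vuln, assets=ASSETS) -> str:
    """Step 2: assess business risk from scanner severity plus asset context.
    A finding on a business-critical asset is promoted one tier; a plain
    low-severity finding is treated as noise and kept out of MTTR."""
    rank = SEVERITY_RANK[v.severity]
    if assets[v.asset].business_critical:
        rank = min(rank + 1, len(TIERS) - 1)
    return TIERS[rank]

def triage(vulns=VULNS, assets=ASSETS) -> dict:
    """Step 3: build a per-owner work queue of open findings, highest risk
    first, so each team knows what to fix and in which order."""
    queue: dict = {}
    for v in vulns:
        if v.remediated is None:
            owner = assets[v.asset].owner
            queue.setdefault(owner, []).append((v.vid, v.asset, risk_tier(v, assets)))
    for items in queue.values():
        items.sort(key=lambda t: TIERS.index(t[2]), reverse=True)
    return queue

def mttr_days(vulns=VULNS, assets=ASSETS) -> Optional[float]:
    """Step 4: mean days from discovery to remediation, counting only closed
    findings in the high/critical tiers. Returns None if nothing qualifies."""
    durations = [(v.remediated - v.discovered).days
                 for v in vulns
                 if v.remediated is not None and risk_tier(v, assets) in MTTR_TIERS]
    return mean(durations) if durations else None

def mttr_by_month(vulns=VULNS, assets=ASSETS) -> dict:
    """Track MTTR over time, bucketed by the month in which a finding was closed."""
    by_month: dict = {}
    for v in vulns:
        if v.remediated is not None and risk_tier(v, assets) in MTTR_TIERS:
            key = v.remediated.strftime("%Y-%m")
            by_month.setdefault(key, []).append((v.remediated - v.discovered).days)
    return {m: mean(d) for m, d in sorted(by_month.items())}

def open_backlog_age(as_of: date, vulns=VULNS, assets=ASSETS) -> dict:
    """Caveat: MTTR only sees closed findings. An open high-risk finding does
    not move MTTR at all, so report its age (in days) alongside the metric."""
    return {v.vid: (as_of - v.discovered).days
            for v in vulns
            if v.remediated is None and risk_tier(v, assets) in MTTR_TIERS}

if __name__ == "__main__":
    print("triage queue:", triage())
    print("MTTR (days):", mttr_days())
    print("MTTR by month:", mttr_by_month())
    print("open high-risk age as of 2024-03-01:", open_backlog_age(date(2024, 3, 1)))
```

On this constructed data the low-severity finding on the payments API (V-2, open for 75 days) never enters MTTR, while the medium finding on the business-critical build image (V-4) does, which is the "risk-based" filtering the article calls for. The open-backlog report exists because a mean over closed findings is blind to a critical issue that nobody has fixed yet; tracking the age of open high-risk findings next to MTTR closes that gap, and a median alongside the mean guards against one long-lived fix distorting the trend.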
The Key Metric for 2024
Do you know the average time it takes for your organization to reduce its risk? By measuring and tracking your MTTR over time, you’ll see how your vulnerability management efforts are reducing risk and closing the window of opportunity for adversaries. As you prepare your security strategies, make sure that you lead with MTTR as your key metric.