How's your vulnerability management program doing? Is it effective? A success? Let's be honest, without the right metrics or analytics, how can you tell how well you're doing, progressing, or if you're getting ROI? If you're not measuring, how do you know it's working?
And even if you are measuring, faulty reporting or focusing on the wrong metrics can create blind spots and make it harder to communicate any risks to the rest of the business.
So how do you know what to focus on? Cyber hygiene, scan coverage, average time to fix, vulnerability severity, remediation rates, vulnerability exposure… the list is endless. Every tool on the market offers different metrics, so it can be hard to know what is important.
This article will help you identify and define the key metrics that you need to track the state of your vulnerability management program, the progress you've made, so you can create audit-ready reports that:
- Prove your security posture
- Meet vulnerability remediation SLAs and benchmarks
- Help pass audits and compliance
- Demonstrate ROI on security tools
- Simplify risk analysis
- Prioritize resource allocation
Why you need to measure vulnerability management
Metrics play a critical role in gauging the effectiveness of your vulnerability and attack surface management. Measuring how quickly you find, prioritize and fix flaws means you can continuously monitor and optimize your security.
With the right analytics, you can see which issues are more critical, prioritize what to fix first, and measure the progress of your efforts. Ultimately, the right metrics allow you to make properly informed decisions, so you're allocating the resources to the right places.
The number of vulnerabilities found is always a good starting point, but it doesn't tell you much in isolation – without prioritization, advisories and progress, where do you start? Finding, prioritizing and fixing your most critical vulnerabilities is far more important to your business operations and data security than simply finding every vulnerability.
Intelligent prioritization and filtering out the noise are important because overlooking genuine security threats is all too easy when you're being overwhelmed by non-essential information. Intelligent results make your job easier by prioritizing issues that have real impact on your security, without burdening you with irrelevant weaknesses.
For example, your internet-facing systems are the easiest targets for hackers. Prioritizing issues that leave these exposed makes it easier to minimize your attack surface. Tools like Intruder make vulnerability management easy even for non-experts, by explaining the real risks and providing remediation advice in easy-to-understand language. But beyond prioritization, what else should or could you be measuring?
[Figure: An example of Intruder's vulnerability management report page]
5 top metrics for every vulnerability management program
Scan coverage
What are you tracking and scanning? Scan coverage includes all the assets you're covering and analytics of all business-critical assets and applications, and the type of authentication offered (e.g., username- and password-based, or unauthenticated).
As your attack surface evolves, changes and grows over time, it's important to monitor any changes to what's covered and your IT environment, such as recently opened ports and services. A modern scanner will detect deployments you may not have been aware of and prevent your sensitive data from becoming inadvertently exposed. It should also monitor your cloud systems for changes, discover new assets, and automatically synchronize your IPs or hostnames with cloud integrations.
Average time to fix
The time it takes your team to fix your critical vulnerabilities reveals how responsive your team is when reacting to reported vulnerabilities. This should be consistently low, since the security team is accountable for resolving issues and delivering the message and action plans for remediation to management. It should also be measured against your pre-defined SLA: each severity level should have a corresponding period of time, relative or absolute, within which planning and remediation must be completed.
Risk score
The severity of each issue is automatically calculated by your scanner, usually as Critical, High or Medium. If you decide not to patch a specific vulnerability, or a group of vulnerabilities, within the specified time period, this is an acceptance of risk. With Intruder you can snooze an issue if you're willing to accept the risk and there are mitigating factors.
For example, when you're preparing for a SOC2 or ISO audit and you can see a critical risk, you may be willing to accept it because the resource required to fix it isn't justified by the actual level of risk or potential impact on the business. Of course, when it comes to reporting, your CTO may want to know how many issues are being snoozed and why!
Mean time to detect
This is the time from a vulnerability being made public to having scanned all your targets and detected any instances of it. Essentially, how quickly are vulnerabilities being detected across your attack surface, so you can fix them and reduce the window of opportunity for an attacker?
What does this mean in practice? If your attack surface is increasing, you may find that it takes you longer to scan everything comprehensively, and your mean time to detect may increase as well. Conversely, if your mean time to detect stays flat or goes down, you're using your resources effectively. If you start to see the opposite, you should ask yourself why it's taking longer to detect things. And if the answer is that the attack surface has ballooned, maybe you need to invest more in your tooling and security team.
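The three metrics above (average time to fix against a per-severity SLA, risk accepted by snoozing, and mean time to detect) can be computed from a handful of fields per finding. The following is an added example written for this article, not Intruder's own code or report logic; the SLA thresholds and the finding records are constructed assumptions, and the helper names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Assumed remediation SLAs in days per severity (constructed, not Intruder defaults).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90}

# Constructed sample findings: (id, severity, published, detected, fixed, risk_accepted).
# `fixed` is None while the issue is still open; `risk_accepted` marks a snoozed issue.
FINDINGS = [
    ("F1", "Critical", "2024-03-01", "2024-03-02", "2024-03-05", False),
    ("F2", "Critical", "2024-03-01", "2024-03-06", "2024-03-20", False),
    ("F3", "High",     "2024-03-03", "2024-03-04", "2024-03-25", False),
    ("F4", "High",     "2024-03-03", "2024-03-04", None,         True),
    ("F5", "Medium",   "2024-03-10", "2024-03-12", None,         False),
]

def _days(start, end):
    fmt = "%Y-%m-%d"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).days

def mean_time_to_detect(findings):
    """Average days from public disclosure to first detection by a scan."""
    return mean(_days(pub, det) for _, _, pub, det, _, _ in findings)

def average_time_to_fix(findings):
    """Average days from detection to fix, per severity, over fixed issues only."""
    by_sev = defaultdict(list)
    for _, sev, _, det, fixed, _ in findings:
        if fixed is not None:
            by_sev[sev].append(_days(det, fixed))
    return {sev: mean(v) for sev, v in by_sev.items()}

def sla_report(findings, today):
    """SLA compliance over issues that were not risk-accepted.

    Open issues are aged up to `today`, so an issue left open past its SLA
    breaches just like a late fix. Returns (compliance_ratio, breached_ids, accepted_ids).
    """
    breached, accepted, in_scope = [], [], 0
    for fid, sev, _, det, fixed, risk_accepted in findings:
        if risk_accepted:
            accepted.append(fid)  # snoozed: reported, but not scored against the SLA
            continue
        in_scope += 1
        if _days(det, fixed or today) > SLA_DAYS[sev]:
            breached.append(fid)
    ratio = (in_scope - len(breached)) / in_scope if in_scope else 1.0
    return ratio, breached, accepted

if __name__ == "__main__":
    print("MTTD (days):", mean_time_to_detect(FINDINGS))
    print("Avg time to fix by severity:", average_time_to_fix(FINDINGS))
    print("SLA compliance, breached, accepted:", sla_report(FINDINGS, "2024-04-01"))
```

Reporting the accepted-risk list separately is what lets you answer the "how many issues are snoozed and why" question without hiding them inside the compliance ratio.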
Measuring progress
Prioritization – or intelligent results – is important to help you decide what to fix first, because of its potential impact on your business. Intruder filters out the noise and helps reduce false positives, which is a key metric to track because once you reduce the amount of noise you can circle back and focus on the most important metric – the average time to fix.
Why is this important? Because when you do find an issue, you want to be able to fix it as quickly as possible. Tools like Intruder use multiple scanning engines, interpret the output and prioritize the results according to context, so you can save time and focus on what really matters.
[Figure: When a new vulnerability that could critically affect your systems is identified, Intruder will automatically kick off a scan]
Attack surface monitoring
This helps you see the percentage of assets that are protected across your attack surface, discovered or undiscovered. As your team spins up new apps, your vulnerability scanner should check when a new service is exposed, so you can prevent data from becoming inadvertently exposed. Modern scanners monitor your cloud systems for changes, find new assets, and synchronize your IPs or hostnames with your integrations.
Why is this important? Your attack surface will inevitably evolve over time, from open ports to newly spun-up cloud instances, and you need to monitor these changes to minimize your exposure. That's where our attack surface discovery comes in. The number of new services discovered during the specified time period helps you understand whether your attack surface is growing (whether intentionally or not).
Why these metrics matter
Modern attack surface management tools like Intruder measure what matters most. They help provide reports for stakeholders and compliance with vulnerabilities prioritized and integrations with your issue tracking tools. You can see what's vulnerable and get the exact priorities, remedies, insights, and automation you need to manage your cyber risk. If you want to see Intruder in action you can request a demo or try it for free for 14 days.