New Security Metrics to Consider – 24/72 and 1/10/60
Once a new bug is publicly announced, it takes, on average, seven days for bad guys to figure out how to weaponize it.
Experts say that this means that you need to harden your systems against that new attack within 72 hours. That is not very long, even for the best of operations.
How long does it take the average organization to close holes?
On average, 102 days, or about 15 times the time it takes to weaponize it.
Once a vulnerability is disclosed, it is a race between the good guys and the bad guys to either fix it or abuse it.
Some examples:
Microsoft patched BlueKeep, a bug that was very well publicized in May 2019. It was also explained at the time why it was critical to patch. In December 2019, there were at least 700,000 machines publicly exposed and still vulnerable.
Remember Wannacry? Sophos says that there are still a large number of machines not patched against it – two years later.
Zero-day attacks are even worse – best practice says that they should be patched within 24 hours.
To add to the complexity of the problem for IT, these fixes need to be tested.
So if the benchmark for MEAN TIME TO HARDENING is 24 HOURS FOR ZERO DAYS AND 72 HOURS FOR OTHER FIXES, IT has got a lot of work to do.
The cousin of this is incident response. Crowdstrike sets the benchmark at 1/10/60.
For those of you not familiar with this benchmark, it means:
- ONE MINUTE TO DETECT
- TEN MINUTES TO UNDERSTAND
- SIXTY MINUTES TO CONTAIN
These two goals are really important and also really hard. Almost no organizations can currently do this.
These two goals interact with each other. If we can close off enough holes then we make it harder for the bad guys. This allows IT to focus on the remaining attacks.
For IT, the battle is basically the need for speed.
So here are the recommendations:
- 24/72 (hours) for patching
- 1/10/60 (minutes) for incident response
For almost all organizations, this is a big project. Everybody ready?
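As an added example (not from the post or from Threatpost), here is a small Python scorer that measures patch and incident records against the 24/72 and 1/10/60 benchmarks. The record fields, the sample data, and the assumption that detect/understand/contain are measured as consecutive phases are all mine.

```python
from dataclasses import dataclass
from datetime import datetime as dt, timedelta
from statistics import mean

# Benchmarks from the post: 24 h for zero-days, 72 h for other fixes; 1/10/60 minutes for IR.
HARDEN_SLA = {True: timedelta(hours=24), False: timedelta(hours=72)}  # keyed by zero_day flag
IR_SLA = {"detect": timedelta(minutes=1), "understand": timedelta(minutes=10),
          "contain": timedelta(minutes=60)}

@dataclass
class Fix:
    name: str
    disclosed: dt          # public disclosure time
    hardened: dt           # tested fix fully deployed, not merely downloaded
    zero_day: bool = False

@dataclass
class Incident:
    name: str
    started: dt            # earliest attacker activity on the reconstructed timeline
    detected: dt
    understood: dt         # scope and root cause established
    contained: dt

def time_to_harden(fixes):
    """Mean time to hardening in hours, plus the fixes that missed their 24/72 deadline."""
    hours = [(f.hardened - f.disclosed).total_seconds() / 3600 for f in fixes]
    missed = [f.name for f in fixes if f.hardened - f.disclosed > HARDEN_SLA[f.zero_day]]
    return mean(hours), missed

def ir_phases(inc):
    """Per-phase minutes (phases assumed consecutive) and the 1/10/60 phases that were missed."""
    spans = {"detect": inc.detected - inc.started,
             "understand": inc.understood - inc.detected,
             "contain": inc.contained - inc.understood}
    minutes = {k: v.total_seconds() / 60 for k, v in spans.items()}
    return minutes, [k for k, v in spans.items() if v > IR_SLA[k]]

# Constructed sample records (hypothetical, not real events).
FIXES = [
    Fix("server-fix", dt(2019, 6, 1, 0, 0), dt(2019, 6, 3, 12, 0)),                 # 60 h: within 72
    Fix("browser-zero-day", dt(2019, 6, 10, 9, 0), dt(2019, 6, 11, 15, 0), True),   # 30 h: misses 24
    Fix("vpn-fix", dt(2019, 6, 20, 0, 0), dt(2019, 7, 5, 0, 0)),                    # 360 h: misses 72
]
INCIDENT = Incident("phish-2019-06", dt(2019, 6, 12, 10, 0, 0), dt(2019, 6, 12, 10, 0, 45),
                    dt(2019, 6, 12, 10, 8, 0), dt(2019, 6, 12, 11, 30, 0))

if __name__ == "__main__":
    print(time_to_harden(FIXES))  # (150.0, ['browser-zero-day', 'vpn-fix'])
    print(ir_phases(INCIDENT))    # ({'detect': 0.75, 'understand': 7.25, 'contain': 82.0}, ['contain'])
```

Feeding real ticket and SIEM timestamps into these records turns the two benchmarks into a trend you can track month over month.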
Source: Threatpost