Let's bring this topic home and cover what we are going to do about the vulnerabilities we have found, because we are going to do something, right? We patch, remediate, or mitigate in order to reduce the exploitability of the asset in question.
Ideally your business and/or asset owner should be telling you how long they are willing to tolerate being exposed. Turning cybersecurity into a business decision is a bigger discussion for another day, so let's seed this discussion with a 30-day window. Why 30 days? Simply because we are all used to the cadence of Patch Tuesday, the regularly scheduled release of updates from Microsoft, Adobe, Oracle and a few others. If we can patch our systems within 30 days, we don't have to deal with the complications of one month's updates overlapping the next. Don't forget that many vendors have their own update cadence, and that vendors release out-of-band updates to address more critical issues; those do not wait for your window, so the 30 days is a target for the routine case, not a promise about the worst case.
The typical small to mid-sized enterprise (SME) that operates 9x5 should be able to meet the 30-day target. For everyone else, you may need different targets depending on the type of asset; for example, you may choose to allow non-critical assets to be patched within 45 days. See previous posts regarding asset categories.
For now let's stick with 30 days for all assets and track these metrics:
- Average # of days to patch Critical assets
- Average # of days to patch non-Critical assets
- % of Critical assets patched within 30 days
- % of non-Critical assets patched within 30 days
- # of assets with an open exception
- # of assets with an exception open for more than 90 days
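Here is one way to compute those six numbers from an asset inventory. This is an added example written for this post, not a tool the post or any vendor provides, and the inventory it runs over is constructed sample data. Two rules in it are my assumptions rather than something the post states: assets under an exception are counted separately and dropped from the SLA percentages, and an unpatched asset that is younger than the window is "not yet due" and does not count against the percentage either (otherwise a fresh detection would drag the number down on day one).

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

SLA_DAYS = 30            # the 30-day window from the post; pass 45 for a looser asset class
EXCEPTION_AGE_DAYS = 90  # exceptions older than this are reported as stale


@dataclass
class Asset:
    name: str
    critical: bool
    detected: date                           # date the missing patch was first found
    patched: Optional[date] = None           # None = still unpatched
    exception_since: Optional[date] = None   # set when the owner formally accepted the risk


def days_open(a: Asset, today: date) -> int:
    """Days from detection to patch, or to today if the asset is still unpatched."""
    return ((a.patched or today) - a.detected).days


def _avg(values: List[int]) -> Optional[float]:
    return mean(values) if values else None


def _pct(num: int, den: int) -> Optional[float]:
    return 100.0 * num / den if den else None


def patch_metrics(assets: List[Asset], today: date,
                  sla_days: int = SLA_DAYS) -> Dict[str, Optional[float]]:
    """Compute the six metrics from the post. None means 'no data' rather than zero.

    Assumptions (mine, not the post's): excepted assets are reported on their own
    and excluded from the SLA percentages; an unpatched asset younger than the SLA
    is not yet due and is excluded from the percentage denominator.
    """
    out: Dict[str, Optional[float]] = {}
    excepted = [a for a in assets if a.exception_since is not None]
    in_scope = [a for a in assets if a.exception_since is None]
    for label, crit in (("critical", True), ("non_critical", False)):
        group = [a for a in in_scope if a.critical == crit]
        patched = [a for a in group if a.patched is not None]
        # Only assets that are patched, or already past the window, can be judged.
        due = [a for a in group
               if a.patched is not None or days_open(a, today) >= sla_days]
        within = [a for a in due
                  if a.patched is not None and days_open(a, today) <= sla_days]
        out[f"avg_days_to_patch_{label}"] = _avg([days_open(a, today) for a in patched])
        out[f"pct_{label}_within_sla"] = _pct(len(within), len(due))
    out["exceptions"] = len(excepted)
    out["exceptions_over_90_days"] = sum(
        1 for a in excepted if (today - a.exception_since).days > EXCEPTION_AGE_DAYS)
    return out


# Constructed sample inventory (not real data), evaluated as of TODAY.
TODAY = date(2024, 3, 31)
SAMPLE_ASSETS = [
    Asset("db01", True, date(2024, 2, 1), patched=date(2024, 2, 15)),    # 14 days, on time
    Asset("web01", True, date(2024, 2, 1), patched=date(2024, 3, 20)),   # 48 days, late
    Asset("dc01", True, date(2024, 3, 25)),                               # open 6 days, not yet due
    Asset("ws05", False, date(2024, 1, 10), patched=date(2024, 2, 5)),   # 26 days, on time
    Asset("ws06", False, date(2024, 1, 10), patched=date(2024, 2, 20)),  # 41 days, late
    Asset("ws07", False, date(2024, 2, 10)),                              # open 50 days, overdue
    Asset("legacy01", False, date(2023, 10, 1),
          exception_since=date(2023, 11, 1)),                             # exception 151 days old
    Asset("kiosk02", True, date(2024, 2, 20),
          exception_since=date(2024, 3, 1)),                              # exception 30 days old
]

if __name__ == "__main__":
    for key, value in patch_metrics(SAMPLE_ASSETS, TODAY).items():
        print(f"{key:32s} {value}")
```

Feed it your own inventory export and the numbers fall out directly; the one design choice worth arguing about is whether open-but-not-yet-due assets belong in the denominator. Leaving them out keeps the percentage honest about the past, while the two averages are computed only over assets that actually got patched, so a growing unpatched backlog shows up in the percentages rather than being averaged away.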