One of the key components of any kind of security policy for
a business is to have a regular schedule of performing software patches and
upgrades. But what the timing should be
is really entirely up to the CISO, or even the vCISO. In my opinion, given the dynamics of the Cyber
Threat Landscape, it should be done once a week. In fact, when I started my first IT job over
20 years ago, this was the norm, even all the way back then.
But it takes resources to monitor all of this stuff, as you
will most likely need to have a dedicated person on hand to do all of
this. Not many people think about this,
but it matters a lot to the other members of the C-Suite, and even to the Board
of Directors. But the good news here is
that there are metrics and Key Performance Indicators (KPIs) that you can use
to help put a quantitative assessment to this.
So, here is a review of some of the major ones that you can
make use of:
1) The Mean Time To Remediate:
The acronym for this is the “MTTR”. It simply measures how long it takes to get
your dedicated resources to put the software patches and upgrades into your
production environment after they have been first announced. The one primary disadvantage with this kind
of metric is that it treats all patches and upgrades in the same manner. So, for example, a low priority one will receive
the same kind of weighting as a high priority one. However, some CISOs have been known to use
the MTTR solely for tracking the latter.
2) The Mean Time To Detect:
The acronym for this is the “MTTD”. Essentially, this metric shows how long it
takes for your IT Security Team to detect an actual threat variant that exists
in your IT/Network Infrastructure, and also how long it takes for them to
apply the relevant patch to remediate it.
In a way, this can be viewed as an enhancement to the MTTR. For more information on this, click on the
link below:
http://cyberresources.solutions/blogs/Threat_Report.pdf
3) The Mean Time To Prioritize:
The acronym for this is the “MTTP”. This metric reflects the degree of
vulnerability of all of the digital and physical assets that you have at your
business. Typically, all of the details
for this will come into play when you first conduct a comprehensive Risk
Assessment Analysis. This can then be
fed into the MTTP, and it will show how quickly you need to respond to a
security breach that has impacted your most vulnerable assets. One of the responses, of course, is mitigation
through your Incident Response (IR) Plan, but the other key component is
applying the relevant software patches and upgrades in a timely manner.
4) The Mean Time To Communicate:
The acronym for this is the “MTTC”. This is actually a new metric, and this is the
first that I have even heard of such a thing.
This metric shows how well your IT Security team can interact with the other
members of the IT Department. If your business
is large enough, these two departments will have independent tasks and duties
to protect it. For example, the IT Security
team would be responsible for the checking and downloading of the software
patches and upgrades, but then, it would be up to the IT Department to actually
roll them out into the production environment.
But this metric can also be used to gauge how effectively your IT
Security team can communicate with the relevant members of the other
departments in your business.
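
To illustrate the weighting problem described under the MTTR in item 1, here is an added example (not from the original post) that computes the MTTR over a set of constructed patch records, both as one flat average and split by priority. The record layout, the priority labels, and the separate reporting of patches that are still open are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample records: (patch id, priority, announced, deployed or None)
PATCHES = [
    ("P-001", "high", date(2024, 3, 4), date(2024, 3, 24)),
    ("P-002", "low", date(2024, 3, 4), date(2024, 3, 6)),
    ("P-003", "low", date(2024, 3, 11), date(2024, 3, 12)),
    ("P-004", "low", date(2024, 3, 11), date(2024, 3, 14)),
    ("P-005", "high", date(2024, 3, 18), date(2024, 4, 1)),
    ("P-006", "low", date(2024, 3, 18), date(2024, 3, 20)),
    ("P-007", "high", date(2024, 3, 25), None),  # still not in production
]


def days_to_remediate(announced, deployed):
    """Days from announcement to deployment in production."""
    delta = (deployed - announced).days
    if delta < 0:
        raise ValueError("deployed before announced; check the record")
    return delta


def mttr_report(patches, as_of):
    """Return the flat MTTR, the MTTR per priority, and the age of open patches."""
    closed = defaultdict(list)
    open_age = {}
    for pid, priority, announced, deployed in patches:
        if deployed is None:
            # An unapplied patch has no remediation time yet. Report its age
            # separately so it does not silently vanish from the metric.
            open_age[pid] = (as_of - announced).days
        else:
            closed[priority].append(days_to_remediate(announced, deployed))
    all_days = [d for days in closed.values() for d in days]
    return {
        "flat": mean(all_days) if all_days else None,
        "by_priority": {p: mean(d) for p, d in closed.items()},
        "open_age_days": open_age,
    }


if __name__ == "__main__":
    print(mttr_report(PATCHES, as_of=date(2024, 4, 8)))
```

On this sample the flat MTTR is 7 days, which looks healthy, while the high priority patches alone average 17 days and one of them has been open for 14 days.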
My Thoughts On This:
Honestly, nobody really likes to be gauged by a set of
metrics and KPIs, but this is the only way that value can be shown to the
higher-ups, as previously mentioned. But
a key factor here is to have the buy-in from all of the members of the IT
Security team, and determine which ones are the most relevant to your security
requirements.
A good way to help speed things up in the deployment process
is to make use of automated tools, such as those making use of AI and ML. There are plenty of tools out there; the hard
part will be in figuring out which ones will be the most relevant for helping
to secure your business.
I am also going to be writing a special whitepaper on the software
upgrade and patching process (softwareupdate.art), so stay tuned for it!!!