Potential Framework and Measures for Managing Vulnerability Scanning on Networks
For RA-5: Vulnerability Monitoring and Scanning from NIST SP 800-53, the goal is to ensure that vulnerabilities in information systems are monitored and managed effectively. To monitor the progress and effectiveness of vulnerability management, it's essential to have a clear set of metrics and measuring methods.
Below are several methods for measuring progress for RA-5, including the recommended numerators (the counts of what you're measuring) and denominators (the total or benchmark number to compare against).
1. Vulnerability Detection Rate
- Description: This metric reports how many vulnerabilities the scanner finds per system scanned in a period. It is a density, not a speed: the time from a vulnerability's disclosure (or exposure) to its first detection is a separate measure that depends on the scan schedule, not on this ratio.
- Numerator: Number of vulnerabilities detected in a defined time period.
- Denominator: Total number of systems or applications that were subject to vulnerability scanning in that time period.
- Formula:
$$\text{Vulnerability Detection Rate} = \frac{\text{Number of vulnerabilities detected}}{\text{Number of systems scanned}} \times 100$$
- Purpose: Gives a baseline for the volume of findings the program has to work through. Read it with care: the value rises both when scanning becomes more thorough (for example, when credentialed scans are switched on or new plugins arrive) and when the estate becomes less well patched, so it should be interpreted alongside the coverage and remediation metrics rather than on its own.
2. Vulnerability Remediation Time
- Description: This metric measures the average time it takes to fix or mitigate identified vulnerabilities.
- Numerator: Total elapsed time from detection to resolution, summed over the vulnerabilities remediated in a specific period (calendar time, not analyst effort).
- Denominator: Number of vulnerabilities remediated in the same period.
- Formula:
$$\text{Vulnerability Remediation Time} = \frac{\text{Total time to remediate}}{\text{Number of vulnerabilities remediated}}$$
- Purpose: Tracks how responsive the organization is in addressing vulnerabilities. Shorter remediation times reflect a more agile vulnerability management process. Report it per severity level: a single average across all severities lets a fast turnaround on low-severity findings hide slow handling of critical ones.
3. Vulnerability Recurrence Rate
- Description: This measures how often a vulnerability that was closed reappears in a later scan. "Same" should be defined precisely, normally as the same vulnerability identifier (CVE or scanner plugin) on the same asset; a looser "similar" criterion makes the metric hard to reproduce from one period to the next.
- Numerator: Number of vulnerabilities that were previously remediated but reappeared in scans.
- Denominator: Total number of vulnerabilities remediated over a defined period.
- Formula:
$$\text{Vulnerability Recurrence Rate} = \frac{\text{Number of recurring vulnerabilities}}{\text{Total number of vulnerabilities remediated}} \times 100$$
- Purpose: A high recurrence rate could indicate that remediation efforts are incomplete or insufficient (for example, a patch applied without the required restart, a host rebuilt from an unpatched image, or a ticket closed without a confirming rescan), or that patching strategies need to be improved.
4. Patch Compliance Rate
- Description: This measures how well the organization adheres to patch management schedules, specifically related to vulnerabilities identified in the system.
- Numerator: Number of patches applied to systems within the expected timeframe.
- Denominator: Total number of patches that were identified as required during the same period.
- Formula:
$$\text{Patch Compliance Rate} = \frac{\text{Number of patches applied on time}}{\text{Total patches required}} \times 100$$
- Purpose: This indicates the organization’s efficiency in applying patches and addressing vulnerabilities before they can be exploited.
5. Vulnerability Severity Distribution
- Description: This metric categorizes vulnerabilities based on their severity (e.g., critical, high, medium, low) and monitors the trend in severity distribution over time.
- Numerator: Number of vulnerabilities of each severity level detected.
- Denominator: Total number of vulnerabilities detected.
- Formula (for each severity level):
$$\text{Vulnerability Severity Distribution} = \frac{\text{Number of vulnerabilities at severity level}}{\text{Total number of vulnerabilities}} \times 100$$
- Purpose: By monitoring the severity of vulnerabilities, the organization can prioritize remediation efforts on the most critical issues. It also indicates the overall risk exposure at any given point.
6. Vulnerability Scanning Coverage
- Description: This metric tracks the percentage of systems and applications that undergo regular vulnerability scanning.
- Numerator: Number of systems and applications that have undergone vulnerability scans in the past defined period.
- Denominator: Total number of systems and applications within the organization, taken from an authoritative asset inventory (the CM-8 system component inventory) rather than from the scanner's own target list; if the denominator only contains what the scanner already knows about, coverage is overstated.
- Formula:
$$\text{Vulnerability Scanning Coverage} = \frac{\text{Number of systems scanned}}{\text{Total number of systems}} \times 100$$
- Purpose: Measures the breadth of coverage in the vulnerability management program. A higher percentage means that more systems are being actively monitored for vulnerabilities.
7. Vulnerability Management SLA Compliance Rate
- Description: This measures the organization's adherence to Service Level Agreements (SLAs) for addressing and resolving vulnerabilities.
- Numerator: Number of vulnerabilities resolved within the SLA timeframe.
- Denominator: Total number of vulnerabilities whose SLA deadline fell within the reporting period. Vulnerabilities found recently enough that their deadline has not yet arrived are excluded, so the metric is not diluted by findings that still have time to be fixed.
- Formula:
$$\text{Vulnerability Management SLA Compliance Rate} = \frac{\text{Number of vulnerabilities resolved within SLA}}{\text{Total number of vulnerabilities due for resolution}} \times 100$$
- Purpose: Ensures that vulnerabilities are being addressed promptly in accordance with established service levels, improving the overall security posture of the organization.
8. Zero-Day Vulnerabilities Detected
- Description: This metric tracks the share of detected vulnerabilities for which no vendor fix was available at the time of detection. A caveat on the name: scanners detect vulnerabilities by matching known signatures or version checks, so a true zero-day (one not yet known to the vendor or the public) is by definition not something a scan can report; what scanning can surface is the disclosed-but-unpatched case, where a signature exists but no fix does.
- Numerator: Number of detected vulnerabilities with no vendor fix available.
- Denominator: Total number of vulnerabilities detected.
- Formula:
$$\text{Zero-Day Vulnerabilities Detected} = \frac{\text{Number of zero-day vulnerabilities detected}}{\text{Total number of vulnerabilities detected}} \times 100$$
- Purpose: Shows how much of the detected exposure cannot be closed by patching and therefore depends on compensating controls, and, tracked over time, how quickly newly released scanner signatures are being picked up after a disclosure.
9. Risk Mitigation Rate
- Description: This metric measures how effectively the organization mitigates the risks associated with vulnerabilities, through remediation or compensating controls.
- Numerator: Number of high-risk vulnerabilities mitigated through remediation or compensating controls. The numerator must be drawn from the same high-risk population as the denominator; counting mitigations of all severities against a high-risk denominator lets the ratio exceed 100 percent.
- Denominator: Total number of high-risk vulnerabilities identified.
- Formula:
$$\text{Risk Mitigation Rate} = \frac{\text{Number of high-risk vulnerabilities mitigated}}{\text{Total number of high-risk vulnerabilities identified}} \times 100$$
- Purpose: Indicates the organization’s risk management capabilities in addressing high-risk vulnerabilities.
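The nine metrics above, computed in one place as an added example that is not part of the original page. It runs over a constructed quarter of scan findings: the asset names, the VULN-x identifiers (placeholders, not real CVEs), the report date and the per-severity SLA thresholds are all assumptions chosen for illustration. Metric 8 is computed as the share of findings with no vendor fix available at detection, since a scanner only reports vulnerabilities it has a signature for; the two compliance metrics count only findings whose deadline has already passed, and risk mitigation counts critical and high findings closed by either a patch or an accepted compensating control.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed per-severity deadlines (days from first detection); illustrative, not from SP 800-53.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str                     # host or application identifier
    vuln_id: str                   # placeholder ids in the sample; normally a CVE or plugin id
    severity: str                  # critical / high / medium / low
    first_seen: date               # first scan that reported the finding
    closed: Optional[date] = None  # patched and confirmed by rescan, or risk-accepted
    fix_available: bool = True     # a vendor fix existed when the finding was detected
    compensating: bool = False     # closed by a compensating control rather than a patch


def pct(numerator, denominator):  # percentage to one decimal; empty denominator -> 0.0
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def is_due(f, as_of):  # the finding's SLA deadline has passed as of the report date
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity]) <= as_of


def within_sla(f):  # closed inside its severity's deadline
    return f.closed is not None and (f.closed - f.first_seen).days <= SLA_DAYS[f.severity]


def detection_density(findings, scanned):
    """Metric 1: findings per scanned system (x100), a density rather than a speed."""
    return pct(len(findings), len(scanned))


def mean_remediation_days(findings):
    """Metric 2: mean elapsed days from first_seen to closed over closed findings."""
    done = [f for f in findings if f.closed]
    return sum((f.closed - f.first_seen).days for f in done) / len(done) if done else 0.0


def recurrence_rate(findings):
    """Metric 3: closed findings whose (asset, vuln_id) pair was reported again later."""
    done = [f for f in findings if f.closed]
    recurred = sum(1 for f in done if any(
        g.asset == f.asset and g.vuln_id == f.vuln_id and g.first_seen > f.closed
        for g in findings))
    return pct(recurred, len(done))


def patch_compliance_rate(findings, as_of):
    """Metric 4: patchable findings past their deadline that were patched (not risk-accepted) on time."""
    required = [f for f in findings if f.fix_available and is_due(f, as_of)]
    on_time = [f for f in required if within_sla(f) and not f.compensating]
    return pct(len(on_time), len(required))


def severity_distribution(findings):
    """Metric 5: share of findings at each severity level."""
    return {sev: pct(n, len(findings)) for sev, n in Counter(f.severity for f in findings).items()}


def scanning_coverage(scanned, inventory):
    """Metric 6: share of the authoritative asset inventory scanned in the period."""
    return pct(len(set(scanned) & set(inventory)), len(inventory))


def sla_compliance_rate(findings, as_of):
    """Metric 7: findings past their deadline that were closed by any means on time."""
    due = [f for f in findings if is_due(f, as_of)]
    return pct(sum(1 for f in due if within_sla(f)), len(due))


def no_fix_share(findings):
    """Metric 8: detected findings with no vendor fix available at detection."""
    return pct(sum(1 for f in findings if not f.fix_available), len(findings))


def risk_mitigation_rate(findings):
    """Metric 9: critical/high findings closed by patch or compensating control."""
    high = [f for f in findings if f.severity in {"critical", "high"}]
    return pct(sum(1 for f in high if f.closed), len(high))


# Constructed sample data for one quarter; vuln ids are placeholders, not real CVEs.
INVENTORY = ["web-01", "web-02", "db-01", "app-01", "jump-01"]
SCANNED = ["web-01", "web-02", "db-01", "app-01"]  # jump-01 was never scanned
AS_OF = date(2024, 3, 31)
FINDINGS = [
    Finding("web-01", "VULN-A", "critical", date(2024, 1, 5), closed=date(2024, 1, 15)),
    Finding("web-01", "VULN-A", "critical", date(2024, 2, 20), closed=date(2024, 2, 25)),  # recurrence
    Finding("web-02", "VULN-B", "high", date(2024, 1, 10), closed=date(2024, 2, 29)),      # 50 days, late
    Finding("db-01", "VULN-C", "high", date(2024, 2, 1), closed=date(2024, 2, 10), compensating=True),
    Finding("db-01", "VULN-D", "medium", date(2024, 1, 20)),                                # open, not yet due
    Finding("app-01", "VULN-E", "low", date(2024, 3, 1)),                                   # open, not yet due
    Finding("app-01", "VULN-F", "critical", date(2024, 3, 25), fix_available=False),        # no vendor fix
]


def report(findings=FINDINGS, scanned=SCANNED, inventory=INVENTORY, as_of=AS_OF):
    return {
        "1_detection_density_pct": detection_density(findings, scanned),
        "2_mean_remediation_days": mean_remediation_days(findings),
        "3_recurrence_pct": recurrence_rate(findings),
        "4_patch_compliance_pct": patch_compliance_rate(findings, as_of),
        "5_severity_distribution_pct": severity_distribution(findings),
        "6_scan_coverage_pct": scanning_coverage(scanned, inventory),
        "7_sla_compliance_pct": sla_compliance_rate(findings, as_of),
        "8_no_fix_share_pct": no_fix_share(findings),
        "9_risk_mitigation_pct": risk_mitigation_rate(findings),
    }
```

Calling `report()` on the sample gives a detection density of 175.0 (seven findings across four scanned hosts), a mean remediation time of 18.5 days, 25.0% recurrence (VULN-A on web-01 came back), 50.0% patch compliance against 75.0% SLA compliance (the compensating control on db-01 counts for the SLA but not as a patch), 80.0% coverage because jump-01 is in the inventory but was never scanned, and 80.0% risk mitigation with the unpatchable VULN-F still open. Feeding real scanner exports into `Finding` records is the only change needed to run it against an actual estate.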
Recommendations for Measurement Framework:
- Frequency: RA-5 requires scanning at an organization-defined frequency and also whenever new vulnerabilities potentially affecting the system are identified and reported, so a regular schedule (e.g., weekly or monthly) should be supplemented by ad hoc scans after significant disclosures. The metrics should be computed at the same cadence as the scheduled scans so that successive reporting periods are comparable.
- Automation: Use automated vulnerability scanning and patch management tools to generate accurate, real-time data on vulnerabilities. This improves the efficiency of measuring these metrics and provides up-to-date feedback on security health.
- Benchmarks and Thresholds: Set benchmarks for each metric, with remediation deadlines tiered by severity (e.g., critical vulnerabilities remediated within 15 days and high within 30, the timelines CISA's BOD 19-02 applies to internet-accessible federal systems), and monitor trends. Continuous improvement should aim to reduce time to remediate and to raise patch compliance, SLA compliance and scanning coverage; a rising detection rate is not by itself an improvement, since it can reflect either better scanning or a less well patched estate.
By using these metrics and measuring methods, organizations can effectively monitor their vulnerability management efforts, track progress over time, and identify areas for improvement.