Cisco Vulnerability Management provides you with many metrics for each of your Risk Meters. One of these is the Mean Time to Remediate. This Help Article will help you to understand how this metric is calculated to assist you in validating your data within your environment.
Mean Time to Remediate is the Average by risk level, for the number of days it took to close the vulnerability (closed at - found on). The overall calculation also takes into account the size of each risk bucket, thus ensuring that a larger bucket has the proper impact on the overall average MTTR.
Please note that the MTTR calculation only includes closed vulnerabilities. It does not include False Positive, Risk Accepted, or Open vulnerabilities in the calculation.
The simple example below shows an Asset Group that contains three assets.
For these assets there are three vulnerabilities.
To see the MTTR data within Cisco Vulnerability Management you can access the report page for this group from your dashboard as shown below. Each meter has a Reporting button at the bottom.
The MTTR is shown in the Historical Risk Information Section of the report page. As you can see below, the MTTR for High Risk Vulns is 93 days for this meter.
Check email and download CSV.
Using an advanced spreadsheet tool you can find the difference between the found date and the closed data. If you average the diff values by risk you can confirm the reporting data in Cisco Vulnerability Management.
Cisco Vulnerability Management will only include closed vulnerabilities on active assets.
Since open vulnerabilities are not factored into the equation, customers could theoretically only focus on new vulnerabilities to keep their MTTR low. However, any older vulnerabilities that are eventually closed will negatively impact your MTTR.
Cisco Vulnerability Management does not currently track or save the Kenna score when a vuln is opened or the Kenna score the day on which it is closed. Vuln scores are re-calculated and stored every night and that stored value is reported. Example: If a vuln is closed on June 1st and the score was 65, the 65 score is not stored and could change over time. Say that by December that same year, the score was an 87. Cisco Vulnerability Management will only know it is an 87 and was closed on June 1st and thus it is considered to be a Closed - High vulnerability. There is a potential plan to start tracking this information, but it is not tracked today.
August 30th, 2019 is the furthest back MTTR calculations will go, even for long standing clients. For new clients, Cisco Vulnerability Management will only calculate as far back as you have data.
- Calculations done manually may be slightly different than what is provided in the Portal. This is because our Asset inactivation job runs at 5:35 UTC, the Reporting job runs shortly after at 6:00 UTC. At the time of your export and manual calculation, time has passed and you may have closed vulns that have come in via connector after the reporting job completed that morning. As a result, unless you export and calculate at the same time as Cisco Vulnerability Management with no connectors running, the results may be slightly different.