How is Mean Time to Remediate Calculated?

Cisco Vulnerability Management provides you with many metrics for each of your Risk Meters. One of these is the Mean Time to Remediate (MTTR). This Help Article explains how this metric is calculated so that you can validate it against the data in your environment.

Mean Time to Remediate is the average, by risk level, of the number of days it took to close each vulnerability (closed at - found on). The overall calculation also takes into account the size of each risk bucket, which ensures that a larger bucket has the proper impact on the overall average MTTR.

Note that the MTTR calculation only includes closed vulnerabilities. It does not include False Positive, Risk Accepted, or Open vulnerabilities in the calculation.

 


 

The example below shows an Asset Group that contains three assets. 

For these assets there are three vulnerabilities.

To see the MTTR data in Cisco Vulnerability Management you can access the report page for this group from your dashboard as shown below.  Each meter has a Reporting button at the bottom.

 

The MTTR is shown in the Historical Risk Information Section of the report page.  As you can see below, the MTTR for High Risk Vulnerabilities is 93 days for this meter.

 

 

 

Check email and download CSV.

 

Using an advanced spreadsheet tool you can find the difference between the found date and the closed date. If you average the diff values by risk you can confirm the reporting data in Cisco Vulnerability Management.
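The same validation can be scripted instead of done in a spreadsheet. The following is an added example, not code from Cisco Vulnerability Management: the CSV column names, the status values, and the risk level score boundaries are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export; column names and status values are assumptions.
SAMPLE_CSV = """id,status,risk_score,found_on,closed_at
1,closed,87,2021-10-01,2022-01-02
2,closed,45,2021-12-01,2021-12-11
3,closed,50,2021-12-01,2021-12-21
4,open,90,2021-11-01,
5,false_positive,70,2021-11-01,2021-11-05
6,risk_accepted,20,2021-11-01,2021-11-03
"""

def risk_level(score):
    # Assumed bucket boundaries; adjust them to match your own risk levels.
    if score >= 67:
        return "High"
    if score >= 34:
        return "Medium"
    return "Low"

def mttr_by_risk(csv_text):
    """Return ({level: (mean_days, count)}, overall_mttr) for closed vulns only."""
    days = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"] != "closed" or not row["closed_at"]:
            continue  # Open, False Positive and Risk Accepted are excluded
        found = datetime.strptime(row["found_on"], "%Y-%m-%d")
        closed = datetime.strptime(row["closed_at"], "%Y-%m-%d")
        # The export carries the current score, so bucket on that value.
        days[risk_level(int(row["risk_score"]))].append((closed - found).days)
    buckets = {lvl: (sum(d) / len(d), len(d)) for lvl, d in days.items()}
    total = sum(n for _, n in buckets.values())
    # Weight each bucket's mean by its size so larger buckets count for more.
    overall = sum(m * n for m, n in buckets.values()) / total if total else None
    return buckets, overall

if __name__ == "__main__":
    buckets, overall = mttr_by_risk(SAMPLE_CSV)
    for lvl, (mean, n) in sorted(buckets.items()):
        print(f"{lvl}: {mean:.1f} days over {n} closed")
    print(f"Overall: {overall:.1f} days")
```

On the sample rows the size-weighted overall figure differs from a plain average of the two bucket means (54 days), which is the effect of taking bucket size into account.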

 

Additional Notes:

  • Cisco Vulnerability Management will only include closed vulnerabilities on active assets.

  • Since open vulnerabilities are not factored into the equation, customers could theoretically only focus on new vulnerabilities to keep their MTTR low. However, any older vulnerabilities that are eventually closed will negatively impact your MTTR.  

  • Cisco Vulnerability Management does not currently track or save the Cisco Vulnerability Management score when a vulnerability is opened or the score on the day on which it is closed. Vulnerability scores are re-calculated and stored every night and that stored value is reported. For example, if a vulnerability is closed on June 1st and the score was 65, the 65 score is not stored and could change over time. Say that by December of that same year, the score was an 87. Cisco Vulnerability Management will only know it is an 87 and was closed on June 1st and thus it is considered to be a Closed - High vulnerability. There is a potential plan to start tracking this information, but it is not tracked today.

  • August 30th, 2019 is the furthest back MTTR calculations will go, even for long standing clients. For new clients, Cisco Vulnerability Management will only calculate as far back as you have data. 

  • Calculations done manually might be slightly different than what is provided in the Portal. This is because our Asset inactivation job runs at 5:35 UTC and the Reporting job runs shortly after at 6:00 UTC. By the time of your export and manual calculation, time has passed and you may have closed vulnerabilities that have come in from a connector after the reporting job completed that morning. As a result, unless you export and calculate at the same time as Cisco Vulnerability Management with no connectors running, the results might be slightly different.

 
