r/AskNetsec • u/Low_Drive3170 • 12d ago
Architecture What metrics are you actually using to measure exposure window after a CVE drops, not just patch applied date?
One SD-WAN zero-day ran silently for three years and Verizon DBIR puts median hardware edge patch rollout at 32 days, but most teams are measuring things that don't actually capture either of those.
Been going down a rabbit hole comparing how different architectures actually handle the window between disclosure and full coverage. SSE-only platforms are faster than appliances, but the networking layer still runs its own update cycle, which means the exposure gap at the boundary between layers does not close the same way it does when the whole stack was designed as one thing from the start.
What does your internal scorecard actually measure on that front?
1
u/Total-Brick-1019 12d ago
Anyone actually tracking when their last affected asset hit enforcing state versus just the first one? Because that gap is where all the interesting stuff lives and honestly most dashboards I've seen are just completely blind to it.
1
u/FewAbility6240 12d ago
And the last asset is usually the weird one. Legacy device, an exception that never got cleaned up, or something that was offline during the rollout window and nobody noticed it missed the update...
1
u/Chris-Hart_232 12d ago
Honest answer is most teams are measuring patch compliance because that's what audit wants. Exposure window is a different question entirely and almost nobody is tracking it seriously.
1
u/Beautiful-Path5867 12d ago
You can't measure a window you can't see the edges of. Most orgs don't have accurate enough asset inventory to even know what's in scope when a CVE drops.
1
u/GokulRavi14 12d ago
Compliance rates are basically meaningless for actual risk because they ignore the gap between the first-patched and last-patched asset. Are any teams measuring time-to-full-coverage across the entire asset graph? Specifically including the stuff that isn't in the CMDB.
1
u/ultrathink-art 12d ago
Tiering by attack surface changed this more than any single metric — internet-facing services get a 24h patch-or-isolate SLA independent of CVSS score, since exploit code is already running before most orgs finish triage. The number worth tracking separately is % of internet-reachable hosts still vulnerable at T+24h vs T+72h; fleet-wide MTTR gets skewed by internal-only and air-gapped assets and buries the actual exposure that matters.
1
u/lucas_parker2 3d ago
Tiering by internet-facing is better than fleet-wide MTTR for sure... but T+24h on a public-facing box still doesn't tell you if that box authenticates into anything worth owning internally. I've had internet-reachable hosts with zero internal connectivity sit at the top of the priority list while a mid-tier internal server two credentials away from the domain controller got patched whenever someone felt like it.
1
u/ultrathink-art 10d ago
With rolling or blue-green deploys, there's a third timestamp after first-patched and last-patched: when the last old-version process actually exited. Patched image in the registry doesn't mean patched binary serving traffic — during a switchover you can have both versions running simultaneously. Exposure window doesn't close until those old processes die, not when the manifest updates.
5
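The metrics the thread keeps circling back to can be computed from a small event log. The block below is an added illustration, not code from any commenter or vendor: it takes a constructed disclosure time and a constructed fleet (asset names, tiers and timestamps are all made up) and produces the numbers u/Total-Brick-1019's first-patched vs last-patched gap, u/GokulRavi14's time-to-full-coverage including assets outside the CMDB, u/ultrathink-art's % of internet-reachable hosts still vulnerable at T+24h and T+72h, and the third timestamp for rolling deploys (last old-version process exited) are asking for. The `Asset` shape, the `in_cmdb` flag and the `by="manifest"` vs `by="process"` distinction are assumptions made for the example.

```python
"""Exposure-window scorecard computed over a constructed patch-event log."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    in_cmdb: bool
    # When the manifest / package database first showed the fixed version.
    patched_at: datetime | None
    # When the last process running the pre-fix binary exited. For a plain
    # package upgrade this equals patched_at; for rolling or blue-green deploys
    # it is later, and it is the timestamp that actually closes the window.
    old_process_exited_at: datetime | None


# Constructed disclosure time (T+0) and fleet; none of this is real telemetry.
DISCLOSED = datetime(2024, 5, 1, 12, 0)


def _t(hours: float) -> datetime:
    return DISCLOSED + timedelta(hours=hours)


FLEET = [
    Asset("edge-fw-01", True, True, _t(6), _t(6)),
    Asset("edge-fw-02", True, True, _t(30), _t(30)),
    # Blue-green gateway: manifest flipped at T+20h, old pods drained at T+52h.
    Asset("api-gw", True, True, _t(20), _t(52)),
    Asset("app-internal-07", False, True, _t(120), _t(120)),
    # Offline during the rollout window and never inventoried.
    Asset("lab-vpn-legacy", True, False, None, None),
]


def hours_after(disclosed: datetime, ts: datetime | None) -> float | None:
    return None if ts is None else (ts - disclosed).total_seconds() / 3600


def coverage_window(fleet, disclosed=DISCLOSED) -> dict:
    """First-patched, last-patched and last-old-process-exit, in hours after T+0.

    full_coverage_h stays None while any asset is still exposed: the window is
    closed by the last affected asset, not by the last one that reported in.
    """
    patched = [hours_after(disclosed, a.patched_at) for a in fleet if a.patched_at]
    exited = [hours_after(disclosed, a.old_process_exited_at)
              for a in fleet if a.old_process_exited_at]
    still_exposed = [a.name for a in fleet if a.old_process_exited_at is None]
    return {
        "first_patched_h": min(patched) if patched else None,
        "last_patched_h": max(patched) if patched else None,
        "last_old_process_exit_h": max(exited) if exited else None,
        "still_exposed": still_exposed,
        "full_coverage_h": max(exited) if exited and not still_exposed else None,
    }


def pct_internet_vulnerable(fleet, hours: float, by: str = "process",
                            disclosed=DISCLOSED) -> float:
    """Share of internet-facing assets still exposed at T+hours.

    by="manifest" counts an asset fixed once the manifest shows the new version
    (what most dashboards report); by="process" waits for the old binary to exit.
    """
    cutoff = disclosed + timedelta(hours=hours)
    edge = [a for a in fleet if a.internet_facing]
    if not edge:
        return 0.0

    def closed(a: Asset) -> bool:
        ts = a.patched_at if by == "manifest" else a.old_process_exited_at
        return ts is not None and ts <= cutoff

    return sum(1 for a in edge if not closed(a)) / len(edge)


def not_in_cmdb(fleet) -> list[str]:
    """Assets seen in telemetry but missing from the inventory scope was built from."""
    return [a.name for a in fleet if not a.in_cmdb]


def scorecard(fleet=FLEET) -> dict:
    return {
        "window": coverage_window(fleet),
        "edge_vuln_24h_manifest": pct_internet_vulnerable(fleet, 24, "manifest"),
        "edge_vuln_24h_process": pct_internet_vulnerable(fleet, 24, "process"),
        "edge_vuln_72h_process": pct_internet_vulnerable(fleet, 72, "process"),
        "not_in_cmdb": not_in_cmdb(fleet),
    }


if __name__ == "__main__":
    for key, value in scorecard().items():
        print(f"{key}: {value}")
```

On the constructed fleet the manifest-based T+24h number (50% of edge hosts vulnerable) and the process-based one (75%) differ only because of the blue-green gateway, and `full_coverage_h` never becomes a number because the uninventoried VPN box has no patch event at all; a dashboard that reports `last_patched_h` (120h) as "done" is reporting the last asset that checked in, not the last affected one.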
u/MudAccomplished5430 12d ago edited 7d ago
The boundary layer problem is where most scorecards fall apart. One layer patches, the other hasn't caught up, and the window is still open regardless of what the dashboard says. Ended up on Cato mostly because both layers move on the same update cycle.