Systems without vulnerabilities in 48 hours - exploitable or critical and high¶
Description¶
The percentage of systems that have been active in the last 30 days and that have resolved exploitable or critical and high vulnerabilities published in the last 48 hours, providing critical insight into the organisation's ability to minimize exposure to known threats and effectively reduce the attack surface.
How we measure it¶
Find all active hosts per your vulnerability management system. Join the hosts with the vulnerability database, and filter the vulnerabilities on the criteria as defined in the metric definition.
Meta Data¶
| Attribute | Value |
|---|---|
| Metric id | vm_posture_exploitable_critical_48_hours |
| Category | Vulnerability Management |
| SLO | 90.00% - 95.00% |
| Weight | 0.8 |
| Type |  |
References¶
| Framework | Ref | Domain | Control |
|---|---|---|---|
| ISO 27001:2022 | A.8.8 | 8 Technological controls | Management of technical vulnerabilities |
| CIS 8.1 | 7.5 | Continuous Vulnerability Management | Perform Automated Vulnerability Scans of Internal Enterprise Assets |
| CIS 8.1 | 7.6 | Continuous Vulnerability Management | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets |
| NIST CSF v2.0 | ID.RA-01 | Risk Assessment (ID.RA) | ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded |
| Essential8-ML3 | ISM-1692 | Patch applications | Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |
| Essential8-ML1 | ISM-1876 | Patch applications | Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |
| Essential8-ML2 | ISM-1876 | Patch applications | Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |
| Essential8-ML3 | ISM-1876 | Patch applications | Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |
| Essential8-ML3 | ISM-1696 | Patch operating systems | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |
| Essential8-ML1 | ISM-1877 | Patch operating systems | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |
| Essential8-ML2 | ISM-1877 | Patch operating systems | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |
| Essential8-ML3 | ISM-1877 | Patch operating systems | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |
| Essential8-ML3 | ISM-1879 | Patch operating systems | Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |
| Essential8-ML3 | ISM-1903 | Patch operating systems | Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |
Code¶
SELECT
host.hostname AS resource,
'host' as resource_type,
CASE
WHEN count(cve.aid) = 0 THEN 1
ELSE 0
END AS compliance,
CAST(count(cve.*) as text) AS detail
FROM
{{ ref('crowdstrike_hosts') }} AS host
LEFT JOIN
{{ ref('crowdstrike_vulnerabilities') }} AS cve
ON
host.device_id = cve.aid
AND cve.status IN ('open', 'reopen')
AND (
coalesce(cve.cve.exploit_status > 0, false) or
cve.severity IN ('HIGH', 'CRITICAL')
)
WHERE
CURRENT_DATE - CAST(STRPTIME(host.last_seen, '%Y-%m-%dT%H:%M:%SZ') AS DATE) < 30 and
CURRENT_DATE - CAST(cve.published_date AS DATE) >= 2
GROUP BY
host.hostname
SELECT
asset.hostname AS resource,
'host' AS resource_type,
CASE
WHEN count(cve.plugin.id) = 0 THEN 1
ELSE 0
END AS compliance,
CAST(count(cve.plugin) AS text) AS detail
FROM
{{ ref('tenable_assets') }} AS asset
LEFT JOIN
{{ ref('tenable_vulnerabilities') }} AS cve
ON
asset.uuid = cve.asset.uuid
AND cve.state IN ('OPEN', 'REOPENED')
AND (
cve.plugin.exploit_available IS TRUE OR
cve.severity IN ('high', 'critical')
)
WHERE
CURRENT_DATE - CAST(asset.last_seen AS DATE) < 30 AND
CURRENT_DATE - CAST(cve.last_found AS DATE) >= 2
GROUP BY
asset.hostname