Defining Mean Time to Inventory (MTTI)
Mean Time to Inventory (MTTI) measures the time an enterprise needs to complete a full external asset inventory that assigns an owner to every asset, so that each can be classified and protected according to its value. MTTI becomes especially critical after a Common Vulnerabilities and Exposures (CVE) announcement, because attacker scanning for the newly disclosed service spikes immediately. Unfortunately, both the disclosure and the scanning wave that follows it usually arrive before most organizations have completed even a first pass of their own inventory.
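To make the definition concrete, here is an added example (not code from the original page or from Cortex Xpanse) that computes MTTI from a small set of constructed external-asset records. It assumes an operational reading the page leaves implicit: the clock starts when the inventory pass starts, stops for each asset when an owner is assigned, and the full-inventory MTTI stays open while any discovered asset is still unowned. The record format, hostnames and timestamps are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional, Tuple


@dataclass
class Asset:
    """One internet-facing asset as seen from outside (hypothetical record format)."""
    host: str
    discovered_at: datetime                 # first seen by the external scan
    owner_assigned_at: Optional[datetime]   # None until someone claims it
    classification: Optional[str] = None    # set by the owner once claimed


# Constructed sample data: an inventory pass that started at T0.
T0 = datetime(2021, 3, 2, 12, 0)
SAMPLE_ASSETS = [
    Asset("vpn.example.com", T0 + timedelta(minutes=20), T0 + timedelta(minutes=40), "critical"),
    Asset("mail.example.com", T0 + timedelta(minutes=45), T0 + timedelta(hours=26), "critical"),
    Asset("dev-test.example.com", T0 + timedelta(hours=2), None),  # found, still unclaimed
]


def minutes_to_inventory(asset: Asset, start: datetime) -> Optional[float]:
    """Minutes from the start of the inventory pass until ownership was assigned.
    Discovery alone does not count: the definition requires an owner."""
    if asset.owner_assigned_at is None:
        return None
    return (asset.owner_assigned_at - start).total_seconds() / 60


def mtti_minutes(assets: List[Asset], start: datetime) -> Tuple[Optional[float], int]:
    """Mean time to inventory over the assets that have an owner, plus the number
    still unowned. While that number is non-zero the full-inventory clock is
    still running, so the mean is only a lower bound on the true MTTI."""
    done = []
    for asset in assets:
        minutes = minutes_to_inventory(asset, start)
        if minutes is not None:
            done.append(minutes)
    unowned = len(assets) - len(done)
    return (mean(done) if done else None), unowned


def owned_after_attacker_scan(assets: List[Asset], cve_announced_at: datetime,
                              attacker_delay: timedelta) -> List[str]:
    """Hosts an attacker scanning at cve_announced_at + attacker_delay would have
    enumerated before the defender had assigned an owner (or that still have none)."""
    scan_at = cve_announced_at + attacker_delay
    return [a.host for a in assets
            if a.owner_assigned_at is None or a.owner_assigned_at > scan_at]


if __name__ == "__main__":
    avg, open_count = mtti_minutes(SAMPLE_ASSETS, T0)
    print(f"MTTI so far: {avg:.0f} min over owned assets; {open_count} still unowned")
    # A CVE dropped one hour into the pass; attackers were scanning 5 minutes later.
    late = owned_after_attacker_scan(SAMPLE_ASSETS, T0 + timedelta(hours=1), timedelta(minutes=5))
    print("Attacker enumerated first:", ", ".join(late))
```

The second function is the one worth wiring into a dashboard: the list of assets an attacker could have enumerated before anyone on your side owned them is what the gap between attacker scan cadence and defender MTTI actually looks like in practice.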
Today, organizations use metrics to gauge cybersecurity effectiveness, and typical yardsticks often include dwell time, mean time to detect (MTTD), and mean time to respond (MTTR). However, these measurements are inherently reactive in nature and tend to focus on known assets.
Recent Cortex® Xpanse™ analysis found that threat actors scan to inventory enterprise internet assets about once an hour on average. After most CVE announcements that interval shrank to about 15 minutes, and for the highest-profile vulnerabilities it was faster still. Two recent CVEs illustrate the range. At the slower end, scanning began 15 minutes after the release of a CVE for a vulnerability that enabled remote access to products from a maker of prosumer networking devices. At the faster end, we saw large-scale scanning begin within 5 minutes of the high-profile disclosure of the Microsoft Exchange/OWA vulnerabilities.
Why is defenders' MTTI so much slower?
Vulnerability management within security teams suffers from the same lag. Like antivirus, vulnerability scanners rely on a database of known CVEs, so they are only as good as their latest update. In practice this means waiting hours or days for an updated CVE check, which usually stretches the overall patching process to days. Worse, vulnerability scanners query only the devices already on their target list to see what is exposed, which covers known assets alone. What about the unknown ones?
For the assets enterprises don't know about, third parties, usually through quarterly penetration tests or red-team engagements, perform partial asset enumeration to find and test infrastructure. That discovery relies on a patchwork of scripts and tools the testers have assembled, which turns up some of the potentially vulnerable infrastructure.
These methods are rarely comprehensive and regularly miss vulnerable infrastructure belonging to the organization. Combined with rapid digital transformation and systems that are inherently ephemeral, living for hours or minutes, security teams lag far behind attackers in knowing both what assets they have and whether those assets are vulnerable.
In the supply chain discipline, inventory management has long been studied and optimized. Countless books, websites, and business school classes have been devoted to the art of inventory management. Yet, in information technology and security, inventory management remains elusive. By adopting MTTI as a key security and IT metric, enterprises start to have a mechanism to see and secure critical assets.
In one of our latest white papers, we highlight how security teams can overcome the limitations of traditional solutions to monitor and remediate critical issues that arise during cloud migration projects and after CVE announcements—while dramatically decreasing MTTI in the process.