We applied survival analysis (Kaplan-Meier) to Qualys VMDR data ingested into the Elastic Stack to more accurately measure time-to-patch and account for censored (still-open) vulnerabilities, revealing that common mean/median metrics can hide long tails and open-case dynamics. The approach enables stratified comparisons across teams, environments, and severities and supports operational metrics like SLO adherence, arrival rate, burndown rate, and escape rate. #QualysVMDR #KaplanMeier
Keypoints
- Survival analysis models time-to-patch while including censored observations (vulnerabilities still open), avoiding biases inherent in mean/median MTTR metrics.
- Data was ingested from Qualys VMDR into the Elastic Stack (mapped to ECS) using the native Qualys VMDR integration and an Elastic Agent whose API query parameters were tailored to pull the fields the analysis needs (asset id, cloud tags, package/result details).
- Vulnerability age was calculated as days between last found and first found to represent exposure duration, accounting for reintroduced or long-lived findings.
- Analysis used Python (Elasticsearch client) with two extraction methods: ES|QL (arrow format into pandas) and paginated DSL with scan for larger result sets.
- Kaplan-Meier survival curves and month-over-month CDFs were used together: survival curves show full lifecycle and long-tail persistence; CDFs show patching velocity for closed items.
- Stratified survival analysis (by severity, team, environment, cloud provider, asset criticality) exposes differences and bottlenecks masked by aggregate metrics.
- Additional operational metrics (Arrival Rate, Burndown Rate, Escape Rate) were proposed to complement survival analysis and better characterize workload pressure and process failures.
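The keypoints above describe the core of the method: age as last found minus first found, open findings kept in the sample as right-censored observations, a Kaplan-Meier curve per stratum, and an SLO read off that curve. The following added example (not the article's code, and not the Elastic or Qualys projects' code) implements that pipeline in pure Python on a constructed set of findings shaped like the Qualys VMDR fields named later on the page. The data, the `Finding` record type, the `AS_OF` date and the per-severity SLO values are all assumptions made for illustration; the closed-only median versus the KM median is the bias the article is pointing at.

```python
"""Kaplan-Meier time-to-patch with right-censoring, in pure Python.

Added example, not the article's code. The findings below are constructed to
mimic the Qualys VMDR fields the page names (first_found_datetime,
last_found_datetime, unique_vuln_id); they are not real scan data.
"""
from datetime import date
from fractions import Fraction
from statistics import median
from typing import NamedTuple


class Finding(NamedTuple):          # assumed record shape, one row per detection
    unique_vuln_id: str             # ...vulnerability.unique_vuln_id
    severity: str                   # stratification key (team/env work the same way)
    first_found: date               # ...vulnerability.first_found_datetime
    last_found: date                # ...vulnerability.last_found_datetime
    closed: bool                    # True = patched (event); False = still open (censored)


AS_OF = date(2024, 7, 1)  # constructed analysis date; open findings were last seen here

FINDINGS = [  # constructed sample, not real data
    Finding("v1", "critical", date(2024, 5, 1), date(2024, 5, 8), True),
    Finding("v2", "critical", date(2024, 5, 1), date(2024, 5, 15), True),
    Finding("v3", "critical", date(2024, 5, 1), date(2024, 5, 11), True),
    Finding("v4", "critical", date(2024, 6, 1), AS_OF, False),
    Finding("v5", "high", date(2024, 4, 1), date(2024, 4, 21), True),
    Finding("v6", "high", date(2024, 4, 1), AS_OF, False),
    Finding("v7", "high", date(2024, 3, 1), AS_OF, False),
    Finding("v8", "high", date(2024, 5, 1), date(2024, 5, 31), True),
]


def age_days(f: Finding) -> int:
    """Exposure duration as the article defines it: last found minus first found."""
    return (f.last_found - f.first_found).days


def kaplan_meier(findings):
    """Return the KM survival curve as [(t_days, S(t))], with S(0) = 1.

    Open findings stay in the at-risk set up to their censoring time but never
    count as an event; a closed-only median simply drops them.
    """
    obs = sorted((age_days(f), f.closed) for f in findings)
    curve = [(0, Fraction(1))]
    s, at_risk, i = Fraction(1), len(obs), 0
    while i < len(obs):
        t = obs[i][0]
        events = removed = 0
        while i < len(obs) and obs[i][0] == t:   # ties: events and censorings at t
            events += obs[i][1]
            removed += 1
            i += 1
        if events:                               # S only steps down on a patch event
            s *= Fraction(at_risk - events, at_risk)
            curve.append((t, s))
        at_risk -= removed
    return curve


def survival_at(curve, t):
    """S(t): share of findings still open after t days (right-continuous step)."""
    return next(s for day, s in reversed(curve) if day <= t)


def km_median(curve):
    """First t with S(t) <= 0.5; None when more than half are still open."""
    return next((t for t, s in curve if s <= Fraction(1, 2)), None)


def summarize(findings, slo_days):
    """Compare the KM estimate with the naive closed-only median for one stratum."""
    curve = kaplan_meier(findings)
    closed_ages = [age_days(f) for f in findings if f.closed]
    return {
        "n": len(findings),
        "open": sum(not f.closed for f in findings),
        "naive_median_days": median(closed_ages) if closed_ages else None,
        "km_median_days": km_median(curve),
        # assumed SLO reading: share patched within the SLO = 1 - S(SLO),
        # so open findings older than the SLO count against adherence
        "slo_adherence": float(1 - survival_at(curve, slo_days)),
    }


def stratified(findings, key, slo_by_stratum):
    """summarize() per stratum (severity here; team or environment work the same)."""
    strata = sorted({getattr(f, key) for f in findings})
    return {s: summarize([f for f in findings if getattr(f, key) == s], slo_by_stratum[s])
            for s in strata}


if __name__ == "__main__":
    print("overall:", summarize(FINDINGS, slo_days=30))
    for sev, stats in stratified(FINDINGS, "severity", {"critical": 30, "high": 90}).items():
        print(sev, stats)
```

On this constructed sample the closed-only median time-to-patch is 14 days while the KM median is 20 days, because the three open findings (30, 91 and 122 days old) are excluded from the naive figure but remain at risk in the KM estimate; stratifying shows critical findings reaching S(t) = 0.5 at 10 days and high at 30 days, which the pooled curve hides. Fractions are used internally so the step values are exact; replace the constructed list with rows extracted from `qualys_vmdr.asset_host_detection` to run it on real data.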
MITRE Techniques
- [T1082] System Information Discovery – Mapped by analogy only: the Qualys agent's own scan collects installed-package and version details for each host (article: "show_results=1: details about what is the current installed package and which version should be installed"); no adversary activity is implied.
- [T1592] Gather Victim Host Information – Likewise by analogy: the ingested records carry asset identifiers and cloud tags that tie each vulnerability to a host ("show_asset_id=1: retrieve asset id", "show_cloud_tags=1: retrieve Cloud tags").
- [T1046] Network Service Discovery – Likewise by analogy: the `qualys_vmdr.asset_host_detection.vulnerability` dataset records the vulnerable services and packages the scanner found, which is the input to the survival analysis rather than an observed attacker technique.
Indicators of Compromise
- [File/Record Fields] Qualys vulnerability record fields used as analysis context rather than as compromise indicators – vulnerability.id (CVE IDs), qualys_vmdr.asset_host_detection.vulnerability.unique_vuln_id
- [Timestamps/Fields] Date fields used to compute vulnerability age (last found minus first found) – qualys_vmdr.asset_host_detection.vulnerability.first_found_datetime, qualys_vmdr.asset_host_detection.vulnerability.last_found_datetime
- [Tags/Assets] Asset and environment context used for stratification – asset id (show_asset_id=1), cloud tags (show_cloud_tags=1) and the team/environment fields (elastic.owner.team, elastic.environment)
Read more: https://www.elastic.co/security-labs/time-to-patch-metrics