CloudSecurityAlliance / continuous-audit-metrics

Continuous Audit Metrics

TVM-07 measure either the number of authenticated scans (where authentication is successful) or the number of deployed agents reporting vulnerabilities to the number of scanned hosts #74

Open pritikin opened 1 year ago

pritikin commented 1 year ago

This is a proposed effectiveness metric from Walt Williams

TVM-07-M1 To test for effectiveness, measure either the number of authenticated scans (where authentication is successful) or the number of deployed agents reporting vulnerabilities to the number of scanned hosts. If the number of authenticated scans does not match the asset count, or the number of agents doesn't match the asset count, this control is not effective.

mosi-k-platt commented 1 year ago

I don't think it's useful to update the metric to focus on authenticated scans or agents, but I do think the implementation guidelines for this metric could be updated to state reporters should specify what type of scans provide the numerator in the existing TVM-07-M1 metric.

This is a coverage metric, not an effectiveness metric. I think an effectiveness metric for vulnerability detection would measure an org's mean time to discover vulns against some target - like the mean time to discover vulns on the internet (as reported by sources like https://attacksurfacetop10.com) or some risk-based targets for vuln discovery time set in a vuln management policy or standard.
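The two measurements discussed in this thread, worked through in code as an added example (this is not code from the continuous-audit-metrics repository or from either commenter): the proposed TVM-07-M1 reading, which compares successfully authenticated scans or reporting agents against the asset inventory and lists the hosts each method misses, and the alternative from the second comment, a mean time to discover vulnerabilities checked against a policy target. The asset names, scan and agent records and dates are constructed; treating the proposed test as "the chosen method's count equals the asset count" is an assumed reading of the proposal's wording.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data (not from the CSA continuous-audit-metrics project):
# an asset inventory, scan results carrying an authentication flag, and agent
# check-ins carrying a "reported vulnerabilities" flag.
ASSETS = {"web-01", "web-02", "db-01", "app-01", "app-02"}

SCANS = [
    {"host": "web-01", "authenticated": True},
    {"host": "web-02", "authenticated": False},  # credentials rejected
    {"host": "db-01", "authenticated": True},
    {"host": "app-01", "authenticated": True},
    # app-02 was never reached by the scanner
]

AGENTS = [
    {"host": "web-01", "reported_vulns": True},
    {"host": "web-02", "reported_vulns": True},
    {"host": "db-01", "reported_vulns": False},  # installed but not reporting
    {"host": "app-01", "reported_vulns": True},
    {"host": "app-02", "reported_vulns": True},
]


def covered_hosts(records, flag):
    """Hosts whose record has the given flag set (successful auth or a reporting agent)."""
    return {r["host"] for r in records if r[flag]}


def coverage(assets, scans, agents):
    """TVM-07-M1 style coverage: how much of the inventory each method actually covers.

    Returns counts and ratios per method plus the hosts no method covers, so the
    reporter sees the gap and not only a percentage.
    """
    assets = set(assets)
    by_scan = covered_hosts(scans, "authenticated") & assets
    by_agent = covered_hosts(agents, "reported_vulns") & assets
    either = by_scan | by_agent
    n = len(assets)
    return {
        "asset_count": n,
        "authenticated_scans": len(by_scan),
        "reporting_agents": len(by_agent),
        "scan_ratio": len(by_scan) / n if n else 0.0,
        "agent_ratio": len(by_agent) / n if n else 0.0,
        "either_ratio": len(either) / n if n else 0.0,
        "uncovered_by_scan": sorted(assets - by_scan),
        "uncovered_by_agent": sorted(assets - by_agent),
        "uncovered_by_any": sorted(assets - either),
    }


def meets_proposed_test(result, method):
    """Assumed reading of the proposal: the chosen method's count must equal the asset count."""
    key = {"scan": "authenticated_scans", "agent": "reporting_agents"}[method]
    return result[key] == result["asset_count"]


# Constructed (published, discovered) timestamp pairs for the second comment's
# alternative: mean time to discover vulnerabilities against a policy target.
FINDINGS = [
    (datetime(2024, 1, 1), datetime(2024, 1, 3)),
    (datetime(2024, 1, 5), datetime(2024, 1, 9)),
    (datetime(2024, 1, 10), datetime(2024, 1, 16)),
]


def mean_time_to_discover_days(findings):
    """Mean of (discovered - published) in days."""
    return mean([(d - p).total_seconds() / 86400 for p, d in findings])


def meets_discovery_target(findings, target_days):
    """True when the mean discovery time is within the target set by policy."""
    return mean_time_to_discover_days(findings) <= target_days


if __name__ == "__main__":
    r = coverage(ASSETS, SCANS, AGENTS)
    print(r)
    print("scan test:", meets_proposed_test(r, "scan"), "agent test:", meets_proposed_test(r, "agent"))
    print("MTTD days:", mean_time_to_discover_days(FINDINGS), "target 5d:", meets_discovery_target(FINDINGS, 5))
```

On the constructed data neither method alone reaches the asset count (one scan failed to authenticate, one agent is installed but silent), so the strict proposed test fails for both, even though every host is covered by at least one method; that is the ambiguity the first reply points at when it asks reporters to state which scan type feeds the numerator. The discovery-time function needs a target supplied from policy, which is the external reference the second reply argues an effectiveness metric requires.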