Goals and SLAs

Goals and SLAs is an InsightVM feature that helps you reduce overall risk and improve the security of your environment. Track your remediation efforts or asset configuration by setting goals and defining metrics to measure against those goals. To view your progress, you can add goal cards to dashboards.

This guide will introduce concepts about goals and SLAs.

Goal types

A goal is a metric that you can use to evaluate your remediation efforts. You can build goals to track and measure progress against your vulnerability and asset data to help evaluate your organization’s overall security performance.

You can create three types of goals:

Time bound goals

A time bound goal is a one-time goal with a set deadline. It’s suited for data scopes that do not change.

For example, let’s say you have 150 assets that use Windows 10, but that operating system will become obsolete by October 2025. Since you’ll need to upgrade those 150 assets before October, you can create a time bound goal to help you track the systems that need to be upgraded before that date.

Examples include:

  • Remove 100% of Windows 7 desktops across the entire organization by January 14, 2020.
  • Reduce the number of exploitable vulnerabilities in Boston by 50% by December 2020.
  • Reduce the number of assets with critical vulnerabilities to less than 10% by June 15, 2022.

Continuous goals

A continuous goal lets you monitor progress or criteria without a time limit, such as a rule or a key performance indicator. If you want to keep track of a recurring event or condition to ensure you’re compliant, use a continuous goal to monitor any new occurrences or status changes. A continuous goal helps you track repeatable events or conditions that can change with each scan or agent data collection.

For example, if you need to keep port 22 closed on all assets, you can create a continuous goal to monitor if any assets have an open port 22.

Examples include:

  • All external facing assets must have a closed SSH port every time.
  • All critical assets should have had a successful credential scan every time.
  • The Insight Agent is installed on at least 90% of my Windows servers.

SLAs

An SLA lets you track remediation over a dynamic time span. Like a continuous goal, an SLA monitors recurring events or conditions that can change with each scan, but it adds a designated time frame. This time frame starts on a rolling basis for each new vulnerability or asset discovered during scans or agent collection, so the SLA must be met for every instance within its own designated time.

For example, you can use an SLA to monitor critical vulnerabilities on production systems to ensure they are patched within seven days after they are discovered. Because new vulnerabilities are constantly being discovered, neither a time bound goal nor a continuous goal fits this case: each system should be patched and protected as soon as possible after its vulnerability is found, so the clock has to start per discovery.

Examples include:

  • Remediate all critical vulnerabilities in production environments within three days of discovery.
  • Remediate all vulnerabilities that have a CVSS of 5 or greater on Windows Servers within 15 days of discovery.
  • Remediate all assets in Boston so that each asset's risk score is less than 1000 within 10 days of discovery.
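To make the rolling time frame concrete, here is an added Python example (not InsightVM code and not its API) that evaluates a set of constructed findings against a 7-day critical-vulnerability SLA on production systems: every finding gets its own deadline from its discovery date and is reported as met, open or breached as of a chosen date. The Finding fields, the sample data and the status names are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Finding:
    """A single vulnerability instance on a single asset (assumed shape)."""
    asset: str
    vuln_id: str
    severity: str
    environment: str
    discovered: date
    remediated: Optional[date] = None  # None means still open

def sla_status(f: Finding, sla_days: int, as_of: date) -> str:
    # Each instance has its own clock: the deadline is relative to its
    # discovery date, which is what makes the time frame "rolling".
    deadline = f.discovered + timedelta(days=sla_days)
    if f.remediated is not None:
        return "met" if f.remediated <= deadline else "breached"
    return "open" if as_of <= deadline else "breached"

def evaluate_sla(findings, sla_days, as_of, severity="critical", environment="production"):
    # Only findings inside the SLA's scope are judged against it.
    in_scope = [f for f in findings if f.severity == severity and f.environment == environment]
    statuses = {(f.asset, f.vuln_id): sla_status(f, sla_days, as_of) for f in in_scope}
    counts = {"met": 0, "open": 0, "breached": 0}
    for status in statuses.values():
        counts[status] += 1
    return statuses, counts

# Constructed sample data: four in-scope findings and two out-of-scope ones.
SAMPLE_FINDINGS = [
    Finding("prod-web-01", "VULN-A", "critical", "production", date(2024, 3, 1), date(2024, 3, 5)),
    Finding("prod-db-01", "VULN-B", "critical", "production", date(2024, 3, 1), date(2024, 3, 12)),
    Finding("prod-app-02", "VULN-C", "critical", "production", date(2024, 3, 10)),
    Finding("prod-app-03", "VULN-D", "critical", "production", date(2024, 3, 2)),
    Finding("dev-box-01", "VULN-E", "critical", "development", date(2024, 3, 1)),
    Finding("prod-web-01", "VULN-F", "moderate", "production", date(2024, 3, 1)),
]
AS_OF = date(2024, 3, 14)  # the evaluation date for the sample run

if __name__ == "__main__":
    statuses, counts = evaluate_sla(SAMPLE_FINDINGS, sla_days=7, as_of=AS_OF)
    for key, status in statuses.items():
        print(f"{key[0]} {key[1]}: {status}")
    print(counts)  # {'met': 1, 'open': 1, 'breached': 2}
```

A finding that was remediated after its deadline stays counted as breached even though it is now fixed, which is the distinction a continuous goal (which only looks at the current state) cannot express.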

Now that you’ve learned more about our goals and SLAs, learn how to create them.