In our March 2023 blog, “What is EPSS and Why Does It Matter?”, Michael Roytman, Distinguished Engineer at Cisco (former Chief Data Scientist at Kenna Security) and co-creator of EPSS, covers the role the Exploit Prediction Scoring System (EPSS) plays in a security program. To sum it up, EPSS enables practitioners to have a defensible way to forecast how likely a newly published vulnerability is to become exploited before attackers have a chance to build new ransomware or exploits.
In this blog, we’ll cover more details about EPSS, how it compares to CVSS, as well as the role it plays in Cisco Vulnerability Management’s risk scoring.
EPSS is an open-source, “data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild” (FIRST.org). Its overall goal is to help security teams better prioritize vulnerability remediation work.
Fun fact: Cisco (formerly Kenna Security) licenses the patent “Exploit Prediction Based on Machine Learning” to FIRST.org to enable EPSS development.
Anonymized data from the Cisco Vulnerability Management platform was used by the creators of EPSS to compare which vulnerabilities were being exploited in the wild to which vulnerabilities organizations were remediating. The findings revealed that remediation strategies were inconsistent and ad-hoc. Based on the evidence collected that showed what was being exploited, the creators built a data model to predict exploitability.
EPSS was initially inspired by the Common Vulnerability Scoring System (CVSS). CVSS assigns scores to vulnerabilities based on their principal characteristics; the score indicates the severity of a vulnerability on a range from 0.0 to 10.0 (the higher the score, the greater the severity). CVSS scores can be categorized into low, medium, and high severity, and organizations can use CVSS to help prioritize the vulnerabilities that exist in their systems. However, CVSS on its own doesn’t indicate a likelihood of exploitation, which has led to criticism of its ineffectiveness in prioritizing and predicting threats.
EPSS, on the other hand, estimates the probability that a vulnerability will be exploited in the wild in the next 30 days, with a score ranging from 0 to 1. EPSS evaluates prioritization strategies using two key metrics: coverage and efficiency. Coverage is the proportion of vulnerabilities with known exploitation activity that were prioritized (how much of the real exploitation activity a strategy catches). Efficiency is the proportion of all prioritized vulnerabilities that have known exploitation activity (how much of the remediation effort went to vulnerabilities that were actually exploited). Despite its ability to help predict which vulnerabilities will be exploited in the wild, EPSS alone doesn’t provide all the information needed to deprioritize vulnerabilities, which makes it difficult to decide what to fix first.
Coupling EPSS and CVSS scoring data enables organizations to more effectively prioritize vulnerabilities based on both severity and probability of exploitation. Even so, there are other data sources like real-time threat data that should be incorporated into vulnerability prioritization scoring for optimized results. More on that in just a bit.
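To make the coverage and efficiency metrics concrete, here is an added example (not Cisco’s or FIRST’s code) that scores three prioritization strategies, a CVSS threshold, an EPSS threshold, and the union of both, against constructed ground truth. The CVE identifiers, scores and exploitation flags are all made up for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str         # placeholder identifier, constructed for this example
    cvss: float      # CVSS base score, 0.0 to 10.0
    epss: float      # EPSS probability of exploitation in the next 30 days
    exploited: bool  # known exploitation activity (ground truth)


# Constructed sample data; the CVE ids and scores are not real records.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.94, True),
    Vuln("CVE-0000-0002", 9.1, 0.03, False),
    Vuln("CVE-0000-0003", 7.5, 0.62, True),
    Vuln("CVE-0000-0004", 7.2, 0.01, False),
    Vuln("CVE-0000-0005", 5.3, 0.71, True),
    Vuln("CVE-0000-0006", 4.0, 0.02, False),
    Vuln("CVE-0000-0007", 8.8, 0.05, False),
    Vuln("CVE-0000-0008", 6.1, 0.01, True),  # exploited despite low EPSS
]


def coverage_efficiency(vulns, prioritized):
    """Return (coverage, efficiency) for one prioritization decision.

    coverage   = exploited vulns that were prioritized / all exploited vulns
    efficiency = exploited vulns that were prioritized / all prioritized vulns
    """
    exploited = [v for v in vulns if v.exploited]
    hits = [v for v in prioritized if v.exploited]
    coverage = len(hits) / len(exploited) if exploited else 0.0
    efficiency = len(hits) / len(prioritized) if prioritized else 0.0
    return coverage, efficiency


def prioritize_by_cvss(vulns, threshold=7.0):
    return [v for v in vulns if v.cvss >= threshold]


def prioritize_by_epss(vulns, threshold=0.1):
    return [v for v in vulns if v.epss >= threshold]


def compare(vulns=SAMPLE):
    """Score each strategy; thresholds are illustrative, not recommendations."""
    by_cvss = prioritize_by_cvss(vulns)
    by_epss = prioritize_by_epss(vulns)
    combined = [v for v in vulns if v in by_cvss or v in by_epss]
    return {
        "cvss>=7.0": coverage_efficiency(vulns, by_cvss),
        "epss>=0.1": coverage_efficiency(vulns, by_epss),
        "cvss>=7.0 or epss>=0.1": coverage_efficiency(vulns, combined),
    }
```

On this sample the EPSS cut is far more efficient than the CVSS cut, yet still misses one exploited vulnerability, which is the gap that additional threat intelligence is meant to close.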
Risk Scoring in the Cisco Vulnerability Management platform helps customers prioritize the vulnerabilities that pose the greatest risk to their specific organizations, while deprioritizing the ones that don’t. Our risk score is continuously evolving to include the latest inputs for the most accurate prioritization. This update easily enables customers to identify and remediate top-priority vulnerabilities based on the prediction that they will become an Active Internet Breach in the near future.
Figure 1: Explore page in Cisco Vulnerability Management platform
While it’s important to understand a vulnerability may be exploited in the future, it’s even more important to know which vulnerabilities are already being exploited. That’s why, in conjunction with EPSS and CVSS, Cisco Vulnerability Management risk scoring incorporates an organization’s internal security data and threat and exploit intelligence from 19+ feeds, including Cisco Talos, to not only determine how risky a vulnerability is, but to also understand the volume and velocity at which the vulnerability is being targeted. By leveraging the risk score in Cisco Vulnerability Management, customers can determine which vulnerabilities pose the biggest risk to their organization and which vulnerabilities are low risk and, therefore, can be deprioritized. The result is that customers are focusing their limited resources on remediating the vulnerabilities that matter most.
In addition to identifying which vulnerabilities are most likely to result in an exploit, Cisco Vulnerability Management uses Risk Meter scoring to also highlight the impact of those exploits by measuring the risks of assets, groups of assets, and organizations. With accurate and quantifiable risk scores, customers can understand their organizations’ current risk posture and identify the actions needed to reduce the greatest amount of risk.
Interested in learning more about EPSS? Check out the site and browse the data (it’s open and free): www.first.org/epss
Want to take a deeper look at Cisco Vulnerability Management? Visit our page: https://www.cisco.com/site/us/en/products/security/vulnerability-management/index.html