Many enterprises depend on the Common Vulnerability Scoring System (CVSS) to evaluate the gravity of vulnerabilities for prioritization. Although these ratings offer some perspective on the possible consequences of a vulnerability, they do not consider real-world threat intelligence, such as the probability of exploitation. Given the continuous discovery of new vulnerabilities, teams cannot afford to squander time or resources on fixing vulnerabilities that do not effectively reduce risk.
Discover more about the comparison between CVSS and EPSS and how leveraging EPSS can revolutionize your vulnerability prioritization procedure.
What does vulnerability prioritization involve?
Vulnerability prioritization refers to the assessment and ranking of vulnerabilities based on the potential harm they could inflict on an organization. The objective is to assist security teams in determining which vulnerabilities should be resolved, when they should be addressed, or whether they need resolution at all. This process guarantees that the most critical threats are addressed before they can be exploited and is a crucial component of attack surface management.
In an ideal scenario, security teams would promptly rectify every vulnerability upon discovery, but this is neither feasible nor effective. Studies have revealed that most teams can only address about 10-15% of their open vulnerabilities on a monthly basis, underscoring the significance of efficient prioritization.
Ultimately, accurate vulnerability prioritization ensures that organizations optimize their resources. Why is this significant? Because businesses cannot afford to allocate funds unless they are impactful, and risk management revolves around guaranteeing that resources are channeled into activities that genuinely minimize risk.
The shortcomings of CVSS in vulnerability prioritization
Conventionally, organizations have commonly prioritized vulnerabilities by relying on CVSS base scores.
CVSS base scores are established on factors that remain unchanged across different timeframes and user settings, such as the simplicity and technical mechanisms for exploiting a vulnerability and the repercussions of a successful exploit. These elements are quantified and melded to produce a final score within the range of 0 to 10 – the higher the value, the more severe the vulnerability.
CVSS scores serve as a foundation and a standardized method for assessing severity, which is occasionally essential for compliance purposes. However, they have constraints that make relying solely on them less effective than incorporating real-time information sources.
One of the primary limitations of CVSS scores is their omission of the current threat landscape, like whether a vulnerability is actively under exploitation in the wild. Consequently, a vulnerability with a high CVSS score may not necessarily be the most critical issue confronting an organization. For instance, consider CVE-2023-48795, where the current CVSS score is 5.9, denoting a ‘medium’ severity. However, by referencing alternative threat intelligence outlets, such as EPSS, one can ascertain a high likelihood of exploitation within the subsequent 30 days (at the time of authorship).
This highlights the necessity of embracing a more comprehensive approach to vulnerability prioritization that incorporates not only CVSS scores but also real-time threat intelligence.
Enhancing prioritization with exploit data
To elevate vulnerability prioritization, organizations should look beyond CVSS scores and consider other variables, including exploitation activity observed in the wild. EPSS, a model devised by FIRST, is a valuable source of this information.
What does EPSS entail?
EPSS is a model delivering a daily forecast of the likelihood that a vulnerability will be exploited in the wild within the subsequent 30 days. The model furnishes a score ranging from 0 to 1 (0 to 100%), with heightened scores indicating a greater likelihood of exploitation.
The model functions by aggregating an extensive array of vulnerability data from various sources, like the National Vulnerability Database (NVD), CISA KEV, and Exploit-DB, coupled with evidence of exploitation activity. Using machine learning, the model is trained to recognize subtle correlations among these data points, enabling it to forecast the likelihood of future exploitation.
CVSS versus EPSS
How precisely do EPSS scores ameliorate vulnerability prioritization?
The visualization below illustrates a scenario where vulnerabilities with a CVSS score of 7 or higher are accorded priority for remediation. All CVEs meeting this criterion recorded on 1 October, 2023, are represented by the blue circle. The red section marks the subset of those CVEs that were exploited within the subsequent 30 days.
Evidently, the count of vulnerabilities exploited in the wild forms a small fraction of the vulnerabilities possessing a CVSS score of 7 or higher.
[Figure: CVEs with a CVSS score of 7 or higher (blue) and the subset exploited within 30 days (red). Original source: FIRST.org]
Now, juxtapose this with a scenario in which vulnerabilities are prioritized based on an EPSS threshold set at 10%.
An observable contrast between the two illustrations lies in the size of the blue circles, denoting the number of vulnerabilities requiring prioritization. This gives an insight into the effort required for each prioritization strategy. With a 10% EPSS threshold, the effort involved is significantly reduced, as there are markedly fewer vulnerabilities to prioritize, thereby diminishing the time and resources needed. The effectiveness is also substantially greater, as companies can concentrate on the weaknesses that would have the most significant impact if not dealt with first.
[Figure: CVEs at or above a 10% EPSS threshold (blue) and the subset exploited within 30 days (red). Source: FIRST.org]
When evaluating EPSS in the prioritization of vulnerabilities, companies can more effectively match their remediation activities with the current threat landscape. For instance, if EPSS indicates a high chance of exploitation for a vulnerability with a comparatively low CVSS score, security teams may decide to prioritize that vulnerability over others with higher CVSS scores but a lower probability of exploit.
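To make the comparison concrete, the following added example (not Intruder or FIRST code) runs three selection rules over a small, constructed finding set: CVSS-only (base score of 7 or higher), EPSS-only (probability of 10% or higher), and a hybrid that keeps EPSS as the primary signal but still pulls in CVSS 9+ findings for compliance reasons. For each rule it reports effort (how many findings get prioritized), coverage (what share of the findings later exploited were caught) and efficiency (what share of the prioritized work was actually exploited). The CVE identifiers beginning `CVE-0000-`, all EPSS values and all exploitation labels are constructed; only the 5.9 CVSS score for CVE-2023-48795 comes from the article.

```python
"""Compare CVSS-only, EPSS-only and hybrid prioritisation rules.

Added illustrative example; the finding set below is constructed and the
scores are not real EPSS or NVD data.
"""

from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Finding:
    cve: str         # CVE identifier (CVE-0000-* entries are placeholders)
    cvss: float      # CVSS base score, 0.0 to 10.0
    epss: float      # EPSS probability of exploitation in the next 30 days, 0.0 to 1.0
    exploited: bool  # hindsight label: exploitation observed within 30 days (constructed)


# Constructed sample data. CVE-2023-48795's CVSS of 5.9 is the article's figure;
# its EPSS value and exploitation label here are assumed for illustration.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("CVE-2023-48795", 5.9, 0.55, True),
    Finding("CVE-0000-0001", 9.8, 0.02, False),
    Finding("CVE-0000-0002", 7.5, 0.01, False),
    Finding("CVE-0000-0003", 7.2, 0.30, True),
    Finding("CVE-0000-0004", 8.1, 0.04, False),
    Finding("CVE-0000-0005", 4.3, 0.12, True),
    Finding("CVE-0000-0006", 6.5, 0.005, False),
    Finding("CVE-0000-0007", 9.1, 0.03, False),
]

Selector = Callable[[Finding], bool]


def cvss_select(f: Finding, threshold: float = 7.0) -> bool:
    """Conventional rule from the article: prioritise CVSS >= 7."""
    return f.cvss >= threshold


def epss_select(f: Finding, threshold: float = 0.10) -> bool:
    """EPSS rule from the article: prioritise a 10% or higher 30-day probability."""
    return f.epss >= threshold


def hybrid_select(f: Finding, epss_threshold: float = 0.10, cvss_floor: float = 9.0) -> bool:
    """EPSS first, but keep CVSS 'critical' findings so compliance obligations still hold."""
    return f.epss >= epss_threshold or f.cvss >= cvss_floor


def evaluate(findings: List[Finding], select: Selector) -> Dict[str, float]:
    """Effort, coverage and efficiency of one selection rule over a finding set."""
    chosen = [f for f in findings if select(f)]
    exploited = [f for f in findings if f.exploited]
    caught = [f for f in chosen if f.exploited]
    return {
        "effort": len(chosen),
        "coverage": len(caught) / len(exploited) if exploited else 0.0,
        "efficiency": len(caught) / len(chosen) if chosen else 0.0,
    }


def rank_for_remediation(findings: List[Finding]) -> List[Finding]:
    """Work order: highest exploitation probability first, CVSS as the tie-breaker.

    This is what lets a medium-CVSS, high-EPSS finding jump ahead of a
    critical-CVSS, low-EPSS one, as the article describes.
    """
    return sorted(findings, key=lambda f: (f.epss, f.cvss), reverse=True)


if __name__ == "__main__":
    for name, rule in (("CVSS >= 7.0", cvss_select),
                       ("EPSS >= 0.10", epss_select),
                       ("hybrid", hybrid_select)):
        m = evaluate(SAMPLE_FINDINGS, rule)
        print(f"{name:13s} effort={m['effort']:2d} "
              f"coverage={m['coverage']:.0%} efficiency={m['efficiency']:.0%}")
    print("Remediation order:")
    for f in rank_for_remediation(SAMPLE_FINDINGS):
        print(f"  {f.cve:16s} cvss={f.cvss:4.1f} epss={f.epss:.3f}")
```

On this constructed set the CVSS-only rule selects five findings but catches one of the three later exploited, while the EPSS rule selects three and catches all three; the hybrid costs two extra findings for the same coverage. Real EPSS scores move daily, so the rule should be re-run against fresh scores rather than a one-off export.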
Streamline vulnerability prioritization with Intruder
Intruder is a cloud-hosted security solution that assists enterprises in overseeing their attack surface and detecting vulnerabilities before they become exploitable. By providing continuous security monitoring, attack surface management, and smart threat prioritization, Intruder enables teams to concentrate on the most critical threats while simplifying cybersecurity.
[Figure: A snapshot of the Intruder platform]
Intruder is preparing to introduce a new vulnerability prioritization feature driven by the Exploit Prediction Scoring System (EPSS) – a model that relies on machine learning to predict the likelihood of a vulnerability being exploited in the next 30 days.
Soon, you will have the ability to access EPSS scores directly within the Intruder platform, providing your team with real-world context for more informed prioritization. These scores will be shown alongside the current scoring system, combining CVSS scores with insights from Intruder’s team of security specialists to strategically prioritize your findings.
Register now to stay ahead of the upcoming release. Begin your 14-day free trial or schedule a discussion to learn more.