EPSS vs. CVSS: A Deep Dive into Tomorrow’s Vulnerability Remediation 

by | Aug 28, 2023

Every day, we make decisions. Decisions regarding what to purchase, which route to take, whom to vote for, and whether to opt for more or less. We make decisions regarding the future, which can have serious repercussions.
But we’re deluged. There are just too many security alerts to investigate and too many security solutions, as a siloed source of knowledge.

Given the plethora of vulnerabilities emerging annually, organizations face the staggering task of pinpointing which to address first. And actually address them. The Exploit Prediction Scoring System (EPSS) and the Common Vulnerability Scoring System (CVSS) offer distinct solutions to this challenge, each with unique driving factors, techniques, and implications. 

EPSS: Exploitability is the new king 

Incentive 

Numerous vulnerabilities surface, yet only a select few are truly prone to exploitation. Research shows that a mere 2% to 7% of reported vulnerabilities ever face real-world exploitation. Contrastingly, organizations manage to patch just 5% to 20% of these vulnerabilities monthly, underscoring the need for strategic prioritization on the one hand, and a better remediation mechanism on the second hand. 

Framework Description 

EPSS’s primary goal is to ascertain the probability that a documented vulnerability might face exploitation within the subsequent 30 days. Scores vary between 0 and 1, with rising scores suggesting elevated exploitation risks. EPSS considers multiple factors: MITRE’s CVE list, “Tags” from CVE descriptions, reference counts, released exploit codes, security scanner details, CVSS attributes, vendor specifics, and exploitation data. 

Evaluating Vulnerability Management Efficiency with EPSS 

Vulnerability management efficacy hinges on two pivotal metrics: efficiency and coverage. 

Efficiency: It zeroes in on how efficiently resources address vulnerabilities that indeed face exploitation. 

  • True Positives (TP): Aptly flagged high-risk vulnerabilities that faced exploitation. 
  • False Positives (FP): Incorrectly flagged high-risk vulnerabilities that remained unexploited.  

Elevated false positives can hinder optimization due to the wasting of resources on non-threatening vulnerabilities. 

Coverage: A reflection of how many vulnerabilities, exploited in real-life scenarios, have been addressed by the organization. 

  • True Negatives (TN): Accurately flagged low-risk vulnerabilities remaining unexploited. 
  • False Negatives (FN): Overlooked or misjudged low-risk vulnerabilities later exploited. 

High false negatives can be alarming as they reflect overlooked critical threats. 

The CVE-2019-0541 Example

Let’s take a journey through the life of CVE-2019-0541 to highlight the importance of nuanced vulnerability management. 

  • Initial Release and Disposition – On January 8th, 2019, when CVE-2019-0541 was first introduced, the vulnerability landscape was ambiguous. While its Common Vulnerability Scoring System (CVSS) was pegged at 9.3, indicating a severe risk, its Exploitability Predictive Scoring System (EPSS) didn’t even make an appearance initially. 
  • The Catalyst – Fast forward to 16th December 2019. The first malware sample targeting CVE-2019-0541 surfaced. This was a critical turning point. By February 8th, 2023, while the CVSS score remained static at 9.3, the EPSS skyrocketed to 54%. 
  • The Paradigm Shift – Things took a sharper turn on 7th March 2023. The EPSS saw a dramatic surge of 42%, clocking in at a whopping 97.33% by August 4th 2023. Now, what caused this abrupt recalibration? The revelation that multiple threat actors, including Advanced Persistent Threat (APT) groups, had their hands on this vulnerability was a game-changer. Its attractiveness to the nefarious community had increased exponentially. 
  • The Underlying Factors – But that’s not the whole story. March 2023 also witnessed the discovery of JavaScript (JS) files that facilitated exploiting CVE-2019-0541. This was a double-edged sword: Not only did it signify that exploiting the vulnerability was within the grasp of many attackers, but it also provided them with the tools to do so. This likely played a pivotal role in influencing the EPSS score. 

.

DateAmount of samplesFileTypeMalware Family
16/12/2019 OneNote Research Sample – first actual apperence of a POC 
13/09/2021 chm GhostWriter APT 
27/12/2021 chm GhostWriter APT 
31/01/2022 chm GhostWriter APT 
4/3/2022 chm GhostWriter APT 
6/3/2022 14 chm GhostWriter APT 
9/3/2022 vbs GhostWriter APT(MicroBackdoor) 
23/2/2023 JS unknown 
27/4/2023 JS Research Sample 
27/4/2023 JS Research Sample 
27/4/2023 JS Research Sample 
1/5/2023   Research Sample 

CVSS: An Established Vulnerability Metric 

CVSS offers a consistent, open, and universal approach to assessing IT vulnerabilities. By considering various criteria, it assigns a severity grade between 0 and 10, guiding organizations in vulnerability prioritization. 

Challenges of Sole Reliance on CVSS 

Though CVSS provides a structured vulnerability ranking, exclusive dependence can be problematic: 

  • False Positives: Elevated CVSS grades might mark some vulnerabilities as paramount. Yet, if their exploitation likelihood is low in certain scenarios, patching them might drain unnecessary resources. This can lead to undue efforts on minimal threat vulnerabilities. 
  • False Negatives: Conversely, just because a vulnerability has a lower CVSS score doesn’t mean it’s harmless. When its exploitability in the real world — given specific threat actors or environmental nuances — is factored in, what seemed like a minor risk might escalate to a significant threat. 

In summary, relying solely on the CVSS score for patching can cause organizations to focus too much on less pressing threats, while neglecting more significant risks. It is crucial to find a balance between addressing current security gaps and using resources effectively for strong vulnerability management. 

EPSS and CVSS: Juxtaposing or Complementing Strategies? 

While CVSS is a widely recognized tool for assessing the severity of security vulnerabilities, its efficacy in risk prioritization has been debated. This draws attention to the potential synergy between CVSS and the Exploit Prediction Scoring System (EPSS).  

Balancing Severity and Exploitability 

Purely relying on CVSS may inadvertently direct resources to vulnerabilities based solely on their severity, not their exploitability. By integrating EPSS’s predictive approach, organizations can align remediation efforts with vulnerabilities that present both a high severity and a high likelihood of being exploited.

Potential Hurdles with EPSS

Questions arise about the system’s openness, especially since significant model updates or changes aren’t always transparent to stakeholders. 

EPSS’s reliance on pre-existing CVE IDs could limit its utility, especially concerning zero-day vulnerabilities. 

The Middle Ground 

While EPSS can serve as a powerful adjunct to CVSS, striking a balance is essential. Merging the severity scores of CVSS with the exploit predictions of EPSS might offer organizations a more holistic strategy. Such an integrated approach can ensure that limited security resources are employed judiciously, targeting vulnerabilities that are both severe and likely to be exploited. 

In sum, while both EPSS and CVSS have their respective strengths and limitations, their combined potential could pave the way for a more refined vulnerability management strategy. 

Veriti combines both EPSS and CVSS scores for a comprehensive risk assessment. This approach prioritizes vulnerability remediation by considering both the likelihood of exploitation (EPSS) and the severity (CVSS) of vulnerabilities and enables focusing efforts on critical vulnerabilities with high risk and potential impact. 

The Missing Piece of the Puzzle: Non-Disruptive Remediation 

Traditional remediation, primarily through vulnerability patching, is a vital process but is not without its pitfalls. The act of patching can sometimes disrupt operations, introduce new vulnerabilities, or even cause system failures. Moreover, in large organizations with complex IT architectures, patching isn’t always immediate. Testing patches to ensure they don’t negatively impact business processes can take time, sometimes weeks or even months. But, in the fast-paced world of cyber threats, time is a luxury that many organizations don’t have. 

Virtual patching is back in fashion, offering temporary protection from a vulnerability by preventing exploitation until a permanent patch is ready or can be safely applied. However, the crown jewel of modern remediation methods is the capability to validate actions for potential business impacts. By ensuring that remediation activities don’t result in false positive events, performance issues, or other disruptions, organizations can maintain their operational integrity while bolstering their security posture.  
 
So, while predictive tools like EPSS and CVSS are essential for identifying and assessing vulnerability risks, the non-disruptive remediation method fills the gap in the vulnerability management lifecycle. It addresses the “how” of vulnerability management – how to fix issues without negatively impacting business processes. In the complex jigsaw puzzle of cybersecurity, this approach is the piece that many organizations didn’t even realize was missing. 

Get your security controls assessment now


Recommended Articles

Subscribe to our BLOG

Get the latest security insights, news and articles delivered to your inbox.

Product

Product Overview

Maximize security posture while ensuring business uptime

Odin

AI-Powered Contextual Cybersearch

Automated Security Controls Assessment

Validate your security control

Integrations

Connect Veriti with your security solutions

Use Cases

Agentless OS-Level Remediation

Proactively safeguard your systems directly at the OS-Level on the endpoint

Vulnerability Remediation

Safely remediate vulnerabilities in one click

Business Continuity

Reduce alert fatigue. Increase Security Effectiveness

MISCONFIGURATION MANAGEMENT

Proactively neutralize misconfigurations to minimize exposure risks

Mobilizing Threat Remediation

Identify and mobilize threat remediation across the security stack automatically.

Solutions

Safe Remediation

Ensure remediation actions do not give rise to additional exposures

VERITI FOR Enterprises

increase business outcomes

VERITI FOR MSSPs

Efficiently manage multiple clients in a consolidated platform

VERITI FOR HEALTHCARE

Neutralize security gaps without impacting healthcare operations

VERITI FOR MANUFACTURING

Protect the heart of your production processes

State of Enterprise Security Controls

DOWNLOAD Report >>

Resources

See all resources

Blog

Veriti's security blog

Downloads

The latest guides, white papers and infographics

Events

Live event and on-demand webinars

Glossary

Our Comprehensive Definitions Guide

MASTERING MODERN OS-LEVEL SECURITY: THE AGENTLESS APPROACH

WATCH NOW>>

Our Story

Learn about Veriti

Careers

Work with us

Newsroom

Our latest updates

Contact US

Get in touch

CHANNEL PARTNERS

Become a partner

MSSPs

Reduce operational costs