Exploring the Exploit Prediction Scoring System (EPSS) for Enhanced Vulnerability Management

by | Jul 11, 2024

We all know that vulnerabilities are documented in a centralized list known as Common Vulnerabilities and Exposures (CVE). To gauge the severity of these vulnerabilities, they are assessed using various scoring systems. Among these, the Common Vulnerability Scoring System (CVSS) is widely recognized, currently in its fourth iteration. 

However, CVSS has its limitations, primarily focusing on the intrinsic characteristics of the vulnerabilities without considering their likelihood of exploitation. This approach often leads to treating all vulnerabilities with similar scores equally, regardless of their real-world risk implications. 

Exploit Prediction Scoring System (EPSS) Overview 

Administered by FIRST (Forum of Incident Response and Security Teams), same as CVSS, EPSS estimates the likelihood of a vulnerability being exploited using a model based on actual data of exploitation attempts. This system was introduced at BlackHat 2019, with its framework continuously updated, the latest being in March 2023. 

EPSS Methodology 

EPSS scores are updated daily and available in CSV format on the FIRST website. Each entry in this data set includes: 

  • CVE ID: The unique identifier assigned by MITRE
  • EPSS Score: A probability score between 0 and 1, indicating the likelihood of exploitation in the next 30 days. 
  • Percentile: A value showing how a CVE scores relative to others, with higher percentiles indicating higher risks. 

The EPSS model uses machine learning to analyze data from multiple sources, including vulnerability databases and real-world exploitation attempts. It incorporates details such as vendor information, age of the vulnerability, CVSS scores, and more, to predict exploitation likelihood. 

Why Consider EPSS? 

We previously discussed the limitations of relying solely on CVSS for vulnerability management. EPSS addresses this gap by providing an estimation of the actual risk of exploitation, which is crucial for resource allocation. For instance, patching vulnerabilities based solely on high CVSS scores can lead to significant resource wastage, as demonstrated by the small percentage of high-scoring CVEs that are actually exploited. 

The diagram reveals that a mere 2.3% of the high-severity vulnerabilities (CVSS 7 or above) were exploited (True Positives). Surprisingly, most prioritized vulnerabilities for remediation (CVSS > 7) were not exploited (False Positives), signifying a substantial resource wastage. Addressing this issue is crucial for optimizing resource allocation and enhancing security practices.  

Incorporating EPSS for Efficient Remediation 

Adopting an EPSS-based approach for vulnerability management allows security teams to focus on the most likely threats, enhancing resource efficiency. For example, focusing on vulnerabilities with an EPSS score of 10% or higher can drastically reduce unnecessary efforts on low-risk issues. 

This data reveals that 96% of vulnerabilities with an EPSS score below 10% were not exploited or prioritized for remediation (True Negatives), whereas 1.8% were both exploited and prioritized for remediation (True Positives). This signifies a remarkable decrease in the workload for the security team and a more precise, efficient strategy for handling vulnerability patches. It empowers the remediation teams to concentrate their efforts and resources on the most critical areas within their environment.  

While there is some correlation between EPSS and CVSS scores, EPSS provides additional insights, particularly for vulnerabilities that, despite high CVSS scores, have low exploitation probabilities. This nuanced understanding helps prioritize remediation efforts more effectively. 

Looking Beyond EPSS and CVSS 

While EPSS and CVSS provide valuable insights, they are not definitive. Effective vulnerability management also requires understanding the potential impact on specific systems and the broader network, necessitating a comprehensive assessment of exposure and attack paths. 

Veriti’s platform integrates EPSS to prioritize vulnerabilities effectively, allowing security teams to focus on the most critical issues first. This approach not only saves time but also enhances the overall security posture by addressing the most impactful vulnerabilities promptly. 

For more information on how EPSS can refine your security strategies or to see Veriti’s platform in action, schedule a demo with our experts

Get your security controls assessment now


Recommended Articles

Subscribe to our BLOG

Get the latest security insights, news and articles delivered to your inbox.

Product

Product Overview

Maximize security posture while ensuring business uptime

Odin

AI-Powered Contextual Cybersearch

Automated Security Controls Assessment

Validate your security control

Integrations

Connect Veriti with your security solutions

THE STATE OF ENTERPRISE SECURITY CONTROLS

Prioritize Remediation based on business impact

Read the Report >>

Use Cases

Agentless OS-Level Remediation

Proactively safeguard your systems directly at the OS-Level on the endpoint

Vulnerability Remediation

Safely remediate vulnerabilities in one click

Business Continuity

Reduce alert fatigue. Increase Security Effectiveness

MISCONFIGURATION MANAGEMENT

Proactively neutralize misconfigurations to minimize exposure risks

Mobilizing Threat Remediation

Identify and mobilize threat remediation across the security stack automatically.

GENERATIVE AI SECURITY

Chat with your environment to cut MTTR times drastically

Solutions

Safe Remediation

Ensure remediation actions do not give rise to additional exposures

MITRE ATT&CK®

Quickly respond to live threats with safe and precise remediation

VERITI FOR Enterprises

Increase business outcomes

VERITI FOR MSSPs

Efficiently manage multiple clients in a consolidated platform

VERITI FOR HEALTHCARE

Neutralize security gaps without impacting healthcare operations

VERITI FOR MANUFACTURING

Protect the heart of your production processes

SEC AND THE BUSINESS

A security pro’s guide to exposure assessments and remediation

 

Read Whitepaper >>

Resources

See all resources

Blog

Veriti's security blog

Downloads

The latest guides, white papers and infographics

Events

Live event and on-demand webinars

Glossary

Our Comprehensive Definitions Guide

MASTERING MODERN OS-LEVEL SECURITY: THE AGENTLESS APPROACH

WATCH NOW>>

Our Story

Learn about Veriti

Careers

Work with us

Newsroom

Our latest updates

Contact US

Get in touch

CHANNEL PARTNERS

Become a partner

MSSPs

Reduce operational costs