Creating a Weather Forecast for Predicting Cybersecurity Vulnerabilities

When we read about major security breaches, we often are all too quick to point the blame at the company failing to patch a critical vulnerability. It’s easy to think that these breaches are entirely the fault of lax security teams, but that belief doesn’t hold water.

Security teams are overwhelmed. Most companies can only patch about one out of every 10 vulnerabilities they encounter in their infrastructure. Even more so, most security teams simply tread water, ending each day with more vulnerabilities discovered than at the beginning of each day.

In short, the industry needs a better way to prioritize risk. If you’ve been following Kenna Security, you’ll know that this is a mindset we have been championing for a while now. Organizations simply don’t have the capacity to patch every vulnerability. In fact, they shouldn’t have to.

But how can they prioritize what needs to be patched, and delay what doesn’t? For decades, companies have relied on the Common Vulnerability Scoring System (CVSS) for this. The system serves a specific purpose, but it shouldn’t be used as the standard for measuring security risk (see my argument here if you’d like learn why).

Introducing the Exploit Prediction Scoring System

Today, we released the Exploit Prediction Scoring System (EPSS) calculator. It is a free, open-source tool that does what many people wrongly think CVSS does. It uses objective, public source data to accurately predict whether hackers will exploit a vulnerability within the next 12 months. Only between 2 to 5 percent of vulnerabilities are ever exploited in the wild, the industry’s strategy for patching should reflect this.

With EPSS, security teams can act more like weather forecasters, predicting which vulnerabilities need to be patched first, instead of firefighters, reactively relying on CVSS scores.

EPSS offers several advantages over CVSS. Unlike CVSS scores, EPSS factors in objective attributes about a vulnerability such as whether a known exploit exists. Patching vulnerabilities using the EPSS scoring system frees up security teams’ time. Using EPSS, security teams can reduce their effort up to 85% compared to CVSS while achieving the same outcome. This allows organizations to better allocate their security resources and budget.

The introduction of EPSS gives security teams large and small the ability to act based on objective data, rather than judgment calls and internal debates. This system will allow security pros to stay in front of today’s complex threats, instead of using the reactive approach CVSS offers today.

What is EPSS?

We’ve identified the factors that offer the greatest contribution to overall vulnerability risk. With EPSS, we’re making those insights available to the public, for free. 

EPSS predicts risk of exploitation using 16 variables, all of which are public and objective. We selected these variables from over 3,000 others because they are based on things we know contribute to the likelihood of exploitation and are freely available:

• Applications developed by some vendors are more likely to be exploited than others
• Vulnerabilities that enable code execution, especially remotely, tend to be pursued by bad actors
• The publication of a proof-of-concept attack on websites tends to make full weaponization more likely

EPSS is a vital first step toward helping companies prioritize vulnerability management, one that will allow them to deploy resources more efficiently. 

Which brings us to an important part of this blog. We’d like to thank the numerous collaborators that contributed to the development of EPSS: Jay Jacobs and Ben Edwards at the Cyentia Institute, Sasha Romanosky (a member of the original team that developed CVSS) at the Rand Corporation, and Idris Adjerid at Virginia Tech. 

If you’d like to learn more about how we developed EPSS, check out this paper that explains our analysis. 

To test EPSS for yourself, go here.