Every decision to remediate is a prediction about the future. That is a paraphrase of the first Prioritization to Prediction report, published in 2018 by Kenna Security (now Cisco) and the Cyentia Institute.
It’s been several years since we started our journey with Jay Jacobs and the Cyentia team to unpack the effectiveness and efficiency of different remediation strategies. It was in that first report where we first formally proposed the idea of a predictive model for vulnerabilities. Exploitation signals risk, and the ability to accurately predict exploitation of a vulnerability can be a boon for enterprises wading through millions of vulnerabilities.
In late 2019, we were thrilled to join Jay and a team of industry experts to celebrate the debut of the industry’s first ever open-source predictive model, Exploit Prediction Scoring System (EPSS), intended to assist organizations in taking the first step and being able to predict the risk of a vulnerability.
With a few years having passed since the initial release, we can say with confidence that the model is serving the intended purpose. We see EPSS increasingly being used by practitioners—the scoring system has even been leveraged by fellow risk-based vulnerability management vendors. But with the popularity of EPSS, we also get our fair share of questions about it. So, let’s shine a light on a couple of common asks.
What is EPSS doing for the industry?
Let’s start with a clear definition: EPSS is an open-source tool that estimates the probability that exploitation attempts against a vulnerability will be observed in the next 30 days. The current EPSS model (v2022.01.01) was trained with 1,164 variables, most of which are Boolean values representing the presence of a specific attribute (e.g., was Microsoft the vendor? Does this CVE have an exploit included in the Metasploit framework?).
The value of this is in the operationalization. For the first time, practitioners have a defensible way to forecast how likely a newly published vulnerability is to become exploited before attackers have a chance to build new ransomware or exploits. This will help them get ahead of attackers and plan their response from a vulnerability management perspective.
As I said at the time of the release, the model essentially allows organizations to operate like weather forecasters instead of firefighters—predicting exploitability rather than relying on CVSS. It’s an effective, lightweight approach organizations can take to begin shifting their remediation efforts toward a more risk-centric strategy.
Is EPSS a silver bullet for risk-based vulnerability management?
With the benefits of prediction, you might naturally wonder if EPSS is the solution to transforming your vulnerability management program to a risk-based approach. While EPSS can aid you in forecasting which vulnerabilities may have exploits, it doesn’t give you all the information needed to actually deprioritize vulnerabilities. The probability of exploitation is one factor in deciding whether to remediate a vulnerability, but it is not the only one. You still need to consider other strategies and real-time threat data to ultimately drive that decision.
Using EPSS, you will have a quantitative way to factor the probability of exploitation into your analysis, which is a significant improvement over leveraging static CVSS or scanner scores that err on the side of everything being a priority. Those same scanner vendors’ adoption of EPSS is all the proof a practitioner needs.
EPSS is a useful stopgap until you have actual data about whether an exploit is available for the vulnerability and whether attackers are truly going after it. Leveraging real-time threat data to ultimately drive the decision to prioritize or deprioritize remediation efforts is the key to embracing risk-based vulnerability management.
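A worked illustration of the definition and the three paragraphs above, added here and not code from Kenna, Cisco or FIRST: it parses EPSS scores in the layout of the published CSV (cve, epss, percentile; the sample rows and CVE identifiers are constructed placeholders), lets observed in-the-wild exploitation override the prediction when assigning a remediation tier, flags CVEs the feed has not scored yet instead of treating them as low risk, and sums the 30-day probabilities over a backlog to show what the number means in practice. The tier names, the 0.10 threshold and the observed-exploited set are assumptions for the example.

```python
from __future__ import annotations

import csv
from dataclasses import dataclass

# Constructed sample in the layout of the published EPSS CSV (cve,epss,percentile),
# including a comment line carrying the model version mentioned in the post.
# The CVE identifiers below are placeholders, not real vulnerabilities.
SAMPLE_EPSS_CSV = """\
#model_version:v2022.01.01,score_date:2022-01-01T00:00:00+0000
cve,epss,percentile
CVE-0000-1001,0.93120,0.99800
CVE-0000-1002,0.01450,0.78100
CVE-0000-1003,0.00080,0.12300
CVE-0000-1004,0.15200,0.96400
"""

# Constructed stand-in for real-time threat data: CVEs with exploitation observed
# in the wild (e.g. from an internal feed). Placeholder identifiers.
OBSERVED_EXPLOITED = {"CVE-0000-1002"}


@dataclass(frozen=True)
class EpssScore:
    cve: str
    epss: float        # probability of an observed exploitation attempt in the next 30 days
    percentile: float  # rank of this score among all scored CVEs


def parse_epss_csv(text: str) -> dict[str, EpssScore]:
    """Parse EPSS CSV text into a mapping of CVE id -> EpssScore, skipping '#' comment lines."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    scores: dict[str, EpssScore] = {}
    for row in csv.DictReader(rows):
        scores[row["cve"]] = EpssScore(row["cve"], float(row["epss"]), float(row["percentile"]))
    return scores


def prioritize(cves, scores, observed_exploited, threshold: float = 0.10) -> dict[str, str]:
    """Assign a remediation tier to each CVE (tier names are assumptions).

    Observed exploitation always wins; EPSS only ranks what is left. A CVE
    absent from the feed is flagged for review rather than scored as low risk.
    """
    decisions: dict[str, str] = {}
    for cve in cves:
        if cve in observed_exploited:
            decisions[cve] = "remediate-now"      # real-time evidence overrides the forecast
        elif cve not in scores:
            decisions[cve] = "unscored-review"    # too new or unknown to the model
        elif scores[cve].epss >= threshold:
            decisions[cve] = "schedule"           # forecast says likely; plan the fix
        else:
            decisions[cve] = "monitor"            # low forecast, keep watching threat data
    return decisions


def expected_exploited(cves, scores) -> float:
    """Expected number of the given CVEs that will see exploitation attempts within
    30 days, treating each EPSS value as an independent probability."""
    return sum(scores[c].epss for c in cves if c in scores)


if __name__ == "__main__":
    feed = parse_epss_csv(SAMPLE_EPSS_CSV)
    backlog = sorted(feed) + ["CVE-0000-1005"]   # one CVE the feed has not scored
    for cve, tier in prioritize(backlog, feed, OBSERVED_EXPLOITED).items():
        print(f"{cve}: {tier}")
    print(f"expected exploited in 30 days: {expected_exploited(backlog, feed):.3f}")
```

Note that the CVE with observed exploitation carries a low EPSS score in the sample, which is exactly the case the post describes: the forecast is a starting point, and evidence of real exploitation is what should drive the final decision.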
Did Kenna (now Cisco) help create the tool?
Yes, the Kenna Security (now Cisco) team did play a role. Cisco licenses the Kenna Security patent “Exploit Prediction Based on Machine Learning” to FIRST.org in order to facilitate EPSS development. Anonymized data from the Kenna (now Cisco) platform enabled the creators to compare which vulnerabilities were being exploited in the wild with which vulnerabilities organizations were remediating; the findings showed that remediation strategies were inconsistent and ad hoc. By looking at the evidence of what was being exploited, the creators were able to build a data model to predict exploitability.
Some people are indeed surprised to learn that, as a vendor, we supported the creation of this free tool. Our belief is that EPSS is an incredibly valuable way to educate vendors on evidence-driven, risk-based vulnerability management and to help the scanning market catch up to the research we’ve been publishing over the past decade.
The reality of most enterprises is that while the predictions from EPSS are useful at the moment of vulnerability publication (we use the model ourselves!), over time and against the backlog of most enterprises, we need real-time exploitation data to guide our decision making.
If you want to take a deeper dive into EPSS, head on over to the site and browse the data: www.first.org/epss. It’s free and open.
This blog was originally written for Kenna Security, which has been acquired by Cisco Systems.