Many enterprises rely on the Common Vulnerability Scoring System (CVSS) to assess the severity of vulnerabilities for prioritization. While these estimates provide some insight into the potential impact of a vulnerability, they do not take into account actual threat data, such as likelihood of exploitation. With new vulnerabilities being discovered daily, teams have no time or budget to spend fixing vulnerabilities that don’t actually reduce risk.
Read on to learn more about how CVSS and EPSS compare and why using EPSS is a game-changer in your vulnerability prioritization process.
What is vulnerability prioritization?
Vulnerability prioritization is the process of evaluating and ranking vulnerabilities based on the potential impact they could have on the organization. The goal is to help security teams determine which vulnerabilities need to be patched, when, and whether they need to be patched at all. This process ensures that the most important risks are mitigated before they can be exploited and is an important part of attack surface management.
In an ideal world, security teams would be able to patch every vulnerability as soon as it is discovered, but this is neither possible nor efficient. Studies have shown that most teams can only remediate about 10-15% of their open vulnerabilities per month, which is why effective prioritization is so important.
Ultimately, prioritizing vulnerabilities correctly ensures that organizations can make the best use of their resources. Why is this important? Because businesses can’t afford to spend money on things that don’t matter, and risk management is about ensuring that money is spent on genuinely reducing risk.
CVSS limitations for vulnerability prioritization
Historically, one of the most common ways organizations prioritize vulnerabilities is by using CVSS base scores.
CVSS base scores are determined by characteristics that are constant over time and across user environments, such as how easily and by what technical means a vulnerability can be exploited, and the consequences of successful exploitation. These factors are quantified and combined to produce a final score from 0 to 10; the higher the score, the higher the severity.
CVSS scores offer a baseline, standardized way of assessing severity and are sometimes required for compliance. However, they have limitations that make relying on them alone less effective than considering them alongside real-time threat data.
One of the main limitations of CVSS scores is that they do not take into account the current threat landscape, such as whether a vulnerability is being actively exploited in the wild. This means that a vulnerability with a high CVSS score may not necessarily be the most critical issue facing an organization. Take CVE-2023-48795, for example. Its current CVSS score is 5.9, which is rated “Medium”. But if you consider other sources of threat information, such as EPSS, you will find that there is a good chance it will be exploited within the next 30 days (at the time of writing).
This highlights the importance of adopting a more holistic approach to vulnerability prioritization that considers not only CVSS scores but also real-time threat information.
Improving prioritization using exploit data
To improve vulnerability prioritization, organizations must look beyond CVSS scores and consider other factors, such as exploits found in the wild. A valuable source for this is EPSS, a model developed by FIRST (the Forum of Incident Response and Security Teams).
What is EPSS?
EPSS is a model that provides a daily estimate of the probability that a vulnerability will be exploited in the wild over the next 30 days. The model assigns a score between 0 and 1 (0% to 100%), with higher scores indicating a higher likelihood of exploitation.
The model works by gathering a wide range of vulnerability information from various sources, such as the National Vulnerability Database (NVD), CISA KEV and Exploit-DB, as well as evidence of exploitation. Using machine learning, the model learns subtle patterns across these data points, allowing it to predict the likelihood of future exploitation.
CVSS vs. EPSS
So how exactly do EPSS metrics help improve vulnerability prioritization?
The diagram below illustrates a scenario where vulnerabilities with a CVSS score of 7 or higher are prioritized for patching. The blue circle represents all CVEs recorded on October 1, 2023. In red, you can see all CVEs with CVSS scores that were exploited in the following 30 days.
As you can see, the vulnerabilities that were actually exploited in the wild make up only a small fraction of those with a CVSS score of 7 or higher.
Source: FIRST.org
Let’s compare this to a scenario where vulnerabilities are prioritized based on an EPSS threshold set at 10%.
A noticeable difference between the two charts is the size of the blue circles, which show the number of vulnerabilities that need to be prioritized. This gives an idea of the amount of effort required for each prioritization strategy. With a 10% EPSS threshold, the effort is much lower because there are far fewer vulnerabilities to prioritize, reducing the time and resources required. Efficiency is also much higher, as organizations can focus first on the vulnerabilities that will have the greatest impact if they are not addressed.
Source: FIRST.org
By considering EPSS when prioritizing vulnerabilities, organizations can better align their remediation efforts with the actual threat landscape. For example, if the EPSS indicates a high likelihood of exploitation for a vulnerability with a relatively low CVSS score, security teams may consider prioritizing that vulnerability over others that may have a higher CVSS score but a lower likelihood of exploitation.
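The two strategies compared above, worked through in code as an added example that is not part of the article and not Intruder's or FIRST's code. The CVE records are constructed sample data (CVE-2023-48795 carries the CVSS 5.9 quoted in the article, but its EPSS value and exploitation outcome here are illustrative); effort, efficiency and coverage are defined in the code's comments.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cve:
    """One vulnerability record (constructed sample data)."""
    cve_id: str
    cvss: float       # CVSS base score, 0-10
    epss: float       # EPSS: probability of exploitation in the next 30 days, 0-1
    exploited: bool   # was exploitation observed in the following 30 days?

# Constructed sample set. CVE-2023-48795 carries the CVSS 5.9 quoted in the
# article; its EPSS value and outcome here are illustrative, not real data.
SAMPLE = [
    Cve("CVE-2023-48795", 5.9, 0.45, True),
    Cve("CVE-2023-00001", 9.8, 0.02, False),
    Cve("CVE-2023-00002", 7.5, 0.01, False),
    Cve("CVE-2023-00003", 8.1, 0.30, True),
    Cve("CVE-2023-00004", 7.2, 0.03, False),
    Cve("CVE-2023-00005", 6.5, 0.12, False),
    Cve("CVE-2023-00006", 4.3, 0.05, False),
    Cve("CVE-2023-00007", 9.1, 0.08, False),
]

def prioritize_by_cvss(cves, threshold=7.0):
    """Strategy 1 (the article's first chart): patch everything rated CVSS >= 7."""
    return [c for c in cves if c.cvss >= threshold]

def prioritize_by_epss(cves, threshold=0.10):
    """Strategy 2 (the article's second chart): patch everything with EPSS >= 10%."""
    return [c for c in cves if c.epss >= threshold]

def evaluate(cves, selected):
    """Effort = CVEs prioritized; efficiency = share of those that were exploited;
    coverage = share of all exploited CVEs that the strategy caught."""
    exploited = {c.cve_id for c in cves if c.exploited}
    chosen = {c.cve_id for c in selected}
    hits = chosen & exploited
    efficiency = len(hits) / len(chosen) if chosen else 0.0
    coverage = len(hits) / len(exploited) if exploited else 0.0
    return {"effort": len(chosen), "efficiency": round(efficiency, 3),
            "coverage": round(coverage, 3)}

def remediation_order(cves):
    """Rank for remediation: highest EPSS first, CVSS as the tie-breaker, so a
    medium-CVSS CVE with a high EPSS outranks a critical CVE nobody is exploiting."""
    return [c.cve_id for c in sorted(cves, key=lambda c: (c.epss, c.cvss), reverse=True)]

if __name__ == "__main__":
    print("CVSS >= 7 :", evaluate(SAMPLE, prioritize_by_cvss(SAMPLE)))
    print("EPSS >= 10%:", evaluate(SAMPLE, prioritize_by_epss(SAMPLE)))
```

On this sample the CVSS rule prioritizes five CVEs and catches half of the exploited ones, while the EPSS rule prioritizes three and catches both; real data will differ, but the same three metrics are what to track when tuning a threshold.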
Simplify vulnerability prioritization with Intruder
Intruder is a cloud-based security platform that helps businesses manage their attack surface and detect vulnerabilities before they can be exploited. By offering continuous security monitoring, attack surface management, and intelligent threat prioritization, Intruder enables teams to focus on the most critical risks while simplifying cybersecurity.
A screenshot of the Intruder platform
Intruder is about to release a vulnerability prioritization feature based on the Exploit Prediction Scoring System (EPSS), a model that uses machine learning to predict the likelihood of a vulnerability being exploited in the next 30 days.
Soon you’ll be able to view EPSS scores right in the Intruder platform, giving your team real-world context for smarter prioritization. These scores will be displayed alongside Intruder’s existing scoring system, which combines CVSS scores with input from Intruder’s team of security experts to intelligently prioritize your results.
Sign up now to get ahead of the new release. Start your own 14-day free trial or book a call to chat and learn more.