Mend's Handy Guide to Using EPSS Scores

EPSS is a relatively recent addition to the world of freely available security scoring systems.
While it's not without its flaws and limitations, EPSS can be a powerful predictor of exploits to come and a useful tool in your arsenal, as long as you wield it correctly.
EPSS is designed as a new approach to prioritizing vulnerability remediation.
The EPSS model makes use of over a thousand variables and machine learning to fine tune its predictive powers.
While FIRST maintains a special interest group for EPSS that is open to the public, the trained model itself and the exploitation data it learns from are not publicly available.
An EPSS score is the estimated probability that a vulnerability will be exploited in the wild in the near future (the published model uses a 30-day window). That is not the same thing as exploit availability: you might expect a vulnerability that already has a public exploit to score close to 100%, but the model predicts observed exploitation activity, not the existence of exploit code, so a CVE with a published exploit can still carry a modest score.
CVSS scores do get updated, such as when new exploits are found, but they don't attempt to predict the future like EPSS scores do.
CVSS calculators exist for you to determine the severity of any vulnerability, including those that are not yet publicly disclosed, whereas the model behind EPSS is closed, so EPSS scores are published only by FIRST and are presently available only for vulnerabilities that have a published CVE ID.
Another difference is that the EPSS model is more complex and updated more frequently.
CVSS is a far more static and simple system, having just released its fourth version in its 18th year of existence, whereas EPSS is already on its third version and is only just coming up to its third birthday.
The creators of EPSS argue that the common strategy of fixing every vulnerability with a CVSS score of X or above wastes a lot of effort, because most of those vulnerabilities will never actually be exploited.
The benefit of prioritizing remediation on EPSS instead of CVSS is reduced effort and increased efficiency, since far fewer never-exploited vulnerabilities are treated as urgent.
It is also worth noting that the documentation on EPSS compares its current version with CVSS 3.0.
EPSS scores can't be the be-all and end-all of prioritization metrics.
As mentioned above, EPSS scores are only available for vulnerabilities that have a published CVE ID.
The first thing to check for any vulnerability is whether a public exploit already exists. If there is one, it should be prioritized regardless of its score, and the EPSS score isn't particularly relevant.
Confidence levels are not reported separately; they are baked into the EPSS score, and the higher the score, the higher the confidence.
On the other hand, CVEs with high EPSS scores should be treated as if there is already a public exploit, because there's a very good chance there will be.
Many SCA vendors provide proprietary prioritization scores that weigh CVSS and EPSS. If you plan to do your own weighing, a comfortable threshold for either or both metrics will need to be established based on your organization's needs; note that FIRST publishes both a probability and a percentile rank for each CVE, and the percentile is often the easier number to set a threshold on.
One extra bonus use of EPSS: even if your organization chooses not to rely on EPSS for prioritization, EPSS scores, unlike CVSS scores, are probabilities, so they can be combined (for example into the probability that at least one vulnerability on a system is exploited in the next 30 days) and then used to measure and compare your security posture over time.
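As an added illustration of the two preceding points (setting your own CVSS/EPSS thresholds, and combining EPSS probabilities into a posture metric), here is a small Python example. It is not code from Mend or FIRST; the CVE identifiers, EPSS values and CVSS scores are constructed placeholders, the column layout follows FIRST's daily EPSS CSV (cve,epss,percentile), and the thresholds are arbitrary choices an organization would tune for itself.

```python
"""Prioritise CVEs with CVSS and EPSS thresholds, then aggregate EPSS.

Added example; the data below is constructed and the thresholds are
illustrative, not recommendations from the original guide.
"""
import csv
import io
from math import prod

# Constructed sample in the column layout of FIRST's daily EPSS CSV.
# The CVE IDs are placeholders, not real vulnerabilities.
SAMPLE_EPSS_CSV = """cve,epss,percentile
CVE-0000-0001,0.97,0.999
CVE-0000-0002,0.02,0.85
CVE-0000-0003,0.0005,0.20
CVE-0000-0004,0.45,0.97
"""

# Constructed CVSS base scores for the same placeholder CVEs.
SAMPLE_CVSS = {
    "CVE-0000-0001": 9.8,
    "CVE-0000-0002": 9.1,
    "CVE-0000-0003": 7.5,
    "CVE-0000-0004": 5.3,
}

# CVEs for which a public exploit is already known (e.g. from an
# exploit database); constructed for the example.
KNOWN_EXPLOIT = {"CVE-0000-0003"}


def load_epss(csv_text):
    """Parse EPSS CSV text into {cve: (probability, percentile)}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["cve"]: (float(row["epss"]), float(row["percentile"]))
            for row in reader}


def prioritise(epss, cvss, known_exploit, epss_threshold=0.10,
               cvss_threshold=9.0):
    """Return [(cve, reason)] in remediation order.

    Tier 0: a public exploit already exists (EPSS is irrelevant here).
    Tier 1: EPSS at or above the threshold (treat as if exploited).
    Tier 2: no exploitation signal, but CVSS at or above the threshold.
    Tier 3: everything else, deferred.
    Within a tier, higher EPSS goes first.
    """
    ranked = []
    for cve, (prob, _percentile) in epss.items():
        if cve in known_exploit:
            tier, reason = 0, "public exploit exists"
        elif prob >= epss_threshold:
            tier, reason = 1, f"EPSS {prob:.3f} >= {epss_threshold}"
        elif cvss.get(cve, 0.0) >= cvss_threshold:
            tier, reason = 2, f"CVSS {cvss[cve]} >= {cvss_threshold}"
        else:
            tier, reason = 3, "deferred"
        ranked.append((tier, -prob, cve, reason))
    ranked.sort()
    return [(cve, reason) for _tier, _neg, cve, reason in ranked]


def prob_any_exploited(probabilities):
    """P(at least one CVE exploited) assuming independent 30-day events."""
    return 1.0 - prod(1.0 - p for p in probabilities)


def expected_exploited(probabilities):
    """Expected number of CVEs exploited in the window (sum of probabilities)."""
    return sum(probabilities)


if __name__ == "__main__":
    scores = load_epss(SAMPLE_EPSS_CSV)
    for cve, reason in prioritise(scores, SAMPLE_CVSS, KNOWN_EXPLOIT):
        print(f"{cve}: {reason}")
    probs = [p for p, _ in scores.values()]
    print(f"P(any exploited in 30 days) = {prob_any_exploited(probs):.3f}")
    print(f"Expected exploited CVEs      = {expected_exploited(probs):.3f}")
```

The aggregate in `prob_any_exploited` is the standard 1 - prod(1 - p_i) combination; it treats each CVE's exploitation as independent, which is an approximation, but it gives a single number per asset or portfolio that can be tracked from one scan to the next in a way a list of CVSS severities cannot.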


This Cyber News was published on securityboulevard.com. Publication date: Wed, 03 Jan 2024 17:13:05 +0000