Its purpose is to help security teams prioritize vulnerability remediation.
The EPSS model collects information about the vulnerability from all the sources I mentioned above.
In this phase the machine analyzes the connection between the vulnerability features and its exploitation.
On a daily basis, researchers look for updates about the vulnerability.
The Common Vulnerability Scoring System rates most vulnerabilities as Medium to Critical severity.
A look at the National Vulnerability Database dashboard will show why Security Officers can't use this scoring system alone to prioritize vulnerabilities.
First, let's focus on the differences between these vulnerability scoring systems.
Usually, for risk analysis, Security Officers use this formula: Risk = Threat x Vulnerability x Impact.
In this frame, the EPSS probability score deals with the Threat factor, while the CVSS evaluates the severity of the Vulnerability.
EPSS scores, on the other hand, predict whether a vulnerability will be exploited in the next 30 days.
Neither of them reflects the impact of a vulnerability.
You can use the EPSS scores as an initial vulnerability prioritization tool for the CVEs you detected in your environment.
I recommend you use this tool along with the CVSS scores and your regular vulnerability management solution.
Although the EPSS score adds valuable information, it doesn't replace CVSS or a vulnerability assessment tool.
EPSS predicts the probability of a CVE being exploited and thus helps detect high risk vulnerabilities.
The EPSS percentile is a percentage score that shows how likely a vulnerability is to be exploited compared to others.
An 85% EPSS percentile suggests the vulnerability is more likely to be exploited than 85% of other analyzed CVEs.
EPSS scores predict whether hackers will exploit a vulnerability.
They do not assess the severity of the vulnerability.
You should use them along with CVSS scores or vulnerability management tools that integrate CVSS data.
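The sketch below is an added example, not code from the original article: it applies the Risk = Threat x Vulnerability x Impact formula to a handful of findings and contrasts the result with a CVSS-only ordering. The CVE ids are placeholders, the scores are constructed, and the 1-5 impact scale and the scaling of each factor to 0-1 are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str      # placeholder ids below, not real CVEs
    cvss: float   # CVSS base score, 0.0-10.0 -> Vulnerability factor
    epss: float   # EPSS probability, 0.0-1.0 -> Threat factor
    impact: int   # asset criticality 1-5, set by your team (assumption)

    def __post_init__(self):
        # Catch the common mistake of feeding EPSS as a percentage (45 vs 0.45).
        if not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.cve}: EPSS must be a probability in [0, 1]")
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.cve}: CVSS must be in [0, 10]")
        if not 1 <= self.impact <= 5:
            raise ValueError(f"{self.cve}: impact must be 1-5")

def risk(f):
    """Risk = Threat x Vulnerability x Impact, each factor scaled to 0-1."""
    return f.epss * (f.cvss / 10.0) * (f.impact / 5.0)

def by_cvss(findings):
    """CVE ids ordered by severity alone, highest first."""
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]

def by_risk(findings):
    """CVE ids ordered by the combined risk product; CVSS breaks ties."""
    return [f.cve for f in sorted(findings, key=lambda f: (-risk(f), -f.cvss))]

# Constructed sample findings; ids and scores are illustrative only.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-0001", cvss=9.8, epss=0.02, impact=3),
    Finding("CVE-PLACEHOLDER-0002", cvss=6.5, epss=0.45, impact=5),
    Finding("CVE-PLACEHOLDER-0003", cvss=8.1, epss=0.30, impact=2),
    Finding("CVE-PLACEHOLDER-0004", cvss=5.0, epss=0.001, impact=4),
]

if __name__ == "__main__":
    print("CVSS only:", by_cvss(SAMPLE))
    for cve in by_risk(SAMPLE):
        f = next(x for x in SAMPLE if x.cve == cve)
        print(f"{cve}  risk={risk(f):.4f}  cvss={f.cvss}  epss={f.epss}")
```

In this sample the Critical-rated finding leads the CVSS-only list but drops to third once exploitation probability and asset impact are factored in.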
This Cyber News was published on heimdalsecurity.com. Publication date: Wed, 20 Dec 2023 15:43:05 +0000