The ML-based Exploit Prediction Scoring System overcomes limitations of legacy vulnerability scoring systems, helping security teams identify systems at greatest risk of attack.

The new machine learning (ML) based Exploit Prediction Scoring System (EPSS) can help overcome limitations of existing vulnerability tracking systems, according to a study by Rezilion.

According to Rezilion, leading vulnerability tracking systems such as the Common Vulnerability Scoring System (CVSS) and the catalog of Known Exploited Vulnerabilities (KEV) maintained by the US Cybersecurity and Infrastructure Security Agency (CISA) still fall short of effectively predicting the severity and exploitability of a vulnerability, leaving a need for a complete and accurate scoring system.

"Relying solely on a CVSS severity score to assess the risk of individual vulnerabilities has been shown to be equivalent to randomly selecting vulnerabilities for remediation," said the study. "Additional context is required in order to allow for a more scalable and effective prioritization strategy."

Issues with CVSS and KEV

The study notes that CVSS is neither scalable nor effective, and that it does not reflect actual risk. To support this claim, Rezilion points out that more than 57% of the vulnerabilities currently listed in the US National Vulnerability Database (NVD) with a CVSS v3 score have a high or critical base score, while an average organization can patch only around 10% of the vulnerabilities in its environment each month. In a recent survey conducted with Ponemon, Rezilion found that most surveyed organizations reported huge vulnerability backlogs and patching debt.

Fewer than 5% of vulnerabilities will ever be exploited, and only a fraction of those will be exploitable in the context of a given environment, the study said. Zeroing in on the highly exploitable ones is therefore what matters most, and CVSS fails at that.
"Only 2.24% of the vulnerabilities in NVD have weaponized exploit code," the study added. "Hence, wasting valuable efforts triaging thousands of high- and critical-severity vulnerabilities according to their CVSS score isn't necessarily an effective use of resources."

KEV, for its part, fails to provide a complete view of vulnerabilities because it lists only those that are being or have been exploited, that have a CVE ID, and that come with clear remediation guidance. As a result, a vulnerability may be added to the catalog years after it was first exploited.

Michael Sampson, an analyst at Osterman Research, sees some benefits in adopting a new classification system. "I agree that CVSS alone is insufficient for prioritization of vulnerabilities to address within a given organization," said Sampson. "With the weakness in the timeliness of the data in CISA KEV, assuming that the EPSS approach is scalable and more timely, it is something that organizations should investigate using."

EPSS as an alternative

EPSS is a data-driven scoring system that predicts the probability that a known vulnerability will be exploited. It is the outcome of a collaboration of more than 170 global security experts. Because it is based on a machine learning algorithm, EPSS also adapts to new information published after the initial disclosure of a vulnerability. To predict the probability of exploitation, EPSS uses a gradient-boosting decision tree algorithm trained on a corpus of data characterized by 1,478 variables drawn from the NVD and MITRE CVE lists, as well as other sources.

EPSS currently lists 206,859 of the 220,914 vulnerabilities in the NVD, excluding those listed as "rejected" or "reserved". It assigns the majority of CVEs a very low likelihood of exploitation: only 6% have a likelihood of exploitation greater than 10%, which aligns with the evidence that only 5% of vulnerabilities are ever exploited.
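To make the prioritization argument concrete, here is an added example (not code from the article, the Rezilion study or the EPSS project) that ranks a constructed inventory of vulnerabilities first by CVSS base score alone and then by EPSS probability, under a fixed patch budget, and compares the expected number of exploited vulnerabilities each approach would have addressed. All CVE identifiers, scores and probabilities are constructed placeholders, and the 30% budget is used only because the sample inventory has ten entries.

```python
from dataclasses import dataclass

# Added example: every identifier, score and probability here is constructed
# sample data, not a real CVE or a real NVD/EPSS value.

@dataclass(frozen=True)
class Vuln:
    cve: str      # placeholder id (constructed)
    cvss: float   # CVSS v3 base score, 0.0-10.0
    epss: float   # EPSS probability of exploitation, 0.0-1.0

# Mostly high/critical CVSS entries with tiny EPSS probabilities, plus two
# medium-severity entries that EPSS flags as likely to be exploited.
INVENTORY = [
    Vuln("CVE-0000-0001", 9.8, 0.01), Vuln("CVE-0000-0002", 9.1, 0.02),
    Vuln("CVE-0000-0003", 8.8, 0.01), Vuln("CVE-0000-0004", 8.1, 0.03),
    Vuln("CVE-0000-0005", 7.5, 0.02), Vuln("CVE-0000-0006", 7.5, 0.01),
    Vuln("CVE-0000-0007", 7.2, 0.02), Vuln("CVE-0000-0008", 6.5, 0.85),
    Vuln("CVE-0000-0009", 5.3, 0.60), Vuln("CVE-0000-0010", 4.3, 0.02),
]

def share_above(vulns, threshold=0.10):
    """Fraction of the inventory whose EPSS exceeds `threshold`."""
    return round(sum(v.epss > threshold for v in vulns) / len(vulns), 4)

def prioritize(vulns, key, budget_fraction):
    """Top slice of `vulns` by `key` (highest first), cut off at
    `budget_fraction` of the inventory, patching at least one item."""
    budget = max(1, round(len(vulns) * budget_fraction))
    return sorted(vulns, key=key, reverse=True)[:budget]

def expected_exploits_covered(patched):
    """Sum of EPSS probabilities over the patched set: the expected number
    of those vulnerabilities that would otherwise have been exploited."""
    return round(sum(v.epss for v in patched), 4)

def compare(vulns=INVENTORY, budget_fraction=0.30):
    """Expected exploits averted by CVSS-only vs EPSS-first triage. The
    article cites ~10% of vulnerabilities patched per month; 30% is the
    default here only so the 10-entry inventory gives a 3-item budget."""
    by_cvss = prioritize(vulns, lambda v: v.cvss, budget_fraction)
    by_epss = prioritize(vulns, lambda v: (v.epss, v.cvss), budget_fraction)
    return {
        "cvss_only": [v.cve for v in by_cvss],
        "cvss_only_expected_exploits": expected_exploits_covered(by_cvss),
        "epss_first": [v.cve for v in by_epss],
        "epss_first_expected_exploits": expected_exploits_covered(by_epss),
    }
```

With this data, CVSS-only triage spends the whole budget on entries with a combined 0.04 expected exploits, while EPSS-first triage covers 1.48; `share_above(INVENTORY)` gives the analogue of the article's "6% above 10% likelihood" figure for the sample.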
Rezilion cautioned in its study that EPSS is a probabilistic model and may have training data limitations. That needn't put off potential users, according to Osterman's Sampson. "In principle, anything that provides prioritization of what a given security team should address first, second, nth based on multiple real-world inputs from their organization (and beyond) is a good thing," Sampson said. "But it does need to be up to date."