
EPSS vs. CVSS: What’s the best approach to vulnerability prioritization?

Tom Hoskin
Lead Product Manager

Key Points

Many businesses rely on the Common Vulnerability Scoring System (CVSS) to assess the severity of vulnerabilities for prioritization. While these scores provide some insight into the potential impact of a vulnerability, they don’t factor in real-world threat data, such as the likelihood of exploitation. With new vulnerabilities discovered daily, teams don’t have the time - or the budget - to waste on fixing vulnerabilities that won’t actually reduce risk.

Read on to learn more about how CVSS and EPSS compare and why using EPSS is a game changer for your vulnerability prioritization process. 

What is vulnerability prioritization?

Vulnerability prioritization is the process of evaluating and ranking vulnerabilities based on the potential impact they could have on an organization. The goal is to help security teams determine which vulnerabilities should be addressed, in what timeframe, or if they need to be fixed at all. This process ensures that the most critical risks are mitigated before they can be exploited and is an essential part of attack surface management.

In an ideal world, security teams would be able to remediate every vulnerability as soon as it is discovered, but that’s neither possible nor efficient. Research has shown that most teams can only remediate about 10-15% of their open vulnerabilities per month, which is why prioritizing effectively is so important.

Ultimately, getting vulnerability prioritization right ensures organizations can make the best use of their resources. Why does this matter? Because businesses can’t afford to spend money on things unless they make a difference, and risk management is all about making sure money is spent on genuinely reducing risk.

The limitations of CVSS for vulnerability prioritization

Historically, one of the most common ways organizations prioritize vulnerabilities is by using CVSS base scores.

CVSS base scores are determined by factors that are constant across time and user environments, such as the ease and technical means by which a vulnerability can be exploited and the consequence of a successful exploit. These factors are quantified and combined to generate a final score between 0 and 10 – the higher the score, the higher the severity.

CVSS scores offer a baseline and a standardized way of assessing severity and are sometimes necessary for compliance. However, they have limitations that make relying on them less efficient than considering them alongside real-time data sources.

One of the main limitations of CVSS scores is that they do not consider the current threat landscape, such as whether a vulnerability is being actively exploited in the wild. This means that a vulnerability with a high CVSS score may not necessarily be the most critical issue an organization faces. Take CVE-2023-48795, for example. Its current CVSS score is 5.9, which is ‘medium’. But if you consider other threat intelligence sources, such as EPSS, you’ll see there’s a high chance of it being exploited within the next 30 days (at the time of writing).

This shows the importance of taking a more holistic approach to vulnerability prioritization that considers not only CVSS scores but also real-time threat intelligence.

Improving prioritization with exploit data

To improve vulnerability prioritization, organizations should move beyond CVSS scores and consider other factors, such as exploitation activity identified in the wild. A valuable source for this is EPSS, a model developed by FIRST.

What is EPSS?

EPSS is a model that provides a daily estimate of the probability that a vulnerability will be exploited in the wild within the next 30 days. The model produces a score between 0 and 1 (0% to 100%), with higher scores indicating a higher probability of exploitation.

The model works by collecting a wide range of vulnerability information from various sources, such as the National Vulnerability Database (NVD), CISA KEV, and Exploit-DB, along with evidence of exploitation activity. The model is trained with machine learning to identify subtle patterns between these data points, allowing it to predict the likelihood of future exploitation.

CVSS vs EPSS

So how exactly do EPSS scores help improve vulnerability prioritization?

The diagram below illustrates a scenario in which vulnerabilities with a CVSS score of 7 or higher are prioritized for remediation. The blue circle represents all of these CVEs recorded on 1 October, 2023. In red, you can see all the CVEs that were exploited in the following 30 days.

As you can see, the vulnerabilities that were exploited in the wild make up only a small fraction of the vulnerabilities with a CVSS score of 7 or higher.

[Diagram: CVEs with a CVSS score of 7 or higher (blue) versus CVEs exploited in the following 30 days (red). Original source: FIRST.org]

Let’s compare this to a scenario where vulnerabilities are prioritized based on an EPSS threshold set to 10%.

A noticeable difference between the two diagrams is the size of the blue circles, which indicate the number of vulnerabilities that need to be prioritized. This gives an idea of the amount of effort required for each prioritization strategy. With a 10% EPSS threshold, the effort is significantly lower, as there are far fewer vulnerabilities to prioritize, reducing the time and resources needed. Efficiency is also significantly higher, as organizations can focus on the vulnerabilities that would have the most impact if they were not addressed first.

[Diagram: CVEs with an EPSS score of 10% or higher (blue) versus CVEs exploited in the following 30 days (red). Original source: FIRST.org]

By considering EPSS when prioritizing vulnerabilities, organizations can better align their remediation efforts with the actual threat landscape. For example, if EPSS indicates a high probability of exploitation for a vulnerability with a relatively low CVSS score, security teams might consider prioritizing that vulnerability over others that have higher CVSS scores but a lower likelihood of exploitation.
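To make the comparison of the two diagrams concrete, here is an added example (not Intruder's or FIRST's code) that applies the two thresholds from the text, CVSS ≥ 7 and EPSS ≥ 10%, to a small constructed set of CVEs and reports the effort and efficiency of each strategy; it also reports coverage (the share of all exploited CVEs that a strategy catches), which FIRST uses alongside efficiency. All CVE ids, scores and exploitation flags are constructed for illustration.

```python
"""Compare CVSS- and EPSS-threshold prioritization on a constructed CVE sample.
Added example, not Intruder's or FIRST's code; every CVE id, score and
'exploited' flag below is constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float      # CVSS base score, 0-10
    epss: float      # EPSS probability of exploitation within 30 days, 0-1
    exploited: bool  # exploitation observed in the following 30 days

# Constructed sample: includes a critical-CVSS CVE that was never exploited
# and a medium-CVSS CVE with a high EPSS score that was.
SAMPLE = [
    Cve("CVE-0000-0001", 9.8, 0.02, False),
    Cve("CVE-0000-0002", 7.5, 0.01, False),
    Cve("CVE-0000-0003", 8.1, 0.45, True),
    Cve("CVE-0000-0004", 5.9, 0.92, True),
    Cve("CVE-0000-0005", 4.3, 0.03, False),
    Cve("CVE-0000-0006", 7.2, 0.12, False),
    Cve("CVE-0000-0007", 6.5, 0.08, True),
    Cve("CVE-0000-0008", 9.1, 0.30, True),
]

def by_cvss(cves, threshold=7.0):
    """First scenario on the page: fix everything with CVSS >= threshold."""
    return [c for c in cves if c.cvss >= threshold]

def by_epss(cves, threshold=0.10):
    """Second scenario on the page: fix everything with EPSS >= threshold."""
    return [c for c in cves if c.epss >= threshold]

def evaluate(selected, cves):
    """Effort = CVEs to fix (the blue circle); efficiency = share of those that
    were exploited (overlap with red); coverage = share of all exploited caught."""
    hits = sum(1 for c in selected if c.exploited)
    exploited = sum(1 for c in cves if c.exploited)
    return {
        "effort": len(selected),
        "efficiency": hits / len(selected) if selected else 0.0,
        "coverage": hits / exploited if exploited else 0.0,
    }

if __name__ == "__main__":
    for name, picked in (("CVSS >= 7.0", by_cvss(SAMPLE)),
                         ("EPSS >= 10%", by_epss(SAMPLE))):
        print(name, evaluate(picked, SAMPLE))
```

On this sample the CVSS rule selects five CVEs of which two were exploited, while the EPSS rule selects four of which three were exploited: less effort, higher efficiency, and better coverage.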

Simplify vulnerability prioritization with Intruder

Intruder is about to release a vulnerability prioritization feature, powered by the Exploit Prediction Scoring System (EPSS) – a model that leverages machine learning to predict how likely a vulnerability is to be exploited in the next 30 days.

You’ll soon be able to view EPSS scores right inside the Intruder platform, giving your team real-world context for smarter prioritization. These scores will be displayed alongside our existing scoring system, which combines CVSS scores with input from our team of security experts to intelligently prioritize your results.

Sign up now to get ahead of the new release. Start your 14-day free trial or book some time to chat with us to learn more.
