Five Key Findings from the Inaugural EPSS Report

Corey Tomlinson
August 21, 2024

Last month, Cyentia and First.org published the inaugural Exploit Prediction Scoring System (EPSS) performance report. The report goes beyond just assessing the EPSS predictive scoring model. It looks at historical vulnerability data and published CVEs, as well as provides comparisons to the other popular scoring models: CVSS and CISA-KEV.


The report’s analysis provides useful context for vulnerability management teams, both on using the different scoring models and understanding the broader vulnerability landscape. We encourage vulnerability management and enterprise cybersecurity leaders and practitioners to check out the report and, to help you get started, we pulled a few key findings from the data.

EPSS Performance Is Improving

The EPSS scoring model is on its third version since 2019. As could reasonably be expected, the performance of the model has increased over time. EPSS, as a predictive model, will never be 100% exact, but the significant leaps in efficiency – especially for CVEs ranked as having a higher likelihood of exploitation – are an encouraging sign. Having a reliably accurate predictive measure for vulnerability exploitation is a valuable tool in the vulnerability management arsenal.

[Figure: EPSS Performance Graph]

CVE Volume Is Overwhelming

As of May 31, 2024, there were 237,687 published CVEs. More than 30k of these were published within the last year, showing a recent acceleration of new vulnerabilities. This number isn’t included as a scare tactic; it’s just a reflection of the diversity of modern technologies on the market. It does, however, speak to the overwhelming volume of vulnerabilities and exploits that security teams deal with in their daily work.

[Figure: CVE Volume History]

A Small Percentage of CVEs Are Ever Exploited

While there is a high volume of published CVEs, not every CVE gets exploited. In fact, only about 6% of all CVEs published have ever been exploited. That 6% still represents nearly 15k exploited vulnerabilities but, as you’ll see, even that number isn’t what it appears to be on the surface.

[Figure: Vulnerability Exploitation Activity]

Not All Vulnerabilities Are Exploited Forever

The threat landscape is dynamic. New vulnerabilities arise, creating new attack vectors. Defenders react, remediation occurs, and the noise around a given vulnerability may continue or it may go dormant.

The report shows that many previously exploited vulnerabilities are no longer actively targeted. The pattern is sporadic, but it is also an opportunity. Organizations can adopt a prioritization and remediation strategy that fits their overall risk tolerance, using measures like EPSS to frame and inform that strategy.

[Figure: Unique CVE Exploitation]

On a related note, just because a vulnerability isn’t being actively exploited today doesn’t mean it won’t return in the future. It’s important to remember past vulnerabilities, keeping detailed documentation and relying on tools that comprehensively recognize and assess vulnerabilities of all kinds, especially when exploitation activity resumes. The report says it best: “Newly exploited vulns get the most attention, but the older ones get the most action.”

EPSS Supports a Strategic Remediation Approach

The EPSS score for any CVE shouldn’t be the sole driver in a remediation decision. We discussed operationalizing the EPSS score when the report first came out. Building a strategy around the EPSS threshold that includes your organization’s risk tolerance, business context, and other relevant factors is a much more effective use of the model than a one-dimensional application of the score.
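To make the "threshold plus context" idea concrete, here is a small prioritization routine added for this post. It is example code, not Nucleus product logic and not anything published in the EPSS report. The 0.10 EPSS threshold, the tier rules, and the sample findings (with placeholder CVE ids) are all constructed assumptions; the point is that the EPSS probability is one input alongside KEV membership, CVSS severity, internet exposure and asset criticality, and that moving the threshold visibly changes how much work lands in the urgent tiers.

```python
from dataclasses import dataclass

# EPSS scores are probabilities (0.0-1.0) of exploitation activity in the next 30 days.
# This threshold is an illustrative assumption, not a value from the EPSS report;
# each organization tunes it to its own risk tolerance.
DEFAULT_EPSS_THRESHOLD = 0.10


@dataclass(frozen=True)
class Finding:
    cve: str
    epss: float             # EPSS probability, 0.0-1.0
    cvss: float             # CVSS base score, 0.0-10.0
    in_kev: bool            # listed in CISA KEV (confirmed exploitation)
    internet_facing: bool   # asset reachable from the internet
    asset_criticality: str  # "high", "medium" or "low" (business context)


def priority_tier(f: Finding, epss_threshold: float = DEFAULT_EPSS_THRESHOLD) -> str:
    """Return a remediation tier, "P1" (most urgent) to "P4", combining EPSS with context."""
    likely = f.epss >= epss_threshold
    high_value = f.asset_criticality == "high"
    if f.in_kev or (likely and (f.internet_facing or high_value)):
        return "P1"  # confirmed or probable exploitation on exposed or critical assets
    if likely or (f.cvss >= 9.0 and (f.internet_facing or high_value)):
        return "P2"  # probable exploitation elsewhere, or critical severity where it matters
    if f.cvss >= 7.0 or f.epss >= epss_threshold / 10:
        return "P3"  # watch list: severe but unlikely, or EPSS creeping toward the threshold
    return "P4"


def prioritize(findings, epss_threshold: float = DEFAULT_EPSS_THRESHOLD):
    """Order findings by tier, then by EPSS descending, so the riskiest item is on top."""
    return sorted(findings, key=lambda f: (priority_tier(f, epss_threshold), -f.epss))


def remediation_load(findings, epss_threshold: float) -> float:
    """Fraction of findings that land in P1/P2 at this threshold: the effort a threshold implies."""
    if not findings:
        return 0.0
    urgent = sum(1 for f in findings if priority_tier(f, epss_threshold) in ("P1", "P2"))
    return urgent / len(findings)


# Constructed sample data; the CVE ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", epss=0.940, cvss=9.8, in_kev=True,  internet_facing=True,  asset_criticality="high"),
    Finding("CVE-0000-0002", epss=0.350, cvss=7.5, in_kev=False, internet_facing=True,  asset_criticality="low"),
    Finding("CVE-0000-0003", epss=0.120, cvss=5.3, in_kev=False, internet_facing=False, asset_criticality="medium"),
    Finding("CVE-0000-0004", epss=0.004, cvss=9.1, in_kev=False, internet_facing=False, asset_criticality="high"),
    Finding("CVE-0000-0005", epss=0.020, cvss=8.8, in_kev=False, internet_facing=False, asset_criticality="low"),
    Finding("CVE-0000-0006", epss=0.001, cvss=4.3, in_kev=False, internet_facing=False, asset_criticality="low"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(priority_tier(f), f.cve, f"epss={f.epss:.3f} cvss={f.cvss}")
    # Show how the chosen threshold trades coverage against workload.
    for t in (0.01, 0.10, 0.50):
        print(f"threshold {t:.2f}: {remediation_load(SAMPLE_FINDINGS, t):.0%} of findings in P1/P2")
```

Note what the rules do and do not let EPSS decide: a KEV entry is urgent regardless of its score, a CVSS 9.1 on a critical internal host still reaches P2 with an EPSS of 0.004, and a high-EPSS CVE on a low-value internal box is P2 rather than P1. Running `remediation_load` at several thresholds is the cheap way to see, before committing to a policy, how many findings a given threshold would push into the urgent tiers.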

[Figure: EPSS Thresholds]

EPSS: An Effective Addition to Vulnerability Exploit Prediction

As a predictive score, EPSS has come a long way since it was first presented in June 2019. With rising accuracy and trust in the industry, EPSS has become a valuable tool for vulnerability management teams building remediation strategies. By assessing the likelihood of an exploit occurring, EPSS offers a proactive alternative to other scoring models.

We encourage you to check out the report, if you haven’t already. If you want to learn more about EPSS scoring and how it works with Nucleus, don’t hesitate to contact us.

Corey Tomlinson
Corey is a member of the Nucleus marketing team, responsible for driving awareness about the company’s solutions and topics relevant to the company’s customers and partners.
