Five Key Findings from the Inaugural EPSS Report
Last month, Cyentia and First.org published the inaugural Exploit Prediction Scoring System (EPSS) performance report. The report goes beyond just assessing the EPSS predictive scoring model. It looks at historical vulnerability data and published CVEs, as well as provides comparisons to the other popular scoring models: CVSS and CISA-KEV.
The report’s analysis provides useful context for vulnerability management teams, both on using the different scoring models and understanding the broader vulnerability landscape. We encourage vulnerability management and enterprise cybersecurity leaders and practitioners to check out the report and, to help you get started, we pulled a few key findings from the data.
EPSS Performance Is Improving
The EPSS scoring model is on its third version since 2019. As could reasonably be expected, the performance of the model has increased over time. EPSS, as a predictive model, will never be 100% exact, but the significant leaps in efficiency, especially for CVEs ranked as having a higher likelihood of exploitation, are an encouraging sign. Having a reliably accurate predictive measure for vulnerability exploitation is a valuable tool in the vulnerability management arsenal.
CVE Volume is Overwhelming
As of May 31, 2024, there were 237,687 published CVEs. More than 30k of these were published within the last year, showing a recent acceleration of new vulnerabilities. This number isn’t included as a scare tactic; it’s just a reflection of the diversity of modern technologies on the market. It does, however, speak to the overwhelming volume of vulnerabilities and exploits that security teams deal with in their daily work.
A Small Percentage of CVEs Are Ever Exploited
While there is a high volume of published CVEs, not every CVE gets exploited. In fact, only about 6% of all CVEs published have ever been exploited. That 6% still represents nearly 15k exploited vulnerabilities but, as you’ll see, even that number isn’t what it appears to be on the surface.
Not All Vulnerabilities Are Exploited Forever
The threat landscape is dynamic. New vulnerabilities arise, creating new attack vectors. Defenders react, remediation occurs, and the noise around a given vulnerability may continue or it may go dormant.
The report shows that many previously exploited vulnerabilities are no longer actively targeted. The pattern is sporadic, but it also presents an opportunity. Organizations can adopt a prioritization and remediation strategy that fits their overall risk tolerance, using measures like EPSS to frame and inform that strategy.
On a related note, just because a vulnerability isn’t being actively exploited today doesn’t mean it won’t return in the future. It’s important to remember past vulnerabilities, keeping detailed documentation and relying on tools that comprehensively recognize and assess all manner of vulnerabilities, especially if new exploits start occurring. The report says it best: “Newly exploited vulns get the most attention, but the older ones get the most action.”
EPSS Supports a Strategic Remediation Approach
The EPSS score for any CVE shouldn’t be the sole driver in a remediation decision. We discussed operationalizing the EPSS score when the report first came out. Building a strategy around the EPSS threshold that includes your organization’s risk tolerance, business context, and other relevant factors is a much more effective use of the model than a one-dimensional application of the score.
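As an added illustration (not code from the report or from Nucleus), here is one way to encode such a threshold strategy: a small triage routine that treats the EPSS score as one input alongside CISA KEV membership, the CVSS base score, and two assumed business-context fields (internet exposure and asset criticality). The CVE ids and scores in the sample are constructed placeholders, and the tier names and threshold value are assumptions an organization would set for itself.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    epss: float             # EPSS probability of exploitation activity in the next 30 days (0..1)
    cvss: float             # CVSS base score (0..10)
    in_kev: bool            # listed in CISA KEV, i.e. known to be exploited
    internet_facing: bool   # assumed business context: reachable from the internet
    asset_criticality: int  # assumed business context: 1 (low) .. 3 (high)

def remediation_tier(f: Finding, epss_threshold: float = 0.10) -> str:
    """Map one finding to a remediation tier.

    epss_threshold expresses risk tolerance: lowering it pulls more CVEs
    into the urgent tiers, raising it accepts more predicted risk.
    """
    # Observed exploitation outranks predicted exploitation: KEV entries go first.
    if f.in_kev:
        return "P1-now"
    # Likely to be exploited AND either exposed or on a critical asset.
    if f.epss >= epss_threshold and (f.internet_facing or f.asset_criticality == 3):
        return "P1-now"
    if f.epss >= epss_threshold:
        return "P2-next-cycle"
    # Below the EPSS threshold: severity plus exposure still earns a faster queue.
    if f.cvss >= 9.0 and f.internet_facing:
        return "P2-next-cycle"
    return "P3-routine"

def prioritize(findings, epss_threshold: float = 0.10):
    """Return (tier, finding) pairs ordered by tier, then EPSS, then CVSS."""
    order = {"P1-now": 0, "P2-next-cycle": 1, "P3-routine": 2}
    scored = [(remediation_tier(f, epss_threshold), f) for f in findings]
    return sorted(scored, key=lambda t: (order[t[0]], -t[1].epss, -t[1].cvss))

# Constructed sample findings (placeholder ids, not real CVEs).
SAMPLE = [
    Finding("CVE-0000-0001", 0.020, 9.8, False, True, 2),   # critical CVSS, low EPSS, exposed
    Finding("CVE-0000-0002", 0.450, 6.5, False, False, 1),  # high EPSS, internal, low-value asset
    Finding("CVE-0000-0003", 0.010, 7.5, True, False, 1),   # in KEV despite a low EPSS score
    Finding("CVE-0000-0004", 0.300, 5.3, False, True, 2),   # high EPSS and internet-facing
    Finding("CVE-0000-0005", 0.005, 4.3, False, False, 1),  # nothing pushes this up the queue
]

if __name__ == "__main__":
    for tier, f in prioritize(SAMPLE):
        print(f"{tier:14} {f.cve}  epss={f.epss:.3f} cvss={f.cvss}")
```

Re-running `prioritize(SAMPLE, epss_threshold=0.5)` shows how a looser tolerance drops the EPSS-driven findings into the routine queue while the KEV entry stays at the top.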
EPSS: An Effective Addition to Vulnerability Exploit Prediction
As a predictive score, EPSS has come a long way since it was first presented in June 2019. With rising accuracy and trust in the industry, EPSS has become a valuable tool for vulnerability management teams building remediation strategies. By assessing the likelihood of an exploit occurring, EPSS offers a proactive alternative to other scoring models.
We encourage you to check out the report, if you haven’t already. If you want to learn more about EPSS scoring and how it works with Nucleus, don’t hesitate to contact us.