Predictive Vulnerability Management: Operationalizing EPSS with Business Context
Webinar Summary
As risk-based vulnerability management programs evolve, the focus transitions from understanding current exploits to anticipating future threats.
The Exploit Prediction Scoring System (EPSS) addresses this forward-looking approach by estimating the likelihood of software vulnerabilities being exploited using probability and machine learning.
However, setting an EPSS threshold based solely on risk tolerance offers only a global prediction. To maximize the effectiveness of EPSS, it is crucial to integrate this threshold with your organization’s specific context.
In this webinar, EPSS report author Jay Jacobs (Cyentia) joins Stephen Shaffer (EPSS SIG Co-chair, FIRST) and Scott Kuffer (COO and Co-Founder, Nucleus) to guide you through the process of operationalizing EPSS by combining it with extensive business and asset information, including internet accessibility, data sensitivity, asset criticality, and compliance scopes.
Join us as we explore:
- Understanding EPSS and its role in vulnerability management
- Setting and operationalizing EPSS thresholds based on organizational risk tolerance
- Integrating EPSS with business context for effective risk-based prioritization
- Leveraging Nucleus Data Core for a unified and proactive vulnerability management strategy
- Real-world examples and best practices for shifting from reactive to proactive prioritization
About the Presenters
- Scott Kuffer: Scott is co-founder of Nucleus Security, a security engineer by trade and an advisor. He is most adept at taking products from an idea to reality, building scalable business processes, and executing strategic initiatives. Before Nucleus, Scott was a cybersecurity engineer in the defense industry.
- Jay Jacobs: Jay is Co-founder and Chief Data Scientist at the Cyentia Institute. He is well-regarded for his expertise in information security data analysis and visualization, contributing significantly to the advancement of the field. His work involves developing innovative methods and tools for analyzing complex security data. He is an active proponent of improving how we measure and manage risk.
- Stephen Shaffer: Stephen is the Co-Chair of the Exploit Prediction Scoring System (EPSS) Special Interest Group (SIG). He has extensive experience in enterprise vulnerability management, where he applies EPSS to model asset risk and prioritize vulnerability remediation efforts. His work emphasizes a quantitative approach to vulnerability management, aiming to enhance the effectiveness of security strategies by focusing on risk reduction rather than merely tracking vulnerabilities.
Key Takeaways
Understanding EPSS as a Data-Driven System
EPSS (Exploit Prediction Scoring System) demonstrates what data-driven methodology can do in cybersecurity. Unlike the Common Vulnerability Scoring System (CVSS), which provides static severity scores, EPSS is dynamic and constantly evolving. It estimates, for each published Common Vulnerability and Exposure (CVE), the probability that exploitation activity will be observed within the next 30 days, and it does so from continuously collected data. The score for a CVE is therefore not fixed but is recalculated as new exploitation activity is observed, giving an efficient and robust input for vulnerability prioritization.
The Importance of a Feedback Loop
A standout feature of EPSS is its feedback loop, designed to keep the system highly adaptive and relevant. By collecting ongoing exploitation activity and retraining its predictive model, EPSS stays current. The consistent growth in exploitation activities underscores the necessity of this ongoing recalibration, ensuring that the model remains effective and aligned with real-world scenarios.
Prioritization Strategies in Vulnerability Management
Scott, Jay and Stephen discussed the development of effective prioritization strategies for vulnerability management, including a four-tiered model to categorize vulnerabilities:
- Validated exposures
- Active exploitation
- Predictive exploitation
- Impact and likelihood of exploitation
Using a decision tree approach helps organizations map EPSS scores to remediation Service Level Agreements (SLAs). This method also categorizes vulnerabilities by the criticality of the affected asset and the likelihood of exploitation, streamlining the prioritization process.
The Role of Visualization in Understanding Asset Posture
Visual representation plays a significant role in understanding asset postures. By visualizing EPSS scores, organizations can better assess their current security standing and identify potential strategies for improvement. This approach aids in correlating the vulnerabilities present within an environment to their risk of exploitation, offering a clearer pathway to enhance security measures.
Balancing Efficiency and Security
Balancing the urgency of expedited remediation with the overall efficacy of vulnerability management is crucial. Precise prioritization and standard patch remediation are integral to building organizational trust. This balance ensures that business risks are addressed efficiently without compromising the security of the system.
Leveraging External Information and Human Judgment
While numerical data from systems like EPSS is invaluable, integrating external threat intelligence and human judgment is equally important. During the webinar, both Scott and Jay discussed how incorporating qualitative insights can enrich a vulnerability management program, providing a well-rounded approach that harmonizes quantitative data with expert analysis.
Operationalizing EPSS
To bring EPSS into practical application, the webinar introduced methods to operationalize the system by using a CSV file for prioritizing vulnerabilities. By coupling EPSS scores with asset attributes, organizations can perform comprehensive risk analyses and determine the likelihood of future exploitation. This operational approach brings real-world applicability to the theoretical aspects of EPSS scoring.
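The four-tier decision tree and the CSV-driven operationalization described above, written out as an added example (not code from the webinar, Nucleus or FIRST). It assumes the `cve,epss,percentile` column layout of the EPSS daily CSV; the scores, the asset inventory, the 0.10 threshold and the SLA table are all constructed placeholders for an organization's own values.

```python
import csv
import io

# Constructed sample in the layout of the EPSS daily CSV (leading '#' line is
# metadata in the real feed). Values are made up for this example.
EPSS_CSV = """#model_version:placeholder,score_date:placeholder
cve,epss,percentile
CVE-0000-0001,0.92000,0.99900
CVE-0000-0002,0.04000,0.80000
CVE-0000-0003,0.00100,0.20000
"""

# Hypothetical findings joined with the business context the webinar lists.
FINDINGS = [
    {"cve": "CVE-0000-0001", "asset": "web-01", "internet_facing": True,
     "validated_exposure": False, "in_kev": False, "criticality": "high"},
    {"cve": "CVE-0000-0002", "asset": "db-01", "internet_facing": False,
     "validated_exposure": False, "in_kev": True, "criticality": "high"},
    {"cve": "CVE-0000-0003", "asset": "hr-wiki", "internet_facing": False,
     "validated_exposure": False, "in_kev": False, "criticality": "low"},
    {"cve": "CVE-0000-0003", "asset": "web-02", "internet_facing": True,
     "validated_exposure": True, "in_kev": False, "criticality": "medium"},
]

EPSS_THRESHOLD = 0.10          # assumed organizational risk tolerance
SLA_DAYS = {1: 1, 2: 7, 3: 14, 4: 30}  # assumed remediation SLA per tier


def load_epss(text):
    """Parse the EPSS CSV into {cve: probability}, skipping '#' metadata."""
    lines = (ln for ln in io.StringIO(text) if not ln.startswith("#"))
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(lines)}


def tier(finding, epss):
    """Four-tier decision tree; the first matching tier wins."""
    if finding["validated_exposure"]:
        return 1, "validated exposure"
    if finding["in_kev"]:
        return 2, "active exploitation"
    if epss >= EPSS_THRESHOLD:
        return 3, "predictive exploitation"
    return 4, "impact and likelihood"


def assign_sla(finding, epss):
    t, reason = tier(finding, epss)
    days = SLA_DAYS[t]
    # Assumed policy: internet-facing or high-criticality assets get half the SLA.
    if finding["internet_facing"] or finding["criticality"] == "high":
        days = max(1, days // 2)
    return {"cve": finding["cve"], "asset": finding["asset"], "tier": t,
            "reason": reason, "epss": epss, "sla_days": days}


def prioritize(csv_text, findings):
    """Join findings with EPSS scores (missing CVE -> 0.0) and rank them."""
    scores = load_epss(csv_text)
    rows = [assign_sla(f, scores.get(f["cve"], 0.0)) for f in findings]
    return sorted(rows, key=lambda r: (r["tier"], r["sla_days"], -r["epss"]))
```

Note that the low-EPSS CVE-0000-0003 lands both at the top (validated exposure on web-02) and at the bottom (hr-wiki) of the queue: context, not the global score alone, sets the SLA.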
Future Prospects and Collaborations
Looking ahead, there are ongoing exploratory efforts to extend EPSS scoring to non-CVE vulnerabilities. However, this comes with the challenge of lacking a common language across various data sources. Potential collaborations with organizations like CISA and partnerships with vendors are on the horizon, aiming to foster a more integrated ecosystem of threat intelligence and vulnerability management.
See Nucleus in Action
Discover how unified, risk-based automation can transform your vulnerability management.