Managing vulnerabilities can feel like the end of the first act of Les Misérables as you sing to yourself, “one day more, another day another vulnerability.” Like Jean Valjean, you attempt to put up barricades to protect your environment from attackers exploiting these security weaknesses. Keeping pace with the number of vulnerabilities and threat actor activities becomes overwhelming, leaving you to feel outnumbered and outmanned.
The Exploit Prediction Scoring System (EPSS) seeks to help you prioritize your vulnerability remediation activities so understanding its intended use case and limitations enables you to incorporate it into your security program more effectively.
What is the EPSS Model?
Created by the Forum of Incident Response and Security Teams (FIRST), the Exploit Prediction Scoring System (EPSS) is a tree-based predictive model that combines vulnerability information with real-world exploit activity to predict the likelihood that attackers will attempt to use a specific vulnerability over the next thirty days. FIRST updates the data daily offering both a downloadable CSV file and an API that security teams can use.
EPSS measures the threat that a vulnerability presents, not its risk. It focuses entirely on whether malicious actors are likely to use a vulnerability from the Common Vulnerabilities and Exposures (CVE) list during an attack. It fails to take a company’s unique environment or risk mitigation controls into account. The current version of EPSS provides two related insights:
- Probability: global measure, expressed as a value from 0 to 1, to estimate the threat to an IT system with many vulnerabilities
- Percentile: measure of an EPSS vulnerability relative measure of threat compared to provides insights into localized context
Vulnerability Information
To collect as much quality data as possible, the EPSS incorporates the following vulnerability information:
- Vendor
- Days since the vulnerability was published
- References for where data came from, like MITRE CVE or National Vulnerability Database (NVD)
- Normalized expressions extracted from the vulnerability’s description
- Weakness
- Common Vulnerability Scoring System (CVSS) metrics
- Public discussions of CVE, like CISA KEV, Google Project Zero, Trend Micro Zero Day Initiative
- PUblicly available exploit code, like from Exploit-DB, GitHub, or Metasploit
- Security tools and scanners, like Intrigue, sn1per, jaeles, and nuclei
Exploitation Activity
The EPSS collects information about attempts to exploit a vulnerability rather than whether an attempt proved successful. Most data comes from:
- Honeypots
- Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS) sensor
- Host-based detection methods
Since the EPSS tracks exploitation activity, it provides insights into current activity that can happen in short, infrequent, unpredictable bursts.
EPSS vs. CVSS
CVSS provides insight into a vulnerability’s characteristics to create a common language about severity. The Base Score focuses on technical information about the vulnerability with no connection to environment or threats.
The EPSS machine learning model identifies patterns and relationships between vulnerability information, like CVSS, and exploitation activity to mathematically identify the likelihood that attackers will use a vulnerability. As part of this process, it buckets vulnerabilities into four categories:
- True positives (TPs): Prioritized vulnerabilities with a CVSS Base Score of 7 or more with identified real-world exploitation activity
- False positives (FPs): Prioritized vulnerabilities with a CVSS Base Score of 7 or more without identified real-world exploitation
- False negatives (FNs): Not prioritized vulnerabilities with a CVSS Base Score below 7 with identified real-world exploitation activity
- True negatives (TNs): Not prioritized vulnerabilities with a CVSS Base Score below 7 without identified real-world exploitation activity
EPSS vs. Vulnerability Exploitability eXchange (VEX)
VEX is a machine-readable data format that collects vulnerability information about products or components. Unlike the EPSS, the VEX data only provides the following information about a product’s status:
- Fixed: Vendor remediated a CVE in a product or component.
- Known Affected: A product or component contains a CVE, but no fix is available.
- Known Not Affected: CVE does not affect a product or component.
- Under Investigation: Vendor is currently reviewing whether a CVE impacts the product or component.
The VEX data provides additional information about whether a CVE impacts a product in your environment. You can combine this data with the EPSS score to help focus your remediation activities.
What benefits does EPSS score provide?
If you’re struggling to remediate vulnerabilities, then you can use the EPSS to improve your processes to respond to threats faster. Some typical benefits include:
- Increased productivity: By prioritizing remediation activities based on TPs and TNs, vulnerability and patch management teams can focus on high-value activities.
- Improved efficiency: By prioritizing TPs over FPs, vulnerability and patch management teams can more efficiently allocate resources.
- Enhanced coverage: By reviewing the number of TPs and FNs, vulnerability and patch management teams gain insight into the number of exploited vulnerabilities they remediated.
What are the limitations of the exploit prediction scoring system?
EPSS helps you identify vulnerabilities that attackers are currently using in attacks, enabling you to prioritize your remediation activities. However, you should understand its limitations within the context of your overarching security program.
Focused on Vulnerabilities
The EPSS enables you to prioritize vulnerability remediation actions. While the 2024 Data Breach Investigations Report noted that attacks exploiting vulnerabilities increased by 180% last year, EPSS is not related to security alerts. Your security program should include rapid vulnerability remediation as a risk mitigation control, but EPSS won’t help your security team identify anomalous activity.
Threats Not Risk
Threats fall into the category of “what could go wrong?” They’re an action that can happen. Risk is more complicated. It considers the likelihood that something could go wrong and the business impact if something goes wrong. EPSS only provides insight into the likelihood that attackers will use a vulnerability. It does not consider your organization’s:
- Environment
- Risk mitigation controls
- Business impact from an attack
Limited View
EPSS’s focus on vulnerabilities provides a limited view into your organization’s overall security posture. You can use the different EPSS categories to help measure your vulnerability and patch management program’s success, but you still need insight into things like:
- User access
- API security
- Network traffic
- Indicators of Compromise
For comprehensive visibility into your security posture, you should incorporate additional threat intelligence feeds and correlate data from across your environment.
Detection and Response
An unpatched vulnerability is a way into your systems and networks. However, while the threat intelligence underlying EPSS can provide insight into the vulnerabilities attackers might be using, it won’t help your security team to detect an incident or trace the incident’s root cause. If you look at the MITRE ATT&CK Framework , vulnerability exploitation is only one sub-technique under Obtain Capabilities which is only one of 202 total techniques. To rapidly respond to an incident, you need to investigate the alert as quickly as possible to reduce the time malicious actors spend in your systems.
Graylog Security and API Security: Risk-Based Threat Detection and Incident Response
Using Graylog Security, you can rapidly mature your TDIR capabilities without the complexity and cost of a traditional Security Information and Event Management (SIEM) technology. Graylog Security’s Illuminate bundles include detection rulesets so that you have content, like Sigma detections, enabling you to uplevel your security alert, incident response, and threat hunting capabilities with correlations to ATT&CK tactic, techniques, and procedures (TTPs).
By leveraging our cloud-native capabilities and out-of-the-box content, you gain immediate value from your logs. Our anomaly detection ML improves over time without manual tuning, adapting rapidly to new data sets, organizational priorities, and custom use cases so that you can automate key user and entity access monitoring.
With our intuitive user interface, you can rapidly investigate alerts. Our lightning-fast search capabilities enable you to search terabytes of data in milliseconds so that you can reduce dwell times, shrinking investigations by hours, days, and weeks.
To learn how Graylog Security can help you implement robust threat detection and response, contact us today.