SECURITY 101

EPSS vs CVSS vs KEV for Nuanced Risk Management

Simon Wenet
Head of Growth
February 20, 2024
Simon has spent the last decade in security leading product management & growth teams at various companies focused on DNS security, DLP, and now application security.

TL;DR

In cybersecurity, the management and prioritization of vulnerabilities are critical for safeguarding digital assets. And getting it wrong can lead to major headaches from drowning in “noise.” But when you look for solutions, you’re met with an acronym soup of risk scoring systems. This blog clarifies what those systems give you, what they do well, and what they do poorly. We will cover the Exploit Prediction Scoring System (EPSS), the Common Vulnerability Scoring System (CVSS), and the Known Exploited Vulnerabilities (KEV). And we will provide an option for a more comprehensive, nuanced, and effective framework for vulnerability management.

{{arnica-top-signup-banner="/template-pages/try-arnica-banner"}}

Leveraging EPSS, CVSS, and KEV for Comprehensive Risk Management

Using EPSS to Predict ‘Likelihood’ of a Vulnerability being Exploited

The Exploit Prediction Scoring System (EPSS) was developed by Mike Roytman and Jay Jacobs and revealed in their joint presentation at Blackhat 2019. To develop EPSS, they analyzed 25,159 Common Vulnerability Enumerations (CVEs) between June 1, 2016, to June 1, 2018. They matched this data with 921 instances of actual exploits occurring in that timeframe. By applying machine learning techniques to this data, they identified characteristics that are strong indicators of a vulnerability being exploited. While many of the findings aligned with expectations, the analysis also uncovered several intriguing subtleties.

How does Exploit Prediction Scoring System (EPSS) work?  

The Exploit Prediction Scoring System (EPSS) is a tool designed to estimate the likelihood that a given software vulnerability will be exploited. It aims to help network defenders prioritize which vulnerabilities need urgent fixing. Unlike other industry standards that focus on the inherent traits and severity of vulnerabilities, EPSS leverages recent threat data and real-world exploit statistics to assess potential threats more accurately. It provides a numerical probability score ranging from 0 to 1 (or 0 to 100%) to indicate the risk of exploitation, with higher scores indicating a greater risk. By focusing on the future rather than the past, EPSS enables a strategic allocation of resources towards mitigating the most imminent threats.

Pros & Cons of using Exploit Prediction Scoring System (EPSS)

Pros:

  • Proactive Approach: EPSS’s predictive analytics enable organizations to anticipate and mitigate threats before they're exploited, enhancing preemptive security measures.
  • Data-Driven Decision Making: By relying on a data-driven model, EPSS helps prioritize vulnerabilities based on empirical evidence, reducing guesswork and focusing efforts on high-risk areas.

Cons:

  • Predictive Limitations: The predictive model may not always account for emerging or zero-day threats that lack historical data, potentially overlooking new vulnerabilities.
  • Resource Intensification: Focusing on likelihood may require significant resources to monitor and analyze data constantly, which can be taxing for smaller security teams.

Using CVSS for Assessing a Vulnerabilities Potential Impact

The Common Vulnerability Scoring System (CVSS) is a widely recognized, open standard for evaluating the severity of security vulnerabilities in computer systems. CVSS version 1 was the culmination of research conducted by the National Infrastructure Advisory Council (NIAC) in 2003/2004. NIAC handed over stewardship of CVSS to the Forum of Incident Response and Security Teams (FIRST) in April 2005. User feedback highlighted significant shortcomings in the first version, leading to the development of CVSS version 2 (CVSSv2), which was officially released in June 2007. Continued evaluations and suggestions prompted the initiation of CVSS version 3 (CVSSv3) in 2012, culminating in the release of CVSSv3.0 in June 2015.

How does the Common Vulnerabilities Scoring System (CVSS) work?

While EPSS predicts exploitability, the Common Vulnerabilities Scoring System (CVSS), which provides scores ranging from 0 to 10 (with 10 indicating the highest severity), provides an exhaustive assessment of a vulnerability's potential impact. In order to assess ‘exploitability’ of a vulnerability, CVSS examines various factors such as confidentiality, integrity, and availability, offering a severity score that helps organizations gauge the criticality of vulnerabilities. The integration of CVSS scores into vulnerability management processes ensures that the impact of potential exploits is fully understood and appropriately prioritized.

Pros & Cons of using Common Vulnerabilities Scoring System (CVSS)

Pros:

  • Comprehensive Impact Analysis: CVSS offers a detailed assessment of how a vulnerability can affect an organization's confidentiality, integrity, and availability, providing a clearer understanding of its potential damage.
  • Standardized Scoring: The standardized scoring system facilitates easier comparison and prioritization across different vulnerabilities and systems, helping streamline vulnerability management processes.

Cons:

  • Complexity in Interpretation: The detailed nature of CVSS scores can sometimes be complex to interpret, requiring specialized knowledge to fully understand and act upon.
  • Lacks Exploitability Insight: While assessing impact, CVSS does not directly account for the exploitability of a vulnerability, potentially underprioritizing easily exploitable but lower-impact vulnerabilities.

Leveraging Known Exploited Vulnerabilities (KEV) for Critical Initiatives

The Known Exploited Vulnerabilities (KEV) catalog was developed by the US Cybersecurity & Infrastructure Security Agency (CISA) and maintains “the authoritative source of vulnerabilities that have been exploited in the wild,” according to the CISA homepage. In addition to CVSS and EPSS, the KEV catalog serves as a critical resource for security teams. A vulnerability will only be added to the KEV catalog if it:  

  1. Is assigned a Common Vulnerabilities & Exposure (CVE) ID
  1. Has been actively exploited in the wild
  1. There is a clear mitigation action for the vulnerability  

This ensures that the list remains highly curated and only contains immediate threats.  

How does the Known Exploited Vulnerabilities (KEV) catalog work?

The Known Exploited Vulnerabilities (KEV) catalog works by aggregating, analyzing, and publishing information on vulnerabilities that have been confirmed to be exploited by threat actors in real-world attacks.

  1. Collection and Analysis: Cybersecurity entities, such as government agencies or cybersecurity firms, collect data on cyber incidents, malware campaigns, and threat actor tactics from various sources, including intrusion detection systems, threat intelligence feeds, and reports from affected organizations.
  1. Verification: The collected data is verified to confirm that the vulnerabilities have indeed been exploited in the wild. This verification process involves analyzing the technical details of the attacks, the nature of the vulnerabilities, and the impact of their exploitation.
  1. Cataloging: Once a vulnerability is confirmed as exploited, it is cataloged with relevant information such as the Common Vulnerabilities and Exposures (CVE) identifier, a description of the vulnerability, the software or systems affected, and mitigation or patching recommendations.
  1. Prioritization: The KEV catalog may also include prioritization guidance based on factors such as the severity of the vulnerability, the ease of exploitation, the potential impact of an exploit, and the availability of a patch or workaround. This helps organizations focus on the most critical vulnerabilities first.
  1. Publication and Update: The catalog is made publicly available and regularly updated to include new exploited vulnerabilities and to provide updated mitigation advice. Organizations and IT professionals can subscribe to updates or regularly check the catalog to stay informed about high-risk vulnerabilities.
  1. Mitigation and Response: Organizations use the KEV catalog to identify and prioritize vulnerabilities that need immediate attention. By patching these vulnerabilities or implementing recommended mitigations, organizations can significantly reduce their exposure to cyber attacks.

The effectiveness of the KEV catalog as a cybersecurity tool depends on timely updates, comprehensive coverage of exploited vulnerabilities, and the proactive actions taken by organizations in response to the information provided.

Pros & Cons of using Known Exploited Vulnerabilities (KEV)

Pros:

  • Immediate Threat Identification: KEV provides actionable intelligence on actively exploited vulnerabilities, enabling swift remediation of threats that pose an immediate risk.
  • Focused Remediation Efforts: By highlighting vulnerabilities already exploited in the wild, KEV allows organizations to focus their resources on mitigating known threats, optimizing resource allocation.

Cons:

  • Reactive Nature: Relying solely on KEV can lead to a more reactive security posture, as it focuses on vulnerabilities after they've been exploited.
  • Potential for Oversight: While KEV emphasizes known threats, it may lead to the neglect of emerging vulnerabilities not yet exploited but potentially harmful if discovered by attackers.
  • Smaller Library: Because of the stringent requirements for being added to the KEV catalog, the number of vulnerabilities for teams to focus on tends to be much lower than with other scoring systems. The flip side of the coin shows up in our “pro” section of course since organizations can remain highly focused when working with KEV.  

Using custom severity metrics for effective prioritization  

Leveraging industry standards is obviously a great foundation upon which you can build your risk prioritization framework. But, at the end of the day, no external standard is intimately aware of the intricacies of your business, it’s needs, and it’s resourcing. Two other factors that should be included in your prioritization equation are ‘business importance’ and ‘patch availability’.  

What is the business importance of the asset where a risk is identified?

Business importance refers to the criticality of a code asset to an organization's operations, reputation, and bottom line. It's a subjective measure that varies from one organization to another, depending on their unique business models, regulatory environments, and strategic priorities. That said, certain characteristics like frequency of commits, volume of code, and more, can be used to gauge a code asset’s importance. Incorporating business importance into the severity scoring process enables security teams to not just identify vulnerabilities based on their technical severity but to also evaluate them in the context of their potential impact on the business.

How available and effective is the recommended fix for a risk? 

The presence or absence of a patch for a known vulnerability significantly influences the urgency of remediation efforts. Vulnerabilities for which patches are readily available should be prioritized for quick remediation to reduce the window of exposure.

Furthermore, not all patches fully mitigate the associated vulnerability. Evaluating the effectiveness of a patch in addressing the vulnerability without introducing new risks is crucial. This includes assessing any potential impact on system performance or compatibility issues that the patch may cause.

Conclusion: Using the best of EPSS, CVSS, & KEV plus custom scoring factors

Incorporating a comprehensive approach to vulnerability management is not just about leveraging the predictive power of EPSS, the detailed impact assessment provided by CVSS, or the real-world exploit insights from KEV. It also involves integrating critical factors such as business importance and patch effectiveness into the decision-making process. These elements, when combined, offer a multi-dimensional framework that enables organizations to navigate the complex cybersecurity landscape more effectively.

Arnica's approach to vulnerability management embodies this comprehensive framework by incorporating EPSS, CVSS, KEV, business importance, and patch effectiveness into its solution. This holistic strategy empowers security teams to prioritize vulnerabilities with precision, focusing on those that pose the greatest risk to the organization and are most likely to be exploited. By understanding which vulnerabilities have readily available and effective patches, organizations can optimize their remediation efforts, ensuring that resources are allocated efficiently and effectively.

Learn more about how Arnica helps security teams prioritize what is truly important by combining EPSS, CVSS, and KEV, along with other factors like business importance.  

THE LATEST UPDATES

More from our blog

How to prioritize third-party package (SCA) vulnerabilities
How to prioritize third-party package (SCA) vulnerabilities
October 30, 2024
Why Risk Scanning Needs to be Free: Don't Just Find Risks, Fix Them
Why Risk Scanning Needs to be Free: Don't Just Find Risks, Fix Them
March 25, 2024
How to Evaluate a Static Application Security Testing (SAST) Solution
How to Evaluate a Static Application Security Testing (SAST) Solution
September 6, 2024

{{arnica-bottom-signup-banner="/template-pages/try-arnica-banner"}}