What Are the Odds? A Powerful Open Source Tool Helps Predict Exploits
In a perfect world, you’d have the time and resources to apply every single patch to every identified vulnerability before it’s exploited. But the reality is that no organization is able to achieve 100% coverage for very long, if ever.
But that’s not even the real problem. The real problem is that security teams need to prioritize their patch management so that the most critical patches are applied first, before anyone worries about the small stuff. Too often we see patching strategies that are arbitrary and ad hoc. This leaves high-risk vulnerabilities unaddressed while remediation teams chase down vulns that generate headlines and executive angst but present little or no threat to the organization.
Security, IT, and AppDev teams need a way to identify the most important action to take in the moment, with priorities based on data and evidence, not instinct.
Exploit Prediction Scoring System (EPSS)
That’s where the Exploit Prediction Scoring System (EPSS) comes in. Collaboratively designed by Kenna Research and the Cyentia Institute, this open-source, data-driven model estimates the probability that a specific vulnerability will be exploited in the wild within the first 12 months after public disclosure.
Watch: Kenna Security’s Chief Data Scientist Michael Roytman explains the need to predict the potential for a vulnerability to be exploited.
Here’s how it works: you select a specific Common Vulnerabilities and Exposures (CVE) record, or describe the vulnerability yourself by its vendor and a series of vulnerability attributes. From that information, the tool estimates the odds that the vulnerability will be weaponized, whether by cybercriminals, state-sponsored attackers, or your average hacker. A low probability means you can likely put that patch in your low- to medium-risk batch; a high probability suggests you would be wise to remediate that vuln sooner rather than later.
The EPSS calculator makes it simple to get this number without specialized software. Because the calculator works from a series of objective yes-or-no attributes of the vulnerability, weighted by a model derived from data, the probability you get comes from that data rather than from an analyst’s opinion. And because the model is open, you can build your own EPSS tool in something as ordinary as Excel or Python.
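To make the "yes-or-no parameters" concrete, here is an added example of an EPSS-style scorer in Python. It is not Kenna Security's or the Cyentia Institute's code. It models the probability as a logistic regression over binary attributes: each attribute that is present shifts the log-odds of exploitation by a fixed weight, which is the same as multiplying the odds by a fixed factor. Every weight, batch threshold, attribute name and sample vulnerability below is a constructed placeholder chosen for illustration, not a value from the published EPSS model.

```python
"""Toy EPSS-style scorer: yes/no vulnerability attributes -> exploitation probability.

Added illustration, not Kenna Security's or the Cyentia Institute's code. It
mirrors the structure described in the text (a set of binary attributes, each
shifting the odds of exploitation) using logistic regression. All weights,
thresholds and sample vulnerabilities are constructed placeholders, NOT the
published EPSS model's values.
"""
import math

# Hypothetical log-odds weights. A positive weight raises the probability when
# the attribute is present; a negative one lowers it. "intercept" is the
# baseline log-odds for a vulnerability with none of the attributes set.
WEIGHTS = {
    "intercept": -4.0,
    "vendor:microsoft": 0.9,
    "vendor:adobe": 0.8,
    "tag:remote_code_execution": 1.4,
    "tag:code_execution": 0.6,
    "tag:denial_of_service": -0.7,
    "tag:information_disclosure": -0.4,
    "ref:exploit_db": 1.8,
    "ref:metasploit": 2.2,
    "ref:vendor_advisory": 0.3,
}

# Hypothetical cut-offs for turning a probability into a remediation batch.
HIGH, MEDIUM = 0.5, 0.1


def logistic(z: float) -> float:
    """Map log-odds to a probability in (0, 1)."""
    return 1.0 / (1.0 + math.exp(-z))


def epss_score(features: set[str], weights: dict[str, float] = WEIGHTS) -> float:
    """Probability of exploitation for the set of attributes answered 'yes'.

    Absent attributes contribute nothing, so only the 'yes' flags are listed.
    Unknown attribute names are rejected rather than silently ignored, so a
    typo in a feed cannot quietly produce a too-low score.
    """
    unknown = features - (set(weights) - {"intercept"})
    if unknown:
        raise ValueError(f"unknown attributes: {sorted(unknown)}")
    log_odds = weights["intercept"] + sum(weights[f] for f in features)
    return logistic(log_odds)


def explain(features: set[str], weights: dict[str, float] = WEIGHTS) -> list[tuple[str, float]]:
    """Per-attribute odds multipliers, largest first (exp(weight) for each flag)."""
    return sorted(((f, math.exp(weights[f])) for f in features), key=lambda t: t[1], reverse=True)


def remediation_batch(probability: float) -> str:
    """Bucket a probability the way the text suggests: 'high' gets patched first."""
    if probability >= HIGH:
        return "high"
    if probability >= MEDIUM:
        return "medium"
    return "low"


def prioritize(vulns: dict[str, set[str]]) -> list[tuple[str, float, str]]:
    """Score every vulnerability and return them most-likely-exploited first."""
    scored = []
    for name, flags in vulns.items():
        p = epss_score(flags)
        scored.append((name, p, remediation_batch(p)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample inventory (descriptive labels, not real CVE records).
SAMPLE_VULNS = {
    "rce-with-metasploit-module": {"vendor:microsoft", "tag:remote_code_execution", "ref:metasploit"},
    "code-exec-on-exploit-db": {"vendor:adobe", "tag:code_execution", "ref:exploit_db"},
    "dos-advisory-only": {"tag:denial_of_service", "ref:vendor_advisory"},
    "no-known-attributes": set(),
}

if __name__ == "__main__":
    for name, p, batch in prioritize(SAMPLE_VULNS):
        print(f"{name:28s} p={p:.3f} batch={batch}")
    print("why the top item scores high:", explain(SAMPLE_VULNS["rce-with-metasploit-module"]))
```

Run as a script, it lists the constructed inventory most-likely-exploited first and shows which attributes drive the top score. Replacing the placeholder weights with the published coefficients and feeding in attributes pulled from your own vulnerability data is what "build your own EPSS tool in Python" amounts to; the `explain` helper answers the question a remediation team asks when a score surprises them.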
Watch: Cyentia Institute’s Chief Data Scientist Jay Jacobs provides tips on how to get started using EPSS.
Even when no patch exists yet, EPSS gives you lead time to prepare and protect your infrastructure (by isolating particularly exposed assets, for example) until a patch is available, so you aren’t caught unaware.
Focusing on what moves the risk needle most
EPSS is an example of how a risk-based approach to vulnerability management helps you put your resources where they do the most good. Keep in mind that EPSS measures the likelihood of exploitation, not the impact of a successful exploit, so pair it with what you know about asset exposure and business criticality. Used that way, it lets you focus on the small minority of vulnerabilities that are actually likely to be exploited and that can do the most damage to your infrastructure, your users, your customers, and your reputation.
Want to learn more? Read this primer on EPSS from Kenna Security’s Chief Data Scientist Michael Roytman, one of the creators of EPSS, or go deeper and read the paper the team presented at Black Hat 2019.