
What Are the Odds? A Powerful Open Source Tool Helps Predict Exploits

Mar 18, 2021
Kenna Security


In a perfect world, you’d have the time and resources to apply every single patch to every identified vulnerability before it’s exploited. But the reality is that no organization is able to achieve 100% coverage for very long, if ever. 

The deeper problem is prioritization. Security teams need a patch management strategy that gets the most critical fixes applied first and leaves the small stuff for later, but too often the patching we see is arbitrary and ad hoc. That leaves genuinely high-risk vulnerabilities unaddressed while remediation teams chase vulns that generate headlines and executive angst but present little or no threat to their organization. 

Security, IT, and AppDev teams need to identify the most important action to take right now, with priorities based on data and evidence rather than instinct. 

Exploit Prediction Scoring System (EPSS)

That’s where the Exploit Prediction Scoring System (EPSS) comes in. Collaboratively designed by Kenna Research and the Cyentia Institute, this open-source, data-driven approach gives you the ability to calculate the probability a specific vulnerability will be exploited in the wild within the first 12 months after public disclosure. 

Watch: Kenna Security’s Chief Data Scientist Michael Roytman explains the need to predict the potential for a vulnerability to be exploited.


Here’s how it works: you select a specific Common Vulnerabilities and Exposures (CVE) record, or describe the vulnerability yourself by vendor and a series of vulnerability attributes. From that input the tool calculates the odds the vulnerability will be weaponized, whether by cybercriminals, state-sponsored attackers, or your average hacker. A low probability means the patch can likely go into your low- to medium-risk batch; a high probability means you would be wise to remediate that vuln sooner rather than later. Where you draw the line between those batches is a policy decision for your organization, not something the score decides for you.

The EPSS calculator makes it simple to estimate exploit probability without specialized software or tools. Because it takes a series of objective yes-or-no inputs and applies a fixed model to them, two analysts describing the same vulnerability get the same number: the result reflects the historical exploitation data the model was fit to, not anyone’s opinion of how scary the vuln sounds. And because the model is a straightforward weighted score, you can build your own EPSS calculator in applications like Excel or Python. 
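As an added example (not Kenna Security’s code or the EPSS project’s own), here is the shape of such a yes/no scorer in Python: a logistic regression over binary vulnerability attributes, which is the model family the 2019 EPSS work describes. The intercept, attribute names and weights are hypothetical placeholders chosen for readable arithmetic, not the published coefficients, and the low/high triage cut-offs are an assumed policy. It covers only the describe-it-yourself path; looking up a CVE record is left out because that needs the model’s feature data.

```python
"""EPSS-style exploit probability from yes/no vulnerability attributes.

Added example, not code from Kenna Security or the EPSS project. The 2019
EPSS model is a logistic regression over binary vulnerability attributes;
this block shows the shape of such a scorer. The intercept, attribute names
and weights below are HYPOTHETICAL placeholders chosen for readable
arithmetic, not the published coefficients. Substitute the real ones from
the EPSS paper to reproduce the calculator's numbers.
"""
from __future__ import annotations

import math

# Hypothetical model parameters (assumption: illustrative values only).
INTERCEPT = -4.0          # baseline log-odds when every attribute is "no"
WEIGHTS = {               # log-odds shift applied when the attribute is "yes"
    "vendor_microsoft": 0.9,
    "vendor_adobe": 0.7,
    "remote_code_execution": 1.2,
    "exploit_code_public": 2.1,
    "in_exploit_framework": 1.8,
    "memory_corruption": 0.4,
    "denial_of_service": -0.6,  # a negative weight lowers the probability
}


def sigmoid(logit: float) -> float:
    """Map log-odds to a probability in (0, 1)."""
    return 1.0 / (1.0 + math.exp(-logit))


def exploit_probability(features: dict[str, bool]) -> float:
    """Probability the described vulnerability is exploited in the wild.

    `features` maps attribute name -> yes/no. Attributes the model does not
    know are rejected rather than silently ignored, so a typo cannot quietly
    produce a lower score than the analyst intended.
    """
    unknown = set(features) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown attributes: {sorted(unknown)}")
    logit = INTERCEPT + sum(WEIGHTS[name] for name, yes in features.items() if yes)
    return sigmoid(logit)


def contributions(features: dict[str, bool]) -> list[tuple[str, float]]:
    """(attribute, weight) for every "yes" attribute, largest effect first,
    so an analyst can see which answer moved the score."""
    present = [(name, WEIGHTS[name]) for name, yes in features.items() if yes]
    return sorted(present, key=lambda item: -abs(item[1]))


def triage(probability: float, low: float = 0.10, high: float = 0.50) -> str:
    """Turn a probability into a remediation bucket. The cut-offs are a
    policy choice (assumed values here), not part of the model."""
    if probability >= high:
        return "remediate-now"
    if probability >= low:
        return "medium"
    return "low"


# Constructed sample inputs (not real CVEs).
SAMPLE_RCE_WITH_EXPLOIT = {
    "vendor_microsoft": True,
    "remote_code_execution": True,
    "exploit_code_public": True,
    "in_exploit_framework": True,
}
SAMPLE_DOS_ONLY = {"denial_of_service": True}
SAMPLE_ADOBE_MEMCORRUPT = {"vendor_adobe": True, "memory_corruption": True}

if __name__ == "__main__":
    for label, vuln in [("RCE w/ public exploit", SAMPLE_RCE_WITH_EXPLOIT),
                        ("DoS only", SAMPLE_DOS_ONLY),
                        ("Adobe memory corruption", SAMPLE_ADOBE_MEMCORRUPT)]:
        p = exploit_probability(vuln)
        drivers = [name for name, _ in contributions(vuln)[:2]]
        print(f"{label:25s} p={p:.3f} bucket={triage(p):14s} drivers={drivers}")
```

With these placeholder weights the Microsoft RCE with public exploit code lands at roughly 0.88 and goes straight to the remediate-now bucket, while the denial-of-service-only entry scores about 0.01 and the Adobe memory-corruption bug about 0.05, both in the low batch. The same structure is what you would reproduce in a spreadsheet: one column of yes/no cells, one column of weights, a SUMPRODUCT for the log-odds and a logistic transform for the probability.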

Watch: Cyentia Institute’s Chief Data Scientist Jay Jacobs provides tips on how to get started using EPSS.


Even if a patch doesn’t exist today, EPSS can give you lead time to prepare and protect your infrastructure (by isolating particularly vulnerable assets, for example) until a patch is available so you aren’t caught unaware. 

Focusing on what moves the risk needle most

EPSS is an example of how a modern vulnerability management approach that is based on risk can help you effectively utilize your resources to do the most good. By using a tool like EPSS, you can focus on the small minority of vulnerabilities that can do the most damage to your infrastructure, your users, your customers, and your reputation. 

Want to learn more? Read this primer on EPSS from Kenna Security’s Chief Data Scientist Michael Roytman, one of the creators of EPSS. Or go deeper and read the paper the team presented at Black Hat 2019.


© 2021 Kenna Security. All Rights Reserved. Privacy Policy.