Here’s How to Measure Your Organization’s Exploitability
We’ve had a few big goals throughout our research series, “Prioritization to Prediction,” and we accomplished a big one with the release of our eighth edition: A way for organizations to measure and reduce their exploitability.
The findings, based on research by Kenna Security and the Cyentia Institute, uncovered a few interesting tidbits along the way. For starters, not all vulnerability management strategies are created equal. Prioritizing vulnerabilities with exploit code is 11 times more effective than Common Vulnerability Scoring System (CVSS) scores in minimizing exploitability. Mentions on Twitter, surprisingly, also have a much better signal-to-noise ratio than CVSS (about 2 times better). We also learned that, given the choice, it’s far more effective to improve vulnerability prioritization than increase remediation capacity…but doing both can achieve a 29x reduction in exploitability.
Measuring that exploitability is perhaps the most important finding, and the basis for that measurement is a collaborative effort (including us at Kenna and our friends at Cyentia) known as the Exploit Prediction Scoring System (EPSS). EPSS uses current information from Common Vulnerabilities and Exposures (CVEs) and real-world exploit data to predict whether and when vulnerabilities will be exploited in the wild. We coupled EPSS with remediation velocity and ran it all through a simulation.
It’s virtually impossible to eliminate all risk, but with the right methodologies, organizations can get pretty close. For the “Perfect info” group, we prioritized vulnerabilities with the highest EPSS scores or known exploits in the wild as a proxy for having the perfect forecast for what will be exploited.
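As an added illustration (not code from the report or from Kenna/Cyentia), here is a toy version of that simulation: a constructed inventory with assumed CVSS, exploit-code and EPSS values, three prioritization strategies that each fix the same number of vulnerabilities per cycle, and a simple exploitability proxy, the number of truly exploited vulnerabilities still open afterwards. The identifiers, scores and ground truth are all made up for the example.

```python
"""Toy replay of the report's experiment: prioritization strategy vs. remediation
capacity, scored on a constructed vulnerability inventory (not real CVE data)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vid: str            # placeholder identifier, not a real CVE number
    cvss: float         # CVSS base score, 0-10
    exploit_code: bool  # public exploit code is known to exist
    epss: float         # assumed EPSS probability of exploitation
    exploited: bool     # ground truth used only for scoring: exploited in the wild

# Constructed sample inventory; values are illustrative, not measured.
INVENTORY: list[Vuln] = [
    Vuln("VULN-01", 9.8, False, 0.02, False),
    Vuln("VULN-02", 7.5, True,  0.71, True),
    Vuln("VULN-03", 9.1, False, 0.01, False),
    Vuln("VULN-04", 5.3, True,  0.40, True),
    Vuln("VULN-05", 8.8, False, 0.05, False),
    Vuln("VULN-06", 6.5, False, 0.33, True),
    Vuln("VULN-07", 9.0, False, 0.03, False),
    Vuln("VULN-08", 4.3, True,  0.12, False),
    Vuln("VULN-09", 7.2, True,  0.55, True),
    Vuln("VULN-10", 9.9, False, 0.04, False),
]

# Each strategy maps a vuln to a sort key; a higher key means "fix this first".
STRATEGIES = {
    "cvss": lambda v: v.cvss,                            # severity only
    "exploit_code": lambda v: (v.exploit_code, v.cvss),  # exploit code first, then severity
    "epss": lambda v: v.epss,                            # stands in for the "perfect info" proxy
}

def remediate(vulns: list[Vuln], strategy: str, capacity: int) -> list[Vuln]:
    """Fix the top `capacity` vulns under the strategy; return those still open."""
    ranked = sorted(vulns, key=STRATEGIES[strategy], reverse=True)
    return ranked[capacity:]

def residual_exploitability(vulns: list[Vuln], strategy: str, capacity: int) -> int:
    """Exploitability proxy: count of truly exploited vulns left open after one cycle."""
    return sum(1 for v in remediate(vulns, strategy, capacity) if v.exploited)

if __name__ == "__main__":
    # Cross the two levers from the report: prioritization strategy and capacity.
    for strategy in STRATEGIES:
        print(strategy, {c: residual_exploitability(INVENTORY, strategy, c) for c in (4, 8)})
```

On this constructed data, doubling capacity under CVSS-only prioritization still leaves an exploited vulnerability open, while the EPSS ordering clears them all at the lower capacity; that is the "prioritization beats capacity" effect the report describes, shown at toy scale.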
As the simulation results show, the “do nothing” crew is in pretty dire straits, and it looks like they’ll need more than the Sultans of Swing to get them on the other side of that pendulum. The analysis shows it’s possible to reduce the volume of risk quickly, though.
Only one-third of published CVEs are ever detected by a scanner in any enterprise environment (and certainly no single organization will detect that many). Our vulnerability intelligence identifies exploit code or activity for about 16% of all vulnerabilities on the CVE List. If we narrow further to both observed exploits AND high-risk vulns, we’re looking at only 4%. Suddenly the CVE List isn’t so daunting.
The data shows that taking this more measured approach of prioritizing exploitability over CVSS scores is the way to go and the recent Cybersecurity and Infrastructure Security Agency (CISA) directive agrees. This is the strategy for the future.
We’ve come a long way in our Prioritization to Prediction series and the first “P” shines in this report. It’s not an end game, though. We can still get to a point where we can accurately predict which vulnerabilities will be exploited and we hope you’ll go on that journey with us.
To read the latest research on the exploitability of vulnerabilities and organizations, download Volume 8 of the P2P series: Measuring and Minimizing Exploitability.