EPSS Best Practices: Your Guide to Success

EPSS Best Practices: Your Guide to Success
Nimrod Lavi
January 18, 2024
Share this post

In the era of cloud-first development, numerous remarkable security tools and vulnerability scanners have become integral components of our security stacks. Thus, the remediation challenge has shifted; it's no longer about identifying vulnerabilities but figuring out which ones to fix first.

The emergence of various scoring systems, such as EPSS, provides security teams with different ways to predict, prioritize, and focus on fixing what truly matters. However, relying solely on these scoring systems can be overwhelming and time-consuming, leading to bottlenecks that hinder fixes and contribute to growing backlogs and attack surfaces.

While traditional methods offer valuable insights into the technical severity of vulnerabilities, relying solely on these insights for prioritization means depending exclusively on predictions of "usage" without considering factors such as impact, context, and the ease of fixing (aka Low Hanging Fruit). This approach may result in missed opportunities to fortify the cybersecurity posture. Moreover, there are instances when methods prioritizing vulnerabilities based on probability become redundant, as we'll explain further down in this post.

First things first. What is EPSS?

EPSS, short for Exploit Prediction Scoring System, acts like a weather forecast for vulnerabilities. It predicts how likely a specific vulnerability is to be exploited by attackers in the next 30 days.

Think of it this way:

If CVSS (Common Vulnerability Scoring System) is like an average rain probability and amount forecast, measuring theoretical severity based on technical metrics of impact and exploitability, then EPSS is like the meteorology agency forecasting the likelihood of "exploit rain." It uses a data-driven approach to estimate the likelihood, similarity, and probability, but doesn't consider severity and impact.

Here's a breakdown:

  • EPSS Score: Ranges from 0 (very unlikely) to 1 (very likely).
  • EPSS Focus: Prioritizes vulnerabilities based on real-world exploit data and current threat intelligence, not just technical factors.
  • EPSS Goal: Helps patch the most probable vulnerabilities first, focusing on those most likely to be exploited by attackers.

In simple terms, EPSS helps answer the question: "Which vulnerable systems are most likely to be exploited, and should I focus on fixing them first?"

Challenges with Traditional Methods

While EPSS is a powerful tool for predicting the likelihood of exploitation, it may not be foolproof in all scenarios. It becomes redundant once one of the following conditions occurs: a threat actor is known to be exploiting a vulnerability (e.g., from CISA KEV), or an exploit is published.

However, it's crucial to acknowledge that relying solely on EPSS for prioritization has limitations, as demonstrated by real-world examples. Some vulnerabilities, like CVE-2023-4863, CVE-2023-5217, and CVE-2021-35211, have been exploited or are publicly exploited, despite not initially surfacing with high EPSS scores. These instances emphasize the importance of considering additional factors beyond EPSS predictions.

CVE-2023-4863 Score History

CVE-2023-5217 Score History

CVE-2021-35211 Score History

Examining Exploit Data

First.org published the graphic below in their EPSS User Guide, which displays actual exploit data for various vulnerabilities. Each row represents a unique vulnerability (CVE), with blue lines indicating observed exploits. Red dots mark the public disclosure of the CVE. It's important to clarify that this analysis focuses on tracking exploits, without determining their success.

EPSS Score vs CVSS Base Score

While CVSS captures a vulnerability's fundamental properties, combining it with data-driven threat information like EPSS is key for effective prioritization. The annotated diagram below from First.org's EPSS User Guide illustrates how this approach allows network defenders to focus on patching critical vulnerabilities that are both likely to be exploited and could fully compromise the information system, optimizing resource allocation.

Modern Approaches Include, but go beyond, EPSS 

This blog post now takes a closer look at how DevOcean, a leader in low-touch remediation management, addresses the challenges posed by traditional methods and goes beyond industry-standard tools like EPSS. By combining these tools with highly contextual insights gleaned from its end-to-end visibility across cloud and code, DevOcean provides customers with a more comprehensive remediation process that focuses on making impactful fixes.

Combine EPSS with other prioritization methods

DevOcean recognizes the complexities faced by security teams and offers unparalleled fix prioritization and decision-making capabilities for both security and development teams.

The platform maintains a balanced approach, acknowledging that no single scoring system is perfect. By incorporating multiple methods, including EPSS, CVSS, and exploit maturity assessments, and combining them with highly contextual insights gleaned from its end-to-end visibility across cloud and code, providing customers with a more comprehensive remediation process that focuses on making impactful fixes.

DevOcean not only provides smarter prioritization but also establishes a streamlined workflow connecting security team processes with development team processes. This creates a completely connected, unbroken, streamlined workflow that automates an organization's processes, turning "found vulnerabilities" into "resolved fixes," saving time, and enhancing overall security posture.

In a world where the cloud vulnerability landscape is ever-evolving, DevOcean is an innovator of efficient, low-touch remediation. By offering a unified and automated workflow approach to prioritizing and remediating fixes, DevOcean empowers security teams to make informed decisions swiftly and strategically.

Talk to us and start focusing on the fix, not the problem.

Efficiency ahead.

We take the manual work out of cloud remediation so you can accomplish more.