EPSS and Its Role in Vulnerability Management Risk Scoring
Vulnerability and patch management are critical security functions. By applying security updates to operating systems, firmware, and software, organizations close the weaknesses that threat actors use to gain a foothold in systems and networks. Unfortunately, in complex connected environments, many companies struggle to identify all of their vulnerabilities and apply updates in a timely manner. In 2023, the National Vulnerability Database (NVD) added over 24,000 new Common Vulnerabilities and Exposures (CVE) entries, making it difficult for organizations to continuously identify the ones that most affect their environments.
To help organizations focus, the non-profit Forum of Incident Response and Security Teams (FIRST), which also owns and maintains the Common Vulnerability Scoring System (CVSS), hosts the Exploit Prediction Scoring System (EPSS). Organizations can use EPSS to better prioritize remediation because the score estimates how likely attackers are to exploit a given vulnerability in the wild, rather than how severe the vulnerability would be if it were exploited.
What is the EPSS Score for Vulnerabilities?
The Exploit Prediction Scoring System (EPSS) is a predictive model that combines technical data about each CVE with threat intelligence about observed exploitation, producing an estimate of whether threat actors are likely to exploit the vulnerability within the next thirty days.
EPSS expresses that likelihood as a probability between 0 (no chance of exploitation in the window) and 1 (certain exploitation) so that the teams responsible for remediation can focus their effort where exploitation is actually expected. For each CVE, EPSS publishes two values:
- Probability: the estimated likelihood that the vulnerability will be exploited in the wild within the next 30 days
- Percentile: the proportion of all scored CVEs whose probability is at or below this one, which gives a relative rank; because the distribution is heavily skewed toward very low probabilities, a probability that looks small can still sit above most other CVEs
EPSS complements, rather than replaces, the technical characteristics and severity captured by the CVSS score: CVSS describes how bad exploitation would be, EPSS describes how likely it is. Read together, they let security and IT teams make informed decisions about which weaknesses pose the greatest risk to their sensitive systems, networks, and data.
How Does the EPSS Work?
Because EPSS is a predictive model, understanding the features it is trained on and the underlying data helps organizations judge what it can and cannot tell them.
EPSS builds on CVSS rather than replacing it: the base metrics of the CVSS vector published in the NVD are among the model's input features:
- Attack Vector (AV)
- Attack Complexity (AC)
- Privileges Required (PR)
- User Interaction (UI)
- Scope (S)
- Confidentiality (C)
- Integrity (I)
- Availability (A)
For example, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H is the vector string for CVE-2021-44228, infamously known as Log4Shell, which carries a base score of 10.0.
EPSS also draws on vulnerability metadata from a variety of sources. Because it enriches the technical data with these additional signals, it lets organizations judge exploitation likelihood more accurately than the CVSS vector alone.
Some examples of the vulnerability databases and data include:
- MITRE’s CVE List – Only CVEs in the “published” state are scored
- Text-based “Tags”: CVE description and other sources talking about the vulnerability
- Age: number of days since the CVE was published
- References: number of references listed in the CVE entry
- Common Platform Enumeration (CPE): the structured naming scheme for information technology systems, software, and packages, as published in the NVD
Because EPSS incorporates ongoing threat intelligence and its scores are recomputed daily, it is dynamic. For example, it can flag an old vulnerability that attackers suddenly begin exploiting, perhaps because a public exploit or exploit kit for it has appeared.
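The following added Python example (not FIRST's or Asimily's code) illustrates both the percentile idea from the metrics list earlier and the daily-change point made here. It loads two constructed EPSS snapshots laid out like FIRST's daily CSV export (a leading comment line, then a header row; that layout is an assumption for the example, as are all the probabilities), derives each CVE's percentile as the share of scored CVEs at or below its probability, ranks a constructed set of findings by exploitation probability before CVSS severity, and reports CVEs whose probability jumped between snapshots. The CVE identifiers are placeholders, not real CVEs.

```python
"""EPSS snapshot handling: percentiles, EPSS-first triage, and day-over-day
score jumps. Added example, not FIRST's or Asimily's code. Snapshot rows,
CVE identifiers (placeholders) and findings are all constructed."""
import csv
import io
from bisect import bisect_right

# Constructed snapshots laid out like FIRST's daily CSV export: a leading
# '#model_version...' comment line, then a header row (assumed layout).
SNAPSHOT_DAY1 = """\
#model_version:v2023.03.01,score_date:2024-05-01T00:00:00+0000
cve,epss
CVE-0000-0001,0.97400
CVE-0000-0002,0.00090
CVE-0000-0003,0.00400
CVE-0000-0004,0.31000
CVE-0000-0005,0.02200
CVE-0000-0006,0.00150
"""

SNAPSHOT_DAY2 = """\
#model_version:v2023.03.01,score_date:2024-05-02T00:00:00+0000
cve,epss
CVE-0000-0001,0.97500
CVE-0000-0002,0.00090
CVE-0000-0003,0.62000
CVE-0000-0004,0.30000
CVE-0000-0005,0.02100
CVE-0000-0006,0.00150
"""

# Constructed scanner findings: (asset, cve, CVSS base score).
FINDINGS = [
    ("infusion-pump-07", "CVE-0000-0002", 9.8),  # critical severity, rarely exploited
    ("badge-reader-12", "CVE-0000-0004", 7.5),   # high severity, being exploited
    ("hvac-ctrl-03", "CVE-0000-0005", 5.3),
    ("app-server-01", "CVE-0000-0001", 10.0),
    ("ip-camera-22", "CVE-0000-0003", 8.1),
    ("printer-05", "CVE-0000-0006", 4.3),
]


def load_snapshot(text):
    """Parse one snapshot into {cve: probability}, skipping '#' comment lines."""
    body = "\n".join(ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(io.StringIO(body))}


def percentiles(scores):
    """Percentile = share of all scored CVEs whose probability is at or below
    this CVE's. It is a rank within the snapshot, so the same probability can
    land on a different percentile on another day."""
    ordered = sorted(scores.values())
    return {cve: bisect_right(ordered, p) / len(ordered) for cve, p in scores.items()}


def triage(findings, scores, now_threshold=0.10):
    """Rank findings by exploitation probability first and CVSS second, then
    bucket them. A critical-CVSS CVE with near-zero EPSS sorts below a
    high-CVSS CVE that attackers are actually hitting."""
    pct = percentiles(scores)
    rows = []
    for asset, cve, cvss in findings:
        p = scores.get(cve, 0.0)  # unscored CVE: no evidence of exploitation yet
        if p >= now_threshold and cvss >= 7.0:
            action = "remediate now"
        elif p >= now_threshold or cvss >= 9.0:
            action = "next cycle"
        else:
            action = "scheduled"
        rows.append({"asset": asset, "cve": cve, "cvss": cvss, "epss": p,
                     "percentile": round(pct.get(cve, 0.0), 3), "action": action})
    rows.sort(key=lambda r: (-r["epss"], -r["cvss"]))
    return rows


def score_jumps(old, new, min_delta=0.10):
    """CVEs whose probability rose by at least min_delta between snapshots:
    the signal for an old bug that attackers have suddenly started using."""
    jumps = [(cve, old.get(cve, 0.0), p) for cve, p in new.items()
             if p - old.get(cve, 0.0) >= min_delta]
    return sorted(jumps, key=lambda j: j[2] - j[1], reverse=True)


if __name__ == "__main__":
    day1, day2 = load_snapshot(SNAPSHOT_DAY1), load_snapshot(SNAPSHOT_DAY2)
    for row in triage(FINDINGS, day2):
        print(row)
    print("jumped:", score_jumps(day1, day2))
```

With the day-two snapshot the infusion pump's CVSS 9.8 finding lands at the bottom of the queue because its EPSS probability is below one in a thousand, while the camera CVE that jumped from 0.004 to 0.62 overnight moves into the "remediate now" bucket. The thresholds are tuning knobs, not recommendations from FIRST.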
Some examples of locations where the EPSS obtains threat intelligence include:
- Published exploit code: Metasploit, Exploit-DB and/or GitHub
- Security Scanners: Jaeles, Intrigue, Nuclei, sn1per
- Ground Truth: Daily observations of exploitation-in-the-wild activity from AlienVault and Fortinet.
Limitations Applying EPSS to IoT
As organizations embrace Internet of Things (IoT) devices, applying EPSS becomes harder: the score describes a CVE, not the device it runs on or the network around it, and it was built and validated against exploitation of traditional IT systems. IoT compounds the problem because these devices often lack robust security controls.
Many organizations segment their IT and IoT environments to mitigate risk. Although IoT devices share network elements with IT, their unique characteristics change how organizations must fit them into their network architectures. Some examples of these differences and their impact include:
- Form factors: As smaller, modularized devices, IoT devices may be located anywhere or even move across an organization’s campus, making it difficult to track and secure them.
- Hardening: IoT devices often fail to support typical security controls, like encryption, making it difficult to implement secure configurations.
- Network interfaces: IoT devices expand the attack surface by exposing management and data services on open ports that attackers can reach.
- Protocols: IoT devices often rely on communication protocols with weak or no authentication and encryption that are uncommon in a traditional IT environment.
The teams managing IT and IoT vulnerabilities often bring different skill sets shaped by their historic responsibilities, which creates friction when the two begin working together. Organizations can help them collaborate more effectively by recognizing these differences:
- Technical backgrounds: IoT often leverages proprietary protocols that the enterprise IT may not have experience with.
- Responsibilities: Teams responsible for IoT focus on device availability for continued safety while enterprise IT teams focus on sensitive data’s confidentiality, integrity, and availability.
- Risk concerns: IoT vulnerability management teams worry about risks to human health and safety while enterprise IT teams focus on risks to data security and privacy.
- Language: The same term can have different meanings based on the teams’ background and experience.
Best Practices for Applying EPSS to IoT Environments
As organizations continue to add new IoT devices to their environments, they need a comprehensive approach to leverage the EPSS as a way to prioritize their vulnerability remediation strategies.
Adopt a Standardized Framework
Since IT and IoT devices have different security concerns, organizations should adopt a standard framework that addresses both. For example, in November 2021 the National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-213A, IoT Device Cybersecurity Guidance for the Federal Government: IoT Device Cybersecurity Requirement Catalog. Although written for Federal agencies, the catalog maps its requirements to NIST SP 800-53 controls, giving organizations that already use SP 800-53 a way to incorporate IoT device requirements into their existing risk identification and mitigation processes.
Regardless of the chosen framework, organizations should have a comprehensive approach to managing:
- Device identification
- Device configuration
- Data protection
- Logical access to interfaces
- Software updates
- Cybersecurity state awareness
- Device security
Use a Passive Scanner
The active network scanners organizations use on traditional IT devices send probes, and sometimes exploit checks, that fragile IoT devices may mishandle, hanging or rebooting them and interrupting the service they provide. With a passive scanner that identifies and fingerprints devices from observed traffic, organizations can build a comprehensive, authoritative, and continuously updated IoT asset inventory that records each device's:
- Hardware: manufacturer, model, serial number
- Software: operating system, version, firmware revisions
- Device type and function
- Security assessment: vulnerabilities and risks
- Abnormal activity: identifying normal network activity and detecting anomalous behavior indicating a potential security incident
Combine IT and IoT Vulnerability Monitoring
Monitoring IT and IoT environments separately leaves security blind spots. Attackers often compromise an IoT device to gain a foothold on the network, then move laterally and escalate privileges to reach sensitive data.
By integrating IT and IoT vulnerability monitoring data, organizations can create a comprehensive, layered approach to endpoint security, incorporating IoT into their overarching risk management program.
Prioritize Vulnerability Remediation Activities
EPSS helps organizations identify the vulnerabilities most likely to be exploited. However, because it scores the CVE rather than the device or network it sits in, organizations need additional context to judge IoT risk. Further, an IoT manufacturer may not have released a security update for an at-risk device, or the update may not be validated or appropriate for the organization's unique environment.
When prioritizing remediation, organizations should also consider compensating controls that limit an attacker's ability to exploit an IoT device's vulnerability. Examples include:
- Deactivating unneeded services that don’t impact intended device functioning
- Using a Network Access Control (NAC) tool to block risky ports
- Hardening vulnerable devices by altering their configurations
- Implementing micro-segmentation for devices whose clinical function would be impaired by altering configurations
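As an added example (not Asimily's algorithm), here is a small Python remediation planner that applies the decision rules above: patch when a validated update exists; otherwise disable the vulnerable service if the device's function does not need it, harden and NAC-block the port where configuration changes are safe, and fall back to micro-segmentation when they are not. The device records, zone names, ports and the rule ordering are constructed assumptions for illustration, and the CVE identifiers are placeholders.

```python
"""Compensating-control planner for vulnerable IoT devices.
Added example, not Asimily's algorithm. Devices, zones, ports and CVE IDs
(placeholders) are constructed."""
from dataclasses import dataclass


@dataclass
class Device:
    """One vulnerable IoT device plus the context EPSS alone cannot see."""
    name: str
    cve: str
    epss: float
    attack_vector: str        # AV metric of the CVSS vector: N, A, L or P
    vulnerable_port: int
    service_required: bool    # does the device's intended function need the service?
    config_change_safe: bool  # can settings change without impairing (clinical) function?
    patch_available: bool
    patch_validated: bool     # vendor update tested for this environment
    reachable_from: set       # network zones that can reach the port today
    trusted_zones: set        # zones the device legitimately talks to


def plan(d):
    """Return (steps, residual): the compensating controls to apply, in order,
    and the zones from which the vulnerable service is still reachable after."""
    steps = []
    if d.patch_available and d.patch_validated:
        steps.append(f"apply vendor update for {d.cve}")
        return steps, set()  # vulnerability removed
    if d.patch_available:
        steps.append(f"stage vendor update for {d.cve} in a test environment first")
    if d.attack_vector not in ("N", "A"):
        steps.append("restrict local and physical access; network controls do not reduce a local attack vector")
        return steps, set()
    if not d.service_required and d.config_change_safe:
        steps.append(f"disable unneeded service on port {d.vulnerable_port}")
        return steps, set()  # nothing left to reach
    if d.config_change_safe:
        steps.append("harden configuration (rotate default credentials, disable legacy options)")
        steps.append(f"NAC: block port {d.vulnerable_port} from zones outside {sorted(d.trusted_zones)}")
    else:
        steps.append(f"micro-segment: allow port {d.vulnerable_port} only from {sorted(d.trusted_zones)}")
    return steps, d.reachable_from & d.trusted_zones


def rank(devices):
    """Queue devices whose service stays reachable first, highest EPSS first,
    so effort goes where exploitation is both likely and still possible."""
    rows = []
    for d in devices:
        steps, residual = plan(d)
        rows.append({"device": d.name, "epss": d.epss,
                     "residual": sorted(residual), "steps": steps})
    rows.sort(key=lambda r: (not r["residual"], -r["epss"]))
    return rows


# Constructed inventory.
PUMP = Device("infusion-pump-07", "CVE-0000-0002", 0.31, "N", 5000,
              service_required=True, config_change_safe=False,
              patch_available=False, patch_validated=False,
              reachable_from={"clinical-server", "it-users"}, trusted_zones={"clinical-server"})
CAMERA = Device("ip-camera-22", "CVE-0000-0003", 0.62, "N", 23,
                service_required=False, config_change_safe=True,
                patch_available=True, patch_validated=False,
                reachable_from={"it-users", "guest-wifi"}, trusted_zones={"video-server"})
HVAC = Device("hvac-ctrl-03", "CVE-0000-0005", 0.02, "N", 502,
              service_required=True, config_change_safe=True,
              patch_available=True, patch_validated=True,
              reachable_from={"facilities"}, trusted_zones={"facilities"})
BADGE = Device("badge-reader-12", "CVE-0000-0004", 0.30, "L", 0,
               service_required=True, config_change_safe=True,
               patch_available=False, patch_validated=False,
               reachable_from={"it-users"}, trusted_zones={"access-control"})

if __name__ == "__main__":
    for row in rank([PUMP, CAMERA, HVAC, BADGE]):
        print(row)
```

The pump ends up first in the queue even though the camera has the higher EPSS: the camera's telnet service can simply be switched off, while the pump keeps a reachable service after micro-segmentation and therefore still carries residual exposure that someone has to own.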
Asimily: Risk and Exploit Visibility for IoT Risk Management
With Asimily’s patented vulnerability prioritization capabilities, organizations gain holistic visibility into all IoT devices connected to their networks so that vulnerability management, patch management, and security teams can work toward a comprehensive security program. Because Asimily includes EPSS as one input to its analysis of each vulnerability, organizations do not need to become EPSS experts or track day-to-day changes in exploitability themselves.
Organizations can efficiently identify high-risk vulnerabilities using our proprietary patented algorithm that cross-references vast amounts of data from resources like Manufacturer Disclosure Statements for Medical Device Security (MDS2s), Software Bills of Materials (SBOMs), the Common Vulnerabilities and Exposures (CVE) list, the MITRE ATT&CK Framework, and NIST guidelines. By understanding an organization’s unique environment, Asimily’s deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.
To learn more about Asimily, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.