Carding Forum
The study confirms the usefulness of the tool for prioritizing vulnerabilities.
Every year, the number of published vulnerabilities (CVEs) increases, which makes it increasingly important to predict those that require the attention of vulnerability management teams. A new study by Cyentia and FIRST has found that the Exploit Prediction Scoring System (EPSS) is a useful tool for making informed decisions about prioritizing vulnerabilities.
The study examined the timing, prevalence, and volume of exploitation activity, and also collected and analyzed feedback on how EPSS performs. The report provides data and analysis that will be useful to the growing community of enterprise users and security products that rely on EPSS.
Key findings of the study
- Share of exploited vulnerabilities: To date, almost 250,000 CVEs have been published, and their number has increased by 16% over the past 7 years. No one has the time or resources to fix every vulnerability, so an important step in prioritization is tracking and predicting the number of exploited vulnerabilities. The study shows that about 6% of all published CVEs have been exploited, and this share remains stable.
- Pattern of exploitation activity: There is no single pattern of exploitation activity. Some vulnerabilities see short-lived and rare exploitation, others regular attacks on weekdays, and still others daily or weekly attempts with peaks of activity in certain periods. This shows that the intensity and duration of exploitation can vary greatly, and these parameters should be taken into account when prioritizing.
- Prevalence of exploitation across organizations: an analysis of data from more than 100,000 organizations worldwide showed that attempts to exploit any given vulnerability are infrequent. Fewer than 5% of vulnerabilities are attacked in more than 10% of organizations, which refutes the idea that a vulnerability being exploited means that exploitation is widespread.
Effectiveness of EPSS in exploitation forecasting
EPSS is a data-driven estimate of the probability that a software vulnerability will be exploited in the wild. EPSS scores every known CVE daily and publishes a probability score representing the likelihood of exploitation.
The study showed that each new version of EPSS improves its ability to predict risk. The three key metrics used to measure performance are:
- Coverage: the completeness of prioritization with respect to exploitation activity (the percentage of all known exploited vulnerabilities that were prioritized).
- Efficiency: the accuracy of prioritization (the percentage of vulnerabilities prioritized for remediation that were actually exploited).
- Effort: the overall workload implied by the prioritization (the percentage of all vulnerabilities that were prioritized).
Fixing vulnerabilities with an EPSS score of 0.6 or higher gives about 60% coverage at 80% efficiency, while fixing those with a score of 0.1 or higher raises coverage to 80% at 50% efficiency. Each organization has a different risk tolerance, which shapes its prioritization strategy. Understanding the coverage, efficiency, and effort metrics helps organizations make better vulnerability management decisions.
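As an added worked example (not from the Cyentia/FIRST report or the post above), the script below computes coverage, efficiency and effort for a "fix everything at or above an EPSS threshold" policy over a small constructed CVE list with made-up scores and exploitation flags, at the two thresholds the text mentions (0.6 and 0.1); the CVE identifiers are placeholders.

```python
"""Coverage / efficiency / effort for an EPSS-threshold remediation policy.

Added example: the CVE list is constructed, with made-up EPSS scores and an
'exploited' flag standing in for observed exploitation activity. The ids are
placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str       # placeholder identifier
    epss: float       # EPSS probability score in [0, 1]
    exploited: bool   # exploitation observed in the evaluation window


# Constructed sample: 10 CVEs, 4 of them observed exploited.
SAMPLE = [
    Cve("CVE-0000-0001", 0.95, True),
    Cve("CVE-0000-0002", 0.72, True),
    Cve("CVE-0000-0003", 0.65, False),
    Cve("CVE-0000-0004", 0.40, True),
    Cve("CVE-0000-0005", 0.25, False),
    Cve("CVE-0000-0006", 0.12, False),
    Cve("CVE-0000-0007", 0.08, True),   # exploited despite a low score
    Cve("CVE-0000-0008", 0.03, False),
    Cve("CVE-0000-0009", 0.01, False),
    Cve("CVE-0000-0010", 0.01, False),
]


def evaluate_threshold(cves, threshold):
    """Return (coverage, efficiency, effort) for 'fix all CVEs with EPSS >= threshold'.

    coverage   = prioritized & exploited / all exploited   (a recall-style measure)
    efficiency = prioritized & exploited / all prioritized (a precision-style measure)
    effort     = all prioritized / all CVEs
    """
    prioritized = [c for c in cves if c.epss >= threshold]
    exploited = [c for c in cves if c.exploited]
    hits = [c for c in prioritized if c.exploited]
    coverage = len(hits) / len(exploited) if exploited else 0.0
    efficiency = len(hits) / len(prioritized) if prioritized else 0.0
    effort = len(prioritized) / len(cves) if cves else 0.0
    return coverage, efficiency, effort


if __name__ == "__main__":
    # Lowering the threshold raises coverage and effort but lowers efficiency.
    for t in (0.6, 0.1):
        cov, eff, work = evaluate_threshold(SAMPLE, t)
        print(f"EPSS >= {t:.1f}: coverage={cov:.0%} efficiency={eff:.0%} effort={work:.0%}")
```

On the constructed sample the 0.6 threshold yields 50% coverage at 67% efficiency for 30% effort, and the 0.1 threshold 75% coverage at 50% efficiency for 60% effort, the same trade-off the report describes on real data.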