EPSS vs. CVSS: Choosing the Best Approach for Vulnerability Prioritization

Many organizations rely on the Common Vulnerability Scoring System (CVSS) to prioritize vulnerabilities based on their severity. While CVSS provides a general assessment of potential impact, it lacks real-world threat data, such as the likelihood of exploitation. With new vulnerabilities emerging daily, teams cannot afford to spend time and resources on issues that won’t significantly reduce risk.

This article explores the differences between CVSS and the Exploit Prediction Scoring System (EPSS) and explains why incorporating EPSS can transform your vulnerability prioritization strategy.

What is Vulnerability Prioritization?

Vulnerability prioritization involves evaluating and ranking vulnerabilities based on their potential impact on an organization. The objective is to help security teams decide which vulnerabilities to address, when to address them, or whether they need to be fixed at all. Effective prioritization ensures that the most critical risks are mitigated before they can be exploited, playing a vital role in managing the organization’s attack surface.

In an ideal scenario, security teams would remediate every vulnerability as soon as it’s identified, but this is neither feasible nor efficient. Studies show that most teams can only address about 10-15% of their open vulnerabilities each month, highlighting the importance of effective prioritization.

Getting vulnerability prioritization right allows organizations to use their resources efficiently. This is crucial because businesses cannot afford to invest in security measures unless they make a meaningful impact, and effective risk management is all about ensuring resources are spent on truly reducing risk.

The Limitations of CVSS in Vulnerability Prioritization

Traditionally, organizations have relied on CVSS base scores to prioritize vulnerabilities. These scores are calculated based on factors that remain constant over time, such as how easily a vulnerability can be exploited and the potential impact of an exploit. The final score, ranging from 0 to 10, indicates severity: the higher the score, the more severe the vulnerability.

While CVSS scores provide a standardized baseline and are often required for compliance, they have limitations. One major drawback is that they do not account for the current threat landscape, such as whether a vulnerability is actively being exploited. This means that a high CVSS score does not necessarily indicate the most urgent issue for an organization. For example, CVE-2023-48795 has a current CVSS score of 5.9, which is classified as ‘medium.’ However, when considering threat intelligence sources like EPSS, the probability of exploitation within the next 30 days is high.

This demonstrates the need for a more comprehensive approach to vulnerability prioritization that incorporates both CVSS scores and real-time threat data.

Enhancing Prioritization with Exploit Data

To improve vulnerability prioritization, organizations should look beyond CVSS scores and consider additional factors such as observed exploitation activity. One valuable resource for this is EPSS, a model developed by FIRST.

What is EPSS?

EPSS estimates the likelihood that a vulnerability will be exploited in the wild within the next 30 days. The model assigns a score between 0 and 1 (or 0 to 100%), with higher scores indicating a greater probability of exploitation.

The model aggregates data from sources such as the National Vulnerability Database (NVD), CISA KEV, and Exploit-DB, along with evidence of exploitation activity. Using machine learning, it identifies patterns in this data to predict the probability of future exploitation.

CVSS vs. EPSS

How does EPSS enhance vulnerability prioritization?

Consider a scenario where vulnerabilities with a CVSS score of 7 or higher are prioritized for remediation. The blue circle represents all such CVEs recorded on October 1, 2023. In red, the diagram highlights the CVEs with high CVSS scores that were actually exploited over the next 30 days.

The results show that only a small subset of vulnerabilities with a CVSS score of 7 or higher were exploited in the wild, underscoring the importance of incorporating EPSS scores into the prioritization process to focus on the most imminent threats.

Let’s compare this with a scenario where vulnerabilities are prioritized using an EPSS threshold of 10%.

The difference between the two diagrams is evident in the size of the blue circles, representing the number of vulnerabilities that need prioritization. This visual comparison highlights the level of effort required for each strategy. With a 10% EPSS threshold, the workload is significantly reduced, as there are far fewer vulnerabilities to address, saving time and resources. This approach greatly enhances efficiency, allowing organizations to concentrate on vulnerabilities that pose the highest risk if left unmitigated.

The consideration of EPSS in vulnerability prioritization makes it possible for organizations to focus their prevention strategies on threats that exist in practice. Further, suppose EPSS is used to analyze further why a vulnerability with a low CVSS score is more likely to be exploited in real life as compared to other counter vulnerabilities, then that fortress will be prioritized over others with higher CVSS scores but fewer users.

Use Intruder to perform simple Vulnerability Prioritization

Intruder is a vulnerability management system which works in a cloud environment for the businesses to discover if any attacks are made and also help in discovering the weaknesses in the system before the weaknesses are exploited. Through continuous monitoring of security, monitoring of the attack surface and rationalization of threats, Intruder makes it easier for the respective teams to spend time on the most critical threats thus contributing to wider efficiency and ease of responsibilities in the area of cyber security

Intruder is introducing a new feature for prioritizing vulnerabilities where the Exploit Prediction Scoring System (EPSS) is being used to predict the chances of a vulnerability being abused in the period of 30 days and recounts on machine learning.

Very soon, the Intruder system will also display EPSS scores, which will allow your team to work on real EPSS scoring products better. These scores will be used in conjunction with Intruder’s current approach, which provides a CVSS scoring system with expert opinions to help prioritize your results more efficiently.