EPSS vs. CVSS: What’s the Best Approach to Vulnerability Prioritization?

Many businesses rely on the Common Vulnerability Scoring System (CVSS) to assess the severity of vulnerabilities for prioritization. While these scores provide some insight into the potential impact of a vulnerability, they don’t factor in real-world threat data, such as the likelihood of exploitation. With new vulnerabilities discovered daily, teams don’t have the time - or the budget - to waste on fixing vulnerabilities that won’t actually reduce risk.

Read on to learn more about how CVSS and EPSS compare and why using EPSS is a game changer for your vulnerability prioritization process.

What is vulnerability prioritization?

Vulnerability prioritization is the process of evaluating and ranking vulnerabilities based on the potential impact they could have on an organization. The goal is to help security teams determine which vulnerabilities should be addressed, in what timeframe, or if they need to be fixed at all. This process ensures that the most critical risks are mitigated before they can be exploited and is an essential part of attack surface management.

In an ideal world, security teams would be able to remediate every vulnerability as soon as it is discovered, but that’s neither possible nor efficient. Research has shown that most teams can only remediate about 10-15% of their open vulnerabilities per month, which is why prioritizing effectively is so important.

Ultimately, getting vulnerability prioritization right ensures organizations can make the best use of their resources. Why does this matter? Because businesses can’t afford to spend money on things unless it makes a difference, and risk management is all about making sure money is spent on genuinely reducing risk.

The limitations of CVSS for vulnerability prioritization

Historically, one of the most common ways organizations prioritize vulnerabilities is by using CVSS base scores.

CVSS base scores are determined by factors that are constant across time and user environments, such as the ease and technical means by which a vulnerability can be exploited and the consequence of a successful exploit. These factors are quantified and combined to generate a final score between 0 and 10 – the higher the score, the higher the severity.

CVSS scores offer a baseline and a standardized way of assessing severity and are sometimes necessary for compliance. However, they have limitations that make relying on them less efficient than considering them alongside real-time data sources.

One of the main limitations of CVSS scores is that they do not consider the current threat landscape, such as whether a vulnerability is being actively exploited in the wild. This means that a vulnerability with a high CVSS score may not necessarily be the most critical issue an organization faces. Take CVE-2023-48795, for example. Its current CVSS score is 5.9, which is 'medium’. But if you consider other threat intelligence sources, such as EPSS, you’ll see there’s a high chance of it being exploited within the next 30 days (at the time of writing).

This shows the importance of taking a more holistic approach to vulnerability prioritization that considers not only CVSS scores but also real-time threat intelligence.

Improving prioritization with exploit data

To improve vulnerability prioritization, organizations should move beyond CVSS scores and consider other factors, such as exploitation activity identified in the wild. A valuable source for this is EPSS, a model developed by FIRST.

What is EPSS?

EPSS is a model that provides a daily estimate of the probability that a vulnerability will be exploited in the wild within the next 30 days. The model produces a score between 0 and 1 (0 and 100%), with higher scores indicating a higher probability of exploitation.

The model works by collecting a wide range of vulnerability information from various sources, such as the National Vulnerability Database (NVD), CISA KEV, and Exploit-DB, along with evidence of exploitation activity. Using machine learning, it trains its model to identify subtle patterns between these data points, allowing it to predict the likelihood of future exploitation.

CVSS vs EPSS

So how exactly do EPSS scores help improve vulnerability prioritization?

The diagram below illustrates a scenario in which vulnerabilities with a CVSS score of 7 or higher are prioritized for remediation. The blue circle represents all of these CVEs recorded on 1 October, 2023. In red, you can see all the CVEs with CVSS scores that were exploited in the following 30 days.

As you can see, the number of vulnerabilities that were exploited in the wild represents a small number of the vulnerabilities with a CVSS score of 7 or higher.

Original source: FIRST.org

Let’s compare this to a scenario where vulnerabilities are prioritized based on an EPSS threshold set to 10%.

A noticeable difference between the two diagrams below is the size of the blue circles, which indicate the number of vulnerabilities that need to be prioritized. This gives an idea of the amount of effort required for each prioritization strategy. With a 10% EPSS threshold, the effort is significantly lower, as there are far fewer vulnerabilities to prioritize, reducing the time and resources needed. Efficiency is also significantly higher, as organizations can focus on vulnerabilities that would have the most impact if not addressed first.

Original source: FIRST.org

By considering EPSS when prioritizing vulnerabilities, organizations can better align their remediation efforts with the actual threat landscape. For example, if EPSS indicates a high probability of exploitation for a vulnerability with a relatively low CVSS score, security teams might consider prioritizing that vulnerability over others that may have higher CVSS scores but a lower likelihood of exploitability.

Simplify vulnerability prioritization with Intruder

Intruder is a cloud-based security platform that helps businesses manage their attack surface and identify vulnerabilities before they can be exploited. By offering continuous security monitoring, attack surface management, and intelligent threat prioritization, Intruder allows teams to focus on the most critical risks while simplifying cybersecurity.

A screenshot of the Intruder platform

Intruder is about to release a vulnerability prioritization feature, powered by the Exploit Prediction Scoring System (EPSS) – a model that leverages machine learning to predict how likely a vulnerability is to be exploited in the next 30 days.

You’ll soon be able to view EPSS scores right inside the Intruder platform, giving your team real-world context for smarter prioritization. These scores will be displayed alongside the existing scoring system, which combines CVSS scores with input from Intruder’s team of security experts to intelligently prioritize your results.

Sign up now to get ahead of the new release. Start your 14-day free trial or book some time to chat and learn more.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post.