The prioritisation of vulnerabilities for remediation is a critical challenge. Traditional reliance on the Common Vulnerability Scoring System (CVSS) has been a standard practice for many organisations. However, as the threat environment and vulnerability identification process evolves, the limitations of CVSS scores in accurately reflecting the real-world risk of vulnerabilities have become increasingly apparent. Building upon our discussions on establishing a robust risk management framework, identifying your digital crown jewels, and defining the roles of risk owners and remediation teams, this article explores the imperative of rethinking vulnerability prioritisation. We delve into the integration of Known Exploited Vulnerabilities (KEV) and Exploit Prediction Scoring System (EPSS) scores into the vulnerability management process as a more dynamic approach to triage, prioritisation and remediation of risks.

The Limitations of CVSS Scores

CVSS provides a standardised framework for rating the severity of security vulnerabilities in software. While CVSS scores offer valuable insights, they primarily focus on the technical aspects of vulnerabilities without considering the context of exploitation in the wild or the specific environment in which an asset operates. This can lead to a skewed prioritisation that may not align with an organisation’s unique risk profile or adequately protect its most critical assets.

Integrating KEV and EPSS Scores

To address these limitations, supplementing CVSS scores with KEV and EPSS data presents a more nuanced approach to vulnerability management. KEV lists, such as the one maintained by the Cybersecurity and Infrastructure Security Agency (CISA), highlight vulnerabilities that have been actively exploited. EPSS, on the other hand, employs machine learning to predict the likelihood of a vulnerability being exploited in the future. Together, these scores offer a more comprehensive view of risk, focusing on both current exploitation trends and predictive analytics.

1. Understanding KEV: A Real-World Focus

KEV scores shine a spotlight on vulnerabilities that attackers are actively exploiting, thereby representing an immediate threat. By prioritising these vulnerabilities, organisations can ensure that they are addressing the most pressing risks to their environment. This real-world focus complements the theoretical nature of CVSS scores by highlighting the urgency of remediating certain vulnerabilities based on actual attacker behaviour.

2. Leveraging EPSS: Predictive Prioritisation

EPSS represents a significant advancement in vulnerability management by providing a forward-looking perspective on risk. By analysing various factors, including the characteristics of the vulnerability and trends in the cyber threat landscape, EPSS predicts the likelihood of a vulnerability being exploited in the future. This predictive capability allows organisations to proactively address vulnerabilities before they are exploited, aligning remediation efforts with potential threats.

Integrating KEV and EPSS into the Vulnerability Management Process

Incorporating KEV and EPSS scores into the vulnerability management strategy requires a structured approach:

1. Assessing the Landscape: Start by assessing your current vulnerability management processes. Identify how vulnerabilities are currently prioritized and where KEV and EPSS can complement or enhance these practices.
2. Identifying Critical Assets: Refer back to the process of categorizing assets and identifying your digital crown jewels. Understanding which assets are most critical to your organization will help in applying KEV and EPSS scores more effectively.
3. Customizing the Approach: Tailor the integration of KEV and EPSS scores to fit your organization’s risk tolerance and operational needs. This might involve setting specific thresholds for EPSS scores or prioritizing KEV-listed vulnerabilities for certain asset categories.
4. Operationalizing the Data: Ensure that risk owners and remediation teams are equipped with the information and resources they need to act on KEV and EPSS data. This includes establishing processes for regularly reviewing and updating prioritization based on new data.
5. Measuring Impact: Continuously monitor the effectiveness of incorporating KEV and EPSS scores into your vulnerability management process. Adjust your strategies as needed based on feedback and evolving threat intelligence.

The Recap

The dynamic nature of cyber threats necessitates a re-evaluation of traditional vulnerability management practices. By integrating KEV and EPSS scores alongside CVSS, organisations can achieve a more comprehensive and proactive approach to prioritization. This strategy not only addresses the immediate threats posed by actively exploited vulnerabilities but also anticipates future risks, ensuring that remediation efforts are aligned with the evolving threat landscape. As we continue to navigate the complexities of cybersecurity, the adoption of such nuanced approaches will be pivotal in securing our digital assets against the ever-changing backdrop of cyber threats.

Adam McHugh

+ posts

• From Vulnerable to Vigilant: Transforming Vulnerability Management Processes
• Managing Residual Risk: Understanding the Limits of Vulnerability Management
• Communicating Vulnerability Risks: Translating Technical Jargon into Business Impact
• Beyond NIST: Diversifying Sources for Accurate Vulnerability Context