In the ever-evolving landscape of cybersecurity tools, product security teams are faced with the daunting task of sifting through an increasing number of vulnerabilities to identify and address potential threats effectively. This challenge emphasizes the need for a data-driven system to streamline the prioritization process. Enter the Exploit Prediction Scoring System (EPSS), a helpful tool that is reshaping how product security teams can prioritize their cybersecurity findings.

What is EPSS?

Let’s start with the basics - EPSS is an algorithm designed to predict the likelihood of a publicly disclosed vulnerability being exploited by attackers in the near future. EPSS is based on an advanced analysis of threat intelligence and historical exploit data mapped to a binomial XGBoost model, which assigns a score to all published CVEs based on their potential impact and the probability of future exploitation. 

EPSS scores are presented as a probability and a percentage. The EPSS probability score represents the probability that the vulnerability will have exploitation activity in the next 30 days. This value is between 0 and 1 and is the primary EPSS score. EPSS also publishes a percentile score that represents the likelihood of exploitation activity as compared to other vulnerabilities. This percentile number represents “how many vulnerabilities are less severe than this vulnerability” and is a more easily comprehended value than the probability score.

An important detail is that EPSS scores are updated every night as threat intelligence changes and new data becomes available for the model to use in its scores. If you use EPSS, you need to be aware that a dramatic change in score is possible when a new vulnerability begins to be exploited in the wild. This is good, because it keeps your team and your products very responsive to actual business risk. But for a lot of companies, this can mean a change to their processes.

How to Apply EPSS to Product Security Programs

Product security teams can leverage EPSS in multiple ways to get an edge. Especially for product security teams that are working with multiple product lines and potentially hundreds of models, this can be a significant help. 

Initial Product Line and Model Prioritization Assessment

Evaluate your product portfolio holistically based on the overall risk of each product. If you have multiple product lines with multiple models, consider your product line total revenue and your product line business risk exposure, and then look more granularly at the individual models in those top product lines. Inside each critical product line, the individual models that are top sellers or are most critical (for example, models sold into critical infrastructure or government entities) are good places to start with remediation and mitigation efforts. 

Leveraging EPSS in Triaging

EPSS enables product security teams to move beyond the traditional one-size-fits-all approach to vulnerability prioritization. Once you know which of your product lines and models that you want to focus on, you can dig into each model more granularly and begin applying EPSS for your vulnerability prioritization. 

Since CVSS scores include severity in their calculations, looking at vulnerabilities that have high CVSS scores and also high EPSS percentiles will allow you to focus on real-world exploitable vulnerabilities that could have a severe impact for your organization. Finite State makes this easy, since those two numbers are the basis of our finding scores, and using our default prioritization will bubble up these vulnerabilities.

To see how effective this can be, FIRST lays out the calculated accuracy for remediating high EPSS scores (in this case, set to 10% and higher). The “wasted effort” between vulnerabilities that were remediated but not exploited and vulnerabilities that were correctly prioritized is .9%. The miss rate of vulnerabilities that were not remediated but were exploited is 1%. For stretched cybersecurity teams, these stats translate to a lot of saved time and effort with a very small likelihood of error.

By assigning a dynamic threat-based, future-looking score to each vulnerability, EPSS allows teams to focus their efforts on addressing the most critical threats first. Pulling in these individual vulnerability EPSS scores allows product security teams to understand which vulnerabilities need to be addressed first when working with their software development teams.

Moving to Risk-Based Decision Making

EPSS empowers product security teams to make informed, risk-based decisions on a product basis. Rather than being overwhelmed by a large number of vulnerabilities, teams can prioritize their efforts based on the severity and exploitability of an overall product or model and then prioritize down to each vulnerability. This approach aligns with the principle of risk-based vulnerability management, where attention is directed towards vulnerabilities with the highest potential impact.

Reducing Response Time

The real-time nature of EPSS means that product security teams can respond rapidly to emerging threats. By identifying vulnerabilities with a high likelihood of exploitation, teams can proactively address issues before they are leveraged by malicious actors. This proactive stance significantly reduces the window of opportunity for attackers.

When you can’t use EPSS

At this point, using EPSS to prioritize your product vulnerabilities hopefully makes sense. But sometimes, this isn’t possible in your environment. Many recent cybersecurity regulations focused on connected products require manufacturers to address all vulnerabilities - even if there are thousands and most of them are not exploitable. Regulations like the recent FDA filing regulations and the EU CRA don’t allow for risk-based prioritization, and you will need to triage all your vulnerabilities, regardless of the EPSS score. However, you can still use EPSS to prioritize which vulnerabilities you remediate and mitigate first, and which you can remediate at a later time.

At other organizations, your corporate policy might stipulate CVSS scores that set the levels at which you should remediate and mitigate vulnerabilities. These sometimes are phrased like, “We remediate or mitigate all vulnerabilities above a CVSS 7.5”. If that is your situation, you can still use CVSS but again leverage EPSS scores to guide your personal remediation/mitigation strategy for your list of vulnerabilities. That way, you are still abiding by your policy, but addressing the highest risk issues first, and keeping your products and organization safe.

Using EPSS to prioritize your product portfolio in Finite State

Finite State leverages EPSS in our vulnerability scoring by default, so if you’re a Finite State customer, you can use our out-of-the-box prioritization framework and start reaping the benefits right away. EPSS is factored into all applicable finding scores (primarily CVEs). EPSS isn’t available on non-CVE findings, so our Finite State Security Issues are scored without them. Our Artifact scores are a rolled-up calculation of individual finding scores, so the higher your Finite State Artifact score, the higher priority the device. Once you use the Artifact score for overall prioritization of your artifacts, you can use the filtering and sorting on our finding scores to prioritize your individual remediation and mitigation efforts. Easy peasy!

Want to see how EPSS can help prioritize your product security? Request a free trial to try it out with your own artifacts!

Leveraging EPSS can be a huge help for your product security team and go beyond CVSS and other scoring systems to give you an advantage over attackers. By leveraging the power of EPSS, organizations can strengthen their cybersecurity defenses and stay one step ahead of cyber adversaries. Embrace EPSS, and empower your team to prioritize cybersecurity findings strategically, reducing risk and fortifying your organization's security posture.