EPSS 3.0 + CVSS: Why Prioritizing Software Risk is Key
In this episode, Matt explains what the newest version of the Exploit Prediction Scoring System (EPSS) is, and how it compares to the Common Vulnerability Scoring System (CVSS) when it comes to minimizing alert fatigue — and prioritizing the highest-risk vulnerabilities.
- Related blog: EPSS vs CVSS: Exploit prediction could move the needle on risk management
- Blog: 6 reasons to go beyond legacy vulnerabilities
- Report: NVD Analysis: A Call to Action on Software Supply Chain Security
MATT ROSE: Welcome back to another episode of ReversingGlass. I'm Matt Rose, Field CISO at ReversingLabs. Today's episode is a little bit of a discussion around vulnerability fatigue. I don't know if you've seen the press about EPSS 3.0 versus CVSS. And if you're not familiar with these are ways to score vulnerabilities to see how bad they are, but really take it to that next level.
So the thing that I really want to talk about people have alert fatigue. You're just getting so many different alerts and vulnerabilities and these are critical vulnerabilities. But how do I score this? So EPSS or exploit predictive scoring system 3.0 really takes it to the next level. So CVSS or Common Vulnerability Scoring System, you have your rating of these are really bad P1, P0, P3, and then you spend all this time and effort to explore it, fix it, which ones are more important than others. Let's say you have, 30 P0s that you need to fix, which ones are more important.
What EPSS 3.0 really does is It takes a snapshot in time and a 30-day window to say, Hey, this is really bad, but it may be exploited more than these other vulnerabilities within the next 30 days, which goes back to something that I've been very passionate about when talking about what you need to fix is number one impact, and two likelihood.
What this means is the impact is really bad. It's a P0. If somebody finds this, if this is a vulnerability that's exploited, it's going to be really bad. But when you take that additional layer of risk of likelihood, what is the likelihood of this potentially getting reached? If you're talking about it's really bad and it's really easy to access or formulate an exploit against it, that's something you need to fix.
But the impact is really bad. And it's really not going to be exploited due to compensating controls, or it's not accessing any type of important information. That's where EPSS 3.0 adds that 30-day window of risk. So if you have 20 high critical vulnerabilities, but only five fit in the realm of possibility to be executed or acted upon in the next period of time, you may want to focus your attention. Everyone's dealing with this alert fatigue. Too many different lenses of risk from too many different areas. CVSS is an industry standard. Everybody uses it. It's very effective. But it's really like you're living on a desert island. You don't know what's happening.
Are there sharks out here? Is there a boat out here? You don't know what's happening around it. So EPSS 3.0 gives you that lens to say, Hey, this is what's around you. This is potentially going to be compromised because of X, Y, Z, because of these variables, because it's accessing this type of information, or there's additional vulnerabilities that may lead into the potential for an attack.
So as you're going through the process, CVSS is great, but that additional lens of understanding of if this is going to be potentially compromised in the next 30 days as it uses. That's how you actually prioritize risk and make your teams work smarter, not harder or chasing their tails, trying to fix everything, which we all know is very difficult.
I'm Matt Rose. This is another episode of ReversingGlass. Thanks for watching, everybody.