
Anthropic Invests in EPSS to Address Upcoming Surge in Bugs


Accelerating Vulnerability Management: Anthropic’s Mythos and the Shift in Cybersecurity

The introduction of Anthropic's Mythos has sharpened a long-standing problem in vulnerability management programs: far more vulnerabilities than teams can remediate, and too little information about which ones to fix first. Backlogs have always outrun remediation capacity, but the speed at which software flaws can now be found and potentially exploited makes deciding which vulnerabilities demand immediate attention far more urgent.

One recommendation in Anthropic's guidance on AI-accelerated offense stands out for practitioners. The company advocates the Exploit Prediction Scoring System (EPSS), a probabilistic model developed by data scientists now at Empirical Security and maintained as a special interest group within FIRST, as the basis for prioritizing vulnerabilities as the discovery rate climbs. The recommended order is to patch entries on the Known Exploited Vulnerabilities (KEV) catalog published by the Cybersecurity and Infrastructure Security Agency (CISA) first, then everything whose EPSS score exceeds a threshold the organization chooses. Applied consistently, this can cut an unmanageable list of Common Vulnerabilities and Exposures (CVEs) down to a workable one.
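The KEV-first, then EPSS-threshold ordering described above, worked through as an added example (this is not code from Anthropic, Empirical Security or the article). The record shapes follow the public CISA KEV JSON feed (a `vulnerabilities` list keyed by `cveID`) and the FIRST EPSS API (a `data` list with string-valued `epss` and `percentile`), but every record and every score here is constructed for the example, the asset names and scanner output are invented, and the 0.10 threshold is an assumption rather than a recommended value.

```python
"""KEV-first, then EPSS-threshold triage of a scanner backlog (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Strict CVE ID shape; malformed IDs are reported, not silently dropped.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed records in the shape of the CISA KEV JSON feed (assumption:
# entries live under "vulnerabilities" and carry a "cveID").
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-0001", "vendorProject": "ExampleCo", "product": "Gateway"},
        {"cveID": "CVE-2024-0005", "vendorProject": "ExampleCo", "product": "Agent"},
    ]
}

# Constructed records in the shape of the FIRST EPSS API response (assumption:
# rows live under "data" with "epss" and "percentile" as decimal strings).
EPSS_FEED = {
    "data": [
        {"cve": "CVE-2024-0001", "epss": "0.97012", "percentile": "0.99903"},
        {"cve": "CVE-2024-0002", "epss": "0.42150", "percentile": "0.97310"},
        {"cve": "CVE-2024-0003", "epss": "0.00310", "percentile": "0.55200"},
        {"cve": "CVE-2024-0005", "epss": "0.00450", "percentile": "0.61000"},
        {"cve": "CVE-2024-0006", "epss": "0.12000", "percentile": "0.94100"},
    ]
}

# Constructed scanner output as (asset, CVE) pairs, including edge cases:
# a CVE with no EPSS row, a lowercase ID, and a malformed ID.
SCANNER_FINDINGS = [
    ("web-01", "CVE-2024-0001"),
    ("web-01", "CVE-2024-0002"),
    ("db-01", "CVE-2024-0003"),
    ("db-01", "CVE-2024-0004"),    # not (yet) scored by EPSS
    ("jump-01", "cve-2024-0005"),  # lowercase: normalised, not dropped
    ("web-02", "CVE-2024-0006"),
    ("web-02", "CVE-24-1"),        # malformed: rejected and reported
]


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    in_kev: bool
    epss: Optional[float]  # None when EPSS has no row for this CVE


def load_kev(feed: dict) -> set[str]:
    """Set of CVE IDs currently in the KEV catalog."""
    return {row["cveID"].strip().upper() for row in feed["vulnerabilities"]}


def load_epss(feed: dict) -> dict[str, float]:
    """CVE ID -> 30-day exploitation probability (EPSS ships it as a string)."""
    return {row["cve"].strip().upper(): float(row["epss"]) for row in feed["data"]}


def normalise_cve(raw: str) -> Optional[str]:
    """Uppercase and validate a CVE ID; return None if it is not well-formed."""
    cve = raw.strip().upper()
    return cve if CVE_RE.match(cve) else None


def triage(findings, kev: set[str], epss: dict[str, float],
           threshold: float = 0.10) -> dict[str, list]:
    """Bucket findings: KEV first, then EPSS >= threshold, then the rest.

    KEV membership wins even when the EPSS score is low, because KEV is
    evidence of exploitation rather than a prediction of it. CVEs with no
    EPSS row go to their own bucket for manual review: a missing score is
    not evidence of low risk. The threshold (0.10 here) is an assumption.
    """
    tiers = {"kev": [], "epss": [], "backlog": [], "unscored": [], "invalid": []}
    for asset, raw in findings:
        cve = normalise_cve(raw)
        if cve is None:
            tiers["invalid"].append((asset, raw))
            continue
        f = Finding(asset, cve, cve in kev, epss.get(cve))
        if f.in_kev:
            tiers["kev"].append(f)
        elif f.epss is None:
            tiers["unscored"].append(f)
        elif f.epss >= threshold:
            tiers["epss"].append(f)
        else:
            tiers["backlog"].append(f)
    # Within the scored tiers, highest probability first.
    tiers["epss"].sort(key=lambda f: f.epss, reverse=True)
    tiers["backlog"].sort(key=lambda f: f.epss, reverse=True)
    return tiers


def patch_order(tiers: dict[str, list]) -> list[str]:
    """Flat list of CVE IDs in the order remediation should be worked."""
    return [f.cve for f in tiers["kev"] + tiers["epss"]]


if __name__ == "__main__":
    result = triage(SCANNER_FINDINGS, load_kev(KEV_FEED), load_epss(EPSS_FEED))
    for name, rows in result.items():
        print(f"{name:9s} {rows}")
    print("work order:", patch_order(result))
```

Two things the example makes visible that the ordering rule alone does not: a CVE that is in KEV but carries a tiny EPSS score still lands in the first tier, and a CVE with no EPSS row is surfaced for review rather than sinking to the bottom. EPSS estimates the probability of exploitation activity in the wild over the next 30 days across the whole internet; it says nothing about whether the affected component is reachable or in use in a given environment, so asset context still has to be layered on top of this ordering.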

Michael Roytman, co-founder and CTO of Empirical Security, described EPSS as using predictive models much as meteorologists do: it forecasts which vulnerabilities are likely to see exploitation activity on the internet over the next 30 days. He offered an analogy: "We don't deal with rain by constantly having an umbrella over our heads. Instead, predictive models inform us about whether it's prudent to carry one."

Ed Bellis, CEO of Empirical Security, called Anthropic's endorsement of EPSS a first: a prominent large language model provider recognizing a probabilistic model built specifically for vulnerability prioritization. He sees it as a signal of where vulnerability assessment tooling is heading.

A System Under Imminent Strain

Mythos debuts into a vulnerability ecosystem already under unprecedented strain. The volume of new vulnerabilities has grown to the point that the National Institute of Standards and Technology (NIST) scaled back its enrichment of entries in the National Vulnerability Database (NVD) and now concentrates on a subset of CVEs. EPSS, by contrast, continues to publish exploitation likelihood scores for every CVE, updated daily.

Bellis pointed out that NIST’s decision to limit focus to certain vulnerabilities is linked to the human-driven constraints of its processes. In contrast, EPSS is driven by a machine-learning model that can be applied universally across all CVEs. This distinction offers a compelling alternative, especially considering that vulnerability management today often neglects machine-learning and data-driven methodologies.

According to the Zero Day Clock, the time from a vulnerability's discovery to its exploitation has collapsed: it is projected to fall to as little as one hour this year and to one minute by 2028, down from 2.3 years in 2018.

Assessing Promise and Practicality

Security leaders and vendors are increasingly integrating EPSS scores into their systems, a trend that suggests a collective shift towards data-driven vulnerability management. Roytman noted that EPSS has found its way into over 120 security products from companies such as CrowdStrike, Cisco, and Palo Alto Networks. James Robinson, CISO at Netskope, remarked on the encouraging adoption of EPSS, stating that it enables organizations to better gauge whether vulnerabilities are pertinent to their specific implementations.

Meanwhile, Aaron Weismann, CISO at Main Line Health, welcomed the rapid vulnerability discovery capabilities but raised concerns about the applicability of guidance to essential sectors such as healthcare and utilities. Weismann emphasized the complexities surrounding immediate and automated patching in industries often burdened by legacy systems.

Not all cybersecurity professionals are enthusiastic about the reliance on EPSS or the Common Vulnerability Scoring System (CVSS). Ramy Houssaini, Chief Cyber Solutions Officer at Cloudflare, asserted that both methodologies may be outdated in the era of Mythos, which has seen AI significantly compress the time window for vulnerability exploitation. He urged organizations to pivot towards real-time defenses instead of relying solely on predictive scores.

Beyond CVEs: A Broader Perspective on Exposure Management

While much of the discussion around Mythos has focused on vulnerabilities tracked under the CVE framework, it will likely surface millions of flaws that fall outside that definition. Roytman pointed to cloud environments and applications, where no universal standard exists: two applications written in the same programming language can be configured so differently that identifying their weaknesses remains a case-by-case job.

That makes the case for localized predictive models, tuned to an organization's own applications, configurations, and likely misconfigurations, more pressing. Such models would draw on the security tooling already in place and take over much of the manual triage that finding these issues currently requires.

To summarize, while Mythos and competing AI systems promise unprecedented insights into vulnerabilities, they may also reveal millions of issues not categorized under traditional frameworks like CVEs. As Bellis pointed out, this could result in enterprises grappling with tens of millions of vulnerabilities. However, Roytman remains optimistic, asserting that avenues exist to navigate the complexity of this evolving landscape.
