
Rezilion discovers high-risk vulnerabilities absent from CISA KEV catalog


Rezilion, an automated software supply chain security platform, has released a new report on the role of the Exploit Prediction Scoring System (EPSS) in vulnerability management. The report, titled “CVSS, EPSS, KEV: The New Acronyms – And The Intelligence – You Need For Effective Vulnerability Management,” argues that organizations should factor the EPSS score into patch prioritization rather than relying on severity alone.

Earlier this year, Rezilion conducted a study of the CISA KEV catalog which found that millions of systems remained exposed to Known Exploited Vulnerabilities (KEVs) despite patches being available. The company’s latest research expands on that work and concludes that relying on the KEV catalog alone for vulnerability management is insufficient: vulnerabilities that are newly exploited in the wild are not always added to the catalog promptly, leaving a coverage gap.

During the research, Rezilion’s vulnerability researchers identified more than 30 actively exploited vulnerabilities with high EPSS scores that were not listed in the CISA KEV catalog. The report also argues that the Common Vulnerability Scoring System (CVSS), which measures severity rather than likelihood of exploitation, is an insufficient basis for patch prioritization on its own, and it presents evidence that vulnerabilities with high EPSS scores are exploited more often than those with low EPSS scores.

Yotam Perkal, Director of Vulnerability Research at Rezilion, stresses the importance of considering multiple metrics for effective vulnerability management. He suggests that a comprehensive approach that incorporates CVSS, CISA’s KEV catalog, and EPSS provides the best defense against potential threats. Ignoring any of these components may result in gaps in an organization’s security posture. Perkal asserts that finding the right blend of these tools enables accurate prioritization, ensuring that the most dangerous vulnerabilities are addressed promptly.

The report offers several key takeaways. First, the conventional method of prioritizing vulnerabilities by CVSS severity often falls short; a holistic approach that combines CVSS, CISA’s KEV catalog and EPSS with runtime validation (checking whether a detected vulnerability is actually exploitable in the context where the component runs) offers the best defense. Second, relying solely on the KEV catalog is insufficient because newly exploited vulnerabilities are added with a delay. Third, vulnerabilities with high EPSS scores are more likely to be exploited, which makes EPSS a valuable prioritization signal.
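The blended prioritization the report describes can be reduced to a small, deterministic ranking rule. The following is an added example written for this article, not Rezilion's code: it joins scanner findings with EPSS scores and KEV membership, tiers them (KEV first, then high-EPSS vulnerabilities missing from KEV, then high-CVSS ones), demotes components that a runtime check shows are never loaded, and reports the exact population the report flags, namely high-EPSS CVEs absent from KEV. The record shapes for the EPSS and KEV feeds are assumptions based on the public `api.first.org/data/v1/epss` and CISA `known_exploited_vulnerabilities.json` formats; all records and CVE IDs below are constructed placeholders, and the thresholds (EPSS 0.1, CVSS 7.0) are illustrative defaults, not values from the report.

```python
"""Combine CVSS, EPSS and CISA KEV into a single patch-priority ordering.

Added example for this article, not Rezilion's code. The EPSS and KEV
record shapes are assumptions mirroring the public feeds; every record
and every CVE ID below is constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the EPSS API "data" array
# (assumption: "cve", "epss" and "percentile" fields as decimal strings).
EPSS_DATA = [
    {"cve": "CVE-0000-0001", "epss": "0.97", "percentile": "0.99"},
    {"cve": "CVE-0000-0002", "epss": "0.42", "percentile": "0.97"},
    {"cve": "CVE-0000-0003", "epss": "0.003", "percentile": "0.65"},
    {"cve": "CVE-0000-0004", "epss": "0.001", "percentile": "0.40"},
    # CVE-0000-0005 deliberately absent: EPSS has no score for it yet.
]

# Constructed sample in the shape of CISA's KEV JSON
# (assumption: top-level "vulnerabilities" list with "cveID" keys).
KEV_JSON = {"vulnerabilities": [{"cveID": "CVE-0000-0001", "dueDate": "2023-08-01"}]}

# Constructed findings from a hypothetical scanner: CVSS base score plus a
# runtime signal saying whether the affected component is loaded at all.
FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "loaded": True},
    {"cve": "CVE-0000-0002", "cvss": 7.5, "loaded": True},   # high EPSS, not in KEV
    {"cve": "CVE-0000-0003", "cvss": 9.1, "loaded": True},   # high CVSS, low EPSS
    {"cve": "CVE-0000-0004", "cvss": 5.3, "loaded": False},
    {"cve": "CVE-0000-0005", "cvss": 8.8, "loaded": False},  # no EPSS score
]


def epss_lookup(epss_data):
    """Map CVE ID -> EPSS probability (float in [0, 1])."""
    return {r["cve"]: float(r["epss"]) for r in epss_data}


def kev_ids(kev_json):
    """Set of CVE IDs listed in the KEV catalog."""
    return {v["cveID"] for v in kev_json["vulnerabilities"]}


@dataclass
class Ranked:
    cve: str
    tier: int          # 1 is most urgent
    reason: str
    cvss: float
    epss: Optional[float]


def classify(finding, epss_by_cve, kev, epss_threshold=0.1, cvss_threshold=7.0):
    """Assign one finding to a tier using KEV, EPSS, CVSS and runtime context."""
    epss = epss_by_cve.get(finding["cve"])
    if finding["cve"] in kev:
        tier, why = 1, "in CISA KEV"
    elif epss is not None and epss >= epss_threshold:
        tier, why = 2, "high EPSS, not in KEV"      # the report's coverage gap
    elif finding["cvss"] >= cvss_threshold:
        tier, why = 3, "high CVSS, low or unknown EPSS"
    else:
        tier, why = 4, "backlog"
    # Runtime validation: a component that never loads is not exploitable in
    # this deployment, so demote it one tier instead of dropping it. KEV
    # entries stay in tier 1 because they carry an external patch mandate.
    if not finding["loaded"] and tier > 1:
        tier += 1
        why += "; not loaded at runtime"
    return Ranked(finding["cve"], tier, why, finding["cvss"], epss)


def prioritize(findings, epss_data, kev_json, **thresholds):
    """Return findings ordered by tier, then EPSS, then CVSS (all descending)."""
    epss_by_cve = epss_lookup(epss_data)
    kev = kev_ids(kev_json)
    ranked = [classify(f, epss_by_cve, kev, **thresholds) for f in findings]
    ranked.sort(key=lambda r: (r.tier, -(r.epss or 0.0), -r.cvss))
    return ranked


def kev_coverage_gap(ranked):
    """CVEs that are likely exploited (high EPSS) but absent from KEV."""
    return [r.cve for r in ranked if r.tier == 2]


if __name__ == "__main__":
    ordered = prioritize(FINDINGS, EPSS_DATA, KEV_JSON)
    for r in ordered:
        print(f"tier {r.tier}  {r.cve}  cvss={r.cvss}  epss={r.epss}  ({r.reason})")
    print("KEV coverage gap:", kev_coverage_gap(ordered))
```

Two design points worth noting. A missing EPSS score is kept as `None` rather than treated as zero when classifying, so a CVE that EPSS has not scored yet still rises on its CVSS score instead of silently sinking to the backlog; it is only treated as zero for ordering within a tier. And the runtime signal demotes rather than deletes, so a finding that later becomes reachable (a component that starts being loaded) is still in the list to be re-scored.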

In response to these findings, Rezilion has launched a feature called Enrichment Feeds, which surfaces EPSS scores alongside detected vulnerabilities so that organizations can gauge how likely each one is to be exploited. By exposing EPSS as a prioritization signal next to CVSS and KEV membership, Rezilion aims to support the layered approach to vulnerability management that the report recommends.

To access the full report, interested parties can visit Rezilion’s website. Additionally, Rezilion will be sharing further insights on hidden vulnerabilities and vulnerability management at the upcoming Black Hat, BSides, and DEFCON 2023 events.

Rezilion is a software supply chain security platform that automates risk assurance in the software development lifecycle. The platform detects and assesses third-party software components across all layers of the software stack and, by its own account, filters out up to 95% of identified vulnerabilities as not exploitable in context. It then automatically mitigates the remaining exploitable risk, reducing vulnerability backlogs and remediation timelines from months to hours and giving DevOps teams more time for development work.
