A new study conducted by cybersecurity company Rezilion has revealed that existing vulnerability tracking systems, such as the Common Vulnerability Scoring System (CVSS) and the catalog of Known Exploited Vulnerabilities (KEV) maintained by the US Cybersecurity and Infrastructure Security Agency (CISA), have limitations in effectively predicting the severity and exploitability of vulnerabilities. This has led to the development of a new machine learning (ML) based system called the Exploit Prediction Scoring System (EPSS) by Rezilion, which aims to address these limitations and provide a more complete and accurate scoring system.
According to Rezilion, relying solely on the CVSS severity score to assess the risk of vulnerabilities has been proven to be equivalent to randomly selecting vulnerabilities for remediation. The study argues that additional context is necessary in order to develop a scalable and effective prioritization strategy. CVSS, in particular, has been criticized for its lack of scalability and effectiveness, as well as its failure to accurately reflect the actual risk associated with vulnerabilities.
Rezilion cites statistics from the US National Vulnerability Database (NVD) to support its claim. The data shows that over 57% of the vulnerabilities listed in the NVD with a CVSS v3 score have a high or critical base score. However, the average organization is only able to patch around 10% of the vulnerabilities in its environment each month. This disparity highlights the need for a more efficient and accurate system for prioritizing vulnerabilities.
In a recent survey conducted by Rezilion in collaboration with Ponemon, it was found that most organizations reported significant vulnerability backlogs and patching debt. This indicates that organizations are struggling to keep up with the volume of vulnerabilities and prioritize the most critical ones for remediation.
The study also emphasizes that only a small fraction of vulnerabilities will ever be exploited, and even fewer will be exploitable in a specific environment. It is therefore crucial to identify the highly exploitable vulnerabilities and prioritize their patching. However, CVSS falls short in this aspect.
To address these issues, Rezilion has developed the EPSS, a machine learning-based system that uses additional context and data to predict the severity and exploitability of vulnerabilities more accurately. By leveraging ML algorithms, EPSS can analyze large volumes of data and identify patterns and indicators that help determine the likelihood of a vulnerability being exploited.
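To make the prioritization argument concrete, here is an added example (not code from the study or from any scoring system) that ranks a constructed list of vulnerabilities under the roughly 10% monthly patching capacity mentioned above, once by CVSS alone and once by exploitation context. It assumes EPSS scores are expressed as a 0 to 1 probability of exploitation and that KEV membership is a boolean flag; the CVE identifiers and scores are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str        # placeholder identifier, not a real CVE
    cvss: float     # CVSS v3 base score, 0-10
    epss: float     # assumed: exploitation probability in [0, 1]
    in_kev: bool    # assumed: listed in CISA KEV


# Constructed sample: mostly "high/critical" by CVSS, but only a few
# are likely to be exploited, mirroring the disparity described above.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.02, False),
    Vuln("CVE-0000-0002", 9.1, 0.01, False),
    Vuln("CVE-0000-0003", 7.5, 0.93, True),
    Vuln("CVE-0000-0004", 8.8, 0.05, False),
    Vuln("CVE-0000-0005", 6.5, 0.71, False),
    Vuln("CVE-0000-0006", 9.0, 0.03, False),
    Vuln("CVE-0000-0007", 5.3, 0.88, True),
    Vuln("CVE-0000-0008", 7.2, 0.02, False),
    Vuln("CVE-0000-0009", 8.1, 0.04, False),
    Vuln("CVE-0000-0010", 9.6, 0.02, False),
]


def share_high_or_critical(vulns):
    """Fraction of findings with a CVSS base score of 7.0 or above."""
    return sum(1 for v in vulns if v.cvss >= 7.0) / len(vulns)


def rank_by_cvss(vulns):
    """Severity-only ordering: highest CVSS base score first."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def rank_by_context(vulns):
    """Known-exploited first, then exploitation probability, CVSS as tie-breaker."""
    return sorted(vulns, key=lambda v: (v.in_kev, v.epss, v.cvss), reverse=True)


def patch_plan(vulns, ranker, budget_fraction=0.10):
    """CVEs that fit into this month's patching capacity under the given ranking."""
    budget = max(1, round(len(vulns) * budget_fraction))
    return [v.cve for v in ranker(vulns)[:budget]]


def expected_exploits_covered(vulns, chosen):
    """Sum of exploitation probabilities of the patched CVEs: the expected
    number of would-be exploited vulnerabilities the plan actually removes."""
    return sum(v.epss for v in vulns if v.cve in chosen)
```

With a 10% budget the CVSS plan patches a 9.8 that is almost never exploited, while the context-aware plan patches the KEV-listed 7.5 with a 0.93 exploitation probability.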
The introduction of EPSS marks a significant advancement in vulnerability tracking and prioritization systems. It offers an opportunity to improve security measures and ensure that organizations can effectively allocate their resources to mitigate the most critical vulnerabilities. With an ever-expanding threat landscape and the need to stay one step ahead of attackers, a more comprehensive and precise scoring system like EPSS can give organizations the support they need to strengthen their cybersecurity defenses.
In conclusion, the study conducted by Rezilion highlights the limitations of existing vulnerability tracking systems, such as CVSS and KEV, in effectively predicting the severity and exploitability of vulnerabilities. The development of the ML-based EPSS by Rezilion aims to address these issues by providing a more accurate and scalable scoring system. With the increasing number of vulnerabilities and the need for efficient prioritization, EPSS offers organizations a valuable tool to enhance their cybersecurity measures and protect against potential exploits.