Kenna Security, the enterprise leader in risk-based vulnerability management, announces the Exploit Prediction Scoring System (EPSS), a free, open model that uses 16 variables to predict the likelihood of a vulnerability being exploited in the wild in its first 12 months.
Created in collaboration with leading data scientists and security researchers from academia and the private sector, the new system will serve as a weather-like forecasting tool for the cybersecurity community, providing a faster and more accurate way to gauge the risk of specific vulnerabilities.
“With this new system backed by data science, we can stop the massive impact of the next BlueKeep or WannaCry,” said Michael Roytman, Chief Data Scientist at Kenna Security.
“Just like we’ve seen in weather forecasting or disease control, data science has reached a level of sophistication that allows us to make predictions on cyber risk and give security teams the information they need to protect data and systems.”
By using EPSS, companies will be able to accurately assess the risk of future exploitation for a new vulnerability using objective and validated criteria, and they will be able to compare the results to those of other vulnerabilities, providing valuable context. This gives security teams the ability to focus on immediate risks and to allocate resources appropriately.
EPSS was designed by a team of data scientists and IT professionals, including Michael Roytman at Kenna Security, Jay Jacobs and Ben Edwards at the Cyentia Institute, Sasha Romanosky at the Rand Corporation, Idris Adjerid at Virginia Tech, as well as the professionals who contributed the data used in the analysis.
“The current CVSS system for measuring cyber risk and prioritizing vulnerabilities is inefficient,” said Jay Jacobs, co-founder and partner at the Cyentia Institute.
“Security teams have the unenviable task of being held responsible for remediating vulnerabilities when they only have the ability to address a small percentage of them.
“We developed EPSS to help security practitioners make more well-informed decisions, and address threats more efficiently. We expect that organizations using EPSS will be able to improve their security posture and better manage resources.”
Most organizations rely on the Common Vulnerability Scoring System (CVSS) to assess the risk of a newly released vulnerability. But CVSS has several shortcomings. For one, it assigns risk based on the subjective judgments of experts.
CVSS also does not consider, for example, whether a vulnerability is found in software deployed by millions globally or a highly specialized application used by a single company, despite evidence that threat actors tend to develop exploits for vulnerabilities that are widespread.
It also takes up to 6 weeks for a vulnerability to be scored correctly, which is time security teams don’t have when it comes to effectively patching and protecting their organizations.
Research shows that most organizations end each day with more reported vulnerabilities than they started with. On average, companies can remediate just one out of every ten potential avenues for attack. This puts tremendous pressure on companies with limited resources, which must decide, often with inadequate information, when to remediate and when to delay remediation.
What’s more, some organizations end up wasting resources by remediating vulnerabilities that appear risky, but in fact have little chance of ever being exploited. In our analysis, a firm relying on EPSS would reduce false positive responses by 85%, allowing organizations to better allocate their security resources and budget.