Understanding CVSS and EPSS: Your Key to Prioritising Cybersecurity Threats
As we saw in the timeline in our previous blog post, The Growing Threat of Vulnerabilities, many new developments have improved the information available to help us prioritise vulnerabilities.
Despite this progress, identifying the vulnerabilities that expose organisations to the most significant risk remains challenging. In an ideal world, we would remediate all vulnerabilities as soon as possible, but this is not feasible.
Many organisations will have compliance standards to adhere to, which will dictate their approach to vulnerability management. This will vary depending on the compliance standard in use. Some will require that you have a process for timely identification and remediation.
Others, like Cyber Essentials, will have very specific requirements. Cyber Essentials requires all high and critical security updates to be applied within 14 days. Any vulnerabilities with a CVSS Base Score of 7 or higher would be marked as failures on audit day.
Focusing on severity alone can leave you addressing a high volume of vulnerabilities with a low likelihood of exploitation and potentially missing that one lower severity vulnerability with a high likelihood of exploitation that unlocks an attack path into your organisation.
The point density in this chart is represented by colour: yellow is least dense, passing through red to a deep purple for the most dense areas. The highest density of vulnerabilities commonly falls below a 5% EPSS likelihood score.
A more balanced approach would be to map a vulnerability's CVSS Base Score against its associated EPSS score. Using these two data points, we can build a quadrant chart for prioritisation, as shown below.
This can be enhanced further by integrating the Known Exploited Vulnerabilities (KEV) catalogue produced by CISA, a data set that has also been integrated into the NIST NVD. This catalogue contains entries for every vulnerability known to be exploited in the wild, regardless of severity.
With all this in mind, we could adopt a prioritisation plan along the lines of the following:
- 1st Priority – CVEs found in CISA's KEV Catalogue.
- 2nd Priority – CVEs in the upper-right quadrant.
- 3rd Priority – CVEs in the lower-right quadrant.
- 4th Priority – CVEs in the upper-left quadrant.
- 5th Priority – CVEs in the lower-left quadrant.
This is just one example of how vulnerability remediation efforts can be prioritised.
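To make the plan above concrete, here is an added example (not code from the original post) that assigns each CVE a priority tier from its KEV status and its CVSS/EPSS quadrant, then orders a constructed sample list. It assumes CVSS on the vertical axis with the 7.0 "high" cut-off the post cites, and EPSS on the horizontal axis with an assumed 5% cut-off taken from the density description; the CVE identifiers and scores are constructed placeholders.

```python
from dataclasses import dataclass

# Assumed thresholds: 7.0 is the CVSS "high" cut-off the post cites from
# Cyber Essentials; 0.05 (5%) EPSS is an assumption, not prescribed by the post.
CVSS_HIGH = 7.0
EPSS_HIGH = 0.05

@dataclass
class Vuln:
    cve: str
    cvss: float     # CVSS Base Score, 0.0 to 10.0
    epss: float     # EPSS probability, 0.0 to 1.0
    in_kev: bool    # listed in CISA's KEV catalogue

    def __post_init__(self):
        # Reject out-of-range scores so a bad feed cannot silently mis-prioritise
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.cve}: CVSS {self.cvss} out of range")
        if not 0.0 <= self.epss <= 1.0:
            raise ValueError(f"{self.cve}: EPSS {self.epss} out of range")

def quadrant(v: Vuln) -> str:
    """Assumes CVSS is the vertical axis and EPSS the horizontal axis."""
    vert = "upper" if v.cvss >= CVSS_HIGH else "lower"
    horiz = "right" if v.epss >= EPSS_HIGH else "left"
    return f"{vert}-{horiz}"

# Tier per quadrant, following the post's 2nd to 5th priorities
QUADRANT_PRIORITY = {"upper-right": 2, "lower-right": 3, "upper-left": 4, "lower-left": 5}

def priority(v: Vuln) -> int:
    """KEV entries are always tier 1, regardless of severity or EPSS."""
    return 1 if v.in_kev else QUADRANT_PRIORITY[quadrant(v)]

def prioritise(vulns):
    # Within a tier, most likely to be exploited first, then most severe
    return sorted(vulns, key=lambda v: (priority(v), -v.epss, -v.cvss))

# Constructed sample input: placeholder CVE ids and illustrative scores
SAMPLE = [
    Vuln("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False),  # upper-left
    Vuln("CVE-0000-0002", cvss=5.3, epss=0.40, in_kev=False),  # lower-right
    Vuln("CVE-0000-0003", cvss=7.5, epss=0.90, in_kev=True),   # KEV: tier 1
    Vuln("CVE-0000-0004", cvss=8.1, epss=0.30, in_kev=False),  # upper-right
    Vuln("CVE-0000-0005", cvss=4.0, epss=0.01, in_kev=False),  # lower-left
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        print(priority(v), quadrant(v), v.cve, v.cvss, v.epss)
```

Note that the lower-right CVE (medium severity, high EPSS) lands ahead of the upper-left one (critical severity, low EPSS), which is exactly the case a severity-only approach would get backwards.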
Compliance will be crucial in guiding organisations, but the approach must also fit the business and the resources available to perform remediation actions. When resources are limited, organisations can look at other tools to help refine the focus further.
Stay tuned for the next blog, where we’ll dive into the advent of Cyber Threat Exposure Management (CTEM) and its impact on prioritising vulnerabilities.
Struggling to prioritise vulnerabilities in your organisation?
We can help!
Click below to contact us and learn how to implement a balanced vulnerability management approach, ensuring your most critical threats are prioritised and mitigated first.