High Level Statement (TL;DR)
There is a new vulnerability analysis scoring system that can be used to help prioritize vulnerability remediation. However, on its own it isn't going to improve the effectiveness of your vulnerability management program.
Many cybersecurity vulnerability management programs aren't effective because they don't focus on identifying how the vulnerability was not addressed through existing IT patch or configuration management processes.
CVSS and newer vulnerability scoring systems like EPSS focus on the "exploitability" of a vulnerability. Programs built around these scores will rarely get ahead of "whack-a-mole" remediation efforts (unless an organization diverts many of its people to remediation). Sadly, even if an organization were to address the majority of issues identified by a vulnerability scanner (like Tenable, Rapid7, Qualys), within 3 months the environment will be back in the same place, because the process gap that let those issues accumulate was never closed.
What is a CVE?
CVE stands for "Common Vulnerabilities and Exposures." It is a system used to identify and provide a standardized reference for publicly known information security vulnerabilities and exposures. The primary purpose of the CVE system is to assist in the coordination and sharing of data about security vulnerabilities between organizations, security researchers, and software vendors.
What is a CVSS?
CVSS stands for the "Common Vulnerability Scoring System." It is a standardized system used to assess and rate the severity of security vulnerabilities in software and systems.
The CVSS score is typically represented as a number from 0.0 to 10.0, where 10.0 represents the most critical and severe vulnerability. The scores are divided into three severity levels:
Low (0.0 to 3.9): Minor vulnerabilities with limited impact.
Medium (4.0 to 6.9): Moderate vulnerabilities that may cause significant issues.
High (7.0 to 10.0): Critical vulnerabilities with severe consequences and high urgency for mitigation.
What is an EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.
EPSS seeks to improve vulnerability prioritization by estimating the likelihood that a vulnerability will be exploited. The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that the vulnerability will be exploited in the next 30 days.
Flaws in Focusing on EPSS, CVSS, or CVEs as a way to prioritize remediation actions
Severities for vulnerabilities can change over time, which can cause a significant change in remediation priorities.
Focusing only on exploitable vulnerabilities can create blind spots.
Analysis is performed only on the "criticality" of the vulnerability, not on the organizational context or the gap in control that allowed it to persist.
None of these scores provide an understanding of the level of effort needed to resolve a vulnerability.
Which model does New Genesis Solutions use?
While these scoring systems are interesting, New Genesis Solutions focuses instead on mapping vulnerabilities to the average level of effort needed to remediate them and to the IT control that needs to be improved to ensure automated tools continue to apply needed updates.
There are a variety of customizations that we apply within each client environment; below is one of the ways in which we prioritize vulnerabilities based on level of effort.
Patching gaps for Windows OS updates
Patching gaps for Linux OS updates
Patching gaps for application updates
Patching gaps for infrastructure/network firmware updates
Configuration hardening gaps for Windows systems
Configuration hardening gaps for Linux systems
Configuration hardening gaps for infrastructure/network systems
Updates to System Architecture
Using this method, New Genesis Solutions has helped our clients significantly reduce the amount of technology vulnerabilities within their organizations (so much so that we've had to change how we report on vulnerabilities since systems started having zero vulnerabilities during our analysis).
I ran across a new vulnerability scoring system called EPSS (https://www.first.org/epss/model) that might be a replacement for CVSS. I can definitely see the allure of it since it's always difficult for organizations to remediate vulnerabilities in a time-effective manner. Meaning, within IT teams, there is an ever-increasing number of initiatives and activities that IT teams need to support. So, because time is limited, the EPSS prioritizes vulnerabilities that have the highest ability to cause a negative impact.
I love the idea. In fact, even NGS uses a prioritization filter to identify vulnerabilities that have an exploit available. However, the problem is that EPSS has the same problem as the CVSS. They don't have the ability to take the organizational systems into context.
Example: If you have two vulnerabilities, which would you try to solve first?
Windows Server 2008 with 3 vulnerabilities that have critical CVEs (CVSS score of 10, EPSS score of 76). However, the system is in a protected VLAN and NOT accessible from the Internet.
Cisco Firewall that has 2 vulnerabilities (1 firmware update, 1 configuration change) that are High-to-Medium CVEs (CVSS score of 6.5, EPSS score of 20). This device is the border firewall that also supports the organization's VPN.
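As an added illustration (not New Genesis Solutions' tooling), the Python sketch below ranks the findings from the example above two ways: by CVSS/EPSS alone, and by Internet exposure, remediation effort and the control gap behind each finding. Asset names, per-finding titles and effort hours are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    cvss: float            # CVSS base score, 0.0 - 10.0
    epss: float            # EPSS probability of exploitation in the next 30 days, 0.0 - 1.0
    internet_exposed: bool
    control_gap: str       # the IT process that failed to apply the fix (categories from the post)
    effort_hours: float    # assumed average remediation effort (constructed value)


# Constructed sample modelled on the two systems in the example; effort hours are assumptions.
WIN_GAP = "Patching gaps for Windows OS updates"
FW_GAP = "Patching gaps for infrastructure/network firmware updates"
FW_CFG_GAP = "Configuration hardening gaps for infrastructure/network systems"
FINDINGS = [
    Finding("win2008-app01", "Win2008 CVE #1 (constructed)", 10.0, 0.76, False, WIN_GAP, 40.0),
    Finding("win2008-app01", "Win2008 CVE #2 (constructed)", 10.0, 0.76, False, WIN_GAP, 40.0),
    Finding("win2008-app01", "Win2008 CVE #3 (constructed)", 10.0, 0.76, False, WIN_GAP, 40.0),
    Finding("fw-border01", "Cisco firmware update (constructed)", 6.5, 0.20, True, FW_GAP, 4.0),
    Finding("fw-border01", "Cisco configuration change (constructed)", 6.5, 0.20, True, FW_CFG_GAP, 1.0),
]


def rank_by_score(findings):
    """Pure CVSS/EPSS ordering: highest severity and exploit probability first."""
    return sorted(findings, key=lambda f: (f.cvss, f.epss), reverse=True)


def rank_by_context(findings):
    """Context-aware ordering: Internet-exposed assets first, then the cheapest fixes
    first so the process gap behind them is closed quickly; scores only break ties."""
    return sorted(findings, key=lambda f: (not f.internet_exposed, f.effort_hours, -f.cvss, -f.epss))


def control_gap_summary(findings):
    """Count findings per control gap: the backlog expressed as process fixes, not as CVEs."""
    return Counter(f.control_gap for f in findings)


if __name__ == "__main__":
    print("score order:  ", [f.title for f in rank_by_score(FINDINGS)])
    print("context order:", [f.title for f in rank_by_context(FINDINGS)])
    print(control_gap_summary(FINDINGS))
```

With the constructed data the score-only ordering starts with the isolated Windows server, while the context-aware ordering starts with the border firewall's configuration change, and the gap summary shows that three of the five findings trace back to a single Windows patching process.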
2023 - EPSS SIG - Enhancing Vulnerability Prioritization