This open source ML model will help you predict vulnerability exploits


Managing vulnerabilities is notoriously difficult. Most organizations are tackling the threat landscape without a clear strategy for where to start patching and what needs to be prioritized, which sends them on an ineffective wild goose chase.

Research shows that organizations only have the capacity to fix 5-20% of the thousands of known vulnerabilities each month. Fortunately, only 2-5% of these vulnerabilities are exploited in the wild. This means that most organizations can address the riskiest vulnerabilities, provided you know which ones are risky, and preferably before the exploitation event.

A special interest group of security experts, of which I am a co-creator along with 38 other experts, has developed a free and open source tool called the Exploit Prediction Scoring System (EPSS) to solve this problem. We first presented EPSS at the Black Hat 2019 conference, and starting next week we will be adding real-time scoring of Common Vulnerabilities and Exposures (CVEs) as they are announced. So instead of waiting weeks to see whether a vulnerability is being exploited, this tool can serve as a forecast of a vulnerability's potential for exploitation.

This will allow users to gain instant insight without having to collect data on a CVE elsewhere. EPSS uses an open source, data-driven approach to quantify the risk of a particular vulnerability, so you know exactly which ones require the most urgent attention. The EPSS Special Interest Group will continue to improve this evolving model and add new data sources.

EPSS has produced risk scores for all 71,000 CVEs published since 2017 and can now help security teams predict the likelihood of a vulnerability being exploited within 12 months of public disclosure.

Let’s take a closer look at how EPSS works and how you can use it to better prioritize vulnerabilities as they arise.

How the scores are created

EPSS provides a model based on proprietary data from Fortinet, Kenna Security, ReversingLabs, Proofpoint, and AlienVault, as well as data from public sources and external commercial data providers. The most important data is that which identifies actual exploitation of vulnerabilities; this is crucial for the predictive model. If you would like to contribute to these datasets, contact our working group, which is constantly incorporating new sources.

Using public data such as MITRE's CVE list, the NIST National Vulnerability Database, CVSS scores, and Common Platform Enumeration (CPE) information, EPSS reads the descriptive text of each CVE and looks for common multi-word expressions. It also searches various repositories for exploit code. From there, it creates a list of 191 tags, encoded as binary features for each vulnerability.

Risk scores are calculated on the basis of 15 variables correlated with exploitation. Among the most important factors EPSS considers are the hardware or software vendor in whose product the vulnerability lives and the number of reference links for the vulnerability. The more noise there is at the start, the more likely it is that the vulnerability will end up being exploited. Common Platform Enumerations are not always available when a vulnerability is published, but as soon as they are, the EPSS scores are updated accordingly.

What the scores can tell you

Where EPSS is most useful is as a response to risk as it appears. It is simply not possible to patch 100% of all vulnerabilities that appear, nor would you want to spend time and resources patching vulnerabilities that pose no risk.

Ninety percent of organizations still rely on CVSS as an isolated threat intelligence tool. This is problematic: not only does the National Vulnerability Database rarely update CVSS scores, but CVSS only addresses the severity of a vulnerability and says nothing about the likelihood that a CVE will actually be exploited. Even if your organization has a threat intelligence team or feed, threat intelligence typically answers the question "of these vulnerabilities, which are currently being exploited?" EPSS has the distinct advantage of being predictive, so you can answer this question long before anyone asks it, and before any threat intelligence team sees the data.

A low EPSS score may tell a CIO that, even though similar vulnerabilities have turned into high-profile stories, this one is not likely to be exploited and therefore not worth the precious time and process slowdown that fixing it would cost. A high score, on the other hand, can raise a red flag and call for remediation before the next headline hits your business. At the very least, it is a quantitative way to make time-consuming investment decisions that are usually taken on a hunch.

Compared to a strategy of remediating every vulnerability with a CVSS score of 9 or higher, EPSS produces big efficiency gains. By examining coverage (the percentage of exploited vulnerabilities that were patched) and efficiency (the percentage of patched vulnerabilities that were actually exploited), research shows that companies currently focusing on CVSS scores of 9+ can patch the same number of exploited vulnerabilities while reducing their effort by 78% using EPSS instead.
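The coverage and efficiency metrics described above are simple to compute once you have a list of vulnerabilities with their scores and a later observation of which ones were exploited. The following is an added example, not code from the article or from the EPSS project: it compares a "CVSS 9+" remediation policy against an EPSS-threshold policy on a small constructed dataset (the CVE identifiers, scores, and exploitation outcomes are all made up for illustration), and it also finds how many vulnerabilities an EPSS-ranked policy must patch to reach the same coverage as the CVSS policy, which is the effort comparison the text refers to.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float       # CVSS base score (severity only)
    epss: float       # EPSS probability of exploitation within 12 months
    exploited: bool   # ground truth observed after the fact


# Constructed sample data (hypothetical CVE ids, scores and outcomes).
SAMPLE: List[Vuln] = [
    Vuln("CVE-0000-0001", 9.8, 0.92, True),
    Vuln("CVE-0000-0002", 9.1, 0.03, False),
    Vuln("CVE-0000-0003", 9.3, 0.05, False),
    Vuln("CVE-0000-0004", 10.0, 0.10, False),
    Vuln("CVE-0000-0005", 9.0, 0.88, True),
    Vuln("CVE-0000-0006", 7.5, 0.75, True),
    Vuln("CVE-0000-0007", 6.5, 0.01, False),
    Vuln("CVE-0000-0008", 5.3, 0.02, False),
    Vuln("CVE-0000-0009", 8.8, 0.04, False),
    Vuln("CVE-0000-0010", 7.2, 0.60, True),
    Vuln("CVE-0000-0011", 9.6, 0.02, False),
    Vuln("CVE-0000-0012", 4.3, 0.01, False),
    Vuln("CVE-0000-0013", 8.1, 0.55, False),  # EPSS false positive
]


def select_by_cvss(vulns: List[Vuln], threshold: float = 9.0) -> List[Vuln]:
    """Severity-only policy: patch everything at or above the CVSS threshold."""
    return [v for v in vulns if v.cvss >= threshold]


def select_by_epss(vulns: List[Vuln], threshold: float) -> List[Vuln]:
    """Likelihood policy: patch everything at or above the EPSS threshold."""
    return [v for v in vulns if v.epss >= threshold]


def coverage(selected: List[Vuln], population: List[Vuln]) -> float:
    """Share of all exploited vulnerabilities that the policy patched."""
    exploited = [v for v in population if v.exploited]
    if not exploited:
        return 0.0
    hit = [v for v in selected if v.exploited]
    return len(hit) / len(exploited)


def efficiency(selected: List[Vuln]) -> float:
    """Share of patched vulnerabilities that turned out to be exploited."""
    if not selected:
        return 0.0
    hit = [v for v in selected if v.exploited]
    return len(hit) / len(selected)


def effort_for_coverage(vulns: List[Vuln], target: float) -> int:
    """Patch vulnerabilities in descending EPSS order until coverage reaches
    the target; return how many had to be patched (the effort)."""
    ranked = sorted(vulns, key=lambda v: v.epss, reverse=True)
    chosen: List[Vuln] = []
    for v in ranked:
        chosen.append(v)
        if coverage(chosen, vulns) >= target:
            return len(chosen)
    return len(chosen)


def compare(vulns: List[Vuln], epss_threshold: float = 0.5) -> Dict[str, float]:
    """Summarize both policies and the effort reduction at equal coverage."""
    by_cvss = select_by_cvss(vulns)
    by_epss = select_by_epss(vulns, epss_threshold)
    cvss_cov = coverage(by_cvss, vulns)
    equal_cov_effort = effort_for_coverage(vulns, cvss_cov)
    return {
        "cvss_patched": len(by_cvss),
        "cvss_coverage": cvss_cov,
        "cvss_efficiency": efficiency(by_cvss),
        "epss_patched": len(by_epss),
        "epss_coverage": coverage(by_epss, vulns),
        "epss_efficiency": efficiency(by_epss),
        "effort_reduction_at_equal_coverage":
            1 - equal_cov_effort / len(by_cvss) if by_cvss else 0.0,
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE).items():
        print(f"{key}: {value:.2f}")
```

On the constructed sample, the CVSS 9+ policy patches six vulnerabilities but only catches half of the ones later exploited, while ranking by EPSS reaches that same coverage after patching two. The EPSS threshold of 0.5 is an assumption chosen for the example; in practice the threshold is a business decision that trades coverage against effort, and the thirteenth entry shows that a high EPSS score is a probability, not a guarantee.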

Most vulnerability management is done on weekly or monthly cycles, but vulnerabilities and attacks are tracked live, in real time. Having a more real-time resource like EPSS creates a forcing function that pushes the vulnerability management process to deal with everything closer to real time, which is just as valuable as the tool itself. When the CIO asks "What are we doing about this vulnerability?" you will have a real-time answer, instead of searching a vulnerability management tool or configuration management database (CMDB) that gives you data from a week-old ticket.

However, EPSS should not be a stand-alone prioritization method. It is designed as an early warning system for emerging vulnerabilities and does not help with paying down security debt or an existing backlog. You should also know exactly what the vulnerability exposes, how accessible those assets are to attackers, and the potential severity of an attack.

An important new tool

EPSS could level the playing field by encouraging more companies to take a risk-based approach to vulnerability management. It could also potentially fill a gap in public infrastructure, serving as a model for what the government should fund as an early warning system for both government agencies and private sector companies.

President Biden’s cybersecurity executive order focuses on sharing information and better tools to detect and respond to security threats. With more data than other tools, EPSS can support this mission with proactive alerts.

While there is no single optimal prioritization strategy, adding EPSS significantly saves resources and helps you more effectively remediate vulnerabilities that pose a risk to your organization.

EPSS has a getting started guide here, and new data and statistics are usually updated daily and can be viewed and downloaded here. We are always looking to add new perspectives and skills to EPSS members. To inquire about joining the group, email us at [email protected]

Michael Roytman is Chief Data Scientist at Kenna Security (now part of Cisco) and has spoken to RSA, BlackHat, SOURCE, Bsides, Metricon, Infosec Europe and SIRAcon. His work focuses on cybersecurity data science and Bayesian algorithms, and he has served on the boards of the Society of Information Risk Analysts and Cryptomove. He currently sits on the Forbes Technology Council and is a member of the board of directors of Social Capital. He holds a master’s degree in operations research from Georgia Tech and recently turned his home roasting business into a Chicago south side cafe, Sputnik Coffee.

