According to new research conducted by Cyentia and FIRST, the number of published vulnerabilities (CVEs) grows every year, which makes it increasingly important to predict which vulnerabilities actually need the attention of vulnerability management teams. The study found that the Exploit Prediction Scoring System (EPSS) is an effective tool for this prioritization.
The research analyzed the timing, prevalence, and volume of exploitation activity, and also collected and reviewed feedback on how EPSS performs in practice. The report provides data and analysis for the growing community of enterprise users and security products that rely on EPSS.
Key research findings include:
- Share of exploited vulnerabilities: Nearly 250,000 CVEs have been published to date, and the number has grown by 16% over the past 7 years. Tracking and forecasting which vulnerabilities are exploited becomes essential for prioritization, since approximately 6% of all published CVEs have seen exploitation.
- Patterns of exploitation activity: There is no single pattern of exploitation activity. Some vulnerabilities see sporadic attacks, while others are targeted regularly on weekdays, or even daily or weekly, with peaks at specific times. The intensity and duration of exploitation vary widely, which is why these factors matter when prioritizing.
- Prevalence of exploitation across organizations: Analysis of data from over 100,000 organizations worldwide showed that attempts to exploit any specific vulnerability are rare. Fewer than 5% of vulnerabilities are targeted in more than 10% of organizations, dispelling the notion that evidence of exploitation implies widespread prevalence.
EPSS’s effectiveness in predicting exploitation:
EPSS estimates the likelihood that a software vulnerability will be exploited in the wild. It scores every known CVE daily, producing a probability of exploitation for each.
The study demonstrated that the predictive capabilities of EPSS improve with each version. Key metrics used to evaluate effectiveness include:
- Coverage: How complete the prioritization is, measured as the percentage of all known exploited vulnerabilities that were correctly assigned priority.
- Efficiency: How accurate the prioritization is, measured as the percentage of vulnerabilities selected for remediation that were actually exploited.
- Effort: The overall workload the prioritization creates, measured as the percentage of all vulnerabilities that were assigned priority.
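The three metrics are easy to compute for any prioritization rule once you know which vulnerabilities were actually exploited. The following is an added example, not code or data from the Cyentia/FIRST report: it scores the rule "prioritize everything with an EPSS score at or above a threshold" against a small constructed sample with placeholder identifiers, so the coverage/efficiency/effort trade-off can be seen as the threshold moves.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str          # placeholder identifier, not a real CVE number
    epss: float       # EPSS probability of exploitation, in [0, 1]
    exploited: bool   # ground truth: exploitation activity was observed


# Constructed sample for illustration only (not study data).
SAMPLE = [
    Vuln("placeholder-01", 0.970, True),
    Vuln("placeholder-02", 0.850, False),
    Vuln("placeholder-03", 0.620, True),
    Vuln("placeholder-04", 0.400, False),
    Vuln("placeholder-05", 0.120, False),
    Vuln("placeholder-06", 0.050, True),   # exploited despite a low score
    Vuln("placeholder-07", 0.020, False),
    Vuln("placeholder-08", 0.010, False),
    Vuln("placeholder-09", 0.004, False),
    Vuln("placeholder-10", 0.001, False),
]


def score_strategy(vulns, threshold):
    """Coverage, efficiency and effort of 'prioritize if epss >= threshold'."""
    prioritized = [v for v in vulns if v.epss >= threshold]
    exploited = [v for v in vulns if v.exploited]
    tp = sum(1 for v in prioritized if v.exploited)   # true positives
    coverage = tp / len(exploited) if exploited else 0.0        # TP / (TP + FN)
    efficiency = tp / len(prioritized) if prioritized else 0.0  # TP / (TP + FP)
    effort = len(prioritized) / len(vulns)                      # (TP + FP) / all
    return {"threshold": threshold, "coverage": coverage,
            "efficiency": efficiency, "effort": effort}


def sweep(vulns, thresholds):
    """Score several thresholds so the trade-off can be compared side by side."""
    return [score_strategy(vulns, t) for t in thresholds]


if __name__ == "__main__":
    for row in sweep(SAMPLE, [0.5, 0.1, 0.05]):
        print("threshold {threshold:.2f}: coverage {coverage:.2f}, "
              "efficiency {efficiency:.2f}, effort {effort:.2f}".format(**row))
```

Lowering the threshold raises coverage (the low-scoring exploited item is finally caught) but pays for it with lower efficiency and higher effort, which is exactly the balance the report asks teams to weigh.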