The new machine learning (ML) based Exploit Prediction Scoring System (EPSS) can help overcome limitations of existing vulnerability tracking systems, according to a study by Rezilion.
According to Rezilion, leading vulnerability tracking systems such as the Common Vulnerability Scoring System (CVSS) and the catalog of Known Exploited Vulnerabilities (KEV) maintained by the US Cybersecurity and Infrastructure Security Agency (CISA) still fall short at effectively predicting the severity and exploitability of a vulnerability, leaving the need for a complete and accurate scoring system.
“Relying solely on a CVSS severity score to assess the risk of individual vulnerabilities has been shown to be equivalent to randomly selecting vulnerabilities for remediation,” said the study. “More context is needed in order to allow for a more scalable and effective prioritization strategy.”
Issues with CVSS and KEV
The study notes that CVSS is not scalable or effective and does not even reflect the actual risk. To support its claim, Rezilion said that more than 57% of the vulnerabilities currently listed in the US National Vulnerability Database (NVD) with CVSS V3 have a high or critical base score, while an average organization can only patch around 10% of the vulnerabilities in its environment each month.
In a recent survey conducted with Ponemon, Rezilion found large vulnerability backlogs and patching debt reported by most surveyed organizations.
Fewer than 5% of vulnerabilities will ever be exploited, and only a fraction of those vulnerabilities will be exploitable in the context of a given environment, it said, noting that zeroing in on the highly exploitable ones is most critical and CVSS fails at that.
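To make the prioritization argument concrete, here is an added example (not from Rezilion's study) that ranks a small, constructed inventory two ways, by CVSS base score alone and by KEV membership plus EPSS probability, and then measures how much of the likely-exploited set each strategy covers under a 10% monthly patch budget. All vulnerability ids, scores and probabilities are invented placeholders, and the "likely exploited" threshold (KEV-listed or EPSS >= 0.5) is an assumption for illustration.

```python
"""CVSS-only vs. EPSS/KEV-informed patch prioritization (illustrative example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str        # constructed placeholder id, not a real CVE
    cvss: float     # CVSS v3 base score, 0.0-10.0
    epss: float     # EPSS probability of exploitation activity in the next 30 days
    in_kev: bool    # listed in CISA's KEV catalog (confirmed exploitation)


# Constructed inventory: many "critical" CVSS scores, but only two entries
# show real signs of exploitation (one KEV-listed, one with a high EPSS).
INVENTORY = [
    Vuln("VULN-01", 9.8, 0.01, False), Vuln("VULN-02", 9.8, 0.03, False),
    Vuln("VULN-03", 9.1, 0.02, False), Vuln("VULN-04", 8.8, 0.05, False),
    Vuln("VULN-05", 8.1, 0.04, False), Vuln("VULN-06", 7.5, 0.91, True),
    Vuln("VULN-07", 7.2, 0.62, False), Vuln("VULN-08", 6.5, 0.01, False),
    Vuln("VULN-09", 5.3, 0.01, False), Vuln("VULN-10", 4.3, 0.02, False),
]


def cvss_only_order(vulns):
    """Severity-first ranking: the approach the study calls close to random."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def contextual_order(vulns):
    """KEV first (known exploited), then EPSS probability, CVSS as tie-breaker."""
    return sorted(vulns, key=lambda v: (v.in_kev, v.epss, v.cvss), reverse=True)


def patch_budget(vulns, fraction=0.10):
    """Slots available this cycle; 10% mirrors the study's monthly patch rate."""
    return max(1, int(len(vulns) * fraction))


def select_for_patching(vulns, strategy, fraction=0.10):
    """Ids chosen by a strategy within the patch budget."""
    return [v.vid for v in strategy(vulns)[:patch_budget(vulns, fraction)]]


def exploited_coverage(selected, vulns, epss_threshold=0.5):
    """Share of likely-exploited vulns (assumed: KEV or EPSS >= threshold) covered."""
    likely = {v.vid for v in vulns if v.in_kev or v.epss >= epss_threshold}
    return len(likely & set(selected)) / len(likely) if likely else 0.0
```

With one slot, the CVSS-only strategy spends it on VULN-01 (critical score, 1% exploitation probability) and covers none of the likely-exploited set, while the contextual strategy picks the KEV-listed VULN-06 first.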