20. February 2025

Why CVSS is not enough

The importance of EPSS and percentiles in risk assessment
Christine Öller

Are you sure that you are prioritising the right vulnerabilities?

Many companies rely on the CVSS score to assess IT security vulnerabilities. This is a common and sensible practice, as the CVSS score provides an initial assessment of the technical severity of a vulnerability.

But what if this is not meaningful enough? The CVSS alone says nothing about how likely a vulnerability really is to be exploited. As a result, there is a danger of wasting valuable resources on theoretical risks while actually critical vulnerabilities go unnoticed.

This is where EPSS and percentiles come into play: they help to prioritize vulnerabilities according to their real threat level. In this blog, you will learn why these factors are crucial and how you can use them to optimize your cyber risk management.

CVSS (Common Vulnerability Scoring System)

A rating system for assessing the technical severity of a vulnerability from 0 to 10, but without taking into account the actual probability of an attack.

EPSS (Exploit Prediction Scoring System)

A data-driven model that calculates the probability of a vulnerability being exploited in the next 30 days.

Percentiles

A statistical measure that places a vulnerability relative to all others. A percentile of 0.84 means that the vulnerability is more likely to be exploited than 84% of all others (its EPSS score is higher than theirs) – it is therefore a kind of “ranking” for better assessment.

An example from the field

Let's compare two vulnerabilities in a real scenario:

CVE-2019-17531:
  • CVSS 9.0 (critical)
  • Exploitation probability of only 0.8 % (EPSS value 0.008).

CVE-2021-45105:
  • CVSS 5.9 (moderate)
  • Exploitation probability of 80 % (EPSS value 0.8).
  • Percentile of 0.99: it is among the 1 % most frequently exploited vulnerabilities.

Those who only look at the CVSS score would focus on fixing the critical vulnerability first, while neglecting the potentially high risk posed by the moderate vulnerability.

What do “percentiles” mean in risk assessment?

The percentile shows how a vulnerability is classified in comparison to others – de facto a kind of “ranking” for quicker assessment:

  • Percentile of 0.84 = this vulnerability is more dangerous than 84% of all other vulnerabilities.
  • Percentile of 0.99999 = this vulnerability belongs to the 0.001% most dangerous vulnerabilities – an absolute high risk!

This helps companies to identify the most critical threats and target their resources.

Challenges in prioritization

💡 Incorrectly prioritized CVEs cost time and money through measures taken for irrelevant vulnerabilities.
  • False positive: a vulnerability is incorrectly classified as critical, even though it does not pose a major risk in practice. = Cost trap

💡 Incorrectly postponed CVEs are an unnoticed danger for the company.
  • False negative: an actually dangerous vulnerability is overlooked or classified as harmless. = Security gap
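The following is an added worked example, not code from the original post or from SEQiFY. It ranks a small set of CVEs by EPSS first (with CVSS as tie-breaker), derives a percentile from the EPSS values of that set, and labels the two mismatch cases described above (high CVSS but low EPSS = cost trap, moderate CVSS but high EPSS = security gap). The two CVEs from the post carry the CVSS and EPSS values quoted there; every other row, and the thresholds in `triage_label`, are constructed assumptions for this example. Real EPSS percentiles are computed by FIRST over the whole CVE population, so the percentiles produced here differ from the official ones.

```python
"""Prioritise CVEs by combining CVSS, EPSS and an EPSS percentile.

Added example; not code from the original post or from SEQiFY.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Vuln:
    cve: str
    cvss: float   # technical severity, 0-10
    epss: float   # probability of exploitation within the next 30 days, 0-1


# Constructed population. The first two rows mirror the blog post's example;
# the CVE-EXAMPLE-* rows are made up so the percentile has something to compare
# against. They are not real CVE identifiers.
POPULATION: List[Vuln] = [
    Vuln("CVE-2019-17531", 9.0, 0.008),
    Vuln("CVE-2021-45105", 5.9, 0.8),
    Vuln("CVE-EXAMPLE-0001", 7.5, 0.001),   # constructed
    Vuln("CVE-EXAMPLE-0002", 4.3, 0.002),   # constructed
    Vuln("CVE-EXAMPLE-0003", 9.8, 0.05),    # constructed
    Vuln("CVE-EXAMPLE-0004", 6.1, 0.3),     # constructed
    Vuln("CVE-EXAMPLE-0005", 3.1, 0.0005),  # constructed
    Vuln("CVE-EXAMPLE-0006", 8.8, 0.02),    # constructed
    Vuln("CVE-EXAMPLE-0007", 5.3, 0.004),   # constructed
    Vuln("CVE-EXAMPLE-0008", 7.2, 0.95),    # constructed
]


def epss_percentile(epss: float, population: List[Vuln]) -> float:
    """Share of the population whose EPSS is at or below the given value.

    Read the way the post reads it: 0.9 means the EPSS is at least as high
    as that of 90% of the scored vulnerabilities.
    """
    at_or_below = sum(1 for v in population if v.epss <= epss)
    return at_or_below / len(population)


def cvss_only_rank(population: List[Vuln]) -> List[str]:
    """The order a CVSS-only process would work through (highest CVSS first)."""
    return [v.cve for v in sorted(population, key=lambda v: v.cvss, reverse=True)]


def prioritise(population: List[Vuln]) -> List[Dict]:
    """Rank by EPSS (likelihood) first and CVSS (severity) as tie-breaker."""
    rows = [
        {
            "cve": v.cve,
            "cvss": v.cvss,
            "epss": v.epss,
            "percentile": epss_percentile(v.epss, population),
        }
        for v in population
    ]
    rows.sort(key=lambda r: (r["epss"], r["cvss"]), reverse=True)
    return rows


def triage_label(cvss: float, epss: float,
                 high_cvss: float = 7.0, high_epss: float = 0.1) -> str:
    """Label the two mismatch cases the post warns about.

    The thresholds are assumptions chosen for this example, not values
    from the post; tune them to your own risk appetite.
    """
    if cvss >= high_cvss and epss < high_epss:
        return "cost trap (CVSS-only would over-prioritise)"
    if cvss < high_cvss and epss >= high_epss:
        return "security gap (CVSS-only would under-prioritise)"
    if cvss >= high_cvss and epss >= high_epss:
        return "fix first"
    return "monitor"


if __name__ == "__main__":
    print("CVSS-only order:", cvss_only_rank(POPULATION)[:3])
    for r in prioritise(POPULATION):
        print(f'{r["cve"]:18} CVSS {r["cvss"]:4.1f}  EPSS {r["epss"]:.4f}  '
              f'pct {r["percentile"]:.2f}  {triage_label(r["cvss"], r["epss"])}')
```

Run as a script, the CVSS-only order puts CVE-2019-17531 near the top, while the EPSS-first order moves CVE-2021-45105 ahead of it and labels the two cases as "cost trap" and "security gap" respectively.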

Intelligent risk assessment with SEQiFY

Why the combination of CVSS, EPSS and percentiles is crucial

CVSS assesses the theoretical severity of a vulnerability, but not the real-world likelihood that it will be exploited. Only when combined with EPSS and percentiles do companies get a realistic picture of which vulnerabilities they should really prioritize.

In the Cyber Risk Management Platform, you benefit from the advantages of intelligent risk assessment:

  • Targeted prioritization: fix vulnerabilities with a high probability of attack first.
  • Efficient use of resources: Save time and costs by avoiding unnecessary fixes.
  • Better protection: Detect and close really dangerous vulnerabilities in good time.


The fastest way to a free preview: Book your personal demo appointment and get free access to SEQiFY in the trial!
