
Risk Management & EPSS Input

Bill Jones
July 30, 2024
5 min read

How many times have you generated a CSV file filled with thousands of rows of flagged vulnerabilities from your discovery session and let out a sigh? Furthermore, how often do you get pushback because the number of vulnerabilities seems impossible to conquer? If you have let out a sigh of “OH MY GOSH” or received a CSV file filled with hundreds or thousands of vulnerabilities, this blog post is for you!

We often face a lot of noise in our discovery process when identifying and triaging new vulnerabilities. At Softrams, we’re reluctant to have a standardized method for managing these issues that also eliminates noise by using feedback loops and inputs from various data sources to determine how likely a risk is to be realized. But what happens if you’re part of a team and don’t have a mature risk management model developed yet? Is there hope for you? Can the process be simplified by introducing a single element?

My aim is for you to take a single element away from this blog post that enhances your operational capacity and lets you begin triaging for risk over noise. Let’s dive right in and look at Risk Management and EPSS input.

Risk Management Woes

When others ask me about risk management within our programs, the follow-up is typically, “Do we have metrics?” Well, certainly! We do have data, lots of data! If you’re reading this blog post and working within cybersecurity, you also have a plethora of vulnerability data. However, there is one distinguishing difference between having data and having data with feedback. Let’s frame a few questions fellow team members will likely ask you if you manage risks within a program as a security engineer.

  • How well are we triaging risks?
  • What are our current risks?
  • How are we projecting risk going into the future?
  • How effective were our mitigations over the last two sprint cycles?
  • Where can we improve our mitigation strategies?

The above questions certainly aren’t a comprehensive list, but out of the many questions asked, these are probably the top five essential questions to consider. Let’s examine the above questions further, outline problems, and pose solutions to help kick-start your EPSS journey toward a proper risk mitigation decision-making process.

Before going any further, I want to point out that the below section is from a very antagonistic perspective, with the assumption that triage is often performed poorly by some engineers and that the answers to the questions posed as responses from a security engineer are also poorly given. However, this is to showcase a raw behind-the-scenes look into cybersecurity that is often left out of discussions because it is painful to explore or admit.

  1. How well are we triaging risks? If you’re generating a CSV file filled with hundreds or thousands of vulnerabilities from various scanning tools and delivering it as is for other teams to remediate, then the answer to this question is: Not very well. You could be triaging risks by labels such as Critical, High, Medium, and Low and still be performing poorly.
  2. What are our current risks? If you’ve already delivered vulnerabilities without triage, your answer to this question is: Not very well.
  3. How are we projecting risk going into the future? Odds are, if you answered the first two as above, “not very well” turns into “I don’t know.”
  4. How effective were our mitigations over the last two sprint cycles? You may read or hear something along these lines: “We were able to resolve 72% of the vulnerabilities reported; however, we missed a few that became exploited in the wild, and therefore our mitigation efforts were poorly performed.”
  5. Where can we improve our mitigation strategies? Well, yes, we can certainly do better. However, with that antagonistic view in full effect: “We will tweak our tooling to reduce noise and to address vulnerabilities that matter.” This response would be typical because we’re giving an improvement and a focal point to address issues that matter the most.

Let’s recap on the issues presented:

  • Risk is not managed effectively by engineers because of the lack of input.
  • The odds feel overwhelming: a mountain of vulnerabilities that seems impossible to tackle.
  • Stress levels across teams are likely very high.
  • The engineer shows uncertainty about the overall risk and lacks confidence.
  • Uncertainty of a future state.
  • Insufficient feedback loop.

Exploit Prediction Scoring System

Welcome the Exploit Prediction Scoring System (EPSS) input into the triage process. EPSS is a data-driven effort that estimates the likelihood or, in security-minded terms, the probability of a threat being realized and impacting the system, an attempt to measure the actual risk faced. Armed with this scoring mechanic, you can triage actual risk more effectively but not perfectly! Keep this in mind: While this is a probability of an exploit occurring, it isn’t always accurate. This inaccuracy is where feedback loops are essential and why I asked questions in the previous section. Let’s tackle the same questions but add EPSS as input into our risk-based determination while triaging discovered vulnerabilities. Note: Anyone who loves math must ignore the percentages and numbers listed as they’re fictitious, but they might drive you crazy if you’re calculating in your head.

  1. How well are we triaging risks? We’ve implemented EPSS and have reduced the number of reported vulnerabilities by 52% based on the likelihood of risk. This EPSS score is the probability that the system will realize the vulnerability because attackers will likely exploit it soon. Our posture has shifted to reducing noise by assigning actual risk values to vulnerabilities.
  2. What are our current risks? Our report indicates we have 78 vulnerabilities likely to be exploited soon by attackers, and our efforts will primarily focus on remediating this sub-group of overall discovered vulnerabilities.
  3. How are we projecting risk going into the future? We’ve indicated over the last two reporting periods, we’ve had an increase of 3.7% in newly discovered risks with a high likelihood of being exploited.
  4. How effective were our mitigations over the last two sprint cycles? We were able to remediate 100% of the targeted vulnerabilities. We were also able to inject 17 newly discovered vulnerabilities during the current sprint due to the high likelihood of exploitation occurring before the next sprint cycle.
  5. Where can we improve our mitigation strategies? We’ve looked at the feedback from our cross-team support and performance metrics to determine our current capacity to perform remediations has decreased. We will re-evaluate our scoring system to determine if we can reduce additional findings based on historical data. Some reported issues never became true exploits, so time was wasted remediating them.
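The triage step described above, and the re-evaluation of the score threshold against historical outcomes in the last answer, can be made concrete in a few dozen lines. The following is an added example, not Softrams’ tooling or anything from the post: it joins a scanner export with EPSS scores, keeps only findings whose exploitation probability meets a threshold (unscored Critical findings are held for manual review rather than dropped, since “no score” is not “low probability”), reports how much noise was removed, and then closes the feedback loop by scoring last period’s prioritization against what was actually exploited and picking a better threshold for the next period. Every CVE id, asset name, EPSS value and “observed exploited” outcome below is constructed; the CSV column names and the `EPSS_SCORES` dictionary are assumptions standing in for a real scanner and the FIRST EPSS feed.

```python
"""Added example (not Softrams' or the post author's tooling): EPSS-driven triage of a
scanner export plus the feedback-loop metrics the post's five questions ask for.
All CVE ids, assets, EPSS scores and "observed exploited" outcomes are constructed."""
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed scanner export; column names are an assumption, not a real tool's format.
SCAN_CSV = """cve,asset,severity
CVE-2024-0001,web-01,Critical
CVE-2024-0002,web-01,High
CVE-2024-0003,web-02,High
CVE-2024-0004,db-01,Critical
CVE-2024-0005,db-01,Medium
CVE-2024-0006,app-03,Low
CVE-2024-0007,app-03,Medium
CVE-2024-0008,web-02,High
CVE-2024-0009,app-04,Critical
CVE-2024-0010,app-04,Low
CVE-2024-0011,app-05,Critical
"""

# Constructed EPSS scores (probability of exploitation in the next 30 days, 0..1).
# In practice these come from the FIRST EPSS data feed; CVE-2024-0011 is deliberately
# absent to exercise the missing-score edge case.
EPSS_SCORES = {
    "CVE-2024-0001": 0.92, "CVE-2024-0002": 0.45, "CVE-2024-0003": 0.03,
    "CVE-2024-0004": 0.01, "CVE-2024-0005": 0.17, "CVE-2024-0006": 0.002,
    "CVE-2024-0007": 0.004, "CVE-2024-0008": 0.08, "CVE-2024-0009": 0.30,
    "CVE-2024-0010": 0.001,
}

# Constructed feedback: CVEs later observed exploited (what a threat-intel or
# incident-response feedback loop would report back after the sprint).
OBSERVED_EXPLOITED = {"CVE-2024-0001", "CVE-2024-0002", "CVE-2024-0008", "CVE-2024-0009"}


@dataclass
class Finding:
    cve: str
    asset: str
    severity: str
    epss: Optional[float]  # None when no EPSS score is published for the CVE


def load_findings(csv_text: str, scores: dict) -> list:
    """Join each scanner row with its EPSS score (None if the CVE is not scored)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [Finding(r["cve"], r["asset"], r["severity"], scores.get(r["cve"])) for r in reader]


def triage(findings: list, threshold: float) -> list:
    """Keep findings whose exploitation probability meets the threshold.

    A finding with no EPSS score cannot be called low-probability, so unscored
    Critical findings are kept for manual review rather than silently dropped."""
    kept = []
    for f in findings:
        if f.epss is None:
            if f.severity == "Critical":
                kept.append(f)
        elif f.epss >= threshold:
            kept.append(f)
    return kept


def noise_reduction(findings: list, kept: list) -> float:
    """Fraction of the original export removed from the remediation queue."""
    return round(1 - len(kept) / len(findings), 3)


def evaluate(findings: list, kept: list, exploited: set) -> dict:
    """Feedback-loop metrics: precision (effort not wasted) and recall (nothing missed)."""
    kept_ids = {f.cve for f in kept}
    hits = kept_ids & exploited
    precision = len(hits) / len(kept_ids) if kept_ids else 0.0
    recall = len(hits) / len(exploited) if exploited else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    missed = sorted(exploited - kept_ids)  # exploited, but never prioritized by us
    wasted = sorted(kept_ids - exploited)  # remediated, but never exploited
    return {"precision": round(precision, 3), "recall": round(recall, 3),
            "f1": round(f1, 3), "missed": missed, "wasted": wasted}


def tune_threshold(findings: list, exploited: set, candidates: tuple) -> float:
    """Pick the candidate threshold with the best F1 on last period's outcomes."""
    return max(candidates, key=lambda t: evaluate(findings, triage(findings, t), exploited)["f1"])


if __name__ == "__main__":
    findings = load_findings(SCAN_CSV, EPSS_SCORES)
    kept = triage(findings, threshold=0.1)
    print(f"{len(findings)} findings -> {len(kept)} prioritized "
          f"({noise_reduction(findings, kept):.0%} noise removed)")
    for f in kept:
        print(f"  {f.cve} on {f.asset}: EPSS={f.epss} severity={f.severity}")
    print("feedback:", evaluate(findings, kept, OBSERVED_EXPLOITED))
    print("next-period threshold:",
          tune_threshold(findings, OBSERVED_EXPLOITED, (0.01, 0.05, 0.1, 0.2, 0.5)))
```

With the constructed data, a 0.1 threshold cuts 11 findings to 5, but the feedback shows one exploited CVE (EPSS 0.08) was missed and two prioritized ones were never exploited; re-scoring against those outcomes selects 0.05 for the next period. The `missed` and `wasted` lists are the two answers the post’s fourth and fifth questions are really asking for.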

EPSS scoring has allowed us to achieve clear, result-driven responses. Granted, EPSS has helped; plenty of other resources on risk mitigation and data-driven security are out there, and I encourage you to check them out. I’ll leave one of my other favorites in the Resources section below for you to explore further regarding security metrics.

Let’s recap on what difference is presented by adding EPSS input:

  • Clearly defined risks are managed and reported on by engineers.
  • Engineers perform effective triage to focus on actual risks.
  • Stress levels are lower, and engineers show more confidence across all teams.
  • Understanding current risks and being able to project future likelihood of new risks.
  • The feedback loop is visible, and cross-team communication is occurring to assist in refining the mitigation processes.

Improve Over Time

Here are the most important things I would like you to take away from reading this blog post. First, feedback loops are critical to understanding where engineers can improve reporting and remediating efforts. Second, adding EPSS will undoubtedly reduce the noise and better evaluate potential risk immediately, allowing teams to focus on what matters and reducing the noise levels from false positives. Lastly, reducing the volume of perceived work and effectively triaging risk will reduce stress across teams and improve the overall security posture of the system while reducing true risk.

Resources
