EPSS Scoring: A Quick Guide for MSPs on Vulnerability Prioritization

How do you know which vulnerabilities pose the biggest threat to your SMB clients? As cyber threats continue to evolve and become more sophisticated, managed service providers (MSPs) must adapt to protect their clients and themselves. A key piece of the cybersecurity management puzzle is not only identifying but understanding the risk posed by various vulnerabilities.

Enter the Exploit Prediction Scoring System (EPSS), a dynamic framework that rates vulnerabilities based on certain factors to determine the probability of exploitation. ConnectSecure recently added support for EPSS to our comprehensive platform for vulnerability management, remediation, and compliance, giving our clients the ability to:

• Use the Exploitation Probability Score to prioritize among vulnerabilities
• Leverage the suggestive remedial time frame to scale remediation rather than trying to solve everything at once

How does EPSS work? And how can you and your clients benefit from using EPSS scoring? Here’s a quick overview.

Understanding EPSS Scoring

EPSS is a data-driven framework designed to predict the likelihood of a vulnerability being exploited in the wild. EPSS scoring assigns each vulnerability a score ranging from 0 to 100, with higher scores indicating a greater likelihood of exploitation in the next 30 days. This system allows you to prioritize the remediation of vulnerabilities based on their risk, ensuring that your resources are allocated effectively.

As FIRST (Forum of Incident Response and Security Teams) points out, only a small subset — 2%-7% — of published vulnerabilities are exploited. In other words, knowing which ones pose the greatest risk is crucial since the consequences of a breach can damage business reputations and cost millions of dollars. According to IBM, the average total cost of a data breach reached an all-time high in 2022, averaging $4.35 million.

EPSS scoring considers several factors, including:

1. Vulnerability age: Older vulnerabilities are more likely to have known exploits and are therefore assigned a higher score.
2. Vulnerability type: Certain types of vulnerabilities are more commonly exploited than others, and this is reflected in their EPSS score.
3. Vendor reputation: Vendors with a history of prompt and effective patch releases are assigned lower EPSS scores, as their vulnerabilities are less likely to be exploited.
4. Public exploit availability: Vulnerabilities with publicly available exploits receive a higher score, as they are more accessible to threat actors.

The Origins of EPSS

The EPSS was developed in response to the growing need for a more accurate and actionable vulnerability prioritization system. Traditional methods, such as the Common Vulnerability Scoring System (CVSS), provide valuable and important insight into the severity of vulnerabilities but can fall short when it comes to predicting the likelihood of exploitation.

Researchers from several organizations, including the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the CERT Coordination Center (CERT/CC), and the software engineering institute at Carnegie Mellon University, collaborated to create EPSS. Drawing on extensive historical vulnerability data, the team developed a machine learning model that can accurately predict the probability of a vulnerability being exploited within 12 months of its disclosure.  

Since the release in 2019, a dedicated Special Interest Group (SIG) at FIRST has been constructing a scalable computing infrastructure capable of handling and processing various data sources. As a result of the collaborative efforts with community partners and the contributions of EPSS SIG members, EPSS now gathers data from numerous sources on a daily basis.

Why EPSS Matters for Managed Service Providers

Small to midsize businesses are becoming increasingly aware of the cyber threats they face from malicious actors. Although many still remain in the dark, believing cyberattacks mostly concern larger enterprises, the raft of publicity on the topic is quickly pushing cybersecurity up the priority list.

Regardless of your clients’ knowledge level, EPSS offers an opportunity for you to show value by 1) pinpointing which vulnerabilities require urgent attention and 2) remediating the vulnerability with the help of ConnectSecure.

Some of the key benefits of leveraging EPSS as part of your cybersecurity practice include:

1. Improved prioritization: With potentially hundreds or thousands of vulnerabilities to manage across various clients, you need an effective way to prioritize remediation efforts. EPSS scores help you identify the most critical vulnerabilities, allowing them to focus their resources on the highest-risk issues first.
2. Better resource allocation: By understanding the likelihood of a vulnerability being exploited, you can make informed decisions about how to allocate their resources. This ensures that they can deliver the best possible security outcomes for their clients while maximizing the efficiency of their operations.
3. Enhanced client communication: EPSS scores provide a clear and objective way for MSPs like yours to communicate the risk posed by various vulnerabilities to their clients. This helps them understand the importance of timely patching and enables MSPs to demonstrate the value of their services more effectively.
4. Comprehensive risk management: Integrating EPSS scoring into your vulnerability management process helps to create a more comprehensive and proactive approach to risk management. By considering the likelihood of exploitation in addition to severity, MSPs can build more resilient defenses against cyber threats.

Summing up

The Exploit Prediction Scoring System (EPSS) offers a valuable tool for MSPs to improve their cybersecurity practices by prioritizing vulnerabilities based on their likelihood of exploitation. By incorporating EPSS into your vulnerability management processes, you can better allocate resources, enhance client communication, and develop a more comprehensive approach to risk management.

ConnectSecure is here to help you win more SMB deals by empowering you to flag and remediate vulnerabilities before they become breaches. Start leveraging ConnectSecure, featuring EPSS, today. Contact us to learn more or sign up for a free 14-day trial.

More good reads: 
Whitepaper: How to win business with cybersecurity assessments
5 ways vulnerability management can drive profits for MSPs
Understanding the big picture of cybersecurity starts with NIST