Discussing EPSS Vulnerability Scoring with Asaf Atzmon

In this session of “Meet the Expert,” Rafi Spiewak hosts Asaf Atzmon, Chief Product Officer at Cybellum, to explore the complex world of cybersecurity vulnerabilities through the Exploit Prediction Scoring System (EPSS). They dissect the EPSS framework, contrasting it with traditional vulnerability assessment tools like CVSS and CISA’s KEV, to provide a nuanced understanding of its role in predicting exploit likelihood. The conversation illuminates the dynamic nature of EPSS, its integration with existing security strategies, and its practical implications for product security teams facing the ever-evolving landscape of cyber threats.

—–

Rafi Spiewak: Hey everyone, welcome to Meet the Expert. Today I’m here with Asaf Atzmon, Chief Product Officer here at Cybellum. And Asaf, we’re going to be talking about a new way to understand vulnerabilities through EPSS. Is that correct? 

Asaf Atzmon: He’s right.

Rafi: All right. I don’t know much about it, so I’m really looking forward to this conversation. So I’m just going to dive in with some questions. The idea here is that we keep it quick and let’s go. My first one, obvious. 

What is EPSS? 

Asaf: Yes. So it’s actually fairly new. EPSS stands for Exploit Prediction Scoring System.

It’s an initiative by the FIRST organization. And EPSS actually uses a data-driven machine learning model to score the likelihood that a certain vulnerability, or more specifically a certain CVE, will be exploited in the wild. And that scoring runs from zero, which means no probability.

You shouldn’t be worried right now about the exploitability, to one, which is 100% probably already has been exploited. And maybe most importantly is that this scoring is dynamic. It’s being updated on a daily basis. So a vulnerability that, you know, one day was very low on its EPSS scoring, if something happens in the wild, that can actually go up in a matter of days.

Rafi: That’s good. It’s dynamic. It’s not like you’re looking at logs from six months back or a year back because it is such a changing landscape. I mean, how does it play to other exploitability tools? There’s plenty of other metrics and measurements that are used currently to understand the impact and the, the, you know, certain details about different vulnerabilities.

So comparing it to, let’s say CVSS, CISA’s KEV, and others, where does this stand? 

Asaf: Excellent. Yeah, so I mean, so CVSS is the traditional one. It’s what the industry has been using for many years. And, and I think we’ll still continue to use, but I think it’s important to understand the differences.

The main takeaway, by the way, is that they are really complementary. It’s not this one or the other. They serve different purposes. CVSS is another scoring methodology for a vulnerability that actually focuses on the severity of the vulnerability and really looks at the innate characteristics of the vulnerability.

Things like: what level of depth does the potential attacker need to possess in order to carry it out, and what is the level of access? Do you need physical access or can you do it remotely? And obviously, let’s just take those two examples. If you require really an expert who needs physical access to use the vulnerability, then that would usually mean the severity is less, compared to something that is remotely open and even, you know, a script kiddie can do.

Where CVSS potentially comes short is that it doesn’t really look at the dynamic nature of vulnerabilities and what happens in the field. This is exactly where EPSS comes in handy: it actually tries to analyze not how severe the vulnerability is, but how likely it is to be exploited, based on all the exploitability knowledge that is in the field.

Advocates of EPSS claim that the main advantage it has over CVSS is just by how focused it is. Basically, you can, you know, look at CVSS scores that are above 7, considered pretty high, and you will still end up with a very long list of vulnerabilities that you need to go through, just to realize that only a small subset of them are actually the ones that you need to address.

Whereas in the EPSS methodology, the overlap of EPSS scoring that is very high compared to the CVEs that you really care about is much better. So based on that, you could argue that if you’re using EPSS, let’s say, even on top of CVSS, you might be able to work more quickly to get through the CVEs that matter.

So these are the main differences. Again, I think the main takeaway is that both are relevant, but kind of look at different things. The last one you mentioned, the catalog, the Known Exploited Vulnerabilities catalog of CISA. Well, this one is a little different. This is not about scoring.

This is an actual catalog of real exploits in the wild. So obviously I would say this should supersede everything else. Like if you already know that a certain CVE is already exploited and it’s in the catalog, that’s probably the first thing that you should look at. Yeah, right. And even if the EPSS didn’t capture it yet and put it as five, there’s an actual fact that something is there.

So, KEV is probably one thing you should start looking at, but KEV is not available for a large number of CVEs, so for that large number, the scoring is really useful to take you through your management strategy.

Rafi: Yeah, what I’m just thinking is that we would like to think of product security teams as these huge bullpens with teams of people looking into vulnerabilities and understanding what’s happening, but in reality, they’re much smaller teams relative to the current threats that are out there.

Instead, we’re talking about triaging and automation, and it’s amazing how, or in general here at Cybellum, that’s what we talk about, but it’s really important that even when you have a high-level CVE, with a high rank or high number, it still doesn’t necessarily mean that that’s what you should be doing first.

So it’s so important to have something that defines the likelihood because even if something is a low score with a high likelihood, it’s okay. How do we understand the risk and how do we work that into our processes to make sure that the people who are looking into these vulnerabilities are focused? They’re not overwhelmed with things that aren’t necessarily relevant.

Okay, cool. So the next question I have for you then, which ties in nicely is, what’s something that product security teams should be considering regarding EPSS? 

Asaf: First of all, I think it’s very important to look at these as tools, right?

They are not there to replace your risk management strategy. Different organizations may have different risk tolerance, depending on what’s at risk, depending on what the regulation tells them to do and EPSS should be looked at as just another tool that gives another dimension for analysts to carry through their strategy.

And kind of connecting to your point before I think traditionally there’s been a lot of burden on the security teams to really understand the full extent of the vulnerability. Whereas we have to consider that for most of these organizations, security is not the main business, right? Security is what they need to do to support their main business.

One nice thing about the EPSS is that it actually harnesses a lot of the industry knowledge and the industry expertise to give you dynamic information and real time information to support, your analysis. You should consider though, and it is important, that at the end of the day, EPSS is based on a predictive model.

And as any predictive model, it could have false positives, it could have false negatives. So that is why it’s really important not just to fully automate everything according to the EPSS data and threshold, but really use it as a tool that supports your strategy. That allows you, I would say, to quickly cut through the noise and get, or even prioritize, just the order by which you address the vulnerabilities.

But it’s really by using that with additional tools and based on your strategy that you would really do the best practices of vulnerability management in your organization. 

Rafi: Yeah. And, and I was thinking of, while you were speaking about the communication between sectors of what’s going on and how CISA, had the RVWP program, which meant that people had to disclose [cybersecurity events], it was focused more on critical infrastructure and industrial, but they have to disclose what was going on, not for the sake of telling shareholders or anything, but warning others in the sector. Hey, we were just hit by this. This is what’s going on. And so I agree.

It’s so important to have that real-time understanding of, you know, how challenging is this, right? Like, what? Not only what was the impact, but what was the likelihood. 

All right. So here’s the juicy one. How does Cybellum address EPSS? So we talk about it as this nice tool and it’s another metric on top of many others, but when it comes to, you know, I know the thing you’re personally passionate about, when it comes to how Cybellum treats this, what’s unique?

Asaf: So we’re very excited about EPSS. And we always strive to bring as much data, as much actual and relevant data as we can around vulnerabilities. So we obviously bring data from the canonical NVD database, but we already enrich it with other things like, you know, GitHub advisories, the catalog that we talked about before, and actually, already starting from the next version, the EPSS scoring is already available alongside the CVSS score in the vulnerability database.

But we’re not planning to stop there. We’re actually looking at other ways by which the EPSS scoring can assist the analysts and the security teams in their management of vulnerabilities. Some things that we’re planning ahead are just the ability to provide better visualization of the scoring because as I said before, the scoring is dynamic.

You might want to look at a certain vulnerability and just see how it kind of changed over time. That could support your analysis, and another place where we see the EPSS becoming relevant is just in the way that you calculate risk and the way you support the prioritization of vulnerabilities.

We already have the vulnerability co-pilot feature that allows you to filter a lot of vulnerabilities based on a set of criteria. EPSS is, you know, one additional, very powerful criterion there. So we plan to embed it there as well. And again, I mean, at the end of the day, we really see it as another powerful tool alongside other tools that should help product teams in the risk assessment and vulnerability management.

Rafi: And for those who aren’t familiar with the Vulnerability Management Co-pilot, or the VM Co-pilot, it’s probably one of the most beloved tools, if I dare use that word, because it really just takes an incredible amount of vulnerabilities that aren’t even necessarily relevant to a component or device or system.

And it just gets it out of the way. And so it doesn’t mean that it’s okay to just ignore everything. But it’s an amazing tool. And so to have EPSS worked in there, I could just see it saving so much time and resources and really just focusing teams in a way that everyone’s really working towards in this maturity.

So it’s a great leap. 

Asaf, thank you so much for the concise and to-the-point answers. I love it. I really appreciate it. We’ll talk again soon. Sure. Thank you.
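The triage order the conversation describes (KEV entries first, then exploit likelihood from EPSS, then CVSS severity as a tie-breaker), written up as an added example. This is illustrative code, not Cybellum’s product or the FIRST model; the CVE ids, scores and the 0.5 EPSS threshold are constructed placeholders.

```python
"""Tiered vulnerability triage combining KEV, EPSS and CVSS.

Added example, not Cybellum's code. Sample findings and the EPSS
threshold are constructed for illustration; tune the threshold to
your own risk tolerance as the interview recommends.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float      # CVSS base score 0.0-10.0: how severe (innate characteristics)
    epss: float      # EPSS probability 0.0-1.0: how likely to be exploited
    in_kev: bool     # listed in CISA's Known Exploited Vulnerabilities catalog


EPSS_HIGH = 0.5      # assumed cut-off for "likely exploited"; not a FIRST recommendation
CVSS_HIGH = 7.0      # the "above 7" bar mentioned in the conversation


def tier(f: Finding) -> int:
    """0 = known exploited, 1 = likely exploited, 2 = severe but unlikely, 3 = rest.

    A KEV entry wins even when its EPSS is still low, because the catalog
    records an observed exploit while EPSS is only a prediction.
    """
    if f.in_kev:
        return 0
    if f.epss >= EPSS_HIGH:
        return 1
    if f.cvss >= CVSS_HIGH:
        return 2
    return 3


def prioritize(findings):
    """Order findings by tier, then by EPSS and CVSS descending within a tier."""
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))


def cvss_only_backlog(findings):
    """What a CVSS-only rule would hand the analyst: everything scored 7 or above."""
    return [f for f in findings if f.cvss >= CVSS_HIGH]


# Constructed sample; these CVE ids and values are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False),  # critical, unlikely
    Finding("CVE-0000-0002", cvss=5.3, epss=0.91, in_kev=False),  # medium, very likely
    Finding("CVE-0000-0003", cvss=6.1, epss=0.05, in_kev=True),   # KEV, EPSS lagging
    Finding("CVE-0000-0004", cvss=7.2, epss=0.01, in_kev=False),  # high, unlikely
]
```

Note that a CVSS-only rule would queue the two high-scoring but unlikely findings and drop the KEV and high-EPSS ones entirely, which is the mismatch the conversation describes.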