Reshaping Risk – Outside of the box thinking

I really think that if we change our own approach and thinking about what we have available to us, that is what will unlock our ability to truly excel in security. It’s a perspectives exercise. What would it look like if abundance were the reality and not resource constraint?

— Greg York, VP, Information Security, Tribune Media, at SecureWorld Chicago
Image: "Risk" spelled in Boggle letter tiles, via https://pixabay.com/images/id-1945683/

Why change?

First, I should preface this post with the question that prompted it. It was posed to me at work a few weeks back and it has been brewing in my mind since. You see, I’ve been in cyber security since 2017. Not a long time at all. However, I’ve managed to grow my career into something I’m proud of. I’ve learned a lot, gained skills, and have progressed my career well, in my opinion.

Recently, my manager sent me an article about ransomware. This article, which I don’t have the link to at the moment, listed several CVEs that ransomware groups were using to attack organizations. My manager then asked me: “Should this change how we view risk?” The question made me sit back in my chair and really think. Why should we change what is working? What should change, if anything?

Eventually, I came to the conclusion that CVSS scoring on its own is not enough. For a good walkthrough of what CVSS scores are, head over to the article written by Alexander Jones from Cobalt.io. Sure, the CVSS base score accounts for how a vulnerability is reached (network, adjacent, local or physical), how complex the attack is, the privileges and user interaction it requires, and its impact on confidentiality, integrity and availability; the temporal metrics can even record whether working exploit code exists. However, there’s something missing: how likely is the vulnerability to actually be exploited? Based on the current threat landscape, such as the ransomware campaigns in the article I was given, how likely is a specific exploitable vulnerability to be used in a real attack? If severity is all we look at, a 9.8 that no attacker bothers with lands above a 7.5 that ransomware crews are using right now.

This really piqued my interest and so I began to meet with colleagues and discuss my thoughts. How can we reshape how we view risk? Is there anything we can improve upon? Are we missing anything?

Exploit Prediction Scoring System (EPSS)

After some discussion with colleagues, I was pointed to the Exploit Prediction Scoring System (EPSS). While I won’t attempt to cite the entire article here, the idea builds on the CVSS score: as Jacobs et al. (2021) describe it, EPSS is a model “for predicting the probability that a vulnerability will be exploited within the 12 months following public disclosure.” The model is described openly in the paper, and the resulting per-CVE scores are published freely by FIRST, so an organization can pull them into its own prioritization. The full article is listed in the references below. Go give it a read, it is quite interesting!
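To make the gap between the two scores concrete, here is an added example (my own illustration, not code from the post, the EPSS paper, or FIRST) that ranks a handful of findings first by CVSS alone and then by CVSS combined with an EPSS probability. The scanner findings and the EPSS feed are constructed sample data with fictitious CVE identifiers; the feed is shaped like the JSON the public FIRST EPSS API returns (fields cve, epss, percentile, date), which is an assumption you should check against the live API. The tier thresholds (CVSS 7.0, EPSS 0.1) are illustrative choices, not published guidance.

```python
"""Rank findings by CVSS severity alone versus CVSS plus EPSS probability.

Added example, not from the original post or from FIRST. The EPSS feed is a
constructed sample in the shape of the FIRST EPSS API response (assumed); the
CVE identifiers are fictitious; the tier thresholds are illustrative.
"""
import json
from typing import Dict, List, Optional

# Constructed scanner output: CVE, CVSS v3.1 base score, affected asset.
SCANNER_FINDINGS: List[dict] = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "asset": "intranet-wiki"},
    {"cve": "CVE-0000-0002", "cvss": 7.5, "asset": "vpn-gateway"},
    {"cve": "CVE-0000-0003", "cvss": 5.3, "asset": "build-server"},
    {"cve": "CVE-0000-0004", "cvss": 8.8, "asset": "mail-relay"},
]

# Constructed EPSS feed, shaped like the FIRST API response (assumption).
# EPSS values are probabilities in [0, 1]; percentile ranks the CVE against all others.
# CVE-0000-0003 is deliberately absent: not every CVE has a score on a given day.
EPSS_FEED: str = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.00420", "percentile": "0.71000", "date": "2021-08-01"},
        {"cve": "CVE-0000-0002", "epss": "0.93100", "percentile": "0.99800", "date": "2021-08-01"},
        {"cve": "CVE-0000-0004", "epss": "0.17500", "percentile": "0.95200", "date": "2021-08-01"},
    ],
})

TIER_ORDER = ["patch-now", "patch-soon", "schedule", "backlog"]


def parse_epss_feed(raw: str) -> Dict[str, float]:
    """Map CVE id -> EPSS probability from an API-shaped JSON document."""
    doc = json.loads(raw)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS feed status not OK: {doc.get('status')!r}")
    return {row["cve"]: float(row["epss"]) for row in doc["data"]}


def tier(cvss: float, epss: Optional[float], cvss_high: float = 7.0, epss_high: float = 0.1) -> str:
    """Assign an illustrative remediation tier from severity and exploit probability.

    A missing EPSS value (None) falls back to CVSS alone rather than being treated as zero,
    so an unscored CVE is not silently demoted.
    """
    if epss is None:
        return "schedule" if cvss >= cvss_high else "backlog"
    if epss >= epss_high and cvss >= cvss_high:
        return "patch-now"      # likely exploited and severe
    if epss >= epss_high:
        return "patch-soon"     # likely exploited even though severity is moderate
    if cvss >= cvss_high:
        return "schedule"       # severe but little sign anyone is exploiting it
    return "backlog"


def order_by_cvss(findings: List[dict]) -> List[str]:
    """The baseline the post questions: severity only, highest first."""
    return [f["cve"] for f in sorted(findings, key=lambda f: -f["cvss"])]


def prioritize(findings: List[dict], epss_by_cve: Dict[str, float]) -> List[dict]:
    """Annotate each finding with its EPSS value and tier, then sort by tier, EPSS, CVSS."""
    ranked = []
    for f in findings:
        p = epss_by_cve.get(f["cve"])
        ranked.append({**f, "epss": p, "tier": tier(f["cvss"], p)})
    ranked.sort(key=lambda r: (TIER_ORDER.index(r["tier"]), -(r["epss"] or 0.0), -r["cvss"]))
    return ranked


if __name__ == "__main__":
    epss = parse_epss_feed(EPSS_FEED)
    print("CVSS only :", order_by_cvss(SCANNER_FINDINGS))
    print("CVSS+EPSS :")
    for r in prioritize(SCANNER_FINDINGS, epss):
        shown = "n/a" if r["epss"] is None else f"{r['epss']:.3f}"
        print(f"  {r['tier']:<10} {r['cve']}  cvss={r['cvss']}  epss={shown}  ({r['asset']})")
```

With the sample data, severity alone puts the 9.8 on the intranet wiki first; adding EPSS moves the 7.5 on the VPN gateway, which the feed says is very likely to be exploited, to the top, and the 9.8 drops to a scheduled fix. Whether 0.1 is the right EPSS cut-off for your environment is exactly the kind of conversation this post is asking for.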

Now, after reading about this scoring system, I have to admit that I was excited. Here is something that seems to be answering some of the questions that I had been pondering. How do we improve upon what we have already? How do we reshape how we rate risks in the environment?

If it’s not broken…

I know, I know. I’m over here advocating for changing something that works. What’s the old saying? “If it’s not broken, don’t fix it.” Well, true, but are we sure it’s not broken? Besides, what if something works better? I do want to be clear that I know we probably won’t ever have a perfect solution to ranking risk. However, I do feel that there is room to improve on anything. So, why not improve on what has worked so far?

I don’t advocate that you run out and use the EPSS immediately. I just wanted to bring this conversation to light and to give an option that I found during my time thinking about it. Are there other options? Likely so. I’d love to hear of any that you know of!

I hope that these thoughts have been helpful to you. Even if all they do is get you thinking about risk differently, then I’ve done what I have set out to do. Best of luck to you on your journey!

References:

Jacobs, J., Romanosky, S., Edwards, B., Adjerid, I., & Roytman, M. (2021). Exploit Prediction Scoring System (EPSS). Digital Threats: Research and Practice, 2(3), 1–17. https://doi.org/10.1145/3436242
