April 2023
  • 08 May 2024

Article Summary

EPSS Support

Seemplicity now supports filtering for vulnerabilities based on EPSS percentile.

What is EPSS

EPSS (Exploit Prediction Scoring System) is a vulnerability scoring system based on the likelihood that a vulnerability will be exploited. Using machine learning, the model assigns every CVE a probability between 0 and 1 (0% and 100%); the higher the score, the greater the chance that the vulnerability will be exploited.

EPSS vs CVSS

CVSS has been around for a long time and is used to measure the severity of a vulnerability. However, it does not take into account whether or not the vulnerability is actually exploitable in practice. For example, if no PoC exists, a vulnerability might be rated critical yet not be realistically exploitable.

In contrast, EPSS assesses how viable a vulnerability is for an attacker, with severity playing only a partial role in the calculation. Severity alone is not enough for a vulnerability to score in the 99th percentile.

Implementing EPSS in Seemplicity

Seemplicity collects all of the EPSS scores once a week from first.org. Each Finding is assigned the EPSS of its relevant CVE; if a Finding has more than one CVE, it is given the highest EPSS score among those CVEs.

To search for Findings based on the EPSS percentile, you can create a Filter using the EPSS Percentile field.

[Image: Filter on the EPSS Percentile field]

Using the above Filter, you would then have the top 0.5% of Findings in your environment.
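The following is an added illustration of the logic described in this section (collect scores from the feed, give each Finding the highest EPSS among its CVEs, then filter on percentile). It is not Seemplicity's code. The CSV text is constructed for the example: it imitates the layout of the first.org feed (a comment line, then `cve,epss,percentile` rows, with the percentile as a 0–1 fraction, so the top 0.5% is `percentile >= 0.995`), but every CVE id and score in it is made up. The `Finding` class and function names are likewise the example's own.

```python
"""Toy reproduction of the EPSS-to-Finding assignment and percentile filter.

Constructed example (not Seemplicity's implementation): the feed text below
imitates the first.org CSV layout with made-up CVE ids and scores.
"""
import csv
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample feed. The real feed is published by first.org; none of
# these CVE ids or numbers are real.
EPSS_FEED = """\
#model_version:vEXAMPLE,score_date:2023-04-01T00:00:00+0000
cve,epss,percentile
CVE-0000-1001,0.00042,0.11000
CVE-0000-1002,0.01870,0.88000
CVE-0000-1003,0.97300,0.99900
CVE-0000-1004,0.12500,0.95400
"""


@dataclass
class Finding:
    finding_id: str
    cves: List[str]
    epss: Optional[float] = None        # highest EPSS among the Finding's CVEs
    percentile: Optional[float] = None  # percentile belonging to that CVE


def parse_epss_feed(text: str) -> Dict[str, Tuple[float, float]]:
    """Return {cve: (epss, percentile)}, skipping '#' comment lines in the feed."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    reader = csv.DictReader(rows)
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in reader}


def assign_epss(findings: List[Finding], feed: Dict[str, Tuple[float, float]]) -> List[Finding]:
    """Give each Finding the highest EPSS among its CVEs (and that CVE's percentile).

    A Finding whose CVEs are all absent from the feed keeps None, so that an
    unscored vulnerability is not silently treated as low risk.
    """
    for f in findings:
        scored = [feed[c] for c in f.cves if c in feed]
        if scored:
            # Tuples compare by epss first, so max() picks the highest EPSS.
            f.epss, f.percentile = max(scored)
    return findings


def filter_by_percentile(findings: List[Finding], min_percentile: float) -> List[Finding]:
    """Findings at or above the given EPSS percentile (0.995 selects the top 0.5%)."""
    return [f for f in findings
            if f.percentile is not None and f.percentile >= min_percentile]


# Constructed Findings: B carries two CVEs and should inherit the higher score;
# D references a CVE that is not in the feed and must stay unscored.
SAMPLE_FINDINGS = [
    Finding("finding-A", ["CVE-0000-1001"]),
    Finding("finding-B", ["CVE-0000-1002", "CVE-0000-1003"]),
    Finding("finding-C", ["CVE-0000-1004"]),
    Finding("finding-D", ["CVE-0000-9999"]),
]


def top_findings(min_percentile: float = 0.995) -> List[str]:
    """Ids of the sample Findings at or above min_percentile, in input order."""
    feed = parse_epss_feed(EPSS_FEED)
    fresh = [Finding(f.finding_id, list(f.cves)) for f in SAMPLE_FINDINGS]
    return [f.finding_id for f in filter_by_percentile(assign_epss(fresh, feed), min_percentile)]


if __name__ == "__main__":
    print(top_findings())  # ['finding-B']
```

Lowering the threshold widens the selection (0.95 also admits finding-C), while finding-D is never returned because it has no EPSS value; how such unscored Findings should be triaged is a policy decision, which is why the recommendation below to combine EPSS with other filters matters.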

Within a Finding, you can see more information about the relevant CVEs, the EPSS Percentile, and the EPSS Score. For example, in the following Finding for a Flash Player vulnerability, there are numerous CVEs and the Finding is in the top 0.1%.

[Image: Finding details showing the CVEs, EPSS Percentile and EPSS Score]

Recommendations

While EPSS can be used effectively in your ongoing vulnerability management, Seemplicity recommends using it in tandem with other Seemplicity filters as well as your external threat intelligence feeds.
