EPSS into Risk Register

Integrating FIRST.org's EPSS into a cybersecurity asset risk matrix

The script I’ve written

The script I wrote illustrates this concept as a theoretical exercise. It is not a suitable method for use in a real environment.

Github Link

The Foundational Role of Asset Inventory Management

Asset Inventory Management is the cornerstone of effective cybersecurity. Without a comprehensive asset inventory, organisations are blind to potential risks, making it nearly impossible to protect against threats or prioritise security efforts effectively. It also sets the stage for a targeted and efficient cybersecurity strategy, ensuring resources are allocated where needed most.

Leveraging EPSS Scores Within a Cybersecurity Asset Risk Matrix

EPSS provides a data-driven approach to predicting the likelihood of a vulnerability being exploited. By incorporating these scores, security teams can prioritise vulnerabilities based on empirical evidence of risk rather than theoretical severity alone. EPSS leverages machine learning to identify patterns and relationships between vulnerability information and the exploitation activity that has been collected over time.

Challenges of Incomplete Inventories

Incomplete inventories significantly undermine the effectiveness of cybersecurity measures. This gap in visibility means that critical vulnerabilities remain unaddressed, compliance requirements are not fully met, and the organisation’s risk posture is inaccurately assessed. The challenge lies in identifying all assets and maintaining this inventory as new assets are acquired and old ones are decommissioned.

Starting with the Basics and Moving Towards Sophisticated Tools Like EPSS

Adopting a progressive approach to cybersecurity, starting with essential asset management and gradually incorporating sophisticated tools like EPSS, allows organisations to build a robust security posture. This progression ensures that foundational practices are in place, creating a solid base upon which more advanced methodologies can be effectively implemented.

Cybersecurity Asset Risk Matrix

A Cybersecurity Asset Risk Matrix is a tool used to categorise and prioritise the risks associated with each asset within an organisation. It typically involves two dimensions: the likelihood of a security incident occurring and the potential impact of that incident. By plotting assets in this matrix, organisations can visually identify which assets require immediate attention and which can be monitored less urgently.

The Workings of EPSS and How the Score is Calculated

The Exploit Prediction Scoring System (EPSS) utilises machine learning models to analyse various attributes of vulnerabilities and their surrounding ecosystem to predict the likelihood of exploitation. Factors such as the vulnerability’s characteristics, the ease of exploitation, and evidence of active exploitation are considered. The output is a score between 0 and 1, indicating the probability that a vulnerability will be exploited. This score helps organisations prioritise vulnerabilities based on empirical data rather than speculative assessment.

The nvdlib API Python Library

The nvdlib API Python library is designed to interact with the National Vulnerability Database (NVD). It allows developers and security professionals to query and retrieve data about reported vulnerabilities programmatically. This library simplifies accessing detailed information on vulnerabilities, including their descriptions, severity scores, and metadata, facilitating automated vulnerability management and research.

Utilizing Open Source Projects Like Project Discovery

Project Discovery represents a suite of open-source tools aimed at automating the discovery of assets and vulnerabilities. It enables security teams to efficiently identify and catalogue assets across their digital footprint, uncovering vulnerabilities at scale.

The Benefits Project Discovery Has Brought to Security Engineers

Project Discovery has significantly benefited security engineers by streamlining the asset discovery and vulnerability identification processes. Its tools automate what were once manual and time-consuming tasks, allowing security professionals to focus on analysis and remediation. The project’s contributions have led to more efficient security operations, faster vulnerability detection, and a more resilient security posture for organisations leveraging its capabilities.

The Added Benefit of Community-Driven Nuclei Templates

Nuclei templates are, in part, community-driven and provide the latest methods to identify vulnerabilities. These templates allow for rapidly sharing new vulnerability signatures across the community, ensuring that security teams can quickly adapt to emerging threats. The collaborative nature of these templates accelerates the detection and remediation process.

Example of the idea

Impact Criteria

Impact Scores   | Mission                                                            | Operational Objectives                                                | Financial Objectives                         | Obligations
Definition      |                                                                    |                                                                       | The high dollar limit for each impact score. |
1. Acceptable   | We would achieve our mission.                                      | We would meet our objectives.                                         |                                              | No harm would come to others.
2. Unacceptable | We must reinvest or correct the situation to achieve our mission.  | We must reinvest or correct the situation to achieve our objectives.  |                                              | The harm that would come to others would be correctable.
3. Catastrophic | We would not be able to achieve our mission.                       | We would not be able to meet our objectives.                          |                                              | The harm that would come to others would not be correctable.

Asset Risk Register Matrix

Asset              | Technology                       | CVE           | EPSS Score  | Description
remote.example.com | Palo Alto Networks GlobalProtect | CVE-2012-6606 | 0.000610000 | Palo Alto Networks GlobalProtect before 1.1.7, and NetConnect does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof portal servers and obtain sensitive information via a crafted certificate.
portal.example.com | Palo Alto Networks GlobalProtect | CVE-2012-6606 | 0.000610000 | Palo Alto Networks GlobalProtect before 1.1.7, and NetConnect does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof portal servers and obtain sensitive information via a crafted certificate.
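The following is an added example, not the author's script, showing how the two tables above fit together: EPSS supplies the likelihood axis of the risk matrix, the Impact Criteria supply the impact axis, and each asset/CVE pair gets a risk tier from their product. The sample EPSS payload follows the JSON shape of FIRST.org's /data/v1/epss endpoint but is constructed here; the likelihood thresholds, the app.example.com and db.example.com hosts, the CVE-EXAMPLE-* identifiers and the per-asset impact scores are all assumptions for the example.

```python
"""Added example (not the author's script): rank asset/CVE pairs by combining
the EPSS probability (likelihood) with the page's 1..3 impact criteria.
All sample data is constructed; the EPSS payload mimics the JSON shape of
FIRST.org's /data/v1/epss endpoint."""
import json
import urllib.request
from dataclasses import dataclass

EPSS_API = "https://api.first.org/data/v1/epss"

# Likelihood bands over the EPSS probability. These thresholds are
# assumptions for this example, not values published by FIRST.org.
LIKELIHOOD_BANDS = [(0.10, 3, "High"), (0.01, 2, "Medium"), (0.0, 1, "Low")]

# Impact scores as defined in the Impact Criteria table above.
IMPACT_LABELS = {1: "Acceptable", 2: "Unacceptable", 3: "Catastrophic"}


@dataclass
class Finding:
    asset: str
    technology: str
    cve: str
    impact: int  # 1..3, assessed per asset against the impact criteria


def fetch_epss(cves):
    """Live query of the FIRST EPSS API (not exercised offline)."""
    url = f"{EPSS_API}?cve={','.join(cves)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return parse_epss(json.load(resp))


def parse_epss(payload):
    """Map CVE id -> EPSS probability from an EPSS API JSON document."""
    if payload.get("status") != "OK":
        raise ValueError(f"unexpected EPSS API status: {payload.get('status')!r}")
    return {row["cve"]: float(row["epss"]) for row in payload["data"]}


def likelihood_band(epss):
    """Bucket an EPSS probability into a (score, label) likelihood band."""
    for threshold, score, label in LIKELIHOOD_BANDS:
        if epss >= threshold:
            return score, label
    return 1, "Low"


def build_register(findings, epss_scores):
    """Return register rows sorted from highest to lowest risk.

    risk = likelihood score (1..3) x impact score (1..3), so 1..9. A CVE that
    is absent from the EPSS feed is not silently ranked low: it is put in the
    top likelihood band and labelled 'Unscored' so a human reviews it.
    """
    rows = []
    for f in findings:
        if f.impact not in IMPACT_LABELS:
            raise ValueError(f"{f.asset}: impact must be 1, 2 or 3, got {f.impact}")
        epss = epss_scores.get(f.cve)
        lscore, label = (3, "Unscored") if epss is None else likelihood_band(epss)
        rows.append({
            "asset": f.asset, "technology": f.technology, "cve": f.cve,
            "epss": epss, "likelihood": label,
            "impact": IMPACT_LABELS[f.impact], "risk": lscore * f.impact,
        })
    # Highest risk tier first; within a tier, the higher EPSS probability first
    # (an unscored CVE is treated as 1.0, i.e. conservatively).
    rows.sort(key=lambda r: (-r["risk"], -(1.0 if r["epss"] is None else r["epss"])))
    return rows


def render(rows):
    """Plain-text register, one line per asset/CVE pair, header first."""
    lines = ["Asset | CVE | EPSS | Likelihood | Impact | Risk"]
    for r in rows:
        epss = "n/a" if r["epss"] is None else f"{r['epss']:.5f}"
        lines.append(f"{r['asset']} | {r['cve']} | {epss} | "
                     f"{r['likelihood']} | {r['impact']} | {r['risk']}")
    return "\n".join(lines)


# Constructed inventory: the two GlobalProtect rows mirror the register above;
# the other hosts, CVE-EXAMPLE-* ids and all impact scores are placeholders.
SAMPLE_FINDINGS = [
    Finding("remote.example.com", "Palo Alto Networks GlobalProtect", "CVE-2012-6606", 2),
    Finding("portal.example.com", "Palo Alto Networks GlobalProtect", "CVE-2012-6606", 3),
    Finding("app.example.com", "Example web application", "CVE-EXAMPLE-0001", 1),
    Finding("db.example.com", "Example database", "CVE-EXAMPLE-0002", 3),
]

# Constructed EPSS API response (same field names as the live endpoint);
# CVE-EXAMPLE-0002 is deliberately missing to exercise the 'Unscored' path.
SAMPLE_EPSS_PAYLOAD = {
    "status": "OK",
    "data": [
        {"cve": "CVE-2012-6606", "epss": "0.00061", "percentile": "0.25"},
        {"cve": "CVE-EXAMPLE-0001", "epss": "0.42", "percentile": "0.97"},
    ],
}

if __name__ == "__main__":
    # For live scores, replace parse_epss(SAMPLE_EPSS_PAYLOAD) with
    # fetch_epss([f.cve for f in SAMPLE_FINDINGS]).
    print(render(build_register(SAMPLE_FINDINGS, parse_epss(SAMPLE_EPSS_PAYLOAD))))
```

Two design points worth noting. EPSS is a per-CVE probability of exploitation activity in the next 30 days and knows nothing about a given asset's exposure or compensating controls, which is why impact is assessed per asset: the two GlobalProtect rows share one EPSS value but land in different risk tiers. And because FIRST.org refreshes EPSS scores daily, the likelihood column should be recomputed on a schedule rather than stored once in the register.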

References