Security Market Watch

A Deep Dive into the Revolutionary World of EPSS and Security Discussion

December 04, 2023 Josh Bruyning Season 1 Episode 20

Are you ready to unravel the mysteries of cybersecurity and exploit prediction? We're joined by our esteemed guest, Jay Jacobs. Today's episode promises to be a thrilling ride into the world of data in security as we welcome one of the innovators behind the groundbreaking EPSS (Exploit Prediction Scoring System). This machine learning model, whose first scores were published in 2021, predicts the likelihood that a vulnerability will be exploited in the wild. It not only helps us zero in on the vulnerabilities that deserve attention, it also tells us which ones can safely be put on the back burner for patching. With daily updates and scores that are calibrated probabilities ranging from 0 to 1, we discuss how this system has become indispensable in vulnerability prioritization.

Josh Bruyning LinkedIn
Jay Jacobs LinkedIn
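In the conversation below, Jay describes EPSS scores as calibrated probabilities that can be combined across the vulnerabilities on one machine, and says the main payoff is identifying what can safely be deferred. The Python below is an added example illustrating that arithmetic; it is not code from the podcast, from FIRST, or from the EPSS project. Assumptions: the CSV layout (one `#` metadata line, then `cve,epss,percentile`) mirrors the daily feed as I know it, the scores are made up, the 2% cut-off is only illustrative, and the combination treats exploitation of different CVEs as independent events. Note that EPSS estimates the chance of exploitation activity being observed in the wild for that CVE in the next 30 days, not the chance that your particular host is compromised; as Jay stresses, reachability and impact are yours to supply.

```python
import csv
import math

# Constructed sample in the layout of the EPSS daily CSV feed (assumed
# format: one '#' metadata line, then a cve,epss,percentile header).
# The scores are made up for this example, not real EPSS values.
SAMPLE_EPSS_CSV = """\
#model_version:v2023.03.01,score_date:2023-12-04T00:00:00+0000
cve,epss,percentile
CVE-2023-0001,0.00042,0.09000
CVE-2023-0002,0.01300,0.84000
CVE-2023-0003,0.93000,0.99900
CVE-2023-0004,0.00090,0.38000
"""


def load_epss(text):
    """Parse the feed into {cve: probability}, skipping '#' metadata lines."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    scores = {}
    for row in csv.DictReader(rows):
        p = float(row["epss"])
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{row['cve']}: EPSS value {p} is not a probability")
        scores[row["cve"]] = p
    return scores


def prob_any_exploited(probs):
    """P(at least one CVE sees exploitation) = 1 - prod(1 - p_i).

    Assumes the per-CVE events are independent. Summed in log space so a
    host with thousands of tiny scores does not underflow to 1.0 - 1.0.
    """
    probs = list(probs)
    if any(p >= 1.0 for p in probs):
        return 1.0
    log_p_none = sum(math.log1p(-p) for p in probs)
    return 1.0 - math.exp(log_p_none)


def triage_host(host_cves, scores, threshold=0.02):
    """Split a host's CVEs into act-now vs. defer by EPSS score, and report
    the host-level probability that any of them is exploited.

    CVEs absent from the feed (e.g. not yet scored) are reported separately
    rather than silently treated as zero-probability.
    """
    known = {c: scores[c] for c in host_cves if c in scores}
    unknown = [c for c in host_cves if c not in scores]
    urgent = sorted((c for c, p in known.items() if p >= threshold),
                    key=lambda c: known[c], reverse=True)
    deferrable = sorted((c for c, p in known.items() if p < threshold),
                        key=lambda c: known[c], reverse=True)
    return {
        "p_any_30d": prob_any_exploited(known.values()),
        "urgent": urgent,
        "deferrable": deferrable,
        "unscored": unknown,
    }


if __name__ == "__main__":
    scores = load_epss(SAMPLE_EPSS_CSV)
    report = triage_host(["CVE-2023-0001", "CVE-2023-0002",
                          "CVE-2023-0004", "CVE-2023-9999"], scores)
    print(f"P(any exploited in 30d) = {report['p_any_30d']:.4f}")
    print("urgent:", report["urgent"])
    print("deferrable:", report["deferrable"])
    print("unscored:", report["unscored"])
```

Three low scores on one host (0.00042, 0.013 and 0.0009) combine to roughly a 1.4% chance that at least one of them sees exploitation in the window, which is the kind of number you can put next to the host's exposure and business impact; adding the scores would overstate it, and taking only the maximum would understate it. Unscored CVEs are surfaced rather than hidden so a brand-new vulnerability is not mistaken for a safe one.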


Speaker 1:

This exploit prediction scoring system, EPSS, the exploit prediction scoring system. This is the first time I've ever heard about this, so let us know: what is the exploit prediction scoring system, EPSS?

Speaker 2:

Yeah, let me go back to your first thing. So you're talking about data in security, and that is a huge and wonderful topic to get into. Essentially, data is just a form of feedback, right? It is observing and recording something that happened, and/or labeling something, and that is huge in cybersecurity because we struggle with this feedback mechanism, right, trying to understand what is a great decision, what's a good decision, what should we do. In this case, getting data and getting that feedback is essential, and so carrying that over into EPSS. So EPSS is the exploit prediction scoring system, and I remember, probably 15 years ago, looking at CVSS and looking at what they were doing for vulnerabilities, and I thought, that's it? Like, they get some people and they talk about what they think is important, and then they give it some weights, and then there's some magic math, and then you get a score. And I thought, wow, we have all of this information, there's all of these things going on. We have so many devices to catch things being exploited. Why don't we look at those and try to create that feedback loop? And that is exactly what EPSS started to do.

Speaker 2:

So, through my day job at Cyentia, we have a bunch of data partnerships with different companies to do research on their data, and one of those companies was Fortinet, and Fortinet has an enormous network of devices out there blocking and reporting on exploit attempts. And so we grabbed that data. And we're also partnering with a company called Kenna Security, who's now part of Cisco, and they're doing vulnerability management.

Speaker 2:

So we had all this data on vulnerabilities and we had all this data on exploits, and we just brought it together and we said, all right, we know that these things have been exploited. What about these vulnerabilities makes them more or less likely to have that happen? And so we built a machine learning model, and it's updated daily. So, like, if something happens in the landscape, let's say an exploit module gets published to the internet, like a lot of well-intentioned people will put things out there with exploits, or they're trying to get a slice of fame so they put it on GitHub or something like that. When that happens, we know that there's actually an increase in the chance of something using that and exploiting it in the wild. And so we update. We've got well over, I think we're at 1,500 different variables that we're looking at for vulnerabilities, trying to predict when something, or how likely something is, to be exploited.

Speaker 1:

That's insane, and we find that people are moving more towards, especially CISOs, they want to match what's going on in the real world with what's going on in their dashboards and in their ecosystem. So what's the reception like? I mean, is this something that's brand new? Is it out in the wild? Are people using it?

Speaker 2:

Absolutely, yeah, and it's free. You can go grab these scores right now. It's at first.org/epss, and the scores are out there. You've got an API. You can download data on a daily basis. But the reception, so, like, it's been really, really good, and we launched it, I think we started publishing the first scores in 2021; the initial research was 2019. We've gone through three iterations since then, so we're on a third version and we're just getting better and better as we iterate.

Speaker 2:

And the big thing, you'd think that it was like, we can tell people really what to focus on. That's not the real benefit. The real benefit is that we can actually identify things that you probably don't have to focus on, and that's been a huge thing for people, because what we found through some of our research with Kenna is that most companies are fixing between 10 and 15% of the open vulnerabilities in their environment a month. So any given month, they're only able to fix 10 to 15%. That was about the median. Some are higher, some are lower, of course, but that's about the average. And so what that means is that you need prioritization. You need to know what you should focus on versus what you can safely delay and work into a longer patch cycle, and so that's really the value that we're bringing. We're telling people things that they could more safely delay, and being a lot more accurate than the prioritization that they are doing.

Speaker 1:

Excellent. So it's not just what you should be doing, but what not to waste your time on. Okay, great. What is the scoring system like? Is it sort of a, you know, one to 10? Like, what's a good score?

Speaker 2:

So it's between zero and one, and it is a probability, like an actual trained, you know, calibrated probability.

Speaker 2:

And so what you can do, if you have one machine with 10 vulnerabilities, you could say, what is the probability that any one of these will be exploited? And you can just, as you know, if you understand probability, the mathematics takes a little learning curve there, but you can do that combination, which is very, very hard otherwise. As you know, if you have, like, two highs and a medium and a low, how do you combine that, you know, when you have that ordinal value? So with the probability, you can combine it, and it is just between zero and one, or we'll display it as, you know, zero to 100%. Yes, and nothing ever gets to zero, nothing is ever at 100%, and that's just the way the model's working. Yeah, and we've got several papers that we've published on the research we put behind this, and we'll talk about the calibration. So when we say 50% chance of exploitation in the next 30 days, we put that time window on it, that means about 50% of those will actually be exploited in the next 30 days.

Speaker 1:

Can you produce a bell curve with that data? I guess that you guys have a lot of, you know, there's a distribution in the score.

Speaker 2:

Yeah, but it's not a bell curve. You know, a bell curve is symmetric and nice and pretty. This is really heavily weighted on the low end. So I think, like, the top 15% was like 2% probability and above. So, like, 85% of the data is below a 2% chance of exploitation, and that goes back to allowing people to say, what should I not focus on right away? You know, there's a whole bunch of things that you don't have to focus on right away.

Speaker 1:

Okay, yeah, so just don't focus on those outliers. It's probably a really long tail and all these things. So this is really the practical application here. If you're scrolling through the news and you see all these buzzwords, and you're seeing all these, look, the media has been hijacked, and, you know, cybersecurity folks don't know what's important anymore. You know, I mean, if you're really in the trenches, you know, but this seems really useful in being able to say, okay, well, yeah, we heard that this person got breached because of XYZ, maybe they're not in my industry, maybe this doesn't really matter to me. And so your system would be able to say, yeah, this thing is an outlier. It gets a lot of buzz, people talk about it a whole lot, but guess what? It doesn't really happen that often. What about if it's an outlier, it only happens, you know, it's very rare, but do you have a way of capturing the impact of that vulnerability?

Speaker 2:

No, and that's a great question, because we very explicitly did not look at impact. And so if you want to take, like, a risk-based approach, there's two other things to consider other than the score. So the score is basically, how likely is someone to try and exploit this? The other thing is, what sort of compensating controls do I have? So if, you know, the vulnerability is, like, 15 layers deep in your network, or if it's externally facing, you know, on your perimeter, those are two totally different scenarios from your perspective.

Speaker 2:

The other thing is the impact. Right, we have no idea what it is. But if you can look at a system and say, hey, this is really, really important stuff, we want to be careful with the vulnerabilities on here, versus, hey, this is just, you know, basically a brochure that could go away, we could reboot it, we could rebuild it, whatever, we don't care. All of those are going to impact the overall decision. So EPSS is just producing that threat, if you will. And then you need to understand the environment and the impact, which, of course, we have no idea of from a centralized location, how different vulnerabilities are going to have an impact on everybody's environment.

Speaker 1:

Excellent. Well, I'm going to stay on top of this, and I hope that you come back and drop in another time to tell us what's going on in the EPSS space, exploit prediction scoring, man. Well, I just learned something today. So if this is interesting to you, if you're listening to this or watching this, drop us a note, leave us a comment. And, Jay, I don't know if you like people reaching out to you, but if somebody wants to reach out to you, how can they find you?

Speaker 2:

Boy, I don't know anymore. You know, it used to be Twitter. I'm on LinkedIn, Jay Jacobs on LinkedIn, at Cyentia, and that's probably the best way to reach out, LinkedIn. I put an occasional few data-driven posts out there. So, all right, Jay.

Speaker 1:

Well, thank you for being so gracious with your time. Thanks for dropping in, and thank you for listening to this. We still have to find a name. Maybe we'll take some suggestions, but right now, you know, we'll call this Security Market Watch Drop-Ins. So thanks again. Thanks, Jay. All right. Bye.
