Here are a few quick thoughts on prioritization everyone should know.
A respected peer was discussing the use of EPSS to add detail to the decision-making process: which findings are relevant, and which should be the focus.
What does this mean? Why do you care?
Here’s a practical application when a finding has a CVSS score attached. CVSS provides the base score. Assume you do a quick scoring-adjustment review and, great – it doesn’t look too bad. However, you then see the associated vulnerability listed in the KEV catalog and carrying a high percentage in the EPSS data (which AWS, Wiz, and many others use to add color to their findings).
Stop. Consider. Maybe that particular finding should be prioritized higher. Treat the information as input: it's a data point, not the authority - your organization is the authority - but weigh it in the decision.
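One way to turn that reasoning into a repeatable triage step, as an added example that is not from the original post: start from the CVSS base score, escalate anything on the KEV catalog, and bump findings whose EPSS probability is high. The EPSS threshold (10%) and the escalation rules are assumptions for illustration, and the CVE ids in the sample data are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str
    cvss_base: float  # CVSS base score, 0.0 - 10.0
    in_kev: bool      # listed in the CISA Known Exploited Vulnerabilities catalog
    epss: float       # EPSS probability of exploitation in the next 30 days, 0 - 1

# CVSS v3.x qualitative bands (lower bound, name) and their urgency rank; 1 = most urgent
CVSS_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"), (0.0, "None")]
BAND_RANK = {"Critical": 1, "High": 2, "Medium": 3, "Low": 4, "None": 5}

def cvss_band(score: float) -> str:
    """Map a CVSS base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    return next(name for low, name in CVSS_BANDS if score >= low)

def prioritize(f: Finding, epss_high: float = 0.10) -> tuple[int, list[str]]:
    """Return (priority, reasons); priority 1 is most urgent.
    Rule (an assumption for this example): start from the CVSS band; a KEV entry
    escalates to priority 1; EPSS at or above epss_high raises the tier by one."""
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"EPSS probability out of range: {f.epss}")
    band = cvss_band(f.cvss_base)
    rank = BAND_RANK[band]
    reasons = [f"CVSS {f.cvss_base} ({band})"]
    if f.in_kev:
        rank = 1
        reasons.append("on CISA KEV: known exploited in the wild")
    elif f.epss >= epss_high:
        rank = max(1, rank - 1)
        reasons.append(f"EPSS {f.epss:.0%} >= {epss_high:.0%}: likely exploited within 30 days")
    return rank, reasons

def triage(findings: list[Finding]) -> list[tuple[int, Finding]]:
    """Order findings most urgent first; ties broken by EPSS, then CVSS."""
    ranked = [(prioritize(f)[0], f) for f in findings]
    return sorted(ranked, key=lambda r: (r[0], -r[1].epss, -r[1].cvss_base))

# Constructed sample findings; the CVE ids are placeholders, not real identifiers
SAMPLE = [
    Finding("CVE-0000-0001", 5.5, False, 0.02),  # Medium by CVSS, nothing else
    Finding("CVE-0000-0002", 5.5, True, 0.02),   # Medium by CVSS, but on KEV
    Finding("CVE-0000-0003", 5.5, False, 0.45),  # Medium by CVSS, high EPSS
    Finding("CVE-0000-0004", 9.8, False, 0.01),  # Critical by CVSS alone
]
```

Calling `triage(SAMPLE)` puts the KEV-listed Medium and the Critical at the top, the high-EPSS Medium next, and the plain Medium last; `prioritize(f)[1]` gives the reasons to record alongside the decision.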
Here are some links. Remember this table; this information will be helpful at some point.
| Scoring System | Link | Scoring Range | Purpose |
| --- | --- | --- | --- |
| NVD - Vulnerability Metrics (NIST) | | 0.0 - 10.0 (CVSS) | Provides severity ratings for vulnerabilities based on the Common Vulnerability Scoring System (CVSS) to guide remediation efforts. |
| Known Exploited Vulnerabilities Catalog (CISA) | | Binary (Exploited/Not Exploited) | A list of vulnerabilities that are known to be actively exploited in the wild, maintained to help prioritize patching. |
| Exploit Prediction Scoring System (EPSS) | | 0 - 1 (0% to 100% likelihood) | Predicts the likelihood of a vulnerability being exploited in the next 30 days, helping organizations prioritize remediation. |