Cybersecurity is crucial, and organisations across the world are working day in and day out to deal with cyber threats. Vulnerabilities in software and other computing systems play a major role in making an attack possible. While companies manage to discover a lot of vulnerabilities before a cyberattack takes place, there is still a challenge: which vulnerability should they patch first? One wrong decision could make the situation worse for an organisation.

Predicting Vulnerability Severity

With so much cybercrime happening, it is imperative for organisations to understand the severity of each vulnerability or threat. To fill this void in the industry, open-source models and machine learning have emerged as a much-needed solution. San Francisco-based cybersecurity company Kenna Security has developed a machine learning-powered open-source tool that would help organisations and their cybersecurity teams decide which vulnerability needs more attention.

Simply put, the Exploit Prediction Scoring System (EPSS) predicts the likelihood that a vulnerability will be exploited within its first 12 months.



It is not that organisations don’t prioritise vulnerability assessment; however, the framework they currently use to score vulnerabilities, the Common Vulnerability Scoring System (CVSS), is said to have some drawbacks, and the need for a new system is imperative.

In case you don’t know what CVSS is, it is a framework that provides a numerical score representing the severity of a vulnerability. The score is derived from the principal characteristics of the vulnerability, such as attack vector, attack complexity, required privileges, user interaction, and the impact on confidentiality, integrity and so on. So, currently, a company decides the severity and prioritises its patching sequence based on this score.


Despite being the go-to framework for years, there are reports suggesting that CVSS has some drawbacks. While some experts say that it should only be used by specific industries, others say that the way the score is calculated sometimes leads to biases.

The Role Of Machine Learning In Predicting Vulnerability Severity

Kenna Security’s Exploit Prediction Scoring System was created in collaboration with data scientists from the RAND Corporation and Virginia Tech. According to a report, the machine learning model incorporated into the system is trained on data collected from more than 25,000 vulnerabilities. In addition, the data includes billions of security events, all of which were collected over five years.

According to one of the developers of the system, EPSS is so efficient that it has already reduced the time required to predict and patch by 40 days, which is remarkable.

As proof that machine learning actually works in this system, EPSS was tested on BlueKeep (CVE-2019-0708), and the results it produced were spot on. The main goal of EPSS is to predict which vulnerabilities are likely to be exploited within 12 months of discovery, and when tested on BlueKeep, it suggested a 95% chance that it would be exploited within a year. BlueKeep, which was discovered in May this year, was exploited in November. Even Microsoft has confirmed that it has been exploited and has asked users to patch it as soon as possible.

Furthermore, the best thing about the machine learning model in EPSS is the fact that it is open source. The major reason behind this is to bring the tool to a wider audience and to let ML experts improve it so that it can deal with upcoming threats.


Machine learning has been used in several domains over the years, and this sought-after technology has done wonders. Now, in the cybersecurity field, the technology seems to be delivering the same level of efficiency. However, as everything in this technology space is considered a double-edged sword, could the open-source nature of the model also be used in an adversarial way? There have always been talks about combining open source with cybersecurity, and it is only a matter of time before we find out whether adversarial uses emerge.