What Users Ask For
Overview
Any solution should be informed by what the user wants and by the rationale behind how the solution is implemented. This allows the solution to be understood and validated against the requirements and that rationale.
In this section, we look at users' requirements, expressed as User Scenarios and User Stories.
Note
The first step of this Guide was asking users who represent stakeholders/roles to provide their requirements as User Scenarios and User Stories, and to introduce the Design Thinking process. Extracts from those User Scenarios and User Stories are provided below.
- We have not yet iterated on these requirements per Design Thinking to get to the underlying problem definition. It is common for users to express an implementation of what they want, similar to what they already know, rather than the underlying reasons why they want it.
EPSS Ratings Similar to CVSS
Coming from CVSS, users naturally want or expect similar ratings, a la the Critical, High, Medium, Low severities.
Related User Scenarios and User Stories
Quote
This is put into easy-to-understand severity levels that additionally factor in the confidence of the likelihood score and are aligned with the existing Critical, High, Medium, Low severities I am used to from CVSS.
Quote
As a Tool Provider I want to provide my customers with not just an EPSS Score, but a standard Severity level that is familiar to me and officially provided by the same organization that provides the scores. Critical, High, Medium, Low are values I understand and can be mapped to existing policies and processes easily - especially for communication to less security-fluent stakeholders.
Feedback
CVSS already includes support for Exploitation in CVSS Exploit Maturity.
- See section CVSS Exploit Maturity for more details, including
- the limitations of using CVSS Exploit Maturity for risk-based prioritization
- an example project that calculates CVSS Exploit Maturity and includes EPSS scores and thresholds
This guide gives alternatives.
In the content below, it will be shown that
- EPSS allows for effective risk-based prioritization
- The difference in level of effort to remediate issues between EPSS score of ~10% to ~90% is relatively small.
EPSS as the Single Score for Exploitation
A similar common request is to
Quote
"set the EPSS score to 1 if there are already published exploits"
Feedback
Per Using EPSS with Known Exploitation, EPSS is pre-threat intel and should be used in conjunction with evidence that a vulnerability is being exploited. EPSS is by design not "the Single Score for Exploitation".
Per CVSS:
Quote
it is recommended to use multiple sources of threat intelligence as many are not comprehensive.
Technically a Single Score exists that includes Exploitation and Severity:
- CVSS already includes support for Exploitation in CVSS Exploit Maturity.
- See section CVSS Exploit Maturity for more details, including
- the limitations of using CVSS Exploit Maturity for risk-based prioritization
- an example project that calculates CVSS Exploit Maturity and includes EPSS scores and thresholds
This guide gives alternatives.
Confidence Level of EPSS Scores
Related User Scenarios and User Stories
Confidence Level of EPSS Scores
Quote
As a Tool Provider I want to provide my customers with not just an EPSS Score, but the Confidence level of that assessment. The estimation of score accuracy has a direct impact on my ability to de-prioritize lower EPSS scores. Low Confidence should ideally be communicated, and ideally influence Severity levels.
Feedback
Throughout this guide, it's been shown that in some cases EPSS scores will be persistently low even when there is evidence of exploitation e.g.
That evidence of exploitation exists outside the EPSS model, so EPSS should be used in conjunction with it.
In other words, the EPSS model cannot give a confidence level on overall exploitation.
Quote
If there is evidence that a vulnerability is being exploited, then that information should supersede anything EPSS has to say, because again, EPSS is pre-threat intel. If there is an absence of exploitation evidence, then EPSS can be used to estimate the probability it will be exploited.
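The decision rule in that quote, written out as an added example (not code from this guide): exploitation evidence is kept as its own field and takes precedence, EPSS is carried through unchanged rather than forced to 1, and the threshold and CVE ids are assumed placeholders, since thresholds are covered in the EPSS Thresholds section.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed placeholder threshold: thresholds are deferred to the EPSS Thresholds
# section, so this value is illustrative, not a recommendation from the guide.
EPSS_THRESHOLD = 0.1

_PRIORITY_ORDER = {"exploited": 0, "likely": 1, "unlikely": 2}


@dataclass(frozen=True)
class VulnRecord:
    cve: str
    epss: float                       # EPSS probability in [0, 1]; never overwritten
    exploited: bool = False           # evidence of exploitation from outside the EPSS model
    evidence_source: Optional[str] = None


def prioritize(v: VulnRecord, threshold: float = EPSS_THRESHOLD) -> dict:
    """Exploitation evidence supersedes EPSS; otherwise EPSS estimates likelihood.

    The EPSS score is carried through unchanged rather than forced to 1, so the
    model output and the threat-intel signal remain separately auditable.
    """
    if not 0.0 <= v.epss <= 1.0:
        raise ValueError(f"{v.cve}: EPSS must be a probability in [0, 1]")
    if v.exploited:
        basis = v.evidence_source or "exploitation evidence"
        return {"cve": v.cve, "priority": "exploited", "basis": basis, "epss": v.epss}
    label = "likely" if v.epss >= threshold else "unlikely"
    basis = f"no exploitation evidence; EPSS {v.epss:.3f} vs threshold {threshold}"
    return {"cve": v.cve, "priority": label, "basis": basis, "epss": v.epss}


def rank(records: List[VulnRecord], threshold: float = EPSS_THRESHOLD) -> List[dict]:
    """Order work: exploited first, then by descending EPSS within each band."""
    results = [prioritize(v, threshold) for v in records]
    return sorted(results, key=lambda r: (_PRIORITY_ORDER[r["priority"]], -r["epss"]))


# Constructed sample input (placeholder CVE ids, not real vulnerabilities).
SAMPLE = [
    VulnRecord("CVE-EXAMPLE-0001", epss=0.02, exploited=True, evidence_source="constructed intel feed"),
    VulnRecord("CVE-EXAMPLE-0002", epss=0.95),
    VulnRecord("CVE-EXAMPLE-0003", epss=0.04),
]

if __name__ == "__main__":
    for r in rank(SAMPLE):
        print(f'{r["cve"]}: {r["priority"]:9s} ({r["basis"]})')
```

Note that the low-EPSS but exploited record still ranks first while its EPSS value stays 0.02, which is the behaviour the quote asks for and the "set EPSS to 1" request would have hidden.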
EPSS to Guide My Effort in My Environment
Related User Scenarios and User Stories
Feedback
These points will be covered in the EPSS Thresholds section.