6% of All Published CVEs Have Been Exploited in the Wild, Report Finds

Research from earlier this year revealed a worrying uptick in cyberattack volume in the past 24 months, with over a third (36%) of organisations admitting to experiencing three or more data breaches in this time frame. With attack volume increasing, one thing is called into question time and time again: vulnerability prioritisation. The Inaugural Study of EPSS Data and Performance report studies exactly this. 


The report outlines vulnerability exploitation in the wild since 2017. Developed by the Cyentia Institute, the report is a data-driven collaborative effort for estimating the likelihood that a published vulnerability will be exploited in the wild. Its goal is to help defenders prioritise vulnerability remediation, putting the focus on assessing risk. EPSS, whose data is regularly contributed by the community, combines current threat information targeting CVEs with real-world exploit data. The EPSS model produces a daily updated prediction of the probability that a vulnerability will be exploited in the next 30 days.


The EPSS research found that there were 237,687 published CVEs as of May 31st 2024, of which 13,807 had observed exploitation activity. In the last 12 months, 30,000 CVEs have been published, with the annual rate varying around an average of 16%. Ultimately, the rising number of vulnerabilities threatens to overwhelm vulnerability management teams if remediation cannot be prioritised.


Of these nearly 250,000 published CVEs, the number of known-exploited vulnerabilities is steadily approaching 15,000. This means that about 6% of all published CVEs have been exploited in the wild – and that rate is holding steady. Such figures show that tracking and predicting known exploits is critical for efficient remediation.
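To make the prioritisation argument concrete, here is an added example (not code from the report or from the EPSS project) that scores a remediation threshold the way EPSS performance is usually judged: efficiency (precision) and coverage (recall) of the CVEs flagged for remediation, next to the base rate of observed exploitation. The CVE identifiers, EPSS scores and exploitation labels below are constructed placeholders, not real EPSS output.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    epss: float       # EPSS probability of exploitation in the next 30 days (0..1)
    exploited: bool   # whether exploitation activity was observed for this CVE


# Constructed sample data: placeholder identifiers and illustrative scores.
SAMPLE = [
    CveRecord("CVE-0000-0001", 0.95, True),
    CveRecord("CVE-0000-0002", 0.80, True),
    CveRecord("CVE-0000-0003", 0.60, False),
    CveRecord("CVE-0000-0004", 0.30, True),
    CveRecord("CVE-0000-0005", 0.10, False),
    CveRecord("CVE-0000-0006", 0.05, False),
    CveRecord("CVE-0000-0007", 0.02, False),
    CveRecord("CVE-0000-0008", 0.01, False),
]


def base_rate(records):
    """Share of CVEs with observed exploitation (the report's ~6% figure)."""
    return sum(r.exploited for r in records) / len(records)


def evaluate_threshold(records, threshold):
    """Outcome of remediating every CVE whose EPSS score is >= threshold.

    efficiency: share of flagged CVEs that were actually exploited (precision)
    coverage:   share of all exploited CVEs that were flagged (recall)
    effort:     share of all CVEs the team would have to remediate
    """
    flagged = [r for r in records if r.epss >= threshold]
    exploited_total = sum(r.exploited for r in records)
    hits = sum(r.exploited for r in flagged)
    return {
        "threshold": threshold,
        "efficiency": hits / len(flagged) if flagged else 0.0,
        "coverage": hits / exploited_total if exploited_total else 0.0,
        "effort": len(flagged) / len(records),
    }


def prioritise(records, threshold):
    """Remediation queue: flagged CVEs ordered by EPSS score, highest first."""
    ranked = sorted(records, key=lambda r: r.epss, reverse=True)
    return [r.cve_id for r in ranked if r.epss >= threshold]
```

Lowering the threshold raises coverage at the cost of efficiency and effort, which is exactly the trade-off a vulnerability management team has to choose when it cannot remediate everything.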


The EPSS aims to distil data from multiple different sources ..
