Exploit Prediction Scoring System (EPSS)
| Autor: | Benjamin Edwards, Michael Roytman, Jay Jacobs, Sasha Romanosky, Idris Adjerid |
|---|---|
| Rok vydání: | 2019 |
| Předmět: |
Prioritization
FOS: Computer and information sciences Computer Science - Cryptography and Security Scoring system Exploit Computer Networks and Communications Computer science 0211 other engineering and technologies Vulnerability 02 engineering and technology Software 020204 information systems 0202 electrical engineering electronic engineering information engineering Public disclosure 021110 strategic defence & security studies business.industry Information security Vulnerability management Computer Science Applications Risk analysis (engineering) Hardware and Architecture business Safety Research Cryptography and Security (cs.CR) Information Systems |
| DOI: | 10.48550/arxiv.1908.04856 |
| Popis: | Despite the massive investments in information security technologies and research over the past decades, the information security industry is still immature. In particular, the prioritization of remediation efforts within vulnerability management programs predominantly relies on a mixture of subjective expert opinion, severity scores, and incomplete data. Compounding the need for prioritization is the increase in the number of vulnerabilities the average enterprise has to remediate. This paper produces the first open, data-driven framework for assessing vulnerability threat, that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure. This scoring system has been designed to be simple enough to be implemented by practitioners without specialized tools or software, yet provides accurate estimates of exploitation. Moreover, the implementation is flexible enough that it can be updated as more, and better, data becomes available. We call this system the Exploit Prediction Scoring System, EPSS. Comment: 25 pages, 8 figures, 7 tables, Presented at Blackhat 2019 |
| Databáze: | OpenAIRE |
| Externí odkaz: |
|