From Art to Craft: A Practical Approach to Setting EPSS Thresholds
Are you using an EPSS threshold to steer your patch management strategy?
Exec sum / teaser
EPSS is an excellent exposer of the pandemic of vulnerabilities that we are all currently experiencing. It is in fact so good that, in the current situation, setting an EPSS threshold for patching can easily backfire and ruin your patch management strategy if you are not careful.
This, in essence, is what a new "law" I like to call the slithering law is telling us.
You won't see this if you follow the usual, statistics-inherited rationale (i.e., if the EPSS threshold is set according to customary parameters such as Recall and Precision).
The EPSS threshold should be set using criteria which are easy to understand within your corporation.
Which ones? And how?
Without further ado, let's familiarize ourselves with snakes overrunning our patch management dashboards!
The S-curve
To take a fresh perspective on EPSS thresholds, we'll drop the statistical heritage and switch to an operational, down-to-earth approach: we'll look at the EPSS threshold as a function of our actual capability to fix vulnerabilities.
Let's define capability as a cursor ranging from 0.0 (we can't afford to patch any vulnerability) to 1.0 (we can patch them ALL, even the ones not affecting our ecosystem; what a luxury!).
The graph below shows how the EPSS threshold responds to every possible capability if we take a snapshot (here, taken on 2024-03-13) of all CVEs tracked over one year (from 2023-03-13 to 2024-03-13).
This adds up to about 42,000 CVEs... Quite a decent sample, don't you think?
This function is not linear: it is shaped like an S-curve (light blue). We fit it to a logistic function (dark blue) without difficulty; this fit lets us make an approximate estimate of the steepness of the curve in the critical region where the EPSS threshold is around 0.5.
We find that the steepness in this region is precipitous because we chose to represent the capability "c" on a log scale, to accommodate the non-linearity of the EPSS score distribution.
You can visualize this curve yourself and adjust it as you please from my Kaggle notebook: https://www.kaggle.com/code/labyrinthinesecurity/capability-driven-epss-threshold
A slithering motion...
Take a close look at the lower and upper elbows of this S-curve: they occur at EPSS thresholds of approximately 0.9 and 0.1 respectively.
Since most companies set their EPSS threshold between 0.1 (patch almost everything) and 0.9 (patch only the vulnerabilities that are exploited or about to be exploited), it follows that the vast majority of EPSS thresholds fall within the critical region of the S-curve.
If, for any reason, you make even the slightest change (positive or negative) to your patching capability, you will see your EPSS threshold move quickly between the elbows, in a snake-like fashion.
=====> This very sensitive motion is the EPSS slithering law!
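To make the S-curve and the slithering effect concrete, here is an added example (not code from the article or its Kaggle notebook): it derives the EPSS threshold implied by a given patching capability as the lowest score among the top `capability` fraction of CVEs, locates the capabilities where the curve crosses the 0.9 and 0.1 elbows, and shows how far the threshold jumps for a 10% change in capability. The CVE sample is constructed (log-normally distributed EPSS scores), not the 42,000-CVE snapshot the article uses.

```python
# Added illustration of the capability-driven EPSS threshold. The CVE sample below is
# constructed (synthetic log-normal scores), not the article's real EPSS snapshot.
import random


def epss_threshold(scores, capability):
    """Lowest EPSS score among the top `capability` fraction of CVEs, i.e. the threshold
    at which "patch everything at or above it" consumes exactly that capability."""
    if not 0.0 <= capability <= 1.0:
        raise ValueError("capability must lie in [0.0, 1.0]")
    ranked = sorted(scores, reverse=True)
    k = round(capability * len(ranked))   # how many CVEs the budget covers
    if k == 0:
        return 1.0                        # no budget: threshold sits above every score
    return ranked[k - 1]


def constructed_cve_sample(n=42000, seed=2024):
    """Synthetic EPSS scores: log10(score) ~ N(-3, 1.2), clipped to (0, 1]."""
    rng = random.Random(seed)
    return [min(1.0, 10 ** rng.gauss(-3.0, 1.2)) for _ in range(n)]


def elbow_capabilities(scores, high=0.9, low=0.1):
    """Capabilities at which the curve crosses the 0.9 and 0.1 elbows, i.e. the share
    of CVEs scoring at least `high` and at least `low`."""
    n = len(scores)
    return (sum(s >= high for s in scores) / n, sum(s >= low for s in scores) / n)


def slither(scores, capability, relative_change=0.10):
    """Threshold before and after a relative change in capability: the slithering effect."""
    before = epss_threshold(scores, capability)
    after = epss_threshold(scores, min(1.0, capability * (1 + relative_change)))
    return before, after


if __name__ == "__main__":
    sample = constructed_cve_sample()
    c_at_09, c_at_01 = elbow_capabilities(sample)
    print(f"threshold 0.9 reached at capability {c_at_09:.4f}, "
          f"threshold 0.1 at capability {c_at_01:.4f}")
    # Inside the critical region a small capability change moves the threshold a lot.
    for c in (0.005, 0.01, 0.02, 0.04):
        b, a = slither(sample, c)
        print(f"capability {c:.3f}: threshold {b:.3f} -> {a:.3f} after +10% capability")
```

Replace the constructed sample with a real EPSS export (one score per CVE) to reproduce the curve for your own organisation.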
Is it a good thing?
Yes, it is! If you are aware of this behavior, you can turn it to your company's advantage. If not, chances are you're in for a surprise in a year's time, when you review the performance of your patching strategy with top management...
Factors affecting your patching capability
Because the EPSS threshold is so sensitive to capability changes, it is critically important that you identify all the factors that may influence your capability.
Once you have gained a good understanding of these factors, you will be able to set a maximum bound for the threshold you want to honor: not now, mind you, but a YEAR from now.
Here are the factors I believe to be the most important:
That's it for today. I wish you all the best for your next performance review. :)
Takeaways
Time to anticipate all these factors!
Reduce risk - focus on vulnerabilities that matter - Contextual ASPM - CEO & Founder - Phoenix security - Runner - Application Security Cloud Security | 40 under 40 | CSA UK Board | CSCP Podcast Host
2 months
Hey Chris, this is brilliant but it assumes that the values only go up. Whilst the time factors are not so immediate, they tend to switch faster. Have you seen the opposite approach? A couple of examples would help with context.