
Exploit Prediction Scoring System (EPSS) - Jerry Gamblin

BSides Newcastle | 10:02 | 20 views | Published 2023-12

[Applause] Just a quick one. Thank you so much for selecting my talk for the one lightning talk, I appreciate it. So we're going to talk about the EPSS, which is the Exploit Prediction Scoring System. About me: my name is Jerry Gamblin, I'm the director of security research at Cisco. I was with Kenna until we were acquired 14 months ago.

So what is the EPSS? The EPSS is an open-source version of what we built at Kenna and sold to Cisco that we're able to give back to the community. It takes the same data points that we're using in the main Kenna model, in a smaller way, and gives it to the community for free to let you guys move to a risk-based vulnerability management assessment. So it helps you understand: hey, is this being exploited on the Internet? Is this CVE likely to be exploited? Should I look at it? And we'll dig into that. But as we talked about yesterday, there were 183,000 CVEs now, over 16,000 this year alone, so anything that you can do to help chip down on the number of CVEs that your organization has to take care of will greatly help you.

So the data behind EPSS is pretty simple. It's the MITRE list, where CVEs are born. If you sat through my talk yesterday, you now know that MITRE is an MIT front for the deep government of the US. Text-based image tags: we go through and we mine the data in the CVE and get tags out, so that we know a count of how many days it's been published. We have a report out that you can look at, it's the P2P report. It shows that all CVEs are normally exploited between 0 and 90 days or, believe it or not, between 120 and 180 days. Right, there's a little bump there where nothing's going to happen, and then you have your second round where hackers might go back and try to pick those up. We also have some partners in the open-source community: Sn1per, Jaeles, Intrigue. And then we use the CVSS vectors to do that.

So everybody asks me why this is such an important thing. Well, we know for a fact that no matter where you're sitting at in here, how many SOC analysts you have, how many network administrators you have, no matter what size your company is, you're only patching 20% of the vulnerabilities on your network every month if you're industry best. We've not seen anybody do better than 20%. Low-scoring companies do between five and eight, the average is about 15 this year, and we run this report every year. It's in our P2P report, you can go and pull the numbers, so you know that I'm not just making it up. But we talked to a ton of people about this, we sell to some of the biggest companies in the world, and they're all like, yeah, we're only doing about 20% of the open vulnerabilities on our network a month and we need to know which ones we need to patch.

So the problem is, between 3 to 6% of CVEs are only ever exploited, right? The rest of it is just noise. Do we have any... I haven't seen an RTL-SDR talk here, I was hoping Mark would have hit some of the radio stuff in his robot talk, but he didn't. But signal to noise is always a big deal, and you're talking about a 97% noise-to-signal ratio when you're talking about your average CVE count. That's terrible, right? Most people can't handle that.

So here's the EPSS. We're going to go through the measuring performance. If you've done 7-plus on CVSS, which the government thinks is great, you're only covering, I think it's about 3% of all the vulnerabilities you need to see. Yeah. So the efficiency is: everything that's in the blue that's not overlapped by the red is wasted effort by your SOC team. How many of your SOC and patching team have that much time to be wasting, to not be making progress on securing your network?

So here's where we're trying to get to, right? CVSS version 3 only is a 5% efficiency. If you're saying that you're going to patch everything that's seven and above, you're working at about 5%. Version one of EPSS, which was out last year, which was our first public release, doubled that plus a little bit, got you to about 13% efficiency just using the open-source data. Version two, which we were super proud of, got you to 42.5% efficiency. The model that we charge companies for is at 85% right now. So the model that Kenna sells and Cisco sells is a more mature model, but we're giving away half of our model for free, basically, at this point, and we'd love for you guys to go and dig into the model. It's hosted on FIRST.org, which is a European-based organization. There are open calls every week that you can hop on and help us figure out where we should move this model to, how we can make it more useful to people, what products can go in and use this model. But what it does is, every day we go and we score every CVE and tell you if we think it's going to be impactful on your network or not, and you can bring that into your SIEM, into your scoring, or any other piece of software that you use to manage your day-to-day operations.

All right, so that is my S-minute talk with three minutes for questions. I'm sure the next person will come up here and do a talk just like this, right? Yeah, let's... yeah, but if you go get yourself a coffee... yeah, sure. Okay, that's awesome, and yeah, we need to have a conversation after this, purely business level. Any questions? Anybody spell CVSS? Yeah, God, you... No questions over at that side? Right here, here we go.

So this is for CVEs basically, correct? But if I was doing a pentest, how would I score it? If it was EPSS, would it be like, is there a similar kind of grading system there, or is it just for vulnerabilities found in it?

It's really just the vulnerabilities. But we talked to people about this, and there is a model that you can use, and the model is in the paper, and a lot of it comes down to, like those first couple of slides say: what the vendor is, is it being exploited, is there anything in Metasploit, right?

I have a sort of follow-up that is not related at all. You mentioned orgs can only hit 10 to 20%. How many new per month are being identified on average?

This month there are 68 new vulnerabilities a day.

So, whatever, 68. It's like, yeah, they're not really making much headway.

Yeah, there's zero headway being made. And to be honest, a lot of that... it would be a lot worse if it wasn't for Windows 10. Windows 10 is actually a great driver for organizations because of auto-patching; it pulls their numbers way down. We ran the model without Windows 10 and it falls down to: the best orgs patch about 7% of the stuff on their network. That's terrifying. Any more? Really, while I'm up here, put the hand up. Yes.

Thanks Jerry, that was really interesting. From the patching side, I love the idea of being more efficient. The numbers you got at 5% are somewhat terrifying. With this sort of model, if we try to use it, do you have any experience of coming up against sort of the usual policies, or sort of outside compliance frameworks, that say you must patch all the things all the time?

Yeah. And I've helped big companies, I've sat down with their hiters and I've said they're not doing this now, and they're saying, but that's what we want them to do. I'm like, would you rather them just keep lying to you, or would you rather them say, hey, we're moving to this, where we're at least going to patch what we know is vulnerable first and then try to get to the rest? I've never in my lifetime told anyone not to patch everything. If I go into a business meeting, if my sales team calls me in and the SOC guy is like, we patch 100% of everything, I'm like, amazing, let me go buy you dinner, because you are doing what everyone else wants to do. It's really about being honest with yourself and being able to show numbers like 20% is industry leading to your board and have them not freak out, because they believe that you're patching 100% of everything on your network all the time. Any more questions?

Awesome. That was terrifying and amazing all at the same time.

Right, but please go to first.org/epss. This is an open-source project. Anybody who has any interest in vulnerability management, or computer science, or machine learning, we'd love for you to join the SIG, the special interest group that helps build the next model, and to help use it in any product or process that you guys want. Okay. [Applause]
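The efficiency number the talk keeps returning to (5% for "patch everything CVSS 7 and above", 13% and 42.5% for EPSS v1 and v2) is one of a pair of metrics: efficiency is the share of what you chose to patch that was actually exploited, coverage is the share of exploited vulnerabilities your choice included. The following is an added worked example, not code from the talk or from the EPSS project, that scores a CVSS-threshold policy and an EPSS-threshold policy on a constructed vulnerability list; the CVE identifiers, scores and the "exploited" flag are all made up, and the 0.1 EPSS threshold is an assumed example value.

```python
# Added example (not from the talk or the EPSS project): scoring a remediation
# strategy the way the talk does. Efficiency = share of what you patched that
# was exploited; coverage = share of exploited vulns that you patched.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder identifier, not a real CVE
    cvss: float       # CVSS base score (0-10), constructed value
    epss: float       # EPSS probability (0-1), constructed value
    exploited: bool   # assumed ground truth, used only to score the policy

# Constructed sample: most high-CVSS entries are never exploited (the "noise"
# the talk describes) while some mid-CVSS entries with high EPSS are.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.92, True),
    Vuln("CVE-0000-0002", 9.1, 0.04, False),
    Vuln("CVE-0000-0003", 8.8, 0.02, False),
    Vuln("CVE-0000-0004", 8.1, 0.01, False),
    Vuln("CVE-0000-0005", 7.5, 0.65, True),
    Vuln("CVE-0000-0006", 7.2, 0.03, False),
    Vuln("CVE-0000-0007", 6.5, 0.40, True),
    Vuln("CVE-0000-0008", 5.3, 0.15, False),
    Vuln("CVE-0000-0009", 4.3, 0.01, False),
    Vuln("CVE-0000-0010", 3.1, 0.005, False),
]

def metrics(vulns, selected):
    """Return (efficiency, coverage) for the set of CVE ids chosen for patching."""
    tp = sum(1 for v in vulns if v.cve in selected and v.exploited)
    fp = sum(1 for v in vulns if v.cve in selected and not v.exploited)
    fn = sum(1 for v in vulns if v.cve not in selected and v.exploited)
    efficiency = tp / (tp + fp) if tp + fp else 0.0   # exploited among patched
    coverage = tp / (tp + fn) if tp + fn else 0.0     # patched among exploited
    return efficiency, coverage

def by_cvss(vulns, threshold=7.0):
    """The 'patch everything seven and above' policy from the talk."""
    return {v.cve for v in vulns if v.cvss >= threshold}

def by_epss(vulns, threshold=0.1):
    """An EPSS-driven policy; the 10% cutoff is an assumed example value."""
    return {v.cve for v in vulns if v.epss >= threshold}

def compare(vulns=SAMPLE):
    """Score both policies on the same data; only the selected set differs."""
    return {"cvss>=7": metrics(vulns, by_cvss(vulns)),
            "epss>=0.1": metrics(vulns, by_epss(vulns))}
```

On this sample `compare()` gives 33% efficiency and 67% coverage for the CVSS policy against 75% and 100% for the EPSS policy; the two CVSS-9 entries that were never exploited are the "blue not overlapped by red" wasted effort from the slide.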