EPSS data now in Navi!

Casey Reid a.k.a Packet Chaos
Sep 11, 2023

A friend and colleague, Evan Grace, made the awesome suggestion to add EPSS data to Navi. I wasn’t intimately familiar with EPSS and its Ethos; I only knew it as a “Scoring” system for CVEs.

What is EPSS?

I couldn’t summarize what EPSS is better than their website, so here is the definition:

The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. Our goal is to assist network defenders to better prioritize vulnerability remediation efforts.

https://www.first.org/epss/model

The EPSS website has a plethora of information on how they generate the scores and arrive at their conclusions. In addition, there is analysis showing the effectiveness of this approach (graph above). This risk-based, real-life approach is extremely impactful in reducing risk. In fact, Tenable launched VPR years ago to solve this problem for their customer base.

What is VPR?

To be consistent, here is Tenable’s definition of its VPR scoring:

Vulnerability priority rating (VPR), the output of Tenable Predictive Prioritization, helps organizations improve their remediation efficiency and effectiveness by rating vulnerabilities based on severity level — Critical, High, Medium and Low — determined by two components: technical impact and threat.

Technical impact measures the impact on confidentiality, integrity and availability following exploitation of a vulnerability. It is equivalent to the CVSSv3 impact subscore. The threat component reflects both recent and potential future threat activity against a vulnerability. Some examples of threat sources that influence VPR are public proof-of-concept (PoC) research, reports of exploitation on social media, emergence of exploit code in exploit kits and frameworks, references to exploitation on the dark web and hacker forums and detection of malware hashes in the wild. Such threat intelligence is key in prioritizing those vulnerabilities that pose the most risk to an organization.

Source: https://www.tenable.com/blog/what-is-vpr-and-how-is-it-different-from-cvss

Why put it in Navi?

A core part of my personal ethos is to help others achieve their goals. In the words of Simon Sinek, this is my “Why”. It’s one of the reasons I built Navi, continue to support it and write on Medium.

Many Navi users love data and the ability to manipulate that data, which continues to drive innovation in the tool. Adding EPSS data provides more options for users to make more informed remediation decisions.

Putting the CVSS2, CVSS3, VPR and EPSS data beside each other is helpful in prioritizing and may provide the corporate air-cover needed when pushing high-value patches on the crown jewels.

Navi compare

The command “navi compare {asset uuid}” will parse each Tenable plugin and pull out the CVE and the relevant scores. It produces the output below and a CSV containing the relevant fields.

Note: CVSS scores are pulled from the plugin, not from NIST.

If your organization is CVE focused and not Patch focused, this type of reporting can be helpful.

Navi find cve

The “navi find cve {cve id}” command will not only help identify what assets have a particular CVE but will also show the EPSS data alongside it. Take a look at the output from my lab:

Plugin Details

Tenable mirrors their plugins after the patches that are provided by the vendor. This means there is a high potential of multiple CVEs per plugin. You can see the EPSS average, Max and Total by using the “plugin” command as shown below:

As you can see, Plugin 134902 has a VPR score of 6.7 (as of writing this) and a Max EPSS percentage of .00151, which is derived from the three CVEs that are found in this plugin.

How do I get EPSS in Navi?

You need to have Navi version 7.3.19 to take advantage of the features described above. Once you have upgraded or installed the latest version, you can run the command below, replacing the date information with the one you desire:

navi update epss --day 11 --month 09 --year 2023

The command will reach out to the EPSS CSV URL to download the latest data mapping and store it in a new table called EPSS. You can verify you have the right data by using the “navi find query” command, which queries the database using SQL statements.

navi find query "select * from epss;"
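
The load-and-aggregate flow described above, as an added example that is not Navi's own code: it parses text in the daily EPSS CSV layout into an `epss` table and computes the per-plugin average, max and total across a plugin's CVEs. The use of SQLite, the table columns, the plugin-to-CVE mapping, the placeholder CVE ids and the scores are all assumptions constructed for this example.

```python
import csv
import io
import sqlite3

# Constructed sample in the daily EPSS CSV layout: a '#' metadata line, then a header row.
# The CVE ids and scores are placeholders, not real EPSS data.
SAMPLE_EPSS_CSV = """\
#model_version:v2023.03.01,score_date:2023-09-11T00:00:00+0000
cve,epss,percentile
CVE-0000-0001,0.00151,0.51
CVE-0000-0002,0.00090,0.37
CVE-0000-0003,0.00045,0.12
CVE-0000-0004,0.97000,0.99
"""

# Hypothetical plugin -> CVE mapping. A plugin follows a vendor patch, so it can carry
# several CVEs; plugin 999999 references a CVE that has no EPSS row at all.
SAMPLE_PLUGIN_CVES = {
    134902: ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"],
    999999: ["CVE-0000-9999"],
}


def load_epss(conn, csv_text):
    """Create the epss table (assumed schema) and load rows; returns the row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS epss "
                 "(cve TEXT PRIMARY KEY, epss REAL, percentile REAL)")
    # Skip '#' metadata lines so DictReader sees the real header row first.
    lines = (ln for ln in io.StringIO(csv_text) if not ln.startswith("#"))
    rows = [(r["cve"], float(r["epss"]), float(r["percentile"]))
            for r in csv.DictReader(lines)]
    conn.executemany("INSERT OR REPLACE INTO epss VALUES (?, ?, ?)", rows)
    return len(rows)


def plugin_epss(conn, plugin_cves, plugin_id):
    """Return (scored_cves, average, max, total); stats are None when nothing is scored."""
    cves = plugin_cves.get(plugin_id, [])
    if not cves:
        return (0, None, None, None)
    marks = ",".join("?" * len(cves))  # only placeholders are formatted in, values stay bound
    sql = f"SELECT COUNT(*), AVG(epss), MAX(epss), SUM(epss) FROM epss WHERE cve IN ({marks})"
    return tuple(conn.execute(sql, cves).fetchone())


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(load_epss(db, SAMPLE_EPSS_CSV), "rows loaded")
    print(plugin_epss(db, SAMPLE_PLUGIN_CVES, 134902))
```

The count of scored CVEs is returned alongside the statistics so that a plugin whose CVEs have no EPSS row yet is not mistaken for one with a low score.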

If you are new to Navi, check out the “Getting Started with Navi” article and dive into navi. If you are a regular user of Navi, please provide any suggestions to help make it better!

Thank you Evan for the push!
