In this newsletter, Thor breaks down why you should stop relying solely on CVSS and start using EPSS and GCVE to focus your patching efforts on the threats that actually matter.
# Best Practices: Precision Vulnerability Management
## Overview
These practices address the inefficiency of "panic patching" based solely on CVSS scores. By integrating probability-based metrics (EPSS) and decentralized threat intelligence (GCVE), organizations can move from measuring theoretical severity to addressing actual exploitation risk, ensuring finite resources are focused on active threats.
## Key Recommendations
### Immediate Actions
1. **Stop CVSS-Only Prioritization:** Do not treat CVSS as a risk score. Use it only for technical impact assessment.
2. **Add EPSS to Triage:** Overlay the Exploit Prediction Scoring System (EPSS) onto your current patch list.
3. **Identify "Drop Everything" Vulnerabilities:** Immediately prioritize CVEs that feature both high CVSS (Severity) and high EPSS (Probability).
4. **Adopt CISA KEV:** Check your environment against the CISA Known Exploited Vulnerabilities (KEV) catalog as a baseline for emergency patching.
### Short-term Improvements (1-3 months)
1. **Integrate GCVE Data:** Incorporate Global CVE (GCVE) feeds into your enrichment pipeline to reduce reliance on centralized, slower databases like the NVD.
2. **Redefine SLOs:** Establish Service Level Objectives (SLOs) based on risk profiles (e.g., 24 hours for high CVSS/high EPSS, 30 days for high CVSS/low EPSS).
3. **Implement Synthetic Testing:** Use tools like EvidenceForge to generate realistic log data to validate that your detection logic actually flags exploitation attempts.
### Long-term Strategy (3+ months)
1. **Automated Enrichment Pipelines:** Build automated workflows that ingest CVSS, EPSS, KEV, and GCVE data to dynamically re-sort the patch backlog daily.
2. **Decentralized Intelligence Scaling:** Shift vulnerability intelligence gathering from a single source to a multi-source model to gain visibility into non-U.S. centric threats.
3. **Continuous Validation:** Transition from periodic scanning to a continuous validation model using synthetic attack scenarios to stress-test SIEM and SOC readiness.
## Implementation Guidance
### For Small Organizations
- Focus on the **CISA KEV catalog** for mandatory patches.
- Use free web-based **EPSS lookup tools** to check high-severity vulnerabilities before authorizing emergency weekend work.
### For Medium Organizations
- Integrate EPSS scores into your existing Vulnerability Management (VM) scanner (e.g., Tenable, Qualys).
- Use **EvidenceForge** to train a small internal SOC team on realistic attack sequences without needing a full Red Team engagement.
### For Large Enterprises
- Automate the ingestion of **GCVE** for faster enrichment of new CVEs.
- Custom-build a "Risk Matrix" that weights EPSS (likelihood) and CVSS (impact) against asset criticality to determine patching order across global business units.
## Configuration Examples
### The Triage Logic Matrix
Configure your vulnerability dashboard to sort by these quadrants:
| Quadrant | Metric | Action |
| :--- | :--- | :--- |
| **Critical** | High CVSS (9.0+) + High EPSS (>0.5) | **Sprint/Immediate** |
| **High** | Medium CVSS + High EPSS | **Patch next 48 hours** |
| **Medium** | High CVSS + Low EPSS | **Normal patch cycle** |
| **Low** | Low CVSS + Low EPSS | **De-prioritize** |
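The quadrant logic of this matrix as runnable triage code (an added example, not code from the newsletter or from Talos). It assumes a 4.0-8.9 band for "medium" CVSS, treats CISA KEV membership as an override into the Critical quadrant, and maps the two combinations the table does not list (low CVSS + high EPSS, medium CVSS + low EPSS) to the nearest row; the SLO windows come from the recommendations above.

```python
from dataclasses import dataclass

# Thresholds from the triage matrix: CVSS 9.0+ is "high", EPSS > 0.5 is "high".
CVSS_HIGH = 9.0
EPSS_HIGH = 0.5

# Patch windows: 24 h and 30 d from the SLO recommendation, 48 h from the matrix.
# "Low" carries no window because the matrix de-prioritizes it.
SLO_HOURS = {"Critical": 24, "High": 48, "Medium": 30 * 24, "Low": None}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Finding:
    cve: str            # identifier; sample values below are constructed placeholders
    cvss: float         # base score, used only as a technical impact measure
    epss: float         # probability of exploitation (0.0 - 1.0)
    in_kev: bool = False  # listed in the CISA KEV catalog


def quadrant(f: Finding) -> str:
    """Map one finding to a triage quadrant from the matrix above."""
    if f.in_kev:            # assumption: KEV is the emergency baseline, so it wins
        return "Critical"
    high_epss = f.epss > EPSS_HIGH
    high_cvss = f.cvss >= CVSS_HIGH
    if high_cvss and high_epss:
        return "Critical"
    if high_epss:           # medium CVSS (or, by assumption, low CVSS) + high EPSS
        return "High"
    if high_cvss:           # severe on paper, little evidence of exploitation
        return "Medium"
    return "Low"            # assumption: medium CVSS + low EPSS also lands here


def prioritize(findings):
    """Return the backlog in patch order: quadrant first, then EPSS, then CVSS."""
    return sorted(findings, key=lambda f: (RANK[quadrant(f)], -f.epss, -f.cvss))


# Constructed sample backlog reproducing the "chasing the 9.8" pitfall.
BACKLOG = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02),              # severe, not exploited
    Finding("CVE-0000-0002", cvss=7.2, epss=0.91),              # being weaponized
    Finding("CVE-0000-0003", cvss=5.5, epss=0.01),
    Finding("CVE-0000-0004", cvss=6.1, epss=0.30, in_kev=True),  # KEV override
]

if __name__ == "__main__":
    for f in prioritize(BACKLOG):
        q = quadrant(f)
        print(f"{f.cve} cvss={f.cvss} epss={f.epss:.2f} kev={f.in_kev} -> {q}, SLO hours: {SLO_HOURS[q]}")
```

Run as-is to see the CVSS 7.2 finding sort ahead of the CVSS 9.8 one; swap in your scanner export for `BACKLOG` to apply the same ordering to a real backlog.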
## Compliance Alignment
- **NIST SP 800-40 (Vulnerability Management):** Comports with guidance to prioritize based on risk and operational context.
- **CIS Controls (Control 7):** Enhances Continuous Vulnerability Management by improving the quality of the "risk-based" approach.
- **ISO/IEC 27001:** Supports the risk treatment process by providing data-driven likelihood metrics.
## Common Pitfalls to Avoid
- **Chasing the "9.8":** Patching a CVSS 9.8 that has no known exploit while ignoring a CVSS 7.2 that is currently being weaponized in the wild.
- **Reliance on NVD Speed:** Assuming the National Vulnerability Database (NVD) is current; the backlog means enrichment often lags behind exploitation.
- **Synthetic Log Noise:** Using basic log generators that lack "causal consistency," leading to false positives in detection logic.
## Resources
- **EPSS (Exploit Prediction Scoring System):** hxxps[://]www[.]first[.]org/epss/
- **GCVE (Global CVE):** hxxps[://]gcve[.]eu/
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **EvidenceForge (Synthetic Logs):** hxxps[://]github[.]com/Cisco-Talos/EvidenceForge
- **Talos Vulnrichment:** hxxps[://]github[.]com/cisagov/vulnrichment