Enhancing vulnerability prioritization with asset context and EPSS - Now in Public Preview. (2024)

Vulnerability prioritization is a critical component of an effective Vulnerability Risk Management (VRM) program.
It involves identifying and ranking security weaknesses in an organization's systems based on their potential impact and exploitability.
Given the vast number of potential vulnerabilities, it is impossible to address all of them at once. Effective prioritization ensures that the most critical vulnerabilities are addressed first, maximizing security efforts.
This approach is crucial for defending against cyberattacks, as it helps allocate resources effectively, reduce the attack surface, and protect sensitive data more efficiently.

We are excited to announce the addition of three crucial factors to our prioritization process in Microsoft Defender Vulnerability Management, aimed at improving accuracy and efficiency. These factors include:

  • Information about critical assets (defined in Microsoft Security Exposure Management)
  • Information about internet-facing devices
  • Exploit Prediction Scoring System (EPSS) score

In this article, you can learn more about each of these enhancements, how they contribute to a more robust vulnerability prioritization process, and how you can use them.

Critical devices

In Microsoft Security Exposure Management (preview), you can define and manage resources as critical assets.

Identifying critical assets helps ensure that the most important assets in your organization are protected against the risk of data breaches and operational disruptions, and it supports availability and business continuity. Exposure Management provides an out-of-the-box catalog of predefined critical asset classifications, the ability to create custom definitions, and the option to manually tag devices as critical to your organization. Learn more about critical asset management in this deep dive blog.

Now in preview, you can prioritize security recommendations and remediation steps to focus on critical assets first.
A new column displaying the sum of critical assets for each recommendation has been added to the security recommendations page, as shown in figure 1.


Figure 1. New column in the recommendations page that displays the number of critical devices that are correlated to each recommendation (all criticality levels).

Additionally, in the exposed device lists (found throughout the Microsoft Defender portal), you can view device criticality, as shown in figure 2.


Figure 2. Exposed devices with their criticality level in the recommendation object.

You can also use the critical devices filter to display only recommendations that involve critical assets, as shown in figure 3.


Figure 3. Capability to filter and display only recommendations that involve critical assets.

The sum of critical assets (in any criticality level) for each recommendation is now consumable through the recommendations API.

This is the first factor we are incorporating from Exposure Management, and we plan to expand this feature to include more context from the enterprise graph for prioritization enhancements. This will enable a more comprehensive understanding and management of security risks, ensuring that critical areas are addressed with the highest priority.

Internet facing devices

Because threat actors continuously scan the internet for exposed devices to exploit, Microsoft Defender for Endpoint automatically identifies and flags onboarded, internet-exposed devices in the Microsoft Defender portal. This information improves visibility into your organization's external attack surface and indicates which assets an attacker can actually reach. Devices that can be successfully connected to via TCP, or that are identified as host-reachable via UDP, are flagged as internet-facing in the portal. Learn more about devices flagged as internet-facing.

The internet-facing device tag is now integrated into Defender Vulnerability Management experiences. This allows you to filter and see only weaknesses or security recommendations that impact internet-facing devices. The tag is displayed in the tags column, as shown in figure 4, for all relevant devices in the exposed device lists found throughout the Microsoft Defender portal.


Figure 4. Internet-facing tag on the CVE object and on the relevant device.

Exploit Prediction Scoring System (EPSS)

The Exploit Prediction Scoring System (EPSS), maintained by FIRST, is a data-driven effort to estimate the probability that a software vulnerability will be exploited in the wild within the next 30 days. EPSS combines current threat information about each CVE with real-world exploitation data. The model produces for each CVE a probability between 0 and 1 (0% to 100%); the higher the score, the greater the estimated probability of exploitation. EPSS measures likelihood only, not the impact of a successful exploit, so it complements rather than replaces severity scores and asset context. Learn more about EPSS.

In the Microsoft Defender portal, you can see the EPSS score for each weakness, as shown in figure 5.


Figure 5. Screenshot showing EPSS score.

When the EPSS score is greater than 0.9, the bug tip is highlighted to reflect the urgency of mitigation, as shown in figure 6.

Figure 6. On the weaknesses page: the bug tip is highlighted for this CVE as EPSS > 0.9.

EPSS is designed to enrich your knowledge of each weakness with an estimate of exploit probability so that you can prioritize accordingly; use it together with the critical-asset and internet-facing signals above rather than on its own. The EPSS score is also consumable through the Vulnerability API.

Note that an EPSS score below 0.001 is treated as 0.
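The following is an added example, not Microsoft's code and not the Defender API schema: it shows one way to combine the three factors described above (critical-asset count, internet-facing device count, and EPSS) into a remediation order, applying the two EPSS rules the page states (scores below 0.001 treated as 0; scores above 0.9 flagged as urgent). The Weakness record is a constructed stand-in for a row from the recommendations or vulnerabilities API, its field names are assumptions, the tier policy is illustrative, and the CVE identifiers in the sample are placeholders.

```python
"""Rank weaknesses using critical assets, internet-facing devices and EPSS.

Added example, not Microsoft's code or the Defender API schema. The Weakness
record is a constructed stand-in for an API row; field names are assumptions.
The tier policy is illustrative, not a documented Defender ranking.
"""
from dataclasses import dataclass

EPSS_FLOOR = 0.001   # page: an EPSS score below this is treated as 0
EPSS_URGENT = 0.9    # page: the bug tip is highlighted above this


@dataclass(frozen=True)
class Weakness:
    cve: str
    cvss: float
    epss: float                   # probability of exploitation, 0..1
    exposed_devices: int
    critical_devices: int         # sum over all criticality levels
    internet_facing_devices: int


def normalize_epss(score: float) -> float:
    """Validate the 0..1 range and apply the portal's floor (< 0.001 -> 0)."""
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"EPSS must be a probability in [0, 1], got {score!r}")
    return 0.0 if score < EPSS_FLOOR else score


def is_urgent(score: float) -> bool:
    """True when the portal would highlight the weakness (EPSS > 0.9)."""
    return normalize_epss(score) > EPSS_URGENT


def tier(w: Weakness) -> int:
    """Illustrative policy (an assumption, not Defender's own ranking):
    1 - likely to be exploited AND on a critical or internet-facing device
    2 - likely to be exploited, OR present on critical devices
    3 - present on internet-facing devices
    4 - everything else
    """
    likely = is_urgent(w.epss)
    critical = w.critical_devices > 0
    reachable = w.internet_facing_devices > 0
    if likely and (critical or reachable):
        return 1
    if likely or critical:
        return 2
    if reachable:
        return 3
    return 4


def prioritize(weaknesses):
    """Order by tier, then by the factors that justify the tier. CVSS is only
    a tie-breaker, which is the point of adding asset context and EPSS."""
    return sorted(
        weaknesses,
        key=lambda w: (
            tier(w),
            -normalize_epss(w.epss),
            -w.critical_devices,
            -w.internet_facing_devices,
            -w.cvss,
            w.cve,
        ),
    )


# Constructed sample; the CVE identifiers are placeholders, not real CVEs.
SAMPLE = [
    Weakness("CVE-0000-0001", cvss=9.8, epss=0.97, exposed_devices=40, critical_devices=0, internet_facing_devices=5),
    Weakness("CVE-0000-0002", cvss=7.5, epss=0.0004, exposed_devices=200, critical_devices=12, internet_facing_devices=0),
    Weakness("CVE-0000-0003", cvss=9.1, epss=0.95, exposed_devices=3, critical_devices=0, internet_facing_devices=0),
    Weakness("CVE-0000-0004", cvss=5.3, epss=0.02, exposed_devices=80, critical_devices=0, internet_facing_devices=10),
    Weakness("CVE-0000-0005", cvss=9.8, epss=0.0009, exposed_devices=1, critical_devices=0, internet_facing_devices=0),
]


def ranked_cves(weaknesses=SAMPLE):
    """Return CVE identifiers in remediation order."""
    return [w.cve for w in prioritize(weaknesses)]


if __name__ == "__main__":
    for w in prioritize(SAMPLE):
        print(f"tier {tier(w)}  {w.cve}  cvss={w.cvss}  "
              f"epss={normalize_epss(w.epss):.4f}  critical={w.critical_devices}  "
              f"internet={w.internet_facing_devices}")
```

Running the sample shows why CVSS alone is a poor sort key: the CVSS 9.8 placeholder CVE-0000-0005 lands last because its EPSS is floored to 0 and it sits on no critical or internet-facing device, while the CVSS 7.5 placeholder CVE-0000-0002 is placed in tier 2 purely because of the twelve critical devices exposed to it.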

Try the new capabilities

Incorporating asset context and EPSS into Defender Vulnerability Management marks a significant advancement in our vulnerability prioritization capabilities. These new features—critical asset identification, internet-facing device tagging, and EPSS scoring—provide a more accurate and efficient approach to managing security risks.

By leveraging these tools, you can better protect your organization’s most valuable assets, reduce their attack surface, and stay ahead of potential threats. We invite you to explore these new capabilities and see how they can help with prioritization and enhance your security posture.

For more information, see the following articles:

  • What’s new in Microsoft Defender Vulnerability Management
  • What is Microsoft Security Exposure Management?
  • Device inventory
  • Overview of management and APIs