
Enhancing vulnerability prioritization with asset context and EPSS – Now in Public Preview.

by info.odysseyx@gmail.com


Vulnerability prioritization is a critical component of an effective vulnerability risk management (VRM) program.
This involves identifying and ranking security vulnerabilities in an organization’s systems based on their potential impact and exploitability.
Because there are so many potential vulnerabilities, it is impossible to address them all at once. Effective prioritization can help you maximize your security efforts by addressing the most critical vulnerabilities first.
This approach is critical to defending against cyberattacks because it helps allocate resources effectively, reduce the attack surface, and protect sensitive data more efficiently.

We are excited to add three important elements to the Microsoft Defender Vulnerability Management prioritization process, aimed at improving accuracy and efficiency. These elements are critical devices, internet-facing devices, and the Exploit Prediction Scoring System (EPSS).

This article will dive deeper into each of these improvements, how they contribute to a more robust vulnerability prioritization process, and how you can use them.

Critical devices

In Microsoft Security Exposure Management (Preview), you can define and manage resources as critical assets.

Identifying critical assets helps ensure that your organization’s most important assets are protected from data breach and operational disruption risks. Identifying critical assets contributes to availability and business continuity. Exposure Management provides a built-in catalog of predefined critical asset classifications, the ability to create custom definitions, and the ability to manually tag devices as critical to your organization. Learn more about critical asset management in this in-depth blog post.

You can now prioritize security recommendations and remediation steps in Preview to focus on critical assets first.
As you can see in Figure 1, a new column has been added to the Security Recommendations page that displays the sum of critical assets for each recommendation.


Figure 1. New column on the Recommendations page showing the number of critical devices associated with each recommendation (all criticality levels).

Additionally, as shown in Figure 2, you can view device criticality in the list of exposed devices (found throughout the Microsoft Defender portal).


Figure 2. Exposed devices with their criticality level in the recommendation object.

As you can see in Figure 3, the Critical Devices filter allows you to display only recommendations related to critical assets.


Figure 3. Ability to filter and display only recommendations related to critical assets.

The sum of the critical assets for each recommendation (regardless of criticality level) can now be consumed through the recommendations API.

This is the first element we are integrating into Exposure Management, and we plan to extend this capability to include more context from the enterprise graph to drive prioritization. This will enable a more comprehensive understanding and management of security risks, ensuring that critical areas are prioritized.

Internet-facing devices

As threat actors continuously search the web for exposed devices to exploit, Microsoft Defender for Endpoint automatically identifies and flags onboarded, exposed internet-facing devices in the Microsoft Defender portal. This information provides greater visibility into your organization’s external attack surface and insight into the potential exploitation of your assets. Devices that are identified as successfully connecting over TCP or reaching a host over UDP are flagged as internet-facing in the portal. Learn more about devices that are flagged as internet-facing.

Internet-facing device tags are now integrated into the Defender Vulnerability Management experience. This allows you to filter and view only vulnerabilities or security recommendations that affect internet-facing devices. The tag is displayed in the Tags column for all relevant devices in the list of exposed devices found across the Microsoft Defender portal, as shown in Figure 4.


Figure 4. Internet-facing tags on CVE entities and associated devices.

Exploit Prediction Scoring System (EPSS)

The Exploit Prediction Scoring System (EPSS) is a data-driven effort to estimate the likelihood (probability) that a software vulnerability will be exploited in the wild. EPSS uses the latest threat intelligence from CVEs and real-world exploit data. The EPSS model generates a probability score between 0 and 1 (0-100%) for each CVE. The higher the score, the more likely the vulnerability is to be exploited. Learn more about EPSS.

In the Microsoft Defender portal, you can check the EPSS score for each vulnerability, as shown in Figure 5.


Figure 5. Screenshot showing EPSS scores.

When EPSS is greater than 0.9, bug tips are highlighted to reflect the urgency of mitigation, as shown in Figure 6.


Figure 6. The bug tip for this CVE on the vulnerability page is highlighted because EPSS > 0.9.

EPSS is designed to enrich your knowledge of vulnerabilities, help you understand their exploitability probabilities, and prioritize them accordingly. The EPSS score can also be consumed through the vulnerability API.

If the EPSS score is less than 0.001, it is considered 0.
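The following added example (not Microsoft's code and not the API's schema) shows how the three signals described above can be combined when triaging exported data. The record fields, the placeholder CVE names, the sample devices and the sort order are assumptions; only the 0.001 floor and the 0.9 highlight threshold come from this article.

```python
from dataclasses import dataclass, field

EPSS_FLOOR = 0.001   # article: scores below this are considered 0
EPSS_URGENT = 0.9    # article: the portal highlights CVEs above this

@dataclass
class Device:                       # hypothetical record shape
    name: str
    critical: bool = False          # defined as a critical asset
    internet_facing: bool = False   # carries the internet-facing tag

@dataclass
class Finding:                      # hypothetical record shape
    cve: str
    epss: float
    devices: list = field(default_factory=list)

def effective_epss(score):
    """Apply the floor from the article: anything under 0.001 counts as 0."""
    return 0.0 if score < EPSS_FLOOR else score

def summarize(f):
    epss = effective_epss(f.epss)
    return {
        "cve": f.cve,
        "epss": epss,
        "urgent": epss > EPSS_URGENT,   # strictly greater, as in the article
        "critical_devices": sum(d.critical for d in f.devices),
        "internet_facing": sum(d.internet_facing for d in f.devices),
    }

def prioritize(findings, critical_only=False, internet_facing_only=False):
    rows = [summarize(f) for f in findings]
    if critical_only:
        rows = [r for r in rows if r["critical_devices"] > 0]
    if internet_facing_only:
        rows = [r for r in rows if r["internet_facing"] > 0]
    # Assumed ordering: highlighted CVEs first, then critical-device count,
    # then internet-facing count, then the EPSS probability itself.
    rows.sort(key=lambda r: (r["urgent"], r["critical_devices"],
                             r["internet_facing"], r["epss"]), reverse=True)
    return rows

# Constructed sample data; CVE names are placeholders.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-A", 0.0004, [Device("kiosk-01")]),
    Finding("CVE-PLACEHOLDER-B", 0.93, [Device("web-01", internet_facing=True)]),
    Finding("CVE-PLACEHOLDER-C", 0.42, [Device("dc-01", critical=True),
                                        Device("dc-02", critical=True)]),
    Finding("CVE-PLACEHOLDER-D", 0.42, [Device("vpn-01", critical=True,
                                               internet_facing=True)]),
]
```
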

Try out new features

Integrating asset context and EPSS into Defender Vulnerability Management represents a significant advancement in vulnerability prioritization capabilities. These new capabilities (critical asset identification, internet-facing device tagging, EPSS scoring) provide a more accurate and efficient approach to managing security risks.

These tools can help you better protect your organization’s most valuable assets, reduce your attack surface, and stay ahead of potential threats. Explore these new capabilities and see how they can help you prioritize and strengthen your security posture.

For more information, see the following articles:




