How to Predict Your Patching Priorities

Implementing a smart and timely approach to patching remains one of the primary ways for organizations to protect their networks from attackers.

While a robust suite of security technology undoubtedly plays a starring role in every organization’s risk management strategy, implementing a smart and timely approach to patching remains one of the primary ways for organizations to protect their networks from attackers. Patching vulnerabilities addresses known security weaknesses, preventing potential exploits that malicious actors could use to gain unauthorized access to corporate data or disrupt operations.

However, given how often patching updates are released by software and application developers, it’s easy to get overwhelmed. Teams often grapple with which updates to implement, when to do so, and in what order they should be applied.

But what if you could reliably forecast your patch schedule? While there’s no silver bullet, it’s possible to use some of the latest threat insights to help guide your strategy and keep your organization better protected.

Patching is key

Even with a patch management strategy in place, many businesses still find it difficult to patch vulnerabilities as soon as they are discovered, and hackers are quick to capitalize on this situation. It’s crucial to have a solid plan in place for deciding which vulnerabilities to patch first and for securing systems.

In the meantime, practitioners can take advantage of safeguards like virtual patching—adding a security layer that analyzes incoming traffic for malicious activity—while waiting for the actual patches to be applied. Though every platform should be taken into account when making a list of priorities, that only goes so far in identifying which open vulnerabilities are most likely to be attacked soon. The good news is that there are other tools you can use to prioritize patching efforts.

Understanding the “red zone”

Many variables, such as organizations’ vulnerability management practices and advancements in attacker tooling, affect the relationship between the Common Vulnerabilities and Exposures (CVEs) that are present on endpoints and the CVEs actually targeted by attackers.

To help security practitioners better prioritize their patching efforts, the FortiGuard Labs team introduced the concept of the “red zone” in a previous threat landscape report. The red zone is a moment-in-time assessment of the CVE data observed on endpoints compared with the CVEs actively under attack. We introduced the red zone to help security practitioners understand how likely (or unlikely) it is that threat actors will exploit a specific vulnerability.

For example, in our latest threat landscape report, we performed this analysis and determined that just 8.3% of more than 14,000 known CVEs fell into the “red zone” in the first half of 2023. While that figure still represents a fair number of vulnerabilities that security practitioners need to address, understanding the red zone can help teams determine the patching efforts that should be their highest priority.

Using EPSS to prioritize your efforts

Using the Exploitation Prediction Scoring System (EPSS) can go a long way toward anticipating what vulnerabilities will require your attention. The EPSS is an open, data-driven project for determining how likely it is that an attacker will use a software vulnerability in the wild. With the use of an existing CVSS score, the project aims to help network defenders better prioritize vulnerability mitigation operations.

EPSS uses current threat information from the CVE database, along with data from real-world exploits, to make predictions. The probability score generated by EPSS ranges from 0 to 1 (0% to 100%). The likelihood that a vulnerability will be exploited in the next 30 days increases as the score gets higher.

For example, on May 31, 2023, it was disclosed that the MOVEit Transfer web application contained a zero-day SQL injection vulnerability that might allow an unauthenticated actor to modify or remove data from the database engine. Security professionals flagged this vulnerability as one to watch. Following the publication of the CVE, EPSS forecasted a very high likelihood of exploitation within the following 30 days.

Not surprisingly, cybercriminals didn’t wait long to take action. Just five days after the vulnerability was discovered, our FortiGuard Labs sensors detected attacker efforts to exploit the MOVEit vulnerability. In this instance, EPSS offered third-party confirmation of the predictions our analysts made and assisted us in staying ahead of and communicating about the evolving threat.

Though vulnerability management teams use EPSS to help prioritize their remediation efforts, they can also use it to aid intelligence efforts to monitor the development of vulnerabilities from their original disclosure to the start of exploitation in the wild. Incorporate EPSS data into your vulnerability management strategy to serve as an early warning system.
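As an added illustration (not code from the article or from FortiGuard Labs), the sketch below combines the red zone comparison and EPSS scores into a single patch queue. The CVE IDs, hosts and telemetry are constructed placeholders, the EPSS records mirror the `data` field of FIRST's public EPSS API response, and the 0.1 threshold and tier order are assumptions to tune locally.

```python
import json

# Constructed sample data; CVE IDs are placeholders, not real identifiers.
# Records mirror the EPSS API "data" field, where scores arrive as strings.
EPSS_RESPONSE = json.loads("""{"data": [
  {"cve": "CVE-0000-0001", "epss": "0.97100", "percentile": "0.99800"},
  {"cve": "CVE-0000-0002", "epss": "0.00210", "percentile": "0.58000"},
  {"cve": "CVE-0000-0003", "epss": "0.41200", "percentile": "0.97000"},
  {"cve": "CVE-0000-0004", "epss": "0.00045", "percentile": "0.12000"}]}""")
# CVE -> hosts where a scanner found it (hypothetical inventory export).
ENDPOINT_CVES = {
    "CVE-0000-0001": ["web01", "web02"],
    "CVE-0000-0002": ["db01"],
    "CVE-0000-0003": ["app01", "app02", "app03"],
    "CVE-0000-0004": ["hr-laptop"],
    "CVE-0000-0005": ["vpn01"],          # too new to have an EPSS score
}
# CVEs with exploitation attempts seen by sensors (hypothetical telemetry).
UNDER_ATTACK = {"CVE-0000-0003", "CVE-0000-0009"}


def red_zone(endpoint_cves, under_attack):
    """CVEs both present on endpoints and actively attacked, plus their share."""
    zone = set(endpoint_cves) & set(under_attack)
    return zone, len(zone) / len(endpoint_cves) if endpoint_cves else 0.0


def patch_queue(endpoint_cves, under_attack, epss_response, threshold=0.1):
    """Order CVEs: red zone, then EPSS >= threshold, then unscored, then the rest."""
    scores = {r["cve"]: float(r["epss"]) for r in epss_response["data"]}
    zone, _ = red_zone(endpoint_cves, under_attack)
    queue = []
    for cve, hosts in endpoint_cves.items():
        score = scores.get(cve)              # None = no prediction yet, not "safe"
        if cve in zone:
            tier = 0
        elif score is None:
            tier = 2
        else:
            tier = 1 if score >= threshold else 3
        # Within a tier: higher EPSS first, then more affected hosts.
        queue.append((tier, -(score or 0.0), -len(hosts), cve))
    return [(cve, tier) for tier, _, _, cve in sorted(queue)]


if __name__ == "__main__":
    for cve, tier in patch_queue(ENDPOINT_CVES, UNDER_ATTACK, EPSS_RESPONSE):
        print(tier, cve)
```

Unscored CVEs are deliberately ranked above low-scoring ones, since a missing prediction is not evidence of low risk.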

Get your patching priorities straight

Patching is a critical task on every security professional’s already lengthy to-do list. In order to simplify the process while keeping the organization safe, teams should take advantage of tools like red zone analysis and the EPSS. These offerings provide a valuable picture of where organizations should focus their efforts when it comes to protecting their attack surface and prioritizing patching efforts, saving practitioners time and energy (and many trips down CVE rabbit holes).

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.

