
How Emerson Uses Tenable.io to Find and Fix Vulnerabilities

Emerson’s solutions are used in manufacturing, industrial, commercial and residential environments. Learn how Tenable.io became a staple for the application and product security testing team.

The technologies and services provided by Emerson improve human comfort, safeguard food, protect the environment, enable sustainable food waste disposal and support efficient construction and maintenance of buildings and municipal infrastructure. The company, headquartered in St. Louis, MO, has two core businesses — Emerson Automation Solutions and Emerson Commercial & Residential Solutions — serving customers in industrial, commercial and residential markets. 

Making sure the hardware and software being developed is secure falls to Jon Brown, Emerson’s Manager of Application and Product Security Testing. Brown conducts penetration testing on the company’s offerings, working with the engineers to do threat modeling and think through what could go wrong with any given product. 

“Once the threat modeling is done, we sit down with them and talk about some of the controls that they can put in place to ensure that it is secure,” said Brown in an interview with Tenable during the Edge 2019 User Conference in May. “And then we ensure that the controls that they say that they're going to put in place, they do put in place.”

When the software requirements are met, Brown and his team “pull the hardware apart, and we try to see what we can do,” he said. “We monitor the communications, we scan to see what we can see on that device, if there are open ports, open services, and ensure that it's locked up as tight as it can be.”

How VPR Eases Communication Among Stakeholders 

One of the biggest challenges Brown faces is helping engineers see the security concerns he and his team are uncovering. “Vulnerability management is tough because you are showing them that their baby's ugly,” said Brown. “You're walking up to them and you're saying, ‘Hey man, like this doesn't look all that great.’ You need to be able to do it in a way that's a little dispassionate. If you have a tool that can...show the results in a way that can be digested and that can be obtained easily and is trusted then, all of sudden, that communication becomes a lot easier.”

Emerson turned to Tenable.io to help ease those difficult conversations. “Tenable.io is a staple of what we're doing in our penetration testing service to understand and get that initial attack surface and be able to leverage those results and make them real.” 

The Vulnerability Priority Rating (VPR), introduced in Tenable.io and Tenable.sc earlier this year, is giving Brown even more data to support his pen test findings when it comes time to present the results to the engineering team. “Tenable does a great job of showing you what's wrong,” he said. “But [engineers] always ask, ‘Prove it to me...Show me that these results actually matter.’ ” 

VPR is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability. 

With VPR, Brown and his team are able to say “Here's that top three percent of what we really should focus in on, and that’s extremely valuable.”

Communicating with peers is only part of the story. Emerson also uses Tenable.io to provide context for cybersecurity conversations throughout the organization, including in the executive suite. “It's important for them to see trending...and it's important for them to see results,” said Brown. “They need to be able to understand where [you’re] at and where you're going and why you are going there.”

The VPR score goes beyond traditional criticality ratings to offer context about a vulnerability’s real-world exploitability and potential business impact on the organization’s specific environment. “CVSS gives us that kind of baseline, but what is the business impact, what is the actual impact, what's the exploitability?” said Brown. “[We’re] able to take those results up to the leadership and say, ‘Here are the issues that we're going to work on...this month, this quarter. And this is what that result looks like.’”

Being able to tell senior management “‘we had a thousand open [tickets] on this issue and this month we closed 900 of them’...shows real value and that shows actionable results,” added Brown. As a manufacturer, Emerson also has an obligation to reassure its own customers about the Cyber Exposure scores of its hardware and applications. “The companies that we do business with are starting to look at Emerson and say, ‘Why is your score X, we want it to be Y.’ And we're starting to look at companies [we do business with] and say, ‘Why is your score X, and we need it to be Z.’ It’s something that a lot of people are starting to take seriously, and I think that's a good thing. Ultimately, it raises the bar a little bit for everybody.”
