Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

How Emerson Uses Tenable.io to Find and Fix Vulnerabilities

Emerson’s solutions are used in manufacturing, industrial, commercial and residential environments. Learn how Tenable.io became a staple for the application and product security testing team.

The technologies and services provided by Emerson improve human comfort, safeguard food, protect the environment, enable sustainable food waste disposal and support efficient construction and maintenance of buildings and municipal infrastructure. The company, headquartered in St. Louis, MO, has two core businesses — Emerson Automation Solutions and Emerson Commercial & Residential Solutions — serving customers in industrial, commercial and residential markets. 

Making sure the hardware and software being developed is secure falls to Jon Brown, Emerson’s Manager of Application and Product Security Testing. Brown conducts penetration testing on the company’s offerings, working with the engineers to do threat modeling and think through what could go wrong with any given product. 

“Once the threat modeling is done, we sit down with them and talk about some of the controls that they can put in place to ensure that it is secure,” said Brown in an interview with Tenable during the Edge 2019 User Conference in May. “And then we ensure that the controls that they say that they're going to put in place, they do put in place.”

When the software requirements are met, Brown and his team “pull the hardware apart, and we try to see what we can do,” he said. “We monitor the communications, we scan to see what we can see on that device, if there are open ports, open services, and ensure that it's locked up as tight as it can be.”

How VPR Eases Communication Among Stakeholders 

One of the biggest challenges Brown faces is helping engineers see the security concerns he and his team are uncovering. “Vulnerability management is tough because you are showing them that their baby's ugly,” said Brown. “You're walking up to them and you're saying, ‘Hey man, like this doesn't look all that great.’ You need to be able to do it in a way that's a little dispassionate. If you have a tool that can...show the results in a way that can be digested and that can be obtained easily and is trusted then, all of sudden, that communication becomes a lot easier.”

Emerson turned to Tenable.io to help ease those difficult conversations. “Tenable.io is a staple of what we're doing in our penetration testing service to understand and get that initial attack surface and be able to leverage those results and make them real.” 

The Vulnerability Priority Rating (VPR), introduced in Tenable.io and Tenable.sc earlier this year, is giving Brown even more data to support his pen test findings when it comes time to present the results to the engineering team. “Tenable does a great job of showing you what's wrong,” he said. “But [engineers] always ask, ‘Prove it to me...Show me that these results actually matter.’ ” 

VPR is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability. 

With VPR, Brown and his team are able to say “Here's that top three percent of what we really should focus in on, and that’s extremely valuable.”

Communicating with peers is only part of the story. Emerson also uses Tenable.io to provide context for cybersecurity conversations throughout the organization, including in the executive suite. “It's important for them to see trending...and it's important for them to see results,” said Brown. “They need to be able to understand where [you’re] at and where you're going and why you are going there.”

The VPR score goes beyond traditional criticality ratings to offer context about a vulnerability’s real-world exploitability and potential business impact on the organization’s specific environment.  “CVSS gives us that kind of baseline, but what is the business impact, what is the actual impact, what's the exploitability?,” said Brown. “[We’re] able to take those results up to the leadership and say, ‘Here are the issues that we're going to work on...this month, this quarter. And this is what that result looks like.’”

Being able to tell senior management “ ‘we had a thousand open [tickets] on this issue and this month we closed 900 of them’...shows real value and that shows actionable results,” added Brown. As a manufacturer, Emerson also has an obligation to reassure its own customers about the Cyber Exposure scores of its hardware and applications. “The companies that we do business with are starting to look at Emerson and say, ‘Why is your score X, we want it to be Y.’ And we're starting to look at companies [we do business with] and say, ‘Why is your score X, and we need it to be Z.’ It’s something that a lot of people are starting to take seriously, and I think that's a good thing. Ultimately, it raises the bar a little bit for everybody.”

Learn More:

Watch the interview with Emerson’s Jon Brown here:

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training