How Emerson Uses Tenable.io to Find and Fix Vulnerabilities

Team Tenable

Emerson’s solutions are used in manufacturing, industrial, commercial and residential environments. Learn how Tenable.io became a staple for the application and product security testing team.

The technologies and services provided by Emerson improve human comfort, safeguard food, protect the environment, enable sustainable food waste disposal and support efficient construction and maintenance of buildings and municipal infrastructure. The company, headquartered in St. Louis, MO, has two core businesses — Emerson Automation Solutions and Emerson Commercial & Residential Solutions — serving customers in industrial, commercial and residential markets. 

Making sure the hardware and software being developed is secure falls to Jon Brown, Emerson’s Manager of Application and Product Security Testing. Brown conducts penetration testing on the company’s offerings, working with the engineers to do threat modeling and think through what could go wrong with any given product. 

“Once the threat modeling is done, we sit down with them and talk about some of the controls that they can put in place to ensure that it is secure,” said Brown in an interview with Tenable during the Edge 2019 User Conference in May. “And then we ensure that the controls that they say that they're going to put in place, they do put in place.”

When the software requirements are met, Brown and his team “pull the hardware apart, and we try to see what we can do,” he said. “We monitor the communications, we scan to see what we can see on that device, if there are open ports, open services, and ensure that it's locked up as tight as it can be.”

How VPR Eases Communication Among Stakeholders 

One of the biggest challenges Brown faces is helping engineers see the security concerns he and his team are uncovering. “Vulnerability management is tough because you are showing them that their baby's ugly,” said Brown. “You're walking up to them and you're saying, ‘Hey man, like this doesn't look all that great.’ You need to be able to do it in a way that's a little dispassionate. If you have a tool that can...show the results in a way that can be digested and that can be obtained easily and is trusted then, all of a sudden, that communication becomes a lot easier.”

Emerson turned to Tenable.io to help ease those difficult conversations. “Tenable.io is a staple of what we're doing in our penetration testing service to understand and get that initial attack surface and be able to leverage those results and make them real.” 

The Vulnerability Priority Rating (VPR), introduced in Tenable.io and Tenable.sc earlier this year, is giving Brown even more data to support his pen test findings when it comes time to present the results to the engineering team. “Tenable does a great job of showing you what's wrong,” he said. “But [engineers] always ask, ‘Prove it to me...Show me that these results actually matter.’ ” 

VPR is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability. 

With VPR, Brown and his team are able to say “Here's that top three percent of what we really should focus in on, and that’s extremely valuable.”

Communicating with peers is only part of the story. Emerson also uses Tenable.io to provide context for cybersecurity conversations throughout the organization, including in the executive suite. “It's important for them to see trending...and it's important for them to see results,” said Brown. “They need to be able to understand where [you’re] at and where you're going and why you are going there.”

The VPR score goes beyond traditional criticality ratings to offer context about a vulnerability’s real-world exploitability and potential business impact on the organization’s specific environment. “CVSS gives us that kind of baseline, but what is the business impact, what is the actual impact, what's the exploitability?” said Brown. “[We’re] able to take those results up to the leadership and say, ‘Here are the issues that we're going to work on...this month, this quarter. And this is what that result looks like.’”

Being able to tell senior management “ ‘we had a thousand open [tickets] on this issue and this month we closed 900 of them’...shows real value and that shows actionable results,” added Brown. As a manufacturer, Emerson also has an obligation to reassure its own customers about the Cyber Exposure scores of its hardware and applications. “The companies that we do business with are starting to look at Emerson and say, ‘Why is your score X, we want it to be Y.’ And we're starting to look at companies [we do business with] and say, ‘Why is your score X, and we need it to be Z.’ It’s something that a lot of people are starting to take seriously, and I think that's a good thing. Ultimately, it raises the bar a little bit for everybody.”


Published on Aug 21, 2019
