How Sanmina Uses to Prioritize Vulnerabilities and Improve Its Security Posture

Team Tenable

Sanmina’s information security team needed an effective way for hundreds of IT colleagues worldwide to access vulnerability data — while also keeping senior management informed. Here’s how the organization is using and the Vulnerability Priority Rating.

Sanmina designs, manufactures and repairs complex and innovative optical, electronic and mechanical products for original equipment manufacturers (OEMs) across a range of industries, including communications networks, computing and storage, medical, defense and aerospace, industrial and semiconductor, automotive and clean technology sectors.

The organization has approximately 45,000 employees worldwide. Matt Ramberg, Sanmina’s VP of Information Security, and his three-member team are responsible for securing an expanding mix of assets across some 70 locations worldwide. 

“My top challenge [is] managing a global footprint of nearly 50,000 assets with a small team, all centrally located in the U.S.,” said Ramberg  in an interview with Tenable during the Edge 2019 user conference in May.

While traditional IT assets make up the bulk of Sanmina’s portfolio, Ramberg said the organization is moving toward Industry 4.0 and his team is preparing to accommodate operational technology (OT) such as industrial control systems (ICS), supervisory control and data acquisition (SCADA) software and heating, ventilation and air conditioning (HVAC) systems.

Sanmina uses (formerly SecurityCenter) with the Vulnerability Priority Rating (VPR) to regularly scan those 50,000 assets and provide vulnerability prioritization data to the company’s field IT teams, which are responsible for remediation. 

“We used to, actually, with our previous tool, generate reports manually and send them to each IT department,” said Ramberg, noting that hundreds of people were receiving the reports. 

“With we've been able to separate the data into distinct facilities across the organization,” said Ramberg. “It allows each individual team to log in and see their vulnerabilities that need to be remediated. It allows them to prioritize. Tenable will prioritize that data accordingly so they can prioritize and remediate the critical systems, the key systems that need to be tackled first and then react to the other items as necessary.”

VPR, a capability introduced this year in and, is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability. 

“In our previous set up, we didn't have the ability to prioritize vulnerabilities, so these facilities and these IT personnel were just inundated with sheer volumes of data,” said Ramberg. “Now, we can direct them on prioritization — using features such as ‘is the vulnerability exploitable or not?’ — which Tenable provides.” Ramberg noted the IT teams also use for specific examples of what needs to be done to patch each vulnerability. 

The tool helped the organization achieve a more complete view of its attack surface than was previously possible. “You don't know what you don't know, and exposed that to us so we knew what to tackle and what we needed to focus on,” said Ramberg. “It's allowed us to identify critical issues that we didn’t know existed until the Tenable scan occurred. We were able to focus our efforts and go tackle those issues before they became widespread throughout the organization.”

How helps with reporting to the C-suite, the board and customers

Ramberg said he also turns to when he’s asked to provide metrics to to Sanmina’s CIO and to the board. 

“Prior to, everything was ad hoc,” said Ramberg. “I didn't have a concise platform to tell me our vulnerabilities and how we're doing within our specific divisions throughout the organization. With, I now have that data at my fingertips in a single dashboard. Senior management's now able to see the impact of our Cyber Exposure [practice].” 

Meeting the cybersecurity expectations of its customers was a key driver for Sanmina. The organization is often asked to complete cybersecurity questionnaires for existing or prospective clients, noted Ramberg. “When we mention that we use Tenable as our solution for vulnerability management, everybody knows Tenable. It's a very highly respected company. And the questions generally go smoothly…once they know that's in place.”

Asked if he had any advice for peers who may be considering a similar deployment, Ramberg said: “Tenable is a leader in this field. We do a lot of research before we purchase any solutions [and] Tenable came out as the clear choice. It provides actionable results from vulnerability scans and allows the individual facilities to prioritize and remediate as they deem fit based on the vulnerabilities that are discovered in their particular facilities.”

Watch now

Tenable interviews Mark Ramberg, VP of Information Security with Sanmina, at our Edge 2019 user conference:

Learn More:

  • Visit our Predictive Prioritization webpage here.
  • Learn more about here.

Read more >

Published on Oct 3, 2019

People also viewed

Business Cost Analyst - Cloud Infrastructure

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Engineering Engineering
Your Role:Tenable is seeking a Business Cost Analyst of Cloud Infrastructure with strong MS Excel experience to assess, analyze and compile current costs and potentially determine initiatives to reduce and improve our cloud infrastructure cost for...

Professional Services Engagement Manager

Singapore Singapore Singapore North Bridge Road, Parkview Square, Singapore, 188788 Professional Services Professional Services
Your Role:The Professional Services Engagement Manager assists in the professional services business development and oversees the delivery of projects. The Professional Services Engagement Manager’s roles include tactical project management oversi...

UX Designer

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Engineering Engineering
Your Role:Tenable is looking for an extraordinary Senior UX Designer to join our team. Our group is chartered with creating the next generation of security products while at the same time pioneering unprecedented user experience in the digital sec...

Commercial Territory Manager - West

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Sales Sales
Your Role:The Commercial Territory Manager will meet and exceed quarterly sales quota by developing new opportunities within specific geographical territory.  Researching and identifying potential accounts; outbound cold calling to soliciting new ...

Senior Software Engineer (Java & Kotlin)

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Engineering Engineering
Your Role:Tenable is looking for a Senior Software Engineer to join the Lumin product development team. As a Sr. Software Engineer you will drive projects end-to-end, collaborate on product requirements with Product Managers, architect and impleme...

Public Sector Channel Manager - Distribution

Reston Virginia United States Reston, Virginia, United States Channel Sales Sales
Your Role:The Public Sector Channel Manager-Distribution is responsible for establishing and managing relationships with the Distribution Partner(s).  The CM-Disty will act as a sales liaison between distributor and Tenable Channel Manager personn...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.