Tenable Helps Sentara Healthcare with Vulnerability Prioritization

Team Tenable

Learn why Tenable.sc and Tenable.io, both with Predictive Prioritization, are Sentara Healthcare’s choices for vulnerability management. 

Sentara Healthcare, the largest health system in the state of Virginia, is a complex technology environment with a mix of IT and operational technology assets and a user base that includes clinicians, administrators, third-party vendors and patients. And the environment is changing rapidly, as healthcare organizations like Sentara realize the value of digital transformation. 

“The model is changing,” said Sentara CISO Dan Bowden in an interview during Tenable’s Edge 2019 user conference in Atlanta in May. “We see a future where at least half of our encounters with our patients will be of a digital nature. Meaning now, the threat surface and Cyber Exposure surface just changed drastically.”

And the organization’s exposure is not limited to the computing devices and applications used throughout the organization — it also includes the supervisory control and data acquisition (SCADA) systems supporting the organization’s operational technology (OT) infrastructure, which includes HVAC, refrigeration and entry systems. “If someone shuts down our HVAC systems due to some kind of a cyber attack, that could affect [the quality of] patient care and cause a lot of disruption to how we do business,” said Bowden.

Given the high volume of potential vulnerabilities the organization faces on a daily basis, knowing which to patch first is a key challenge. “Being able to prioritize what we work on in terms of vulnerabilities and threats is crucial,” says Bowden. “There's this constant churn of awareness and stress over deciding ‘well, what do we patch first?’ ” 

Putting Predictive Prioritization to Work

The organization uses Tenable.sc on premises and Tenable.io in the cloud for vulnerability management and has been putting the new Predictive Prioritization capabilities to use in identifying which bugs to address first.

Predictive Prioritization, introduced in February 2019, combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a Vulnerability Priority Rating (VPR) for each vulnerability. 

“Predictive Prioritization can help you understand, ok, of all those ‘critical’ vulnerabilities, maybe 80 percent have never been exploited and there's no discussion about those out on the Dark Web or through threat intel sources,” said Bowden. 

Having more context about the real-world threat potential of each vulnerability improves the level of communication between Bowden’s security team and their IT colleagues who are responsible for patching. “We can't dump [a] list of 10,000 [vulnerabilities] on the IT team and expect them to engage with us,” said Bowden. “If I give them a list of a couple hundred? […] They'll engage. They'll help us. The application teams will help us. The benefit of Predictive Prioritization is, it sets the context of a discussion, where people actually want to be part of that story of how risk got managed and vulnerabilities were addressed.”

The benchmarking data available from Predictive Prioritization and the VPR score also gives Bowden the data points he needs to communicate with C-level executives, the board and business-side colleagues about the potential impact of cybersecurity threats. “A benchmark is worth a thousand words,” said Bowden. “It gives some clarity to the discussion [...] the security team [...] can feel comfortable that they gave good data, that it was understood because [they] spoke it in the language that the leaders of the organization understand and they help own the message, and I think, then, [they] also help own the accountability for the security program.”

Even in an organization like Sentara, where Bowden said the leadership is highly supportive of cybersecurity efforts, the context and clarity provided by Tenable’s tools help ease communication between infosec and business stakeholders. “If I just show them ‘hey, we've got all these thousands of critical vulnerabilities and all of it's important,’ they don't know my job at a detailed enough level to know how to help me, even though they want to,” he explained. “In the climate today, there's so much focus from society about companies doing better managing risk, every leadership team and every board in every organization wants to be part of the story of fixing the problem. If you can give them good data about exposure, which things do we really need to do, they understand the data, they can relate to the data. They want to be part of the story to help you solve the problem and manage risk better.”

Watch Now

Tenable interviews Dan Bowden, CISO of Sentara Healthcare, at our Edge 2019 user conference:

Learn More

  • Watch Dan Bowden discuss Sentara Healthcare's Cyber Exposure and Predictive Prioritization story in a keynote presentation at Tenable's Edge 2019 user conference here.
  • Visit our Predictive Prioritization webpage here


Published on Jul 17, 2019
