Understanding risk in a complex digital environment is Jewelry Television’s biggest Cyber Exposure challenge. Learn how the company is using Tenable.sc and the Vulnerability Priority Rating to improve visibility and control.
Jewelry Television (JTV) is one of the largest jewelry retailers in the United States, supporting over 1,400 jobs on its 16-acre Knoxville, TN, campus. The company’s omni-digital strategy includes live TV programming — 24 hours a day, seven days a week to 84 million U.S. households — as well as an industry-leading, mobile-optimized e-commerce platform and a robust and engaging social media presence.
A software development shop and a large technical operations team support the company’s business. “We do it all in house,” said Kyle Bubp, Senior Security Engineer at JTV, in an interview with Tenable during the Edge 2019 user conference in Atlanta in May.
The JTV environment includes multiple operating systems — Windows, macOS, Linux and Solaris, among others — as well as a number of cloud hosting providers, all running on a segmented, firewall-protected network. “The biggest challenge that I'm looking to solve right now is just the understanding of risk in the environment,” said Bubp, who’s using Tenable.sc (formerly SecurityCenter) for internal scanning. (Editor's Note: This blog explores how JTV uses Tenable.sc; the organization also uses Tenable.io for external scanning.)
With Tenable.sc, “we're scanning every subnet, we're doing authenticated scans [and] we're getting back very valuable data,” said Bubp. Tenable.io is primarily used to perform Payment Card Industry (PCI) Approved Scanning Vendor (ASV) scans of the company’s Amazon Web Services (AWS) and Azure cloud instances, he explained.
Visibility is Key
“With any security program, visibility is key,” said Bubp. “[Tenable.sc] gives me all the visibility I could ever want and need from one platform. I don't have to manage six different tools to get the visibility I need.”
And the visibility isn’t limited to Bubp; he’s able to give Tenable.sc logins to software engineers and admins so they can see and scan their assets in real time. “It gives them an easy way to look at the security posture of the assets that they own and then mitigate any vulnerabilities that are on those assets.”
The result? A more streamlined process, according to Bubp. “Now that the admins can log in to Tenable.sc and see the data that I'm seeing, I don't have to throw a PDF report over the fence and say, ‘Please fix this.’ They can log in, they run their own scans, they're very proactive, they fix what needs to be fixed. I don't have to keep asking, ‘Hey, can you please fix this vulnerability?’ ”
The improved visibility helps improve efficiency. “We are much more aware of where our risk resides,” enabling everyone involved to manage their time as effectively as possible, according to Bubp. “There's only so much time in a day,” he said. “Our admins, our software engineers, they have things that they need to be focused on to support the business. When I do throw work onto their pile, I want to make sure it’s work that needs to be done and not just a ‘nice to have.’ ”
Putting Tenable’s Vulnerability Priority Rating to Work
JTV recently began using Tenable’s Vulnerability Priority Rating (VPR), included with both Tenable.sc and Tenable.io, to further refine its risk assessment and remediation processes. VPR, a capability added to Tenable.sc and Tenable.io this year, is the output of Tenable’s Predictive Prioritization offering, introduced in February 2019. Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using a data science algorithm developed by Tenable Research; that analysis produces a VPR for each vulnerability.
Bubp uses the VPR score to give the admins and software engineers context around each vulnerability. “Sometimes people get hung up on, ‘Well, this thing says critical, so it must be critical.’ But a lot of times, it's not critical,” said Bubp. “You have to really look at your environment and first look at ‘why is the vulnerability scanner telling me this thing's critical?’ Is it just because it's an outdated, unsupported version? Or are there actual exploitable vulnerabilities for it? If it's the former and not the latter, well, maybe it's not critical. Maybe you can recast that risk and then put [in place] what company compensating controls you have.”
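The triage Bubp describes, expressed in code as an added example (this is not code from the original post, from JTV or from Tenable): a script that splits scan findings into “fix now”, “recast” and “schedule” queues using VPR and exploit availability rather than the CVSS severity label alone, and separates “Critical” findings that are critical only because the software is unsupported from ones with actual exploitable vulnerabilities. The findings are constructed, the asset names and compensating controls are hypothetical, and the VPR severity bands and the 7.0 “fix now” threshold are assumptions to tune for your own environment.

```python
"""Re-prioritise scanner findings using VPR and exploit context instead of raw CVSS severity.

Added example, not code from the page or from Tenable. The findings below are
constructed, not real scan output. The VPR bands are an assumption: they follow
Tenable's published VPR severity ranges (Critical 9.0-10.0, High 7.0-8.9,
Medium 4.0-6.9, Low 0.1-3.9); confirm them against your product documentation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    cvss_severity: str                 # severity label the scanner derives from CVSS
    vpr: float                         # Vulnerability Priority Rating, 0.1 to 10.0
    exploit_available: bool            # public exploit code or observed in-the-wild use
    unsupported_version: bool          # finding is an "unsupported/EOL software" detection
    compensating_controls: tuple = ()  # e.g. segmentation, no internet exposure


def vpr_band(vpr: float) -> str:
    """Map a VPR value to its severity band (assumed bands, see module docstring)."""
    if not 0.1 <= vpr <= 10.0:
        raise ValueError(f"VPR out of range: {vpr}")
    if vpr >= 9.0:
        return "Critical"
    if vpr >= 7.0:
        return "High"
    if vpr >= 4.0:
        return "Medium"
    return "Low"


def _by_vpr_desc(items):
    """Riskiest item first within each queue."""
    return sorted(items, key=lambda f: f.vpr, reverse=True)


def triage(findings, fix_now_threshold: float = 7.0) -> dict:
    """Split findings into three work queues.

    fix_now : VPR at or above the threshold, or a known exploit exists. These go
              to the admins regardless of what the CVSS label says.
    recast  : labelled Critical by CVSS, but only because the software is
              unsupported, with no known exploit and VPR below the threshold,
              and the asset has documented compensating controls. Candidates for
              a risk recast / acceptance decision rather than emergency work.
    schedule: everything else, for the normal patch cycle.
    """
    fix_now, recast, schedule = [], [], []
    for f in findings:
        if f.vpr >= fix_now_threshold or f.exploit_available:
            fix_now.append(f)
        elif (f.cvss_severity == "Critical" and f.unsupported_version
              and f.compensating_controls):
            recast.append(f)
        else:
            schedule.append(f)
    return {
        "fix_now": _by_vpr_desc(fix_now),
        "recast": _by_vpr_desc(recast),
        "schedule": _by_vpr_desc(schedule),
    }


# Constructed sample findings (hypothetical assets and titles).
FINDINGS = (
    Finding("web-01", "Remote code execution in web framework", "Critical", 9.6, True, False),
    Finding("db-02", "Unsupported Solaris version", "Critical", 5.9, False, True,
            ("isolated database segment", "no internet exposure")),
    Finding("dev-03", "SSH user enumeration", "Medium", 4.4, False, False),
    Finding("ci-04", "Unauthenticated CI script console", "High", 8.1, True, False),
    Finding("mac-05", "Unsupported macOS version", "Critical", 6.0, False, True),
    # CVSS says Medium, but VPR is high because it is being exploited in the wild.
    Finding("fs-06", "Legacy SMB protocol enabled", "Medium", 9.1, True, False),
)


def main():
    queues = triage(FINDINGS)
    for name, items in queues.items():
        print(f"== {name} ==")
        for f in items:
            print(f"  {f.asset:8} VPR {f.vpr:4.1f} ({vpr_band(f.vpr):8}) "
                  f"CVSS {f.cvss_severity:8} exploit={f.exploit_available} {f.title}")


if __name__ == "__main__":
    main()
```

The point of the three queues is the one Bubp makes: the “Unsupported Solaris version” finding is Critical by CVSS, but with no known exploit and a segmented, non-internet-facing host it becomes a recast decision, while the “Medium” SMB finding with a VPR of 9.1 goes to the top of the fix list. The same macOS finding with no compensating controls stays in the schedule queue rather than being recast, so the controls have to be recorded before risk can be accepted.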
The additional context is also helpful when communicating with C-level executives in the organization. “The way that Tenable displays the data, you can get as technical as you want,” said Bubp. “A C-level executive isn't going to want to get down into the output of the plug-in itself, but the admins will. But I don't have to provide three to four different reports depending on who's consuming the data. I can point them to one central location and, depending on how deep they want to go, it's kind of the sky's the limit.”
Access to Tenable.sc is linked to the company’s Active Directory, making it easy for stakeholders to log in and see the data they need. “And then, any questions they have, you know, I just talk to them about it,” said Bubp. “That additional visibility is key for any security program.”
Bubp added: “Out of all the vulnerability management tools I've used, I always come back to Tenable, because they're the most accurate [and] the data is easy to consume. I don't have to spend time training other people to read the dashboards, 'cause it's just so easy to consume the data.”
While Bubp said he could point to a reduction in the hours spent on vulnerability management since the team began using VPR, the real story is in how those newfound hours are being used instead. “There's been an increase in man-hours focused on mitigating risk,” said Bubp. “They're spending a lot more time fixing these vulnerabilities that they didn't have visibility into before.”
For Bubp, vulnerability scanning is a foundational first step in any cybersecurity program. “I don't think you can start building a security program without something like Tenable,” he said. “I believe vulnerability scanning is key to building a strong security program.”