
How Jewelry Television Uses Tenable.sc to Understand and Reduce Cyber Risk

Understanding risk in a complex digital environment is Jewelry Television’s biggest Cyber Exposure challenge. Learn how the company is using Tenable.sc and the Vulnerability Priority Rating to improve visibility and control.

Jewelry Television (JTV) is one of the largest jewelry retailers in the United States, supporting over 1,400 jobs on its 16-acre Knoxville, TN, campus. The company’s omni-digital strategy includes live TV programming — 24 hours a day, seven days a week to 84 million U.S. households — as well as an industry-leading, mobile-optimized e-commerce platform and a robust and engaging social media presence.

A software development shop and a large technical operations team support the company’s business. “We do it all in house,” said Kyle Bubp, Senior Security Engineer at JTV, in an interview with Tenable during the Edge 2019 user conference in Atlanta in May. 

The JTV environment includes multiple operating systems — Windows, MacOS, Linux and Solaris, among others — as well as a number of cloud hosting providers, all running on a segmented, firewall-protected network. “The biggest challenge that I'm looking to solve right now is just the understanding of risk in the environment,” said Bubp, who’s using Tenable.sc (formerly SecurityCenter) for internal scanning. (Editor's Note: This blog explores how JTV uses Tenable.sc; the organization also uses Tenable.io for external scanning.)

With Tenable.sc, “we're scanning every subnet, we're doing authenticated scans [and] we're getting back very valuable data,” said Bubp. Tenable.io is primarily used to perform Payment Card Industry (PCI) Approved Scanning Vendor (ASV) scans of the company’s Amazon Web Services (AWS) and Azure cloud instances, he explained.

Visibility is Key

“With any security program, visibility is key,” said Bubp. “[Tenable.sc] gives me all the visibility I could ever want and need from one platform. I don't have to manage six different tools to get the visibility I need.”

And the visibility isn’t limited to Bubp; he’s able to give Tenable.sc logins to software engineers and admins so they can see and scan their assets in real time. “It gives them an easy way to look at the security posture of the assets that they own and then mitigate any vulnerabilities that are on those assets.”

The result? A more streamlined process, according to Bubp. “Now that the admins can log in to Tenable.sc and see the data that I'm seeing, I don't have to throw a PDF report over the fence and say, ‘Please fix this.’ They can log in, they run their own scans, they're very proactive, they fix what needs to be fixed. I don't have to keep asking, ‘Hey, can you please fix this vulnerability?’ ”

The improved visibility helps improve efficiency. “We are much more aware of where our risk resides,” enabling everyone involved to manage their time as effectively as possible, according to Bubp. “There's only so much time in a day,” he said. “Our admins, our software engineers, they have things that they need to be focused on to support the business. When I do throw work onto their pile, I want to make sure it’s work that needs to be done and not just a ‘nice to have.’ ”

Putting Tenable’s Vulnerability Priority Rating to Work

JTV recently began using Tenable’s Vulnerability Priority Rating (VPR) to further refine its risk assessment and remediation processes. VPR, a new capability introduced this year and included with both Tenable.sc and Tenable.io, is the output of Tenable’s Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. That analysis produces a VPR for each vulnerability.

Bubp uses the VPR score to give the admins and software engineers context around each vulnerability. “Sometimes people get hung up on, ‘Well, this thing says critical, so it must be critical.’ But a lot of times, it's not critical,” said Bubp. “You have to really look at your environment and first look at ‘why is the vulnerability scanner telling me this thing's critical?’ Is it just because it's an outdated, unsupported version? Or are there actual exploitable vulnerabilities for it? If it's the former and not the latter, well, maybe it's not critical. Maybe you can recast that risk and then put [in place] what company compensating controls you have.”

The additional context is also helpful when communicating with C-level executives in the organization. “The way that Tenable displays the data, you can get as technical as you want,” said Bubp. “A C-level executive isn't going to want to get down into the output of the plug-in itself, but the admins will. But I don't have to provide three to four different reports depending on who's consuming the data. I can point them to one central location and, depending on how deep they want to go, it's kind of the sky's the limit.” 

Access to Tenable.sc is linked to the company’s Active Directory, making it easy for stakeholders to log in and see the data they need. “And then, any questions they have, you know, I just talk to them about it,” said Bubp. “That additional visibility is key for any security program.”

Bubp added: “Out of all the vulnerability management tools I've used, I always come back to Tenable, because they're the most accurate [and] the data is easy to consume. I don't have to spend time training other people to read the dashboards, 'cause it's just so easy to consume the data.”

While Bubp said he could point to a reduction in the hours spent on vulnerability management since the team began using VPR, the real story is in how those newfound extra hours are being used instead. “There's been an increase in man-hours focused on mitigating risk,” said Bubp. “They're spending a lot more time fixing these vulnerabilities that they didn't have visibility into before.”

For Bubp, vulnerability scanning is a foundational first step in any cybersecurity program. “I don't think you can start building a security program without something like Tenable,” he said. “I believe vulnerability scanning is key to building a strong security program.”
