Sanmina’s information security team needed an effective way for hundreds of IT colleagues worldwide to access vulnerability data — while also keeping senior management informed. Here’s how the organization is using Tenable.sc and the Vulnerability Priority Rating.
Sanmina designs, manufactures and repairs complex and innovative optical, electronic and mechanical products for original equipment manufacturers (OEMs) across a range of industries, including communications networks, computing and storage, medical, defense and aerospace, industrial and semiconductor, automotive and clean technology sectors.
The organization has approximately 45,000 employees worldwide. Matt Ramberg, Sanmina’s VP of Information Security, and his three-member team are responsible for securing an expanding mix of assets across some 70 locations worldwide.
“My top challenge [is] managing a global footprint of nearly 50,000 assets with a small team, all centrally located in the U.S.,” said Ramberg in an interview with Tenable during the Edge 2019 user conference in May.
While traditional IT assets make up the bulk of Sanmina’s portfolio, Ramberg said the organization is moving toward Industry 4.0 and his team is preparing to accommodate operational technology (OT) such as industrial control systems (ICS), supervisory control and data acquisition (SCADA) software and heating, ventilation and air conditioning (HVAC) systems.
Sanmina uses Tenable.sc (formerly SecurityCenter) with the Vulnerability Priority Rating (VPR) to regularly scan those 50,000 assets and provide vulnerability prioritization data to the company’s field IT teams, which are responsible for remediation.
“We used to, actually, with our previous tool, generate reports manually and send them to each IT department,” said Ramberg, noting that hundreds of people were receiving the reports.
“With Tenable.sc we've been able to separate the data into distinct facilities across the organization,” said Ramberg. “It allows each individual team to log in and see their vulnerabilities that need to be remediated. It allows them to prioritize. Tenable will prioritize that data accordingly so they can prioritize and remediate the critical systems, the key systems that need to be tackled first and then react to the other items as necessary.”
VPR, a capability introduced this year in Tenable.sc and Tenable.io, is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability.
“In our previous set up, we didn't have the ability to prioritize vulnerabilities, so these facilities and these IT personnel were just inundated with sheer volumes of data,” said Ramberg. “Now, we can direct them on prioritization — using features such as ‘is the vulnerability exploitable or not?’ — which Tenable provides.” Ramberg noted the IT teams also use Tenable.sc for specific examples of what needs to be done to patch each vulnerability.
The tool helped the organization achieve a more complete view of its attack surface than was previously possible. “You don't know what you don't know, and Tenable.sc exposed that to us so we knew what to tackle and what we needed to focus on,” said Ramberg. “It's allowed us to identify critical issues that we didn’t know existed until the Tenable scan occurred. We were able to focus our efforts and go tackle those issues before they became widespread throughout the organization.”
How Tenable.sc helps with reporting to the C-suite, the board and customers
Ramberg said he also turns to Tenable.sc when he’s asked to provide metrics to to Sanmina’s CIO and to the board.
“Prior to Tenable.sc, everything was ad hoc,” said Ramberg. “I didn't have a concise platform to tell me our vulnerabilities and how we're doing within our specific divisions throughout the organization. With Tenable.sc, I now have that data at my fingertips in a single dashboard. Senior management's now able to see the impact of our Cyber Exposure [practice].”
Meeting the cybersecurity expectations of its customers was a key driver for Sanmina. The organization is often asked to complete cybersecurity questionnaires for existing or prospective clients, noted Ramberg. “When we mention that we use Tenable as our solution for vulnerability management, everybody knows Tenable. It's a very highly respected company. And the questions generally go smoothly…once they know that's in place.”
Asked if he had any advice for peers who may be considering a similar deployment, Ramberg said: “Tenable is a leader in this field. We do a lot of research before we purchase any solutions [and] Tenable came out as the clear choice. It provides actionable results from vulnerability scans and allows the individual facilities to prioritize and remediate as they deem fit based on the vulnerabilities that are discovered in their particular facilities.”
Tenable interviews Mark Ramberg, VP of Information Security with Sanmina, at our Edge 2019 user conference: