Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

How Sanmina Uses Tenable.sc to Prioritize Vulnerabilities and Improve Its Security Posture

Sanmina’s information security team needed an effective way for hundreds of IT colleagues worldwide to access vulnerability data — while also keeping senior management informed. Here’s how the organization is using Tenable.sc and the Vulnerability Priority Rating.

Sanmina designs, manufactures and repairs complex and innovative optical, electronic and mechanical products for original equipment manufacturers (OEMs) across a range of industries, including communications networks, computing and storage, medical, defense and aerospace, industrial and semiconductor, automotive and clean technology sectors.

The organization has approximately 45,000 employees worldwide. Matt Ramberg, Sanmina’s VP of Information Security, and his three-member team are responsible for securing an expanding mix of assets across some 70 locations worldwide. 

“My top challenge [is] managing a global footprint of nearly 50,000 assets with a small team, all centrally located in the U.S.,” said Ramberg  in an interview with Tenable during the Edge 2019 user conference in May.

While traditional IT assets make up the bulk of Sanmina’s portfolio, Ramberg said the organization is moving toward Industry 4.0 and his team is preparing to accommodate operational technology (OT) such as industrial control systems (ICS), supervisory control and data acquisition (SCADA) software and heating, ventilation and air conditioning (HVAC) systems.

Sanmina uses Tenable.sc (formerly SecurityCenter) with the Vulnerability Priority Rating (VPR) to regularly scan those 50,000 assets and provide vulnerability prioritization data to the company’s field IT teams, which are responsible for remediation. 

“We used to, actually, with our previous tool, generate reports manually and send them to each IT department,” said Ramberg, noting that hundreds of people were receiving the reports. 

“With Tenable.sc we've been able to separate the data into distinct facilities across the organization,” said Ramberg. “It allows each individual team to log in and see their vulnerabilities that need to be remediated. It allows them to prioritize. Tenable will prioritize that data accordingly so they can prioritize and remediate the critical systems, the key systems that need to be tackled first and then react to the other items as necessary.”

VPR, a capability introduced this year in Tenable.sc and Tenable.io, is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability. 

“In our previous set up, we didn't have the ability to prioritize vulnerabilities, so these facilities and these IT personnel were just inundated with sheer volumes of data,” said Ramberg. “Now, we can direct them on prioritization — using features such as ‘is the vulnerability exploitable or not?’ — which Tenable provides.” Ramberg noted the IT teams also use Tenable.sc for specific examples of what needs to be done to patch each vulnerability. 

The tool helped the organization achieve a more complete view of its attack surface than was previously possible. “You don't know what you don't know, and Tenable.sc exposed that to us so we knew what to tackle and what we needed to focus on,” said Ramberg. “It's allowed us to identify critical issues that we didn’t know existed until the Tenable scan occurred. We were able to focus our efforts and go tackle those issues before they became widespread throughout the organization.”

How Tenable.sc helps with reporting to the C-suite, the board and customers

Ramberg said he also turns to Tenable.sc when he’s asked to provide metrics to to Sanmina’s CIO and to the board. 

“Prior to Tenable.sc, everything was ad hoc,” said Ramberg. “I didn't have a concise platform to tell me our vulnerabilities and how we're doing within our specific divisions throughout the organization. With Tenable.sc, I now have that data at my fingertips in a single dashboard. Senior management's now able to see the impact of our Cyber Exposure [practice].” 

Meeting the cybersecurity expectations of its customers was a key driver for Sanmina. The organization is often asked to complete cybersecurity questionnaires for existing or prospective clients, noted Ramberg. “When we mention that we use Tenable as our solution for vulnerability management, everybody knows Tenable. It's a very highly respected company. And the questions generally go smoothly…once they know that's in place.”

Asked if he had any advice for peers who may be considering a similar deployment, Ramberg said: “Tenable is a leader in this field. We do a lot of research before we purchase any solutions [and] Tenable came out as the clear choice. It provides actionable results from vulnerability scans and allows the individual facilities to prioritize and remediate as they deem fit based on the vulnerabilities that are discovered in their particular facilities.”

Watch now

Tenable interviews Mark Ramberg, VP of Information Security with Sanmina, at our Edge 2019 user conference:

Learn More:

  • Visit our Predictive Prioritization webpage here.
  • Learn more about Tenable.sc here.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Learn More about Indegy