Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Tenable Helps Sentara Healthcare with Vulnerability Prioritization

Learn why Tenable.sc and Tenable.io, both with Predictive Prioritization, are Sentara Healthcare’s choices for vulnerability management. 

Sentara Healthcare, the largest health system in the state of Virginia, is a complex technology environment with a mix of IT and operational technology assets and a user base that includes clinicians, administrators, third-party vendors and patients. And the environment is changing rapidly, as healthcare organizations like Sentara realize the value of digital transformation. 

“The model is changing,” said Sentara CISO Dan Bowden in an interview during Tenable’s Edge 2019 user conference in Atlanta in May. “We see a future where at least half of our encounters with our patients will be of a digital nature. Meaning now, the threat surface and Cyber Exposure surface just changed drastically.”

And the organization’s exposure is not limited to the computing devices and applications used throughout the organization — it also includes the supervisory control and data access (SCADA) systems supporting the organization’s operational technology (OT) infrastructure, which includes HVAC, refrigeration and entry systems. “If someone shuts down our HVAC systems due to some kind of a cyber attack, that could affect [the quality of] patient care and cause a lot of disruption to how we do business,” said Bowden.

Given the high volume of potential vulnerabilities the organization faces on a daily basis, knowing which to patch first is a key challenge. “Being able to prioritize what we work on in terms of vulnerabilities and threats is crucial,” says Bowden. “There's this constant churn of awareness and stress over deciding ‘well, what do we patch first?’ ” 

Putting Predictive Prioritization to Work

The organization uses Tenable.sc on premises and Tenable.io in the cloud for vulnerability management and has been putting the Predictive Prioritization capabilities to use in identifying which bugs to address first.

Predictive Prioritization, introduced in February 2019, combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a Vulnerability Priority Rating (VPR) for each vulnerability. 

“Predictive Prioritization can help you understand, ok, of all those ‘critical’ vulnerabilities, maybe 80 percent have never been exploited and there's no discussion about those out on the Dark Web or through threat intel sources,” said Bowden. 

Having more context about the real-world threat potential of each vulnerability improves the level of communication between Bowden’s security team and their IT colleagues who are responsible for patching. “We can't dump [a] list of 10,000 [vulnerabilities] on the IT team and expect them to engage with us,” said Bowden. “If I give them a list of a couple hundred? […] They'll engage. They'll help us. The application teams will help us. The benefit of Predictive Prioritization is, it sets the context of a discussion, where people actually want to be part of that story of how risk got managed and vulnerabilities were addressed.”

The benchmarking data available from Predictive Prioritization and the VPR score also gives Bowden the data points he needs to communicate with C-level executives, the board and business-side colleagues about the potential impact of cybersecurity threats. “A benchmark is worth a thousand words,” said Bowden. “It gives some clarity to the discussion [...] the security team [...] can feel comfortable that they gave good data, that it was understood because [they] spoke it in the language that the leaders of the organization understand and they help own the message, and I think, then, [they] also help own the accountability for the security program.”

Even in an organization like Sentara, where Bowden said the leadership is highly supportive of cybersecurity efforts, the context and clarity provided by Tenable’s tools helps ease communication between infosec and business stakeholders. “if I just show them ‘hey, we've got all these thousands of critical vulnerabilities and all of it's important,’ they don't know my job at a detailed enough level to know how to help me, even though they want to,” he explained. “In the climate today, there's so much focus from society about companies doing better managing risk, every leadership team and every board in every organization wants to be part of the story of fixing the problem. If you can give them good data about exposure, which things do we really need to do, they understand the data, they can relate to the data. They want to be part of the story to help you solve the problem and manage risk better.”

Watch Now

Tenable interviews Dan Bowden, CISO of Sentara Healthcare, at our Edge 2019 user conference:

Learn More

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training