How Emerson Uses Tenable.io to Find and Fix Vulnerabilities

Emerson’s solutions are used in manufacturing, industrial, commercial and residential environments. Learn how Tenable.io became a staple for the application and product security testing team.

The technologies and services provided by Emerson improve human comfort, safeguard food, protect the environment, enable sustainable food waste disposal and support efficient construction and maintenance of buildings and municipal infrastructure. The company, headquartered in St. Louis, MO, has two core businesses — Emerson Automation Solutions and Emerson Commercial & Residential Solutions — serving customers in industrial, commercial and residential markets. 

Making sure the hardware and software being developed is secure falls to Jon Brown, Emerson’s Manager of Application and Product Security Testing. Brown conducts penetration testing on the company’s offerings, working with the engineers to do threat modeling and think through what could go wrong with any given product. 

“Once the threat modeling is done, we sit down with them and talk about some of the controls that they can put in place to ensure that it is secure,” said Brown in an interview with Tenable during the Edge 2019 User Conference in May. “And then we ensure that the controls that they say that they're going to put in place, they do put in place.”

When the software requirements are met, Brown and his team “pull the hardware apart, and we try to see what we can do,” he said. “We monitor the communications, we scan to see what we can see on that device, if there are open ports, open services, and ensure that it's locked up as tight as it can be.”

How VPR Eases Communication Among Stakeholders 

One of the biggest challenges Brown faces is helping engineers see the security concerns he and his team are uncovering. “Vulnerability management is tough because you are showing them that their baby's ugly,” said Brown. “You're walking up to them and you're saying, ‘Hey man, like this doesn't look all that great.’ You need to be able to do it in a way that's a little dispassionate. If you have a tool that can...show the results in a way that can be digested and that can be obtained easily and is trusted then, all of sudden, that communication becomes a lot easier.”

Emerson turned to Tenable.io to help ease those difficult conversations. “Tenable.io is a staple of what we're doing in our penetration testing service to understand and get that initial attack surface and be able to leverage those results and make them real.” 

The Vulnerability Priority Rating (VPR), introduced in Tenable.io and Tenable.sc earlier this year, is giving Brown even more data to support his pen test findings when it comes time to present the results to the engineering team. “Tenable does a great job of showing you what's wrong,” he said. “But [engineers] always ask, ‘Prove it to me...Show me that these results actually matter.’ ” 

VPR is the output of Tenable’s new Predictive Prioritization offering. Introduced in February 2019, Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a VPR for each vulnerability. 

With VPR, Brown and his team are able to say “Here's that top three percent of what we really should focus in on, and that’s extremely valuable.”

Communicating with peers is only part of the story. Emerson also uses Tenable.io to provide context for cybersecurity conversations throughout the organization, including in the executive suite. “It's important for them to see trending...and it's important for them to see results,” said Brown. “They need to be able to understand where [you’re] at and where you're going and why you are going there.”

The VPR score goes beyond traditional criticality ratings to offer context about a vulnerability’s real-world exploitability and potential business impact on the organization’s specific environment.  “CVSS gives us that kind of baseline, but what is the business impact, what is the actual impact, what's the exploitability?,” said Brown. “[We’re] able to take those results up to the leadership and say, ‘Here are the issues that we're going to work on...this month, this quarter. And this is what that result looks like.’”

Being able to tell senior management “ ‘we had a thousand open [tickets] on this issue and this month we closed 900 of them’...shows real value and that shows actionable results,” added Brown. As a manufacturer, Emerson also has an obligation to reassure its own customers about the Cyber Exposure scores of its hardware and applications. “The companies that we do business with are starting to look at Emerson and say, ‘Why is your score X, we want it to be Y.’ And we're starting to look at companies [we do business with] and say, ‘Why is your score X, and we need it to be Z.’ It’s something that a lot of people are starting to take seriously, and I think that's a good thing. Ultimately, it raises the bar a little bit for everybody.”

Learn More:

Watch the interview with Emerson’s Jon Brown here:

• See presentations from Tenable's Edge 2019 User Conference here.
• Visit our Tenable.io page here: https://www.tenable.com/products/tenable-io