
Tenable Helps Sentara Healthcare with Vulnerability Prioritization

Learn why Tenable.sc and Tenable.io, both with Predictive Prioritization, are Sentara Healthcare’s choices for vulnerability management. 

Sentara Healthcare, the largest health system in the state of Virginia, operates a complex technology environment with a mix of IT and operational technology assets and a user base that includes clinicians, administrators, third-party vendors and patients. And the environment is changing rapidly, as healthcare organizations like Sentara realize the value of digital transformation.

“The model is changing,” said Sentara CISO Dan Bowden in an interview during Tenable’s Edge 2019 user conference in Atlanta in May. “We see a future where at least half of our encounters with our patients will be of a digital nature. Meaning now, the threat surface and Cyber Exposure surface just changed drastically.”

And the organization’s exposure is not limited to the computing devices and applications used throughout the organization — it also includes the supervisory control and data acquisition (SCADA) systems supporting the organization’s operational technology (OT) infrastructure, which includes HVAC, refrigeration and entry systems. “If someone shuts down our HVAC systems due to some kind of a cyber attack, that could affect [the quality of] patient care and cause a lot of disruption to how we do business,” said Bowden.

Given the high volume of potential vulnerabilities the organization faces on a daily basis, knowing which to patch first is a key challenge. “Being able to prioritize what we work on in terms of vulnerabilities and threats is crucial,” said Bowden. “There's this constant churn of awareness and stress over deciding ‘well, what do we patch first?’”

Putting Predictive Prioritization to Work

The organization uses Tenable.sc on premises and Tenable.io in the cloud for vulnerability management and has been putting the new Predictive Prioritization capabilities to use in identifying which bugs to address first.

Predictive Prioritization, introduced in February 2019, combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a Vulnerability Priority Rating (VPR) for each vulnerability. 

“Predictive Prioritization can help you understand, ok, of all those ‘critical’ vulnerabilities, maybe 80 percent have never been exploited and there's no discussion about those out on the Dark Web or through threat intel sources,” said Bowden. 

Having more context about the real-world threat potential of each vulnerability improves the level of communication between Bowden’s security team and their IT colleagues who are responsible for patching. “We can't dump [a] list of 10,000 [vulnerabilities] on the IT team and expect them to engage with us,” said Bowden. “If I give them a list of a couple hundred? […] They'll engage. They'll help us. The application teams will help us. The benefit of Predictive Prioritization is, it sets the context of a discussion, where people actually want to be part of that story of how risk got managed and vulnerabilities were addressed.”

The benchmarking data available from Predictive Prioritization and the VPR score also give Bowden the data points he needs to communicate with C-level executives, the board and business-side colleagues about the potential impact of cybersecurity threats. “A benchmark is worth a thousand words,” said Bowden. “It gives some clarity to the discussion [...] the security team [...] can feel comfortable that they gave good data, that it was understood because [they] spoke it in the language that the leaders of the organization understand and they help own the message, and I think, then, [they] also help own the accountability for the security program.”

Even in an organization like Sentara, where Bowden said the leadership is highly supportive of cybersecurity efforts, the context and clarity provided by Tenable’s tools help ease communication between infosec and business stakeholders. “If I just show them ‘hey, we've got all these thousands of critical vulnerabilities and all of it's important,’ they don't know my job at a detailed enough level to know how to help me, even though they want to,” he explained. “In the climate today, there's so much focus from society about companies doing better managing risk, every leadership team and every board in every organization wants to be part of the story of fixing the problem. If you can give them good data about exposure, which things do we really need to do, they understand the data, they can relate to the data. They want to be part of the story to help you solve the problem and manage risk better.”

Learn More

  • Watch Dan Bowden discuss Sentara Healthcare's Cyber Exposure and Predictive Prioritization story in a keynote presentation at Tenable's Edge 2019 user conference here.
  • Visit our Predictive Prioritization webpage here
