What is our primary use case?
It is used for vulnerability management. We used Nessus to scan our machines to see how they were vulnerable, for patches or security. The CVE numbers are what we looked at, the security vulnerability, and tried to figure out what we were vulnerable to.
We monitored Windows Servers, Windows workstations, Linux servers, firewalls, switches, VMware equipment, and Cisco UCS hardware through the application.
How has it helped my organization?
We were a lot less vulnerable after implementing the changes that the application recommended.
The solution helped limit our company's cyber exposure by pointing out every single vulnerability we had and showing us how to fix them. By following the application's directions, we were less vulnerable to attackers. By implementing what the application told us to implement, we were able to fix the holes in our network and prevent any attackers from coming in.
What is most valuable?
The most valuable feature is how it scanned and detected through its database to let us know exactly what fixes we needed to put in place for the vulnerabilities. It detects and it also gives you the way to fix it.
The product's VPR did a great job in prioritizing and giving the highs versus the mediums; it did a great job providing the different ratings and priorities.
What needs improvement?
The Nessus predictive prioritization feature is very nice, the way it displays. The interface could look better, but it has everything it needs. It could do a better grouping of the workstations and run a better schedule. But it was sufficient in what it provided.
There is room, overall, for improvement in the way it groups the workstations and the way it detects, when the vulnerability is scanned. Even when we would run a new scan, if it was an already existing vulnerability, it wouldn't put a new date on it.
For how long have I used the solution?
I used Nessus for about three years.
What do I think about the stability of the solution?
It was very stable. We didn't have any outages or downtime during its use.
What do I think about the scalability of the solution?
The scalability was very good. We were able to deploy it into multiple remote sites using the scanners. You can deploy separate scanner VMs into remote locations where you don't have access. They have Tenable.io in the cloud, which allows you to do all that.
I used it in a very large environment. Just in my sector, we had about 5,000 workstations along with about 150 servers. So it was a pretty sizable environment. The company was using it for a much bigger purpose. It had between about 50,000 and 100,000 workstations and about 10,000 servers.
In my environment we had about seven users logging into it. The company as a whole had about 150 users. They were security engineers, security administrators, system administrators, and system engineers. For maintenance of Nessus, there was only a team of about 15 people.
How are customer service and technical support?
I rarely had to call technical support. There was one time when we were troubleshooting a VMware scan. They got on and were helpful, but they weren't able to provide a solution quickly enough. I would give them a three out of five.
How was the initial setup?
I found the setup to be simple. The interface was very intuitive. It was simple yet functional.
What was our ROI?
Without Nessus, we would have had a lot more vulnerabilities, which would have opened the doors to potential attacks. And attacks would have cost the company a lot more money.
What other advice do I have?
Know that it's only a detection tool and that it has limitations as a detection tool, but the deployment can be pretty scalable.
The solution didn't reduce the number of critical and high vulnerabilities we needed to patch first. It tells you what the critical vulnerabilities are that you need to patch, but it didn't reduce anything. It doesn't patch it for you.
I would give Nessus a seven out of ten, as it doesn't automatically resolve the vulnerabilities. There are tools out there that give you an option: "Hey, do you want me to patch that vulnerability?" You just hit "yes" and it automatically does it. Nessus doesn't do that. And, as I said, the grouping could be a little bit better.
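The two complaints raised in this review, that rescans do not stamp a new date on an already-known vulnerability and that findings are not grouped well per workstation, are usually handled outside the scanner by keeping a finding ledger of one's own. The script below is an added example and is not Nessus or Tenable code; it assumes a Nessus CSV export with the classic column headers (Plugin ID, CVE, CVSS, Risk, Host, Protocol, Port, Name), and the two exports embedded in it are constructed sample data with placeholder CVE identifiers, not real scan output. It merges successive scans into a ledger keyed by host, plugin and port, records first-seen and last-seen dates, marks findings that disappear as resolved, and groups what remains open per host, most severe first.

```python
"""Track Nessus findings across scans and group them per host.

Added example, not Nessus code. Assumes the classic Nessus CSV export
column names; the sample rows below are constructed, and the CVE values
are placeholders, not real identifiers.
"""
import csv
import io
from collections import defaultdict

# Constructed sample exports: two scans of the same hosts, one week apart.
SCAN_2023_01_01 = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
11111,CVE-0000-0001,9.8,Critical,10.0.0.5,tcp,445,Sample Critical Issue
22222,,5.3,Medium,10.0.0.5,tcp,80,Sample Medium Issue
33333,CVE-0000-0002,7.5,High,10.0.0.6,tcp,22,Sample High Issue
"""
SCAN_2023_01_08 = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
11111,CVE-0000-0001,9.8,Critical,10.0.0.5,tcp,445,Sample Critical Issue
33333,CVE-0000-0002,7.5,High,10.0.0.6,tcp,22,Sample High Issue
44444,,4.3,Medium,10.0.0.7,tcp,443,Sample New Medium Issue
"""

# Sort order for the Risk column; unknown values sort last.
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


def parse_export(text):
    """Return a dict keyed by (host, plugin id, port) -> row dict."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["Host"], row["Plugin ID"], row["Port"])
        rows[key] = row
    return rows


def update_ledger(ledger, scan_date, text):
    """Merge one scan into the ledger.

    New findings get first_seen = last_seen = scan_date; findings seen again
    keep their first_seen and get a fresh last_seen (the date update the
    scanner itself did not provide); open findings absent from this scan
    are marked resolved on this date.
    """
    seen = parse_export(text)
    for key, row in seen.items():
        entry = ledger.get(key)
        if entry is None:
            ledger[key] = {**row, "first_seen": scan_date,
                           "last_seen": scan_date, "status": "open"}
        else:
            entry["last_seen"] = scan_date
            entry["status"] = "open"
    for key, entry in ledger.items():
        if key not in seen and entry["status"] == "open":
            entry["status"] = "resolved"
            entry["resolved_on"] = scan_date
    return ledger


def group_by_host(ledger):
    """Group open findings per host, most severe (then highest CVSS) first."""
    grouped = defaultdict(list)
    for entry in ledger.values():
        if entry["status"] == "open":
            grouped[entry["Host"]].append(entry)
    for host in grouped:
        grouped[host].sort(key=lambda e: (RISK_ORDER.get(e["Risk"], 5),
                                          -float(e["CVSS"] or 0)))
    return dict(grouped)


def build_ledger():
    """Run both constructed scans through the ledger in date order."""
    ledger = {}
    update_ledger(ledger, "2023-01-01", SCAN_2023_01_01)
    update_ledger(ledger, "2023-01-08", SCAN_2023_01_08)
    return ledger


if __name__ == "__main__":
    ledger = build_ledger()
    for host, findings in sorted(group_by_host(ledger).items()):
        print(host)
        for f in findings:
            print(f"  {f['Risk']:<8} plugin {f['Plugin ID']} "
                  f"first seen {f['first_seen']} last seen {f['last_seen']}")
```

The ledger is deliberately keyed on host, plugin and port rather than on the scan run, so that a vulnerability reported again on the next schedule updates its last-seen date instead of appearing as a fresh row, and a finding that stops appearing is closed with the date it vanished. Swapping the CVSS tie-breaker for a VPR column, where the export carries one, changes only the sort key.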