What is our primary use case?
I use it for performing vulnerability scans for both my environment and for clients. I provide fractional CISO consulting services. As such, I will perform a vulnerability scan on an environment before I say "yes."
Everybody has to have a vulnerability scan. You should do them periodically which, to me, is monthly. It's just good practice to perform that scan monthly and whenever there's a major change, to make sure that you don't have any open environment.
I monitor web servers, database servers, app servers, desktops; everything you'd find on a network, besides switches and routers. I don't have that, but I monitor any Windows- and Linux-based nodes.
How has it helped my organization?
I went to a client's site and I ran the report. They had a number of fives, fours, and threes. With that information, we were able to remediate the fives, fours, and threes down to a couple of threes.
It also helps to prioritize based on risk. If it provides a notification that you have an older operating system out there, for example, obviously you would have that as a higher risk and wish to remediate that above any and all other risks. It details what that the risk is and what you should do about it.
The solution helps to limit cyber exposure. By running it on a monthly basis, you tighten the window of opportunity for any nefarious individual to get into your environment. Industry standards say that you have to do it quarterly or yearly and I do it monthly, so I think I'm in a better position to secure the environment.
The solution reduces the number of critical and high vulnerabilities which need to be patched first. In terms of a percentage reduction, it's more of a detective control, along with the preventative control. I can't give you a percentage. It reduces the risks by providing the information that you can react to, quicker than finding out that you've been breached.
What is most valuable?
Nessus is good at finding out what nodes you have in place. It will then provide you a report, by node, of what the vulnerabilities are. It does it quickly and stealthfully.
It also has an executive report where you don't have to provide the client all the detail for them to sift though. But if they wish to dig through the detail they can.
The predictive prioritization features are spot-on. I enjoy how it actually gives me a prioritization that I can address and it associates it with a known vulnerability. I like that.
What needs improvement?
One area with room for improvement is instead of there just being a PDF format for output, I'd like the option of an Excel spreadsheet, whereby I could better track remediation efforts and provide reporting off of that. Or, if they change the product itself for you to add comments of remediation efforts and allow you to sort on that and report on it, that would be helpful. Most of us would rather not have that information out in the cloud. We'd rather have it in-house. It would be better if you could provide it in an Excel spreadsheet for us to work with.
For how long have I used the solution?
I've been using it for four years.
What do I think about the stability of the solution?
It's very stable. It hasn't aggravated my environment, so I'm happy with that. It's up and running. It runs all the time.
What do I think about the scalability of the solution?
Scaling is easy because it goes out and examines the network and identifies all the nodes that are out there. You don't have to worry about scalability, per se. It's just another node that it adds to the list, so it's easy.
It's being used for under 500 nodes. I would like to increase it if possible, but I have no plans to do so.
Which solution did I use previously and why did I switch?
Before Nessus, I used Qualys. I switched because the reporting in Nessus is better. The reporting in Nessus is more executive-friendly. When giving information to clients, I don't need to repackage it. It is fine the way it is.
The level of visibility Nessus provides, compared to a solution like Qualys, from an executive standpoint, is better. From a technical standpoint, it does not provide you that documentation capability that I would like. Having said that, from my standpoint, for my client base, the executive reporting is better.
How was the initial setup?
The initial setup was straightforward. It was easy-peasy. I just said, "Run," and it set it up. After that, it was a matter of putting in my company's information and setting up a scan. It wasn't hard at all. It was very intuitive, very easy.
It took about half-an-hour.
All I had to do was download the software, install it, and run it. That was it.
What other advice do I have?
If you're going to employ this product, it's the better one for smaller to medium businesses because of the executive documentation. I would not try to sell it as a technical tool for a technical group. As a consultant it would be best for you to run it and manage it for clients. With that, you're a one-stop shop for them. I would remind clients that most auditing requirements state that you need a third-party individual to do an assessment of your environment. As a consultant you would do that for them. Keep it in-house. I wouldn't sell it.
The priority rating is an industry-standard rating, so it's not like it pulls it out of a hat. It's a known rating, so that's good.