What is our primary use case?
We are a reseller and Tenable SC is one of the products that we implement for our clients.
The primary use case is to check for compliance against a specific framework, like NIST, CIS, or something similar. Tenable will check compliance on the assets against that specific framework and give that visibility to the technical staff, top management, and the risk management team. In turn, this will enable them to evaluate the risk that they are facing for non-compliance issues.
The second use case is helping the technical staff that handles updates and upgrades to the operating system. It means that they have the most urgent upgrades that they need to cover the high-risk vulnerabilities that can be found and exploited.
Beyond this, Tenable SC assists with malware detection and similar functionality.
What is most valuable?
The most valuable features are the dashboards and reporting. They have multiple dashboards and reports for different types of details that can be used for different levels of reporting. This means that by using a high-level report, the top rank in the company can understand what the risk is, as well as how it is violating policy. Similarly, technical people can use a more detailed report to understand what they have to cover and what the criticality of it is.
This product has the best results in terms of the lowest number of false-positives and false-negatives.
There are multiple types of engines that cover almost any necessity that the company can have for vulnerability and compliance.
What needs improvement?
Parallel scanning would be a nice improvement because it would speed up the detection process. It is not possible to search for vulnerabilities and do compliance checking at the same time. Rather, they are done one after the other.
The integration is very good, although it still needs to improve. For example, it would be useful to have better integration with other tools in the space of identity management (IAM). As it is now, integration with new tools has to be developed specifically, so it's not easy.
We would like to see better collection capability for external data that will help to improve detection and discovery.
For how long have I used the solution?
I have been working with Tenable SC for six years.
What do I think about the stability of the solution?
In the past six years, we have had no disruption in terms of functionality. We have seen problems arise because of development and deployment strategy, but it is a very stable product. We have not had any problems with our implementations.
What do I think about the scalability of the solution?
This platform is very scalable, both horizontally and vertically.
Our customers for Tenable SC vary in size. A smaller one might have 500 or 1,000 assets with two or three users, whereas a larger organization might have 100,000 assets with 30 users.
How are customer service and technical support?
The support from Tenable is very agile. We use them regularly when we have problems.
There are three levels of support, all of which are very adept and available. It is very easy to get in touch with support.
Which solution did I use previously and why did I switch?
We used to work with Rapid7 Metasploit.
How was the initial setup?
The initial setup is always a little bit complex because most of the time, the people don't really know about their infrastructure. So, the most complex part is becoming familiar with the infrastructure and knowing what to search for. Tenable is very helpful in this regard because it has tools for discovery that help people to understand their infrastructure.
There is always a danger if the product is not well-configured but afterward, it is easy to use. When correctly implemented, this is a very effective and accurate product.
The length of time required for deployment varies based on several factors. The first is the level of integration, the second is the complexity of the assets that need to be covered, and the third is the maturity of the infrastructure. It can take weeks to deploy in an environment with a very mature infrastructure. If it is a larger organization that is graphically dispersed then it can even take months, depending on the capability of the company to cover all of the necessities for scanning.
The company has to address the necessities of the vulnerability management capabilities because it puts stress on traffic, stress on hosts, and it needs to be well-designed. Taking these precautions is necessary so that there is no damage to the infrastructure.
In the case of a smaller company, with perhaps 1,000 assets, it can take a week to install it and get everything working.
What about the implementation team?
Maintenance for Tenable is a necessity, as it is a product that grows and changes because there are new detections every day. Sometimes, a detection is verified, whereas in other cases, support is needed to perform the verification.
What's my experience with pricing, setup cost, and licensing?
The licensing fees are based on the number of assets. The price can start at €10,000 ($13,000 USD) for between 500 and 1,000 assets, and the price can climb into the millions as more assets are added.
There are two types of licenses available, which are the subscription, and the perpetual with maintenance. The subscription is the same price every year, with very small variations over the years. In the case of a perpetual license, there is a high initial cost compared to the subscription, but the maintenance is much lower.
Which other solutions did I evaluate?
I have researched other products on the market and by comparison, I would rate Tenable SC a ten out of ten. It still has some features lacking, but it is better than the other solutions that are on the market.
What other advice do I have?
My advice for anybody who is implementing this product is to search for a certified partner to help with the process. It's not difficult, but it's very important to have a partner who knows the product well. The first steps in the implementation have to be the correct ones. If not, the product will not achieve the objectives that the company usually needs. It would be wrong for someone that doesn't know the product very well to begin implementing it by themselves.
This is the best product that we have found for risk management.
I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?