What is our primary use case?
I'm the one who scans and performs assessments on clinical and medical equipment in our environment. I manage the clinical endpoint devices: MRI systems, bedside monitoring, Alaris pumps, fusion pumps, CTUs, EEGs, EKGs, wireless defibrillators, and a lot of IP cameras that are part of operation room labs. My colleague handles all the regular enterprise IT, database servers, etc. From a scanning standpoint, I do everything from discovery scanning to full-credential auditing and anything and everything in between. That's just for the medical space in a 24/7 production medical environment.
We're also using a bit of the Passive Vulnerability Scanner and, eventually, I want to get to using the agents, but we haven't gotten to that stage yet.
How has it helped my organization?
My department is not enterprise-managed. We don't use tools like SCCM to push out patches. Everything is manual updating. I need to be able to track and audit against our devices and know exactly what Microsoft hotfixes I need to see. I need to identify what specific patches are missing on devices. Or, for example, there was a Microsoft CVE alert that was put out a couple of weeks ago for RDP, Remote Desktop Protocol. I'm using the scanner now to try to identify what devices we actually need to look at to address risk on. Including IP cameras for our different labs, I manage over 40,000 devices. So I really need to know what exactly I need to focus on for a given vulnerability, such as the Microsoft one, as they come about. Tenable really helps with the identification piece, in a way that traditional IT policies and procedures and tools cannot.
It saves me time. When I get into actually identifying impacted assets in my environment - and having to deal with fewer false positives - it could save me up to eight to ten hours a week, for things like the RDP issue we're dealing with now; for the things that really come out as priorities.
Security Center helps to limit our organization's cyber exposure. In our environment there is a lot of stuff we can't deal with in terms of endpoints, but it has definitely helped in identifying the devices we have out there which haven't had Microsoft updates applied in years, potentially. It's really helped identify those, the low-hanging fruit. But then, you get into the devices that are relatively up to date but their vendor application has been the same for however many years. At the very least, we're able to identify and understand which devices those are and what the risks are, even if we can't immediately address it.
In terms of reducing the number of critical and high vulnerabilities we need to patch, it has helped me to identify them, and I address them accordingly. As I said, there is stuff we can't address, but at least it helps us identify them, and we are able to address some of them. It's helped us identify vulnerabilities and put in compensating controls and mitigating controls. It has definitely reduced the risk exposure we've had.
Also, rather than rely on high-level communication from vendors about whether or not their products may be impacted, I can use scans to actually identify what is impacted or in scope for a given vulnerability. It used to be, a couple of years ago, if I had to identify systems, I had to know at a high level if some of these devices could be impacted. It would create a lot of false positives. Since we've been using the scanner, I've been able to narrow that down quite a bit. I still get false positives, but I certainly get a lot fewer than I used to. It helps me have a more managed focus with any scope I'm looking at.
What is most valuable?
What is useful to me is being able to fulfill very customized scanning policies. In the clinical environment, because of vendor control, we can't perform credential-vulnerability scanning. And network scans, which I've done before, can cause a lot of impact. Being able to create very customized policies to be able to routinely scan and audit our clinical networks, while simultaneously not causing impact, is important to us. That requires a lot of flexibility in how we create the policies, so flexibility in policy-creation is a big feature.
For me, another useful feature of the tool is the dashboard and reporting. That is a big piece for me. The reporting covers most of my needs.
In terms of integrations, so far, from what we've seen and for what we're trying to accomplish, it's been pretty flexible.
The Vulnerability Priority Rating is useful. I run scans on all of our medical equipment and we have stuff that's still Windows 2000. Equipment is so expensive to upgrade and replace. I find a lot of it shows up red for vulnerabilities that we really can't do anything about. The predictive stuff helps prioritize some of those risks. At a high level, it helps narrow that scope. There is still a lot of manual work on my end because, as I mentioned, I really have to know what equipment I'm looking at exactly from a medical standpoint. But it does help narrow the scope.
What needs improvement?
In terms of the reporting, it's good for IT tools, but it doesn't give me contextual insight into what device, what kind of medical equipment it is. And in my world, that's a big deal. That's a con, given what my needs are. We can't integrate it with our biomed database to correlate data. So I can know what vulnerabilities are on it by IP address, but it doesn't tell me what device it is. Is it an MRI or a workstation? Is it the workstation which is running MRIs or is it the one that's just pulling patient images? Things like that are things that I need to know, and usually the tool can't do that in and of itself. With that said, we do have some work toward some other integrations to try to improve some of that.
Also, I don't know of a process right now to do what I'll call mass risk-acceptance. I have thousands of devices which allow high and critical vulnerabilities and there's really not much I can do about it. But if we put a firewall in front of it, the risk of the whole device is accepted. I need to be able to accept all those risks in the tool. It's really not easy to do within my workflow at this time. There are ways to get around it, but they're not conducive to what I do in my work.
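The two gaps described above (findings keyed only by IP address with no device context, and no practical way to mass-accept risk for devices that sit behind a firewall) can be closed outside the scanner by joining an exported findings list against the biomed inventory. The script below is an added illustration, not Tenable's or the reviewer's own tooling: the CSV layouts, the `segmented` column and the sample rows are constructed assumptions, and `apply_risk_acceptance` implements a simple "segmented device of an accepted type" rule that a real workflow would tune to its own compensating controls.

```python
"""Correlate scan findings (keyed by IP) with a clinical asset inventory and
apply a mass risk-acceptance rule for segmented devices.

Added example. The CSV column layouts below are constructed assumptions and
do not reproduce any scanner's export format."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample findings: ip, plugin id, severity, finding name.
FINDINGS_CSV = """ip,plugin_id,severity,name
10.20.1.15,PLUGIN-A,critical,Unsupported Windows OS
10.20.1.15,PLUGIN-B,high,RDP service exposed
10.20.1.40,PLUGIN-B,high,RDP service exposed
10.20.2.7,PLUGIN-C,medium,Web server default banner
10.20.3.99,PLUGIN-A,critical,Unsupported Windows OS
"""

# Constructed biomed inventory: what each IP is and whether a firewall sits in front of it.
INVENTORY_CSV = """ip,device_type,model,segmented
10.20.1.15,MRI console,constructed-MRI-1,yes
10.20.1.40,infusion pump,constructed-pump,no
10.20.2.7,IP camera,constructed-cam,no
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def load_inventory(text):
    """Index inventory rows by IP so findings can be joined in O(1)."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def load_findings(text):
    return list(csv.DictReader(io.StringIO(text)))


def enrich(findings, inventory):
    """Attach device context to each finding; IPs absent from the inventory
    are flagged 'unknown' rather than silently dropped."""
    out = []
    for f in findings:
        ipaddress.ip_address(f["ip"])  # reject malformed addresses early
        asset = inventory.get(f["ip"])
        rec = dict(f)
        rec["device_type"] = asset["device_type"] if asset else "unknown"
        rec["segmented"] = (asset["segmented"].lower() == "yes") if asset else False
        out.append(rec)
    return out


def apply_risk_acceptance(enriched, accept_types=("MRI console",)):
    """Mass risk acceptance: findings on segmented devices of an accepted type
    are marked accepted with a recorded reason; everything else stays open."""
    for rec in enriched:
        if rec["segmented"] and rec["device_type"] in accept_types:
            rec["status"] = "accepted"
            rec["reason"] = "compensating control: network firewall in front of device"
        else:
            rec["status"] = "open"
            rec["reason"] = ""
    return enriched


def open_by_device_type(enriched, min_severity="high"):
    """Count open findings at or above min_severity per device type, which is
    the view needed to decide what to work on first."""
    threshold = SEVERITY_RANK[min_severity]
    counts = defaultdict(int)
    for rec in enriched:
        if rec["status"] == "open" and SEVERITY_RANK[rec["severity"]] >= threshold:
            counts[rec["device_type"]] += 1
    return dict(counts)


def run(findings_csv=FINDINGS_CSV, inventory_csv=INVENTORY_CSV):
    enriched = apply_risk_acceptance(
        enrich(load_findings(findings_csv), load_inventory(inventory_csv))
    )
    return enriched, open_by_device_type(enriched)


if __name__ == "__main__":
    records, summary = run()
    for r in records:
        print(f'{r["ip"]:<12} {r["device_type"]:<14} {r["severity"]:<9} {r["status"]:<9} {r["name"]}')
    print("open high/critical by device type:", summary)
```

An IP that appears in the scan but not in the inventory is the interesting case for this environment: the script reports it as `unknown` rather than accepting or ignoring it, so inventory gaps surface alongside the vulnerability findings.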
If I want to have a very low-managed scan policy, it's a lot of work to create something which is very basic. If I use a tool like Nmap, all I have to do is download it, install it, type in the command, and it's good to go. In Security Center, I have to go through a lot of work to create a policy that's very basic.
Finally, the way we're using it now, for routine scans, it's only good for as long as a device is active on the network. That's one of my biggest concerns at this time: What about the stuff I don't have access to on the network when it runs the scans?
What do I think about the stability of the solution?
We have quirks every now and again. Sometimes, when I click into the analysis dashboard, I get errors. For example, it will say it can't pull up a specific query. I just let the problem persist. I can work around it and, eventually, it just seems to fix itself.
Beyond that, it's been pretty stable. We have a lot of firepower behind it and in my experience, it has always been up. There aren't that many operational issues with it.
What do I think about the scalability of the solution?
When you throw in the Passive Vulnerability Scanner, just being able to spit out more hardware if we need it, it seems like it scales well, at least with respect to our environment. When we first had it, we only had a handful of servers powering it and scans took forever. I don't know how many servers we have on the back end powering it now, but it's a lot faster. We've added to it to give it more juice. That's been pretty easy and straightforward as well.
How are customer service and technical support?
I don't generally talk to tech support. That's handled by my colleague or someone else in the security team. But I talked to them when I was at my previous organization where we used Security Center. From what I vaguely remember they were helpful.
Which solution did I use previously and why did I switch?
We used Rapid7 Nexpose. In our view, Security Center is a more thorough tool. It has more plugins to scan against a lot of vulnerabilities, and it is a bit more granular. Overall, it's been a better tool to use.
How was the initial setup?
As for the initial setup, that would be a tech question. The only thing I've set up is the Passive Vulnerability Scanner. That was pretty straightforward. When I got to the point of setting it up with Security Center, it took my colleague and me under an hour. That was just our first one. It's pretty straightforward once you know how to do it.
We have an enterprise issue, so for us to be able to capture all that is needed from the clinical side, we would have to have deployed it at every site. It's because there is a lot of Layer 2 traffic. Since we have Security Center centralized, traffic will route out. Since we have networks at the sites that don't route out, we can't scan that traffic remotely. The idea is to have one at each site but, because of the standards in our organization at this time, we can't do that.
What was our ROI?
It's less a question of ROI and more a question of cost avoidance, meaning avoiding the potential cost from having a vulnerable device that can be breached. Security is a sunk cost in any organization. You never truly know its value until you have an incident.
What's my experience with pricing, setup cost, and licensing?
The pricing is more than Rapid7 Nexpose. PVS and the agents, etc., are all part of that agreement. So it's pretty comprehensive, but I don't know how much it is.
Which other solutions did I evaluate?
In my own work, I've used some open-source solutions like Nmap. I've messed around with Retina, another open-source solution. Most of the stuff I've used has been freeware, open-source tools. In terms of a commercial competitor, the one I've used most is Nexpose, Rapid7's tool.
One thing I liked about Rapid7 Nexpose, that Security Center does not have, is that when we scheduled scans in Rapid7 Nexpose, there was a graphical calendar that showed when scans are taking place. Security Center doesn't have that. It's a small thing, but it helps to visualize what's happening.
What other advice do I have?
In my type of medical environment, when you get into an operational technology environment, PVS or something that's a passive scanner is more the way to go than something that actively goes out and scans and tries to interrogate endpoints, because that can cause impact. When dealing with the healthcare space or, say, the electrical grid, the consequences can be very widespread or can cause significant impact. Something like PVS is a great idea to look into.
If you're scanning operational technology, definitely use connectionless-oriented discovery policies. For example, perform UDP scans instead of TCP scans. From my experience, TCP scans have definitely brought down systems.
When it comes to insight, it helps but, the way we're using it now, scans only pick up what's active on the network, while the scan is occurring. For my environment, I perform most of my scans overnight, so I'm missing a lot of stuff that is used during the day in the clinical environment. That includes point-of-care devices, ultrasonography, and some other stuff. I don't scan the networks during the day, for the most part, so I do miss a lot of that stuff. PVS, the passive scanner, would pick up on a lot of that. When talking about actually detecting intrusion, I think it would be more powerful if we're able to get it deployed everywhere.
Two people in our organization actively use it for a lot of scanning. Some of the other security guys use it, but for the most part, it's just my colleague and I who use it. I have my scheduled, routine scans that run automatically and there are the scans I schedule for overnight. I run discovery scans daily. I run my vulnerability audit scans every other month. I'm doing the RDP scans now. I log into it daily and I run scans in it several times a week manually, outside of the scheduled scans. I use it heavily.
Right now there is just one person who manages the solution. I handle some of the PVS stuff but it's my colleague who is running the show.
Overall, I would give Security Center a nine out of ten. Of all the tools I've used, when it comes to managing the vulnerabilities and risks of a whole enterprise environment, I don't think I've used a better tool than Security Center. The reason I say nine and not ten is because I like to have a lot of control. When I use Nmap, I'm able to write my own scripts. Security Center has a lot of that built in, but I feel like there's deeper and more granular control once you know how to use some of the open-source tools out there.