What is our primary use case?
Vulnerability assessment and compliance auditing are our primary use cases. That includes baseline configuration scanning. We use it to protect everything in the enterprise environment: servers, workstations, pretty much all operating systems, networking gear. We are doing cloud and we are doing some IOT. We are not using their web application scanning tool.
How has it helped my organization?
The ability to view the plug-ins, the way that the plug-in library works, is really good. It's not an individual list of 80 million different CVEs. We can actually just say, "Hey, here's a plug-in," and it really helps us to boil things down. Instead of having a million CVEs, here's the specific plug-ins that are actually tying the CVE families together. That helps our platform owners, if there is an issue, to see what it is and understand better how to fix it.
Also, the fact that they display the very specific plug-in output in their details area helps our platform owners know, if there's an issue, specifically what was checked and what versions it was on at the time of the test. That's just huge. It increases the trust in the information from the tool. It cuts down on accusations of false-positives and it helps people do their job better.
It helps us to understand our cyber-exposure. At the end of the day, if you don't know what you have, then you cannot defend against it. Understanding what services, what technologies, and all those components will also give us an idea about how to predict what kinds of attacks are the things that we need to guard against in the future.
It also helps us focus resources on the vulnerabilities that are most likely to be exploited. Looking at what actually has an exploit available along with consideration of other things such as network proximity times and information about the threat - either VPR or CVSS - pulling all that together does allow us to identify pretty quickly what are the high-priority targets that we should work on.
What is most valuable?
One of the most valuable features is their distributed scan model for allotting engines to work together as a pool and handle multiple scans at once, across multiple environments. Automatic scanning distribution is a distinguishing feature of their toolset.
Also, the ability to trend data back as far back as we have disk space for, is helpful.
Finally, the ability to write custom audit files is a really helpful and useful feature. That's something that not a lot of assessment companies have gotten right. There's room for improvement, but literally being able to take the text file, open it up, and adjust the changes, write your own regex and write your own checks, is huge.
What needs improvement?
It's good at creating information, it's good creating dashboards, it's good at creating reports, but if you want to take that reporting metadata and put it into another tool, that is a little bit lacking. It does great for things for the API. For instance, if we say, "What vulnerabilities do we have?" or "How many things have we scanned?" those things are great. But if we want to know more trending stuff over time, it can create a chart, but that's in a format which is really difficult to get into another program. Integration into other reporting platforms, or providing more specific scanning program metadata, would be an opportunity.
It does have a fully-bolstered API which is available online that you can look at, but it is more aimed at getting more vulnerability information out instead of reporting information out.
For how long have I used the solution?
We've been using it for about two years.
What do I think about the stability of the solution?
We've had more problems with the underlying stuff that is running the operating system, as opposed to actually running Tenable. Tenable SecurityCenter has been pretty stable. We've only had one or two smaller technical issues. There have been other issues, but they've not been Tenable's fault.
What do I think about the scalability of the solution?
It does have an upper limit. You can go on their website and see what their upper IP limit is.
We have seen that more and more teams want to get access to the data and get access to their vulnerability information, and it really has helped us grow our program.
How are customer service and technical support?
Their tier-one, initial tech support is pretty bad. Their premium support is excellent. Whether premium support comes at an extra fee depends on how your negotiations go.
Which solution did I use previously and why did I switch?
We migrated from Nexpose. We switched because Nexpose is not a scalable product for an enterprise. Also, in most instances, SecurityCenter is less false-positive prone and the detection seems to be better in most instances.
How was the initial setup?
The initial setup was very straightforward. In fact, for some of our teams, we've actually done - "capture the flag" is a bad word for it - but effectively that type of an activity, and they pretty much go from naked box to Tenable scanning instances within a couple of hours. It's very easy to set up.
I can safely say that it can be deployed with one person. And it doesn't require a lot of maintenance. It depends on how much you use it for, but it's mostly just set-it-and-forget-it. Then there is just the mechanical stuff of patching the box and applying system updates, but it actually does a pretty good job most of the time.
What was our ROI?
We've seen return on investment through visibility, scan stability, ensuring that we're able to assess our environment. Also, ensuring that we are able to have good confidence in the data, and that we're able to do out-of-the-box reporting and various other dashboards that really help us drive our program and help sell our case.
Which other solutions did I evaluate?
We evaluated Qualys. It depends on whether you want to do on-prem or in the cloud. Qualys really is a black box. You literally put this thing on your network, you can't touch it, and if you want to do something like troubleshoot, it is just not very friendly from an "if things go wrong" perspective.
What other advice do I have?
Make sure that your sizing is done correctly, in terms of the hardware size. When you do buy Tenable, a lot of times you'll use Professional Services to help you implement the tool. Whatever advice Tenable has, listen to it very specifically and also talk to them specifically about what your goals are. Instead of talking tactics, talk about goals. What's going to happen is that they may say "Hey, we're going to do things slightly differently than how you used to do it," but in a lot of instances, they're going to be right.
In terms of features that we're looking forward to, VPR is one that we're going to start using more. And they also recently had a SAML integration for single sign-on. That was a new feature in 5.9.
Overall, Tenable is easily a nine out of ten. It's not a ten because there is no perfect tool out there, and Tenable SecurityCenter does have its limitations.