What is our primary use case?
We have three or four use cases.
The first is enterprise vulnerability management through continuous scanning. Twice a week, every week, we fully authenticate every host in the environment to perform authenticated scans. The caveat there is our mobile workstations, like our Macs or our Windows laptops. We've deployed agents on them and we do those scans daily.
The second use case is baseline adherence. We have tailored, customized, secure baselines for about 40 technologies in the environment and we attest to them once a week: everything from common server versions, to a dozen or more database technologies, to middleware, etc.
Thirdly, we use Tenable.io as our PCI ASV. That's our scanning platform to satisfy some of our PCI controls.
Finally, we also use Tenable.io to perform truly continuous - in the sense that it never stops - unauthenticated scanning at the perimeter.
We use Tenable to monitor many dozens of technologies. For the most part, any database technology you can think of; multiple versions of Windows Server; Windows 10 on the workstation; High Sierra and Mojave for macOS; a bunch of different networking technologies. The list goes on.
How has it helped my organization?
A major advantage, which falls under the "supportability" umbrella, is that the previous technologies didn't have a great way to create highly customized or tailored baselines. With Tenable, all the baselines we have are tailored to what we want to see in the environment, and that's what we attest to. It's a little different now, but when we were doing an RFP, the other players would allow you to do CIS, but they wouldn't really allow you to customize them or create your own custom checks, and that's something we do extensively.
The nice thing about Tenable's Predictive Prioritization features is that, while our SOPs haven't been updated yet, it effectively allows us to scale out our tailored risk calculations in the environment.
Tenable's ability to do highly customized and tailored baselines has allowed us to much more accurately measure our adherence to a tailored baseline, versus something like base CIS. That greater visibility allows us to better manage our actual platforms. Every week, at least for our major platforms, we're partnering with them to continuously drive adherence to our tailored baselines. Previously, we were unable to do that effectively.
The level of visibility Tenable provides us, compared to our previous solutions, is night and day. For traditional, network-based vulnerability scanning, Tenable is at the top. It's that simple.
What is most valuable?
The first of the valuable features is how easy it is to access all of the information that's gathered from the assessments. That was one of the differentiators when we did an RFP a year-and-a-half ago or so. With a lot of other technologies, like Rapid7, if you're using Nexpose you effectively have to be a DBA to get some of the lower-level results from the scans. And Qualys wasn't very intuitive. (We actually had both Nexpose and Qualys in-house, historically. We had really good experience with all the leading platforms). How easy it is to get the data is a big feature.
The next big one is supportability. In a large enterprise, we have many types of technologies. The technology we previously had didn't even support authentication to a lot of those technologies.
In terms of vulnerability prioritization through Tenable's Predictive Prioritization, internally we have something called a residual risk calculation. Whether through manual vulnerability research or through scanning, vulnerabilities go through this residual risk calculation. We already had a pretty big data set of what the base CVSS scores look like, compared to what they should be for our environment. We use that data set to compare against the Predictive Prioritization to really pressure-test whether or not Predictive Prioritization was accurate for our environment. Thus far, it's wildly similar. It seems to be very accurate. We shared a bunch of data with Tenable to give them some affirmation as to what we were seeing across our enterprise.
Regarding their Vulnerability Priority Rating, so far so good. I love what they've done with their integration, looking toward the future. It's a great step forward. I don't think it's in its final form, it's not its final iteration, but it's definitely a good step forward.
What needs improvement?
One thing that is missing from the Predictive Prioritization is some extra context. I've given this feedback to their engineering leadership. What's missing is integrating with certain data sources like the CMDB. If you knew a given asset was supporting a Tier-1 application, you would naturally rate the vulnerability on that asset higher than you would that same vulnerability on an asset that's in a protected enclave.
There are other areas with room for improvement. When it comes to traditional network-based vulnerability assessment Tenable is, hands-down, the best solution. I'm highly confident in that statement. When it comes to some of the other areas they have ventured into, like dynamic application scanning, I think they are lagging behind the curve. They have a lackluster solution, to the point where I think they need to determine, as a company, whether or not that's a space they even want to play in. And if they want to play in that space, they need a significant investment in it.
In the container space, they are not really viewed as a market leader yet. I think they've got a way to go in container vulnerability management. There are a bunch of other solutions out there, like Anchore, that a lot of folks use. That's definitely an area of opportunity.
Also, you see a bunch of other technologies that lay on top of platforms such as Tenable for risk prioritization. Tenable is dabbling in that with their Predictive Prioritization, dabbling in ranking solutions. That needs to be a continued focus. I think there is a lot of opportunity there, and it has gone down a good path, but that needs to be a continued focus.
The difficulty with that is that it's limited. When you look at an enterprise vulnerability management program, Tenable's solutions aren't going to cover every aspect. If you think about the SDLC, aside from some of their container scanning, they don't really have much embedded in the SDLC. You're going to have a bunch of different types of scanning that all need to come together to effectively rank your priorities, or the solutions that need to be implemented. Tenable is really just looking at one piece, which is primarily your operating system, databases, and middleware. They're not really looking at any of the applications.
For how long have I used the solution?
Personally, I've been using Tenable for many years. In our enterprise environment, we deployed Tenable.io and Tenable Security Center just over 12 months ago.
What do I think about the stability of the solution?
The stability has been excellent, almost perfect. A couple of caveats:
If you have to do a lot of trending dashboards, Security Center will come to a screeching halt. We had to be methodical about when we schedule our trending dashboards.
Also, the way you design or create your repositories in Security Center needs to be well thought out, because there's a direct correlation between the size of the repository and how much memory you have on that given server. In other words, you can't create one repository and put 150,000 assets of data in it. It simply won't work. We found that out the hard way. We didn't know that going into it.
We redesigned our repositories. We have a repository just for our agents, we have a repository for each of our subsidiaries, we have a repository for our compliance scanning, etc. We have something like 25 or 28 repositories.
But the stability is, for the most part, rock solid.
What do I think about the scalability of the solution?
We've had zero issues so far with scalability. We're now an international company and we've had no issues.
There is the common stuff that isn't related to Tenable. If you have, say, a really small pipe to a remote office, naturally you're going to have lesser performance. Or if you're scanning across the WAN you're going to have higher latency. Aside from those obvious network issues, we've had no issues whatsoever with Tenable's scalability.
How are customer service and technical support?
Tenable's technical support is the best I've ever had for any product. We have paid for something called Elite Support. It's their premium support where you have an analyst or engineer assigned to your account. For us it has been really beneficial. Given our large environment, we have edge cases. Having somebody who already knows our environment, our infrastructure, and the analysts on my team, allows us to move at a much higher velocity.
Also, whenever we have a request for enhancement or a feature request, our Tenable contact manages them through Tenable's lifecycle. A guy named Eric is our lead support contact, and he has been, hands-down, the best support contact I've ever had.
Which solution did I use previously and why did I switch?
We used Qualys as an ASV, and Nexpose for all our internal scanning.
How was the initial setup?
The initial setup was very straightforward. We actually had our MVP deployed in four months. We defined MVP as feature-parity with our previous solution, which included enterprise coverage, full credentials, and baselines. Doing that in four months in a highly complex enterprise environment was actually a really big win. It took us quite a bit longer with other technologies.
When it came to an implementation strategy, first of all the implementation had to be quick because we had to have an enterprise deployment before our licensing with the other technologies expired. Timing was a key driver. The strategy was simple. We backed into the strategy. We knew what our high-level goals were: We wanted enterprise coverage with credentials, and we wanted baselines. That's where the strategy came from. We broke it down by milestones. We're an Agile shop so we had some sort of release every two or three weeks and we had good folks driving the project; good delivery management.
What about the implementation team?
It was all internal. We did have some time with Professional Services to validate architecture, validate the size of the infrastructure prior to deploying it, to ensure that we wouldn't have any performance issues. We had a lot of validation work on the front side, but other than that, it was all deployed through internal resources.
What was our ROI?
In the security space, ROI is a horribly difficult question to address.
It's helping us better manage our configuration adherence, our baseline adherence, as well as vulnerabilities, so there is an ROI but it hasn't been quantified. It's a qualitative ROI. I couldn't give you a quantitative response.
What's my experience with pricing, setup cost, and licensing?
We did a three-year deal where the cost is amortized over the three years. The Elite Support was an additional cost to the standard licensing fees.
In terms of other potential costs, if you use Security Center, most of the time it is on-premise, so you're going to have some sort of infrastructure to build out and there's going to be a cost associated with that. Depending upon the size of your enterprise, it could range from a couple of thousand to $100,000. If you're using Tenable.io, it's all out in the cloud so you don't have any infrastructure cost.
Which other solutions did I evaluate?
Rapid7 and Qualys were the final players in our RFP, in addition to Tenable.
What other advice do I have?
My advice isn't vendor-specific, it's much more agnostic. Whoever is looking for a new solution for vulnerability management or configuration management needs to ensure that they take their time. Develop a strong RFP process that's objective and quantitative and removes bias. Then, perform a well-thought-out PoC and let the data speak for itself. For me, it's extremely important that when you're planning on spending millions of dollars, or making a large purchase, you remove any emotion or bias. You take the relationships out of the picture, and you let the best product win, given a certain use case.
In terms of Tenable focusing our resources on vulnerabilities which are most likely to be exploited, I can't say yes or no. One of the functions our team has is to focus on vulnerability research and emerging threats, and that was before there was ever a plugin created for Tenable. The team is actually really proactive in identifying vulnerabilities through manual research. That's where a lot of the critical stuff comes from. We'll find something critical before the scanning vendors even have a check for it.
The output of Tenable is used by dozens of folks, primarily engineers. Tenable itself, as a platform, is used by 15 or 20 folks. Most of them are vulnerability analysts and some of them are platform engineers. There are a dozen or so executive leaders who reference Tenable's data, as well. We built some 50 dashboards, tailored to a given audience, so that they can see near real-time results. For example, our CIO has an enterprise goal of reducing X percent of vulnerabilities in our enterprise, so we've built out specific dashboards reflecting all of that work. Maintenance of the product requires one person, and it's not a full-time position. For deployment, I had two people, who are security analysts. I actually did not need software engineers to do it.
We're using Tenable very extensively. Some of the feedback I got from Tenable this week is that we're actually one of their more mature clients. And we are expanding our usage. Our company was procured in early December last year, and we'll be expanding not only the scope of what we currently use but also increasing some of the functionality.
For traditional, network-based vulnerability management, I would rate Tenable a nine out of ten. For dynamic application scanning, it's a two out of ten. Overall, I'd put Tenable at a seven out of ten, which is still definitely higher than any of the other technologies that operate in the market. I think this segment of the market is a bit confused. There are too many companies looking to be a silver-bullet and own it all, and their strategy is a bit confused.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jun 10 2019
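The reviewer's two prioritization points (the residual risk calculation compared against base CVSS in "What is most valuable?", and the missing CMDB context in "What needs improvement?") can be illustrated with a small join of scanner findings to asset records. This is an added example, not Tenable's code or the reviewer's actual calculation: the finding and asset records are constructed sample data, and the field names (tier, enclave, internet-facing flag) and the weighting factors are assumptions chosen to show the mechanism, not values from the review.

```python
"""
Context-aware vulnerability prioritization (added example, not the page's own
code): join scanner findings to CMDB asset records and re-rank the same
vulnerability by where it lives, then compare that order with base CVSS order.
All records, field names and weights below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset_id: str
    cve: str          # placeholder identifiers only, not real CVE IDs
    cvss: float       # base CVSS score, 0.0-10.0
    vpr: float        # scanner priority rating, 0.0-10.0 (assumed scale)


@dataclass(frozen=True)
class Asset:
    asset_id: str
    tier: int             # 1 = most critical application tier (assumed convention)
    internet_facing: bool
    enclave: str          # "protected" or "standard" (assumed convention)


# Assumed multipliers: application criticality raises the score, a protected
# enclave lowers it, internet exposure raises it. Tune these to your own SOPs.
TIER_WEIGHT = {1: 1.5, 2: 1.2, 3: 1.0}
ENCLAVE_WEIGHT = {"protected": 0.6, "standard": 1.0}
EXPOSURE_WEIGHT = 1.3

# Constructed sample data: the same placeholder vulnerability EXAMPLE-A sits on
# three different assets; EXAMPLE-C lives on a host the CMDB does not know.
ASSETS = [
    Asset("web-01", tier=1, internet_facing=True, enclave="standard"),
    Asset("db-07", tier=2, internet_facing=False, enclave="protected"),
    Asset("lab-03", tier=3, internet_facing=False, enclave="standard"),
]
FINDINGS = [
    Finding("web-01", "EXAMPLE-A", cvss=7.5, vpr=5.0),
    Finding("db-07", "EXAMPLE-A", cvss=7.5, vpr=5.0),
    Finding("lab-03", "EXAMPLE-A", cvss=7.5, vpr=5.0),
    Finding("lab-03", "EXAMPLE-B", cvss=9.8, vpr=8.0),
    Finding("unknown-99", "EXAMPLE-C", cvss=5.3, vpr=4.0),
]


def residual_risk(finding, asset):
    """Scanner rating adjusted by the asset's business and network context."""
    score = finding.vpr * TIER_WEIGHT.get(asset.tier, 1.0)
    score *= ENCLAVE_WEIGHT.get(asset.enclave, 1.0)
    if asset.internet_facing:
        score *= EXPOSURE_WEIGHT
    return round(min(score, 10.0), 2)


def prioritize(findings, assets):
    """Return (asset_id, cve, residual, note) tuples, highest risk first.

    A finding whose asset is missing from the CMDB keeps its raw scanner
    rating and is flagged rather than dropped, so a CMDB gap never silently
    hides a vulnerability from the queue.
    """
    by_id = {a.asset_id: a for a in assets}
    ranked = []
    for f in findings:
        asset = by_id.get(f.asset_id)
        if asset is None:
            ranked.append((f.asset_id, f.cve, round(min(f.vpr, 10.0), 2), "no CMDB record"))
        else:
            ranked.append((f.asset_id, f.cve, residual_risk(f, asset), ""))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked


def rank_shift(findings, assets):
    """Pressure-test: how far each finding moves between base-CVSS order and
    residual-risk order. Returns {(asset_id, cve): (cvss_rank, residual_rank)}
    with 1 as the top position. A large shift is a finding where context, not
    the scanner's base score, decides the priority."""
    by_cvss = sorted(findings, key=lambda f: f.cvss, reverse=True)  # stable sort
    cvss_rank = {(f.asset_id, f.cve): i + 1 for i, f in enumerate(by_cvss)}
    residual_rank = {(r[0], r[1]): i + 1 for i, r in enumerate(prioritize(findings, assets))}
    return {k: (cvss_rank[k], residual_rank[k]) for k in cvss_rank}


if __name__ == "__main__":
    for asset_id, cve, score, note in prioritize(FINDINGS, ASSETS):
        print(f"{score:5.2f}  {asset_id:<11} {cve:<10} {note}")
    for key, (c, r) in rank_shift(FINDINGS, ASSETS).items():
        print(f"{key}: CVSS rank {c} -> residual rank {r}")
```

With these weights the identical EXAMPLE-A finding ranks first on the internet-facing Tier-1 web host and last on the database in the protected enclave, which is exactly the reordering the reviewer asks the vendor to take from the CMDB. The un-inventoried host stays in the queue with a flag; dropping it would reproduce the blind spot a CMDB join is meant to remove.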