What is our primary use case?
We use it for scanning across our network. We leverage the Nessus scanners to scan the environments we have. That includes the external view, scanning across our DMZ, PCI, and internal environments. We have our Windows and Linux clients and servers. We have IP enabled on almost everything, including the printers, cameras, and elevator banks. It does some analysis on anything that's plugged into the network, with varying degrees of efficiency based on what the device is.
We do full IP-import scans periodically. When we do the actual scans themselves they're usually more narrowed and focused, because if you did every port and every IP every time it would take forever.
How has it helped my organization?
SecurityCenter enables us to find all the vulnerabilities, export that data, prioritize it, and address the highest-risk vulnerabilities. That is definitely the main goal of the tool and it wouldn't be possible without the scanning technology accurately assessing the environment.
It helps to limit our cyber exposure because every time we identify one of the exposed or high-risk vulnerabilities and enclose that, or address it, it reduces the overall exposure. This solution is just one tool in the whole chain that helps accomplish that. It is a very critical component, but it's not doing it in a vacuum.
The scanning helps us focus resources on the vulnerabilities that are most likely to be exploited. We're just starting to look into doing the compliance policies. That will be the next step. Right now, we're reactive, addressing vulnerabilities that are detected. We'd like to identify misconfigurations upfront, address those to speed things up, and reduce the resource cost. If you let a bad image go out to production, and deploy it on 50 systems, you have 50 tickets instead of a single place to fix it. That's what we're looking to leverage next.
In terms of financial value, within PCI compliance especially, if you don't have a scanner in place or you're not conducting PCI scans, you can't participate in the credit industry and accept credit cards. That's a requirement and a role that Tenable fills, one that must be addressed through regulation. We are also subject to GRC and a couple of others which are directly addressed, or a component of them is addressed, through Tenable and scans that it runs.
What is most valuable?
The scanning itself is really the core of the tool, and it's what we're most interested in.
What needs improvement?
There are two areas that have room for improvement.
One is account lockouts; we have had some issues with that. Part of it could just be the way we've handled it, but if we're scanning a large section of the network, and we end up with an account lockout, we can't do authenticated scans. That scan will just continue executing, even without credentials and that makes it difficult to figure things out. Where did it fail? Which ones were fully scanned? Which ones weren't fully scanned? We'd like the ability to only do authenticated scans, so if there's an authentication failure perhaps the scan stops. Or we'd like to have some way to recover scanned data. We export that scanned data to another tool and that's where things start breaking down, because it doesn't know. It sees that it was an authenticated scan, but half the hosts might not have been authenticated to. That may be specific to our use case, to a certain degree.
The other area for improvement is that in specific vulnerability occurrences we would like a little more support for various operational needs. There are certain things that might be false positives. There are certain circumstances where they may have found a vulnerable service and they just removed the service completely from the device because nobody was using it. There's no way to go into SecurityCenter and mark it, to say, "This is no longer an issue. It doesn't exist anymore." Or, "The risk was accepted for one year, so let's not report it as a 'high' until that one-year period is done." The handling of operational flow around vulnerability management could be improved.
For how long have I used the solution?
I have been using the solution for a little over a year.
What do I think about the stability of the solution?
So far we haven't seen any stability issues.
What do I think about the scalability of the solution?
The only issue we've been looking at so far is getting our scan cycles lower. There may be some optimizations needed in the scans, as well as deploying additional scan agents. But it's been pretty simple, as we need more capacity, to deploy more scan agents to various parts of the network. So far we haven't seen any issues with that and we're running with something like 60,000 licenses, to give you an idea of the volume that we're working with.
How are customer service and technical support?
We have a dedicated account contact and rep whom we work with if we need anything. So far our experience has been good. Every time we've reached out, as far as I know, when we have had any issues they've responded. We may not have always gotten the answers we were looking for, but they're always quick and able to respond and provide the information we need.
Which solution did I use previously and why did I switch?
We were using one of Tenable's main competitors. There are only a couple. Part of the reason for our switch to Tenable was related to licensing costs. Some of it was related to the speed of updates that we were seeing with plugins, and things of that nature. We found that Tenable was a little bit quicker in rolling out updated plugins, especially for some high-level vulnerabilities which came out. Coincidentally, right around the time of our PoC, there were some of those remote code execution vulnerabilities in WebLogic and a couple of other devices. We found Tenable was just a lot faster delivering updated plugins to detect those than the product we were using before.
In terms of the visibility of Tenable versus our previous solution, they're comparable. We have visibility everywhere that we can reach and scan, that has an IP address.
How was the initial setup?
I didn't do the initial deploy, but I was involved from the proof of concept and use the tool on a pretty regular basis. It was pretty easy to set up, from the discussions I've had with our team. A different team member handled the initial install and configuration, but it was pretty straightforward. The initial setup, getting certificate deployed, and rolling out the additional Nessus scan agents was all pretty straightforward and easy, as far as I understand.
Part of the time it took was internal to us, where we were waiting on the devices to host both environments. We did a QA and a production environment. We were waiting on internal servers to be stood up and things like that. But the initial install and deploying, once everything was in place, didn't take very long at all.
We were running a different product which did similar scans for a long time, so we already had the plan set up for the QA and production servers. I believe they had some failover to our other environments. We already knew where we were going to deploy agents within the DMZ and within the PCI networks so they could reach everything, including firewall rules. We already were aware of everything and mirrored it when we brought in SecurityCenter.
What about the implementation team?
We just had some discussions with Tenable and then used internal resources.
We have a team of four people who work on the scanning, the standing-up and managing of SecurityCenter. There are three people who do it on a regular basis and one who supports it based on vacations and people out of the office, etc.
What was our ROI?
The areas of ROI include the visibility, the scanning, and being able to identify those vulnerabilities and then feed them through the pipeline to get those prioritized results. Without the scanner and Tenable doing the initial scans, none of the rest of the flow - addressing those vulnerabilities, and reducing our risk and exposure - would be possible.
It also helps with certain PCI compliance because you have to have scans.
We don't get down to the nitty-gritty cost of specific risks. We report a risk as we see it, and there's a different audit organization within our organization that does IT risk management. It will take all the risks and combine that with the financial impacts. I couldn't tell you, "We're saving a million dollars." Our team doesn't look at it at that level. We identify the vulnerabilities as they exist and prioritize them for other teams to consume.
What's my experience with pricing, setup cost, and licensing?
I believe we have a yearly contract. I don't have the details around the exact cost.
Which other solutions did I evaluate?
When we switched over we did a proof of concept across multiple products. We looked at about six vendors in both the scanning and prioritization spaces, since they overlap. Quite a few products will do scanning and prioritization. Some do only scanning. Some do only prioritization. We looked at many vendors before settling on Tenable.
What other advice do I have?
The fundamentals are the most important part. Make sure you can access and scan all the different parts of your network with the correct authenticated scans. That is what is most important. Everything else derives from that base data, so you have to make sure that's in place and organized correctly.
In terms of vulnerability prioritization, a lot of it is based on the CVSS score. We're just starting to look into the VPR feature and see how well we agree with that. The way we have it, within our architecture, is that SecurityCenter will run the scans, and then we export the scanned results into a different tool that does network modeling and prioritization. After that system prioritizes, it forwards it into our ServiceNow platform for ticketing and remediation. So far it's been effective in accomplishing the goals we had.
In terms of SecurityCenter reducing the number of critical and high vulnerabilities we need to patch first, I can't really answer that question. With such a large environment, we have quite a number of vulnerabilities. We're not using, for the most part, Tenable's built-in prioritization, or the VPR rating. So it's hard to say if Tenable increased or decreased the number of vulnerabilities that we have to address, compared to the previous solution. A lot of stuff changed around the same time, so it's not comparing apples to apples.
Our team is the only one that manages SecurityCenter day-to-day and runs the scans. After the scans are done it goes out to a prioritization tool which applies some additional context and additional data to drive a risk score. Based on a threshold there, it's sent into ServiceNow where the team which owns the asset or the device will do the remediation. Most of the data they get comes directly from Tenable. It's just removed a couple of steps by going through those other platforms.
Overall I would rate SecurityCenter at nine out of ten. There are definitely some things that could probably be improved, but how we use it might not be how every other customer uses it. Just because we don't use a feature, or we're missing a feature, doesn't mean that other customers aren't getting more leverage out of it.