It provides us with clear visibility across our environment.

We've got better insights into our vulnerabilities and weaknesses. This has led us to a better situation where we have better control. Our ability to manage the situation has improved. 

Previously, we lacked a good overview, but now we possess detailed reports. We generate these reports internally and disseminate them to other responsible teams. Now, we have made it a part of our daily workflow and it helps us monitor vulnerabilities and related matters. It aids us in pinpointing weaknesses and facilitates more effective updates. If something slips, it becomes visible.

However, this is a significant feature, although it could potentially offer even more assistance. 

My department is not enterprise-managed. We don't use like tools like SCCM to push out patches. Everything is manual updating. I need to be able to track and audit against our devices and know what exactly what Microsoft hotfixes I need to see. I need to identify what specific patches are missing on devices. Or, for example, there was a Microsoft CVE alert that was put out a couple of weeks ago for RDP, Remote Desktop Protocol. I'm using the scanner now to try to identify what devices we actually need to look at to address risk on. Including IP cameras for our different labs, I manage over 40,000 devices. So I really need to know what exactly I need to focus on for a given vulnerability, such as the Microsoft one, as they come about. Tenable really helps with the identification piece, in a way that traditional IT policies and procedures and tools cannot.

It saves me time. When I get into actually identifying impacted assets in my environment - and having to deal with fewer false positives - it could save me up to eight to ten hours a week, for things like the RDP issue we're dealing with now; for the things that really come out as priorities.

Security Center helps to limit our organization's cyber exposure. In our environment there is a lot of stuff we can't deal with in terms of endpoints, but it has definitely helped in identifying the devices we have out there which haven't had Microsoft updates applied in years, potentially. It's really helped identify those, the low-hanging fruit. But then, you get into the devices that are relatively up to date but their vendor application has been the same for however many years. In the least, we're able to identify and understand which devices those are and what the risks are, even if we can't immediately address it.

In terms of reducing the number of critical and high vulnerabilities we need to patch, it has helped me to identify them, and I address them accordingly. As I said, there is stuff we can't address, but at least it helps us identify them, and we are able to address some of them. It's helped us identify vulnerabilities and put in compensating controls and mitigating controls. It has definitely reduced the risk exposure we've had.

Also, rather than rely on high-level communication from vendors about whether or not their products may be impacted, I can use scans to actually identify what is impacted or in scope for a given vulnerability. It used to be, a couple of years ago, if I had to identify systems, I had to know at a high level if some of these devices could be impacted. It would create a lot of false positives. Since we've been using the scanner, I've been able to narrow that down quite a bit. I still get false positives, but I certainly get a lot fewer than I used to. It helps me have a more managed focus with any scope I'm looking at.

It helps us prioritize based on risk and it also helps us prioritize manpower, to show we are getting the most value from the limited number of man-hours that all organizations face. We have the same problems: Where do we need to focus? Where do we need to focus money? And where do we need to focus additional expertise that we don't have or didn't think we needed.

Overall, we use it as a third-party — I don't want to say settle arguments — but as an expert opinion as to what is a true vulnerability is, versus what is something that isn't as high of a priority. It takes opinion — if two cybersecurity people are arguing or discussing if this thing is more important than that thing — and, since Tenable is not invested in our company, gives the best practice. It is very valuable in that sense.

In terms of cyber exposure, it allows us to centralize both vulnerability management and visibility. We have one place to look instead of going through: Okay, we're using the Microsoft tool, and now we're going to go use the Cisco tool, and now we're going to go use the Red Hat tool. It allows us to centralize and easily correlate all data together, and then use the prioritization or just understand where the gaps in our security posture lie. That's more valuable than saying, "Okay, here's this report for Microsoft, and now we're going to print out a report from Red Hat, and we're going to print out a report from Cisco, and we're going to print out a report from NetApp, and we're going to put them all together and then we're going to discuss it." Having it in a single view is very valuable to us in that it saves us a lot of time.

Tenable also helps us to focus resources on the vulnerabilities that are most likely to be exploited. And since it is continuously updated, it allows us to reevaluate quickly if there are new vulnerabilities found, versus ones that we're already working off and are already known to us.

And since cybersecurity and IT security are not a fix-it-and-forget-it scenario — it's a continuous process — having a tool like this, especially one that is continuously monitoring our environment, is very valuable. It's not that we're not doing this once a year, we're not doing this once a quarter. We're doing this every day.

Finally, the solution has reduced the number of critical and high vulnerabilities we need to patch first.

The tool provides us insight into the happens of the network and its hosts. It provides me with a list of hosts. 

The initial product price is quite high, and in our country, this market is very price sensitive, and we have multiple segments of customers. If I invest ten dollars on behalf of my customers and profit just five percent; in such a market, how does the solution provider ensure expansion from our side? This should be taken care of by the channel or legal system. Due to this, we need to work in a very tight situation. 

The ability to view the plug-ins, the way that the plug-in library works, is really good. It's not an individual list of 80 million different CVEs. We can actually just say, "Hey, here's a plug-in," and it really helps us to boil things down. Instead of having a million CVEs, here's the specific plug-ins that are actually tying the CVE families together. That helps our platform owners, if there is an issue, to see what it is and understand better how to fix it.

Also, the fact that they display the very specific plug-in output in their details area helps our platform owners know, if there's an issue, specifically what was checked and what versions it was on at the time of the test. That's just huge. It increases the trust in the information from the tool. It cuts down on accusations of false-positives and it helps people do their job better.

It helps us to understand our cyber-exposure. At the end of the day, if you don't know what you have, then you cannot defend against it. Understanding what services, what technologies, and all those components will also give us an idea about how to predict what kinds of attacks are the things that we need to guard against in the future.

It also helps us focus resources on the vulnerabilities that are most likely to be exploited. Looking at what actually has an exploit available along with consideration of other things such as network proximity times and information about the threat - either VPR or CVSS - pulling all that together does allow us to identify pretty quickly what are the high-priority targets that we should work on.

This solution has given us visibility of the vulnerability in our network. It also shows what needs to be done to negate the vulnerabilities by providing links to the solution for those issues. Generally, we are now able to manage our vulnerabilities better. We can identify them, prioritize them, and then negate them. It has improved our security posture.

It easily detects issues, and alarms the site.

Tenable SecurityCenter has absolutely improved our organization, by making everything more secure and helping ensure solid vulnerability management.

The solution has been beneficial for our organization.

Before, we did manual management of our assets. We have an EXO file that has all our assets in it. They have the IP address and all the details of each equipment. We manually enrolled those assets to our vulnerability scanning tool for them to be scanned on a monthly basis and check what new vulnerabilities they may have. With the  Security Center, we are able to automate. We were able to automate how we enroll our assets in the Security Center, and the scheduling of when we scan each asset, and how we report them to respective system owners. We are trying to use it as a channel of a self-service platform to the system owners or system administrators. It helps to access the Security Center for them to review the vulnerabilities that the equipment or the servers may be assigned or under the domain.

In terms of vulnerability mitigation, SecurityCenter has worked quite well and is a perfect replacement for GFI LanGuard. Unfortunately, it's also being posed to my team as what we're supposed to use in place of ArcSight Express, which I've worked with for several years now.  SecurityCenter could be much more useful to our agency as a whole if it were configured better, but I'm not sure that the team that directly manages that system knows how to do that, or has the right licenses they need to bring in all of the data my team needs in SecurityCenter to make good use of it.  Basically, it comes down to two teams trying to use the same product for very different purposes, and while one team is pleased with the results, the other (mine) is not.

This solution has a much lower rate of false positives compared to competing products.

It can operate in hybrid mode, too. The greatest strength of the product comes up when the agent is deployed on the endpoint to be scanned. Thereafter, even if the agent is out of the office network, it can still be scanned and will also send back data to the parent console.

Previously, we were using Nessus, which required a lot of manual work in terms of reporting. We do a lot of customization, and Tenable SC has been very helpful. Reporting is just a click away in Tenable SC, whereas it used to take a long time to create a similar report and customize it in Nessus.