If you were talking to someone whose organization is considering Tenable Nessus, what would you say?
How would you rate it and why? Any other tips or advice?
There are at least ten people in our organization making use of the solution. Tenable Nessus is an appropriate solution for a small scale company, one with budgeting constraints and no complexities within the organization. It is not that user-friendly. I would rate Tenable Nessus as a seven out of ten.
So far, I am quite pleased with this product and don't have any complaints. I would recommend this solution to others who are interested in using it. I would rate this solution a nine out of ten.
Ultimately, we plan to use this product less because it is something that we advise our customers to buy for themselves. They should not be using our solution. My advice for anybody who is considering Tenable Nessus is that it is easy to install, easy and straightforward to use, and not expensive. These are the reasons that we advise our customers to use it. I would rate this solution an eight out of ten.
On a scale of one to ten, I would give Tenable Nessus an eight. What happens is Nessus keeps on updating and this becomes a showstopper. We are unable to proceed with the vulnerability scans or testing if we do not update to the latest available patch. We can understand the risk if it's maybe one version earlier, meaning, we understand something was updated with XYZ patch, but there should be something which gives us an option so that not all of our deployments need to have the latest patch. This would save the deployment time because of frequent updates. I would recommend Tenable Nessus, especially the commercial model. We operate in small and medium enterprises and for them, Nessus is becoming expensive. Because of this I may not buy Nessus this year and I might switch to Qualys, for example. Overall, Tenable Nessus is not so pocket-friendly, price-wise, for small and medium users.
We're just customers. We're end-users. We don't have a business relationship with the company. We're using the solution as what I would consider a hybrid, where the security center is managed by another group. However, we have a scanner in our network that connects back to the security center and the DOD of Azure. We're largely happy with the product. Overall, I'd rate the solution eight out of ten. If it weren't for the reporting or the scanning difficulties, I would rate it higher.
For anyone who is interested in this solution, they should test the scan timing to see if it consumes a lot of time or not. Research the remediation information to see if it is okay, or trust proof or not. The reporting works well and it allows you to share. Also, support is important. I would rate Tenable Nessus an eight out of ten.
The advice would be definitely doing your proof of concept because that's what you're going to need for your buy-in from your upper management because it is going to cost some money. I would do a hybrid version, where your own Nessus is internal, and then you have your cloud. If you lose connection to the internet, you could still run an internal Nessus scan to save the scan and then input the scan into Tenable.sc. Do your proof of concepts, get your reports, and use your proof of concepts when you do your presentation to upper management to purchase. If you use your own nodes and your own network as your proof of concept, it gives them an eye view of, "Hey, we're vulnerable because of this, and here's the tool that did it." To me, that was a better selling point because it was real. It wasn't the demo data. Once you have purchased it and get it all set up, use it continuously, meaning include your scan reports with your change control. This way, it shuts down all the administrators who have been there for over 20 years and say, "Hey, I don't want to patch right now because it takes the network down." Yes, it's going to take the network down. However, the longer you wait, the more vulnerable you are, because if I'm doing change requests every week, and I'm calling on more and more risk, and you start to find the same nodes in the same reports, then somebody up high is going to say to the network administrator guy to fix it. I would rate Tenable Nessus a ten out of ten right now. If you had asked me last year, Rapid7 would have been the same and on top, but now that I've been using Tenable and I'm comparing the jobs that I'm doing right now, Tenable is cut and clear as to what the report is saying. My favorite report is the VPR report. Instead of just looking at CVSS numbers, it has a VPR report that ranks, whereas, in Rapid7, it's just focused on CVSS. It is CVSS version 2 or 3, which kind of gets confusing.
For example, in Tenable, I can run a scheduled scan and have my report, but let's say, for instance, I did patching in the middle before my scheduled scan. I could kick off a new scan specifically for that vulnerability and get a report, whereas, in Rapid7, you could not easily do that. Therefore, you were stuck waiting for the scan to go again and to see if your mitigation efforts fixed it.
We are simply customers. We don't have a business relationship with Tenable. We're using the latest version of the solution. I would definitely recommend this solution. It's the best that I've used so far. On a scale from one to ten, I'd rate it at an eight overall.
In some cases, we deploy on-premises because the customer is still evaluating the readiness to go to the cloud. A few of our customers are already on the cloud, and others are migrating. We have deployed on both models. With my experience, I would definitely recommend it. This is the only tool we have used recently. I would rate this solution an eight out of ten.
An interesting cost/benefit tool.
If I were to speak to someone who works with IBM Guardium they would probably tell me, "Ah, Nessus is too simple for me. Guardium is better." But I can recommend Nessus to anyone who wants a good product for a "small amount of money." It's the best buy. When I speak with my colleagues we usually share our experiences. I know that some of my colleagues are thinking about Nessus for next year because they don't have any solution, but they need one, according to regulations. When I explain how it works they usually say that they will check into it. Probably, in Bosnia, there will be two more banks using Nessus in the next year. Alem, as a company, is very friendly and that's most important. They come to our office to explain things. They spent three or four hours here with me, explaining everything about Nessus. They suggested a free trial. It's important to have that kind of support. I know that if I need something, I can ask them without any problems, at any time. Overall, Nessus is working well.
Tenable mainly works on vulnerability scanning and prioritizing.
If you're going to employ this product, it's the better one for smaller to medium businesses because of the executive documentation. I would not try to sell it as a technical tool for a technical group. As a consultant it would be best for you to run it and manage it for clients. With that, you're a one-stop shop for them. I would remind clients that most auditing requirements state that you need a third-party individual to do an assessment of your environment. As a consultant you would do that for them. Keep it in-house. I wouldn't sell it. The priority rating is an industry-standard rating, so it's not like it pulls it out of a hat. It's a known rating, so that's good.
Leverage authenticated scans if you can. That reduces the number of false positives compared to just network-based scanning. Leverage the Tenable Agents if you can, as well, because that will help reduce the scan time and make it easier to get data from machines that are all over your network. The solution isn't really helping to reduce our exposure over time because there are always new vulnerabilities coming out. It's helping us keep track of what's out there better. The next part is going to be convincing external auditors that VPR is a reasonable way to actually prioritize, in terms of whatever our policy statements say for what we fix and how quickly; to get that to line up. A lot of people are still in the, "You must patch criticals with this number of days, highs with this number of days." We want to be able to turn that into a more risk-based approach but haven't really been able to do that. The users of the solution in our organization are really just the people on our security team, so the number is under ten people. They're really just using it to look at the vulnerabilities, analyze the vulnerabilities, and figure out where our risks are and what should get patched. For deployment and maintenance of the solution we have a quarter of an FTE.
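Two of the reviewers above make a point that is easier to see with data: one prefers the VPR report because it ranks findings differently than a plain CVSS list and wants repeat offenders to surface from week to week in change control, and the other wants to move from "patch criticals within N days" policy windows to a risk-based order. The following is an added example, not code from the page, from Tenable, or from any reviewer. It works over a constructed CSV with assumed columns (host, plugin_id, name, risk, cvss, vpr), assumed scores, and assumed SLA windows; none of these are Tenable's real export format or policy values. It shows how the same findings order differently under severity/CVSS versus VPR, which ones are past an SLA deadline, and which recur across two consecutive reports.

```python
"""Prioritizing scanner findings: severity/SLA ordering versus VPR-based ordering,
plus recurring-finding detection across two consecutive reports.

Added example, not from the page, from Tenable, or from any reviewer. The CSV
columns, scores and SLA windows below are constructed assumptions."""
import csv
import io
from datetime import date, timedelta

# Constructed sample export, loosely shaped like a scanner CSV. Column names and
# values are assumptions for this example, not Tenable's real export format.
# The Critical finding deliberately carries a low VPR (no known exploitation
# activity assumed) so the two orderings differ.
SCAN_WEEK_1 = """host,plugin_id,name,risk,cvss,vpr
10.0.0.5,100001,Example remote code execution,Critical,9.8,4.0
10.0.0.5,100002,Example weak TLS configuration,High,7.5,3.1
10.0.0.9,100003,Example privilege escalation,High,7.8,8.7
10.0.0.12,100004,Example information disclosure,Medium,5.3,2.0
"""

SCAN_WEEK_2 = """host,plugin_id,name,risk,cvss,vpr
10.0.0.5,100002,Example weak TLS configuration,High,7.5,3.1
10.0.0.9,100003,Example privilege escalation,High,7.8,8.7
10.0.0.12,100004,Example information disclosure,Medium,5.3,2.0
10.0.0.20,100005,Example default credentials,Critical,9.8,7.4
"""

# Assumed remediation windows in days per severity bucket (policy placeholder).
SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180}
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def parse_export(text):
    """Parse the CSV text into dicts with numeric scores."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["cvss"] = float(row["cvss"])
        row["vpr"] = float(row["vpr"])
    return rows


def key(row):
    """A finding is identified by (host, plugin id)."""
    return (row["host"], row["plugin_id"])


def order_by_severity(rows):
    """Traditional ordering: severity bucket first, then CVSS base score."""
    ordered = sorted(rows, key=lambda r: (SEVERITY_RANK[r["risk"]], -r["cvss"]))
    return [key(r) for r in ordered]


def order_by_vpr(rows):
    """Risk-based ordering: VPR first, CVSS as the tie-breaker."""
    ordered = sorted(rows, key=lambda r: (-r["vpr"], -r["cvss"]))
    return [key(r) for r in ordered]


def sla_due_dates(rows, scan_date_iso):
    """Map each finding to its remediation deadline (ISO date) under SLA_DAYS."""
    scan_date = date.fromisoformat(scan_date_iso)
    return {key(r): (scan_date + timedelta(days=SLA_DAYS[r["risk"]])).isoformat()
            for r in rows}


def overdue_findings(rows, scan_date_iso, today_iso):
    """Findings whose SLA deadline, counted from the scan date, is before today."""
    today = date.fromisoformat(today_iso)
    due = sla_due_dates(rows, scan_date_iso)
    return sorted(k for k, d in due.items() if date.fromisoformat(d) < today)


def recurring_findings(previous, current):
    """Findings present in both reports: the candidates to escalate in change control."""
    seen_before = {key(r) for r in previous}
    return sorted(k for k in (key(r) for r in current) if k in seen_before)


if __name__ == "__main__":
    week1, week2 = parse_export(SCAN_WEEK_1), parse_export(SCAN_WEEK_2)
    print("severity order:", order_by_severity(week1))
    print("VPR order:     ", order_by_vpr(week1))
    print("overdue by 2024-02-01:", overdue_findings(week1, "2024-01-01", "2024-02-01"))
    print("recurring in week 2:", recurring_findings(week1, week2))
```

With the constructed data the severity ordering puts the Critical finding first, while the VPR ordering moves the High-rated privilege escalation ahead of it; that gap is exactly what an auditor would ask a team to justify when the written policy still speaks in severity-based day counts. The recurring list is the set a reviewer would attach to the next change request to show the same nodes carrying the same findings week over week.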
Know that it's only a detection tool and that it has limitations as a detection tool, but the deployment can be pretty scalable. The solution didn't reduce the number of critical and high vulnerabilities we needed to patch first. It tells you what the critical vulnerabilities are that you need to patch, but it didn't reduce anything. It doesn't patch it for you. I would give Nessus a seven out of ten, as it doesn't automatically resolve the vulnerabilities. There are tools out there that give you an option: "Hey, do you want me to patch that vulnerability?" You just hit "yes" and it automatically does it. Nessus doesn't do that. And, as I said, the grouping could be a little bit better.
My advice to others would be to include post-implementation support for six months from the vendor to help with the fine-tuning. I rate this solution an eight out of ten. In the future, I would like to see better reporting for high-impact vulnerabilities.
Scans using agents are very useful, and taking advantage of them is the best way to take advantage of the tool.
I would suggest that people considering this solution should choose the cloud-based solution versus the on-premise version.
I'm a Senior System Engineer at a mid-sized enterprise. I am comparing Qualys VM and Tenable Nessus: