If you were talking to someone whose organization is considering Tenable SecurityCenter Continuous View, what would you say?
How would you rate it and why? Any other tips or advice?
I would recommend this solution to potential users. On a scale from one to ten, I would give Tenable SecurityCenter Continuous View a nine.
The fundamentals are the most important part. Make sure you can access and scan all the different parts of your network with the correct authenticated scans. That is what is most important. Everything else derives from that base data, so you have to make sure that's in place and organized correctly.
In terms of vulnerability prioritization, a lot of it is based on the CVSS score. We're just starting to look into the VPR feature and see how well we agree with that. The way we have it, within our architecture, is that SecurityCenter will run the scans, and then we export the scanned results into a different tool that does network modeling and prioritization. After that system prioritizes, it forwards it into our ServiceNow platform for ticketing and remediation. So far it's been effective in accomplishing the goals we had.
In terms of SecurityCenter reducing the number of critical and high vulnerabilities we need to patch first, I can't really answer that question. With such a large environment, we have quite a number of vulnerabilities. We're not using, for the most part, Tenable's built-in prioritization, or the VPR rating. So it's hard to say if Tenable increased or decreased the number of vulnerabilities that we have to address, compared to the previous solution. A lot of stuff changed around the same time, so it's not comparing apples to apples.
Our team is the only one that manages SecurityCenter day-to-day and runs the scans. After the scans are done it goes out to a prioritization tool, which applies some additional context and additional data to drive a risk score. Based on a threshold there, it's sent into ServiceNow, where the team which owns the asset or the device will do the remediation. Most of the data they get comes directly from Tenable. It's just removed a couple of steps by going through those other platforms.
Overall I would rate SecurityCenter at nine out of ten.
There are definitely some things that could probably be improved, but how we use it might not be how every other customer uses it. Just because we don't use a feature, or we're missing a feature, doesn't mean that other customers aren't getting more leverage out of it.
My advice isn't vendor-specific, it's much more agnostic. Whoever is looking for a new solution for vulnerability management or configuration management needs to ensure that they take their time. Develop a strong RFP process that's objective and quantitative and removes bias. Then, perform a well-thought-out PoC and let the data speak for itself. For me, it's extremely important that, when you're planning on spending millions of dollars or making a large purchase, you remove any emotion or bias. You take the relationships out of the picture, and you let the best product win, given a certain use case.
In terms of Tenable focusing our resources on vulnerabilities which are most likely to be exploited, I can't say yes or no. One of the functions our team has is to focus on vulnerability research and emerging threats, and that was before there was ever a plugin created for Tenable. The team is actually really proactive in identifying vulnerabilities through manual research. That's where a lot of the critical stuff comes from. We'll find something critical before the scanning vendors even have a check for it.
The output of Tenable is used by dozens of folks, primarily engineers. Tenable itself, as a platform, is used by 15 or 20 folks. Most of them are vulnerability analysts and some of them are platform engineers. There are a dozen or so executive leaders who reference Tenable's data, as well. We built some 50 dashboards, tailored to a given audience, so that they can see near real-time results. For example, our CIO has an enterprise goal of reducing X percent of vulnerabilities in our enterprise, so we've built out specific dashboards reflecting all of that work.
Maintenance of the product requires one person, and it's not a full-time position. For deployment, I had two people, who are security analysts. I actually did not need software engineers to do it. We're using Tenable very extensively.
Some of the feedback I got from Tenable this week is that we're actually one of their more mature clients. And we are expanding our usage. Our company was procured in early December last year, and we'll be expanding not only the scope of what we currently use but also increasing some of the functionality.
For traditional, network-based vulnerability management, I would rate Tenable a nine out of ten. For dynamic application scanning, it's a two out of ten. Overall, I'd put Tenable at a seven out of ten, which is still definitely higher than any of the other technologies that operate in the market. I think this segment of the market is a bit confused. There are too many companies looking to be a silver bullet and own it all, and their strategy is a bit confused.