What needs improvement with Tenable SC?

Additional costs are associated with using the solution, as additional scanners are required for different endpoints connected to the Tenable Security Center. If Tenable Security Center could extract information from these scanners automatically rather than manually, it would enhance user-friendliness for customers. For example, suppose I manually conducted CIS hardening or compliance scoring in a separate data centre. These scores should also be reflected in the Tenable Security Center dashboard. Since the scanner is connected to the Tenable Security Center, the dashboard should display the direct scan results from the general security centre and the connected scanners. There could be unusual activities or attacks with the rising AI-related issues or threats that the Tenable Security Center could track in the future.

The solution is expensive.

We are facing some challenges related to our channel. We are not having partner channel engagement if it's changed. Most probably due to the addressable market size, the solution providers are not putting that much purpose into the partners.

The product could be user-friendly, and they could enhance the web application's security features.

The product should provide risk-based vulnerability management. It is a popular feature. Large environments can have a lot of vulnerabilities. We need to prioritize them for remediation. So, risk-based vulnerability management is useful for large enterprises.

Though the solution's technical support is responsive, they do take a lot of time, making it one of the solution's shortcomings that needs improvement.

Certain aspects require effort. The solution's built-in reporting components are somewhat clumsy. So, this is an area of improvement. Therefore, we export data and integrate it with our other reporting tools - the Elastic Stack, also known as Elasticsearch. We find it more comfortable to generate reports from Elasticsearch because we're well-versed in creating those dashboards there. It's more convenient for us to extract and integrate information in the same manner. We've been in discussions with Tenable regarding a specific enhancement. It is a concept known as VPR, which stands for Vulnerability Priority Rating. This is related to the CVSS (Common Vulnerability Scoring System) value, which rates vulnerabilities on a scale from one to ten. However, the CVSS alone doesn't accurately determine the severity of a vulnerability; it doesn't indicate how exploitable it is. The VPR takes into account additional factors, such as how widely the vulnerability is being exploited in the wild and the volume of reports from affected sites. And if we want to have it on our dashboard, this is something that doesn't work well for us in that sense. We cannot extract it from the Tenable system; we're restricted to using Tenable's own dashboard and reports. However, there's certainly some logic or rationale behind it. It's not directly tied to the CVSS, but rather some other factors. So, it's not a one-to-one correlation with the CVSS, although CVSS is a metric commonly employed in various other systems for assessing vulnerabilities. Aligning these metrics and incorporating an additional feature indicating the early harmfulness of a vulnerability is lacking. We're hopeful that the CVSS framework is undergoing changes. I've heard that version four, while not specifically linked to Tenable, is likely to introduce more meaningful values. These values won't be solely focused on severity but also on the level of exploitability. For instance, if exploiting a vulnerability requires local access and specific conditions, it might not merit a higher score like ten; it could be lower due to limited feasibility. Thus, certain developments could be anticipated in this regard. Tenable is also working on its own approach, known as CPR (Cyber Exposure Priority), but this feature is not exportable, unfortunately. In future releases, I would like to see a feature that provides insight into the actual degree of harm associated with certain vulnerabilities. Ideally, I'd want this information to be exportable to align it with other vulnerabilities. It's possible that I might have the same CVSS value from another source, not necessarily Tenable. We're not using Tenable IO for container security, where we have a separate collection of CVs for containers. However, it's challenging to compare them directly due to the differing numbers and systems. If we could implement this VPR concept for other CVs as well, we could customize it to better suit our needs.

People do not prefer the solution for web applications. They prefer Acunetix or Netsparker over Tenable for web applications. The solution should provide better web application features and support. It could provide some add-ons to customers.

I think the web application should be improved because it's not very functional.

The solution needs to improve its support. I would like to see a bird's eye view of my network architecture. I would also like to see the continuous view feature in the tool.

The solution is expensive. They should work on its pricing.

Tenable.sc's user interface could be improved.

The solution is a bit on the expensive site. In a country like Bangladesh, most of the customers don't have a budget that could afford Tenable SecurityCenter. They'd rather go for Qualys and Nexpose, which cost less. The licensing policy is something they can improve. Support could be faster.

The solution needs to improve the vulnerability assessment because we have experienced some challenges with accuracy. Tenable.sc would benefit from a more user-friendly interface for the hands-on users of the configuration assessment. It is difficult to modify the policies because they require significant expertise that regular users do not have.

Tenable has some problems with agents going offline during scanning and lag between agents and the security center. In the next release, Tenable should include automated patching and integration with SSCM so missing patches can be pushed from there.

In the next release, we would like to see the inclusion of external IPs and simplified reporting that's easier to deal with.

Tenable SC can improve by adding more integrations with HCI-type tools and more accurate vulnerability detection.

Tenable SC could be improved with additional connectivity to external company postures and the capability of managing and sustaining agents in the systems directly without additional platforms in the middle.

Tenable SC can improve by making it easier to create complicated reports and have more effectiveness in the remediation area for comparison between the scans.

In regards to additional features, I would say make it a little bit simpler. There are different menus for downloading reports that could just be a click and download. Right now, we have to go to the scan and then we have to go to the reports and download the Excel or CSV or PDF. I think these menus and clicks can be minimized.

Tenable SC could improve by making the creation of the initial reports easier that correspond to our network.

Its reporting can be improved. It is not easy to generate a scan report the way we want. The data is okay, but we can't easily change the template to make it look the way we want.

The reporting side can be improved. The dashboards are nice, but exporting things out for reports for management was a little tough. We had the on-prem version and the cloud version, and I wasn't a big fan of having different consoles. It would have been nice to be able to have all those features in the cloud version because on-prem is a little tough to manage.

Internal ticketing systems require improvement. The GUI could be improved to have all concerns and priorities use the same GUI, allowing them to see all tickets, assign vulnerabilities, and assign variation failures to each member of their team.

Everything in life has room for improvement. While I consider the solution to perform as it should, most customers, for the wrong reasons, wish for it to have the penetration testing capabilities. This is not a problem with the product, but with the demands of the customer and I remain uncertain if I can meet these. The pricing is reasonable, but this could be brought down more aggressively, such as we see with Rapid7, Tenable SC's main competitor.

There is not much room for improvement. However, there should be a guide that describes the step-by-step procedures for doing tasks. Otherwise, training is required from a senior guy to a junior guy.

I'm pretty happy with it, but I do see a lot of stuff coming out about risk-based vulnerability management. And so I've been looking at that. I don't think we're using that as of yet and it seems like a newer feature they're talking about a lot that I'm interested in. I will say it's a lot slower compared to an MS scan. It takes so much longer, so the performance could definitely be worked on. There was also an issue with SecurityCenter once where we had agents deployed on each device, and while it was scanning we were collecting the data real time. During this process, we had an enclave that was not submitting. It didn't have the agent installed because it wasn't connected to the enterprise network. They were scanning locally and submitting the scans and we would then upload them into SecurityCenter manually. Each time that there were any duplicates with host names or IPs, or that there were issues with the scanner device with authentication, it failed. But then you scanned it again and it was successful. When you uploaded that, SecurityCenter was counting it as two devices. And when you ran your report for unauthorized devices, even though it was scanned a second time successfully, the first time would show as a failure. So it was throwing off reporting. So we would run a report and say, "Okay, which device has failed scanning with authentication?" And it would give a device and we'd be like, "Well, here's the secondary scan showing that it was successful." And so we were having to manually go in there and delete the failed ones. And that was a pain in the butt. We eventually got that enclave online so we fixed the problem, but I felt that was a limitation of Tenable SecurityCenter that it couldn't see that.

I think the company should redo their web page because the way things are now there are a lot of things you can't do. For example, if you want to filter something on the solution and have it filter down to all of your widgets, you can't do it, you have to go from one widget to the other. It takes some time if you have a big customer dashboard that's using some data. I think that the integration with a solution like Jira could be a little bit better for when you create tickets based on your vulnerability. I know they are working on additional features related to the integration with the patch management like Qualys has, which is really amazing. This is the future and I know they're working on it.

Parallel scanning would be a nice improvement because it would speed up the detection process. It is not possible to search for vulnerabilities and do compliance checking at the same time. Rather, they are done one after the other. The integration is very good, although it still needs to improve. For example, it would be useful to have better integration with other tools in the space of identity management (IAM). As it is now, integration with new tools has to be developed specifically, so it's not easy. We would like to see better collection capability for external data that will help to improve detection and discovery.

There should be an easier way to build your own type of reports because the data is there but it is quite painful to get what I want from it. I prefer Tenable SC to other solutions.

Using the product — especially very early on — even though we have things like prioritization, it can be a little verbose in that there's a lot of information being streamed out of the reports. What would be nice, and maybe we just haven't found it, would be more of an executive-type view. We still expect it to collect all this information, but we would like a feature that would allow us to show it to an executive or a director or someone like that and give them some type of high-level overview but not get into the nitty-gritty.

We need to give more customer demos and also highlight the strengths of the product that have been developed over a twenty-year period. The vulnerability scan does not work correctly until the access privileges are set by the system administrator.

It's good at creating information, it's good creating dashboards, it's good at creating reports, but if you want to take that reporting metadata and put it into another tool, that is a little bit lacking. It does great for things for the API. For instance, if we say, "What vulnerabilities do we have?" or "How many things have we scanned?" those things are great. But if we want to know more trending stuff over time, it can create a chart, but that's in a format which is really difficult to get into another program. Integration into other reporting platforms, or providing more specific scanning program metadata, would be an opportunity. It does have a fully-bolstered API which is available online that you can look at, but it is more aimed at getting more vulnerability information out instead of reporting information out.

In terms of the reporting, it's good for IT tools, but it doesn't give me contextual insight into what device, what kind of medical equipment it is. And in my world, that's a big deal. That's a con, given what my needs are. We can't integrate it with our biomed database to correlate data. So I can know what vulnerabilities are on it by IP address, but it doesn't tell me what device it is. Is it an MRI or a workstation? Is it the workstation which is running MRI's or is it the one that's just pulling patient images? Things like that are things that I need to know, and usually the tool can't do that in and of itself. With that said, we do have some work toward some other integrations to try to improve some of that. Also, I don't know of a process right now to do what I'll call mass risk-acceptance. I have thousands of devices which allow high and critical vulnerabilities and there's really not much I can do about it. But if we put a firewall in front of it, the risk of the whole device is accepted. I need to be able to accept all those risks in the tool. It's really not easy to do within my workflow at this time. There are ways to get around it, but they're not conducive to what I do in my work. If I want to have a very low-managed scan policy, it's a lot of work to create something which is very basic. If I use a tool like Nmap, all I have to do is download it, install it, type in the command, and it's good to go. In Security Center, I have to go through a lot of work to create a policy that's very basic. Finally, the way we're using it now, for routine scans, it's only good for as long as a device is active on the network. That's one of my biggest concerns at this time: What about the stuff I don't have access to on the network when it runs the scans?

The web application scanning area can be improved. A feature that I would like to see is the ability to integrate with exploit tools.

One of the challenges that we may have experienced with that platform would be the flexibility of how to modify or create. They have this configuration compliance audit function, so if ever an organization has their own configuration standards that should be set on their servers, you have to modify those plugins in Tenable for it to match the specific values that you are looking for when you perform the configuration assessment on your equipment. It is a small challenge because it uses regular expressions on their plugins and so we are having a hard time either creating a blank template from scratch. We usually base our compliance audit plugin on an existing one and then modify the values or describe whatever is not up to our standards. A good plugin editor is an additional option for the Security Center.

In terms of the configuration of the reports, there's some level of flexibility that we are not able to achieve. In terms of configuring the reports to achieve certain percentages and all of that. So, that's really the main thing I've noticed. But, apart from that, I think it's one of the best vulnerability management tools I've used, in terms of giving us the full visibility into the environment.

Security Center's vulnerability scanners are excellent in terms of compliance reporting, and the dashboards certainly seem to make the less technical of our staff all starry-eyed, but to be honest, I find SecurityCenter to be lacking in too many ways where my usage of it has been concerned. Dashboards, to me, are much less interesting than a powerful and flexible query engine, and that's an area where I find SecurityCenter most lacking.