DimitrisMakris - PeerSpot reviewer
Information Security Architect at Injazat Data Systems
MSP
Top 10
A tool to detect and manage vulnerabilities needing a straightforward setup phase
Pros and Cons
  • "Feature-wise, Tenable Security Center is a very fast tool with many dashboards and reports, and it covers all our systems."
  • "The solution's user interface has some issues."

What is our primary use case?

My company uses Tenable Security Center to detect and manage our environment's vulnerabilities.

What is most valuable?

Feature-wise, Tenable Security Center is a very fast tool with many dashboards and reports, and it covers all our systems.

What needs improvement?

The solution's user interface has some issues. Sometimes, when it comes to a table's interface, shortening a column, which in general should be enabled for every column, is not possible. The aforementioned details can be considered for improvement.

For how long have I used the solution?

I have been using Tenable Security Center for a year. I am using the solution's latest version.

Buyer's Guide
Tenable Security Center
March 2024
Learn what your peers think about Tenable Security Center. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
768,857 professionals have used our research since 2012.

What do I think about the stability of the solution?

The stability of Tenable Security Center can be described as a straightforward one.

Stability-wise, I rate the solution a ten out of ten.

What do I think about the scalability of the solution?

It is a very scalable solution. Scalability-wise, I rate the solution a ten out of ten.

In my company, we have 20 users of the solution.

The solution is extensively used in our company.

I don't plan to increase the solution's usage since it is used by the security department only.

How are customer service and support?

The technical support is good and provides a quick response whenever contacted by us.

Which solution did I use previously and why did I switch?

Previously, I have used Tripwire IP360.

My company started using Tenable Security Center because of its reporting capabilities, including the number of reports and dashboards.

How was the initial setup?

The initial setup was straightforward.

The deployment took place in a week.

During the deployment process, we first define your network zones, then we define your organization, define the scan policies, and then finally, we schedule the scanning.

What about the implementation team?

The installation phase can be done in-house, but we chose to seek the help of a consultant.

What's my experience with pricing, setup cost, and licensing?

My company needs to make yearly payments towards the licensing costs. The pricing of the solution falls in the mid-range level, so it is not too expensive.

What other advice do I have?

Overall, I rate the solution a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Mohamed Elnahas - PeerSpot reviewer
Head Of IT Risk and Security at AWB
Real User
Top 10
The product is our second solution, and we are happy that it meets our requirements
Pros and Cons
  • "The product is our second solution, and we are happy that it meets our requirements."
  • "We would like to see the inclusion of external IPs and simplified reporting that's easier to deal with"

What is most valuable?

The reporting vulnerability is very helpful when you link it with the people who close it with the admin and support team, giving them the criticality to find how to close each item. And it's up to date with all the vulnerabilities on the market thanks to prompt updates from the cloud.

What needs improvement?

In the next release, we would like to see the inclusion of external IPs and simplified reporting that's easier to deal with.

For how long have I used the solution?

We have been using this solution for about two years.

What do I think about the stability of the solution?

The solution has been very stable up till now. I would give it nine or 10 out of 10 for scalability.

What do I think about the scalability of the solution?

For our size, it's scalable. It covers all the bank infrastructure and all that we have.

Two or three people from the security team manage the solution, but they extract it for the IT team to take action in different areas, including infrastructure and domain support. So 10 or more people assess the reports to fix the issues.

How are customer service and support?

We are happy with the support from the Tenable side. But sometimes the vendor's people move between areas too often, causing occasional shortages on technical issues inside the country. When you raise tickets, the vendor sometimes takes some time to respond, but they are always helpful. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously we used Rapid7, but we switched after comparing it with the solution because it had some additional features that we needed.

How was the initial setup?

Overall, the initial setup was smooth and easy. Later we had to integrate it with other solutions in the system, but it didn't take long.

What about the implementation team?

We had a consultant for two weeks at the beginning but in the end, we completed it, doing most of the work ourselves and gaining valuable experience. And, of course, we had to set up our systems inside the bank and the structure of the scope of the vulnerability, so that made it about a month.

Four people were involved in the deployment, two from the vendor and two from our team.

What's my experience with pricing, setup cost, and licensing?

We're happy with the licensing cost and find it affordable.

We paid for three years, mostly for the finances and sourcing, but all features are inclusive.

I would rate our licensing cost as eight on a scale of one to ten.

What other advice do I have?

I would give the product an overall rating of nine out of 10.

The product is a very good solution. I would advise potential users to look at other solutions. The product is our second solution, and we are happy that it meets our requirements.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Abul Hasnat Md Sofi Ullah - PeerSpot reviewer
General Manager - Enterprise & Cyber Security Planning at Robi Axiata Limited
Real User
Top 20
A user-friendly and scalable solution that provides excellent vulnerability management features
Pros and Cons
  • "The Auto-Remediate feature is good."
  • "The product should provide risk-based vulnerability management."

What is most valuable?

The product is useful for vulnerability management. The Auto-Remediate feature is good. The tool enables centralized vulnerability management.

What needs improvement?

The product should provide risk-based vulnerability management. It is a popular feature. Large environments can have a lot of vulnerabilities. We need to prioritize them for remediation. So, risk-based vulnerability management is useful for large enterprises.

For how long have I used the solution?

I have been using the solution for almost ten years.

What do I think about the stability of the solution?

We don't face many challenges with the product’s stability. We have two or three issues in a year.

What do I think about the scalability of the solution?

The tool is easy to scale. Almost 1,800 users are using the tool in our organization.

How are customer service and support?

The technical support is good. When we raise the issues to Tenable’s support persons, they respond well.

How was the initial setup?

The initial setup was easy. One engineer is required to deploy the solution in two hours. We do not face challenges in maintaining the product.

What's my experience with pricing, setup cost, and licensing?

The tool provides competitive pricing. We pay a yearly license fee. There are no additional costs associated with the tool.

Which other solutions did I evaluate?

We explored other products, but Tenable was more user-friendly. Tenable has better accuracy, too.

What other advice do I have?

We are satisfied with the solution. Overall, I rate the product a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Asief Mohammed - PeerSpot reviewer
Information Technology Consultant at Simpra advanced technology
Reseller
Top 10
A highly stable and easy-to-deploy product for vulnerability scanning
Pros and Cons
  • "Tenable is the leading product for vulnerability scanning."
  • "The solution should provide better web application features and support."

What is our primary use case?

Our customers use the product for scanning their network for vulnerabilities.

What is most valuable?

Tenable is the leading product for vulnerability scanning. Most of the customers use Tenable in our region. The customers are happy with the product.

What needs improvement?

People do not prefer the solution for web applications. They prefer Acunetix or Netsparker over Tenable for web applications. The solution should provide better web application features and support. It could provide some add-ons to customers.

For how long have I used the solution?

I have been using the solution for the past six months.

What do I think about the stability of the solution?

I rate the tool’s stability a ten out of ten.

What do I think about the scalability of the solution?

We have 15 to 25 customers who use the solution. I rate the tool’s scalability a nine out of ten.

How are customer service and support?

The support team was helpful. Usually, we don't contact the support team because our engineers do the installation. It's not so complicated.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup is easy. We have certified engineers of the product.

What about the implementation team?

Two engineers are needed to maintain the solution. The time taken for deployment depends on the prerequisites of the customers. If the customers provide all details to us at the proper time, we can deploy the solution in two to three days.

What's my experience with pricing, setup cost, and licensing?

The annual licensing fee of the product is $25,000. The pricing depends upon the number of IPs. There are no additional fees associated with the solution.

What other advice do I have?

I am dealing with the latest version of the solution. It's a very good product to use. Overall, I rate the product a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
VictorAkidiva - PeerSpot reviewer
Security Architect at ModusBox
Real User
A lean and easy-to-use interface for patch and vulnerability management
Pros and Cons
  • "The solution has a lean and easy-to-use interface that is not confusing to first-time users."
  • "The solution should include compliance-based scanning."

What is our primary use case?

We use the solution for patch and vulnerability management. We scan our critical systems, keep track of any exploitable vulnerabilities, and prioritize their remediation efforts in terms of patching. 

In the future, we hope to extend the solution to our cloud services. We are moving to Azure Cloud and planning to start a DevOps initiative that might include container deployment. We know Tenable has the CI/CD pipeline security support so we will seek that solution when we are ready. 

What is most valuable?

The solution has a lean and easy-to-use interface that is not confusing to first-time users.

What needs improvement?

The solution should include compliance-based scanning. 

For how long have I used the solution?

I have been using the solution for three weeks but my company has been using it for one year. 

What do I think about the stability of the solution?

The solution is very stable. 

What do I think about the scalability of the solution?

The solution is scalable and we are happy with the way it is operating. 

We currently have forty users and a team of four for maintenance. 

How are customer service and support?

Technical support has been excellent and provides a lot of support when needed. 

Which solution did I use previously and why did I switch?

The company was using OpenVAS, an open-source solution that is miles apart from Tenable. 

At a previous job, I used Rapid7 which compares strongly to Tenable. 

How was the initial setup?

I did not handle the initial setup but know from previous implementations that setting up a vulnerability management solution can be somewhat complex because it involves loading assets, configuring the network, and authenticating.

What was our ROI?

The ROI is almost guaranteed because there is a lot of value in using the product and reporting that to our company. 

What's my experience with pricing, setup cost, and licensing?

The price is reasonable based on our scope of work and how we use the solution. 

What other advice do I have?

The rule is always garbage in, garbage out. Be sure to configure the solution well and take advantage of technical support to understand how things should work. Mistakes are made when people assume they know how to do things. I believe in using technical support to confirm the process and ensure everything is done correctly. 

I rate the solution a ten out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buthainah Al-Balharith - PeerSpot reviewer
Information Technology Security Engineer at Direct Choice
Real User
Top 5
Leaderboard
An expensive solution that helps to scan threats and conduct risk assessments for NCA
Pros and Cons
  • "Tenable Security Center scans networks and gives reports."
  • "The solution is expensive."

What is our primary use case?

We use the product to scan threats and conduct risk assessments for NCA. 

What is most valuable?

Tenable Security Center scans networks and gives reports. 

What needs improvement?

The solution is expensive. 

How are customer service and support?

I haven't contacted the support team yet. 

How was the initial setup?

Tenable Security Center's deployment is easy. 

What's my experience with pricing, setup cost, and licensing?

The tool costs around 15,000 Saudi riyals monthly. 

What other advice do I have?

I rate Tenable Security Center a five out of ten. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Abhik Chatterjee - PeerSpot reviewer
Senior Manager at Capgemini
Real User
Top 10
Useful scanning, beneficial dashboards, and effective automation
Pros and Cons
  • "The most valuable features of Tenable SC are scanning, reporting, dashboards, and automation."
  • "Tenable SC can improve by adding more integrations with HCI-type tools and more accurate vulnerability detection."

What is our primary use case?

We use Tenable SC for internal vulnerability scans with agents, and agentless scanning in the cloud. For example, we're scanning the AMI in the cloud and making it part of the base image.

What is most valuable?

The most valuable features of Tenable SC are scanning, reporting, dashboards, and automation.

What needs improvement?

Tenable SC can improve by adding more integrations with HCI-type tools and more accurate vulnerability detection.

For how long have I used the solution?

I have been using Tenable SC for approximately three years.

What do I think about the stability of the solution?

Tenable SC is stable.

What do I think about the scalability of the solution?

The scalability of Tenable SC is scalable.

We have more than 10,000 people using this solution. We are using the solution extensively.

How are customer service and support?

The support from Tenable SC is good.

I rate the support from Tenable SC a four out of five.

Which solution did I use previously and why did I switch?

We previously used Qualys.

How was the initial setup?

The implementation of Tenable SC is straightforward. It took us approximately two to three months to complete.

I rate the initial setup of Tenable SC a four out of five.

What about the implementation team?

We did the implementation of Tenable SC in-house. We used five or six staff members for the process and we did most of it through automation. We have engineers, managers, administrators, and product managers assisting.

What other advice do I have?

I would recommend this solution to others.

I rate Tenable SC an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Medical Device Cybersecurity Analyst at a healthcare company with 5,001-10,000 employees
Real User
Enables very customized policies to routinely scan, while simultaneously not causing impact
Pros and Cons
  • "What is useful to me is being able to fulfill very customized scanning policies. In the clinical environment, because of vendor control, we can't perform credential-vulnerability scanning. And network scans, which I've done before, can cause a lot of impact. Being able to create very customized policies to be able to routinely scan and audit our clinical networks, while simultaneously not causing impact, is important to us."
  • "If I want to have a very low-managed scan policy, it's a lot of work to create something which is very basic. If I use a tool like Nmap, all I have to do is download it, install it, type in the command, and it's good to go. In Security Center, I have to go through a lot of work to create a policy that's very basic."

What is our primary use case?

I'm the one who scans and performs assessments on clinical and medical equipment in our environment. I manage the clinical endpoint devices: MRI systems, bedside monitoring, Alaris pumps, fusion pumps, CTUs, EEGs, EKGs, wireless defibrillators, and a lot of IP cameras that are part of operation room labs. My colleague handles all the regular enterprise IT, database servers, etc. From a scanning standpoint, I do everything from discovery scanning to full-credential auditing and anything and everything in between. That's just for the medical space in a 24/7 production medical environment.

We're also using a bit of the Passive Vulnerability Scanner and, eventually, I want to get to using the agents, but we haven't gotten to that stage yet.

How has it helped my organization?

My department is not enterprise-managed. We don't use tools like SCCM to push out patches. Everything is manual updating. I need to be able to track and audit against our devices and know exactly what Microsoft hotfixes I need to see. I need to identify what specific patches are missing on devices. Or, for example, there was a Microsoft CVE alert that was put out a couple of weeks ago for RDP, Remote Desktop Protocol. I'm using the scanner now to try to identify what devices we actually need to look at to address risk on. Including IP cameras for our different labs, I manage over 40,000 devices. So I really need to know what exactly I need to focus on for a given vulnerability, such as the Microsoft one, as they come about. Tenable really helps with the identification piece, in a way that traditional IT policies and procedures and tools cannot.

It saves me time. When I get into actually identifying impacted assets in my environment - and having to deal with fewer false positives - it could save me up to eight to ten hours a week, for things like the RDP issue we're dealing with now; for the things that really come out as priorities.

Security Center helps to limit our organization's cyber exposure. In our environment there is a lot of stuff we can't deal with in terms of endpoints, but it has definitely helped in identifying the devices we have out there which haven't had Microsoft updates applied in years, potentially. It's really helped identify those, the low-hanging fruit. But then, you get into the devices that are relatively up to date but their vendor application has been the same for however many years. In the least, we're able to identify and understand which devices those are and what the risks are, even if we can't immediately address it.

In terms of reducing the number of critical and high vulnerabilities we need to patch, it has helped me to identify them, and I address them accordingly. As I said, there is stuff we can't address, but at least it helps us identify them, and we are able to address some of them. It's helped us identify vulnerabilities and put in compensating controls and mitigating controls. It has definitely reduced the risk exposure we've had.

Also, rather than rely on high-level communication from vendors about whether or not their products may be impacted, I can use scans to actually identify what is impacted or in scope for a given vulnerability. It used to be, a couple of years ago, if I had to identify systems, I had to know at a high level if some of these devices could be impacted. It would create a lot of false positives. Since we've been using the scanner, I've been able to narrow that down quite a bit. I still get false positives, but I certainly get a lot fewer than I used to. It helps me have a more managed focus with any scope I'm looking at.

What is most valuable?

What is useful to me is being able to fulfill very customized scanning policies. In the clinical environment, because of vendor control, we can't perform credential-vulnerability scanning. And network scans, which I've done before, can cause a lot of impact. Being able to create very customized policies to be able to routinely scan and audit our clinical networks, while simultaneously not causing impact, is important to us. That requires a lot of flexibility in how we create the policies, so flexibility in policy-creation is a big feature. 

For me, another useful feature of the tool is the dashboard and reporting. That is a big piece for me. The reporting covers most of my needs.

In terms of integrations, so far, from what we've seen and for what we're trying to accomplish, it's been pretty flexible.

The Vulnerability Priority Rating is useful. I run scans on all of our medical equipment and we have stuff that's still Windows 2000. Equipment is so expensive to upgrade and replace. I find a lot of it shows up red for vulnerabilities that we really can't do anything about. The predictive stuff helps prioritize some of those risks. At a high level, it helps narrow that scope. There is still a lot of manual work on my end because, as I mentioned, I really have to know what equipment I'm looking at exactly from a medical standpoint. But it does help narrow the scope.

What needs improvement?

In terms of the reporting, it's good for IT tools, but it doesn't give me contextual insight into what device, what kind of medical equipment it is. And in my world, that's a big deal. That's a con, given what my needs are. We can't integrate it with our biomed database to correlate data. So I can know what vulnerabilities are on it by IP address, but it doesn't tell me what device it is. Is it an MRI or a workstation? Is it the workstation which is running MRI's or is it the one that's just pulling patient images? Things like that are things that I need to know, and usually the tool can't do that in and of itself. With that said, we do have some work toward some other integrations to try to improve some of that.

Also, I don't know of a process right now to do what I'll call mass risk-acceptance. I have thousands of devices which allow high and critical vulnerabilities and there's really not much I can do about it. But if we put a firewall in front of it, the risk of the whole device is accepted. I need to be able to accept all those risks in the tool. It's really not easy to do within my workflow at this time. There are ways to get around it, but they're not conducive to what I do in my work.

If I want to have a very low-managed scan policy, it's a lot of work to create something which is very basic. If I use a tool like Nmap, all I have to do is download it, install it, type in the command, and it's good to go. In Security Center, I have to go through a lot of work to create a policy that's very basic.

Finally, the way we're using it now, for routine scans, it's only good for as long as a device is active on the network. That's one of my biggest concerns at this time: What about the stuff I don't have access to on the network when it runs the scans?

What do I think about the stability of the solution?

We have quirks every now and again. Sometimes, when I click into the analysis dashboard, I get errors. For example, it will say it can't pull up a specific query. I just let the problem persist. I can work around it and, eventually, it just seems to fix itself.

Beyond that, it's been pretty stable. We have a lot of firepower behind it and in my experience, it has always been up. There aren't that many operational issues with it.

What do I think about the scalability of the solution?

When you throw in the Passive Vulnerability Scanner, just being able to spit out more hardware if we need it, it seems like it scales well, at least with respect to our environment. When we first had it, we only had a handful of servers powering it and scans took forever. I don't know how many servers we have on the back end powering it now, but it's a lot faster. We've added to it to give it more juice. That's been pretty easy and straightforward as well.

How are customer service and technical support?

I don't generally talk to tech support. That's handled by my colleague or someone else in the security team. But I talked to them when I was at my previous organization where we used Security Center. From what I vaguely remember they were helpful.

Which solution did I use previously and why did I switch?

We used Rapid7 Nexpose. In our view, Security Center is a more thorough tool. It has more plugins to scan against a lot of vulnerabilities, and it is a bit more granular. Overall, it's been a better tool to use.

How was the initial setup?

As for the initial setup, that would be a tech question. The only thing I've set up is the Passive Vulnerability Scanner. That was pretty straightforward. When I got to the point of setting it up with Security Center, it took my colleague and me under an hour. That was just our first one. It's pretty straightforward once you know how to do it.

We have an enterprise issue, so for us to be able to capture all that is needed from the clinical side, we would have to have deployed it at every site. It's because there is a lot of Layer 2 traffic. Since we have Security Center centralized, traffic will route out. Since we have networks at the sites that don't route out, we can't scan that traffic remotely. The idea is to have one at each site but, because of the standards in our organization at this time, we can't do that.

What was our ROI?

It's less a question of ROI and more a question of cost avoidance, meaning avoiding the potential cost from having a vulnerable device that can be breached. Security is a sunk cost in any organization. You never truly know its value until you have an incident.

What's my experience with pricing, setup cost, and licensing?

The pricing is more than Rapid7 Nexpose. PVS and the agents, etc., are all part of that agreement. So it's pretty comprehensive, but I don't know how much it is.

Which other solutions did I evaluate?

In my own work, I've used some open-source solutions like Nmap. I've messed around with Retina, another open-source solution. Most of the stuff I've used has been freeware, open-source tools. In terms of a commercial competitor, the one I've used most is Nexpose, Rapid7's tool.

One thing I liked about Rapid7 Nexpose, that Security Center does not have, is that when we scheduled scans in Rapid7 Nexpose, there was a graphical calendar that showed when scans are taking place. Security Center doesn't have that. It's a small thing, but it helps to visualize what's happening.

What other advice do I have?

In my type of medical environment, when you get into an operational technology environment, PVS or something that's a passive scanner is more the way to go than something that actively goes out and scans and tries to interrogate endpoints, because that can cause impact. When dealing with the healthcare space or, say, the electrical grid, the consequences can be very widespread or can cause significant impact. Something like PVS is a great idea to look into.

If you're scanning operational technology, definitely use connectionless-oriented discovery policies. For example, perform UDP scans instead of TCP scans. From my experience, TCP scans have definitely brought down systems.

When it comes to insight, it helps but, the way we're using it now, scans only pick up what's active on the network, while the scan is occurring. For my environment, I perform most of my scans overnight, so I'm missing a lot of stuff that is used during the day in the clinical environment. That includes point-of-care devices, ultrasonography, and some other stuff. I don't scan the networks during the day, for the most part, so I do miss a lot of that stuff. PVS, the passive scanner, would pick up on a lot of that. When talking about actually detecting intrusion, I think it would be more powerful if we're able to get it deployed everywhere.

Two people in our organization actively use it for a lot of scanning. Some of the other security guys use it, but for the most part, it's just my colleague and I who use it. I have my scheduled, routine scans that run automatically and there are the scans I schedule for overnight. I run discovery scans daily. I run my vulnerability audit scans every other month. I'm doing the RDP scans now. I log into it daily and I run scans in it several times a week manually, outside of the scheduled scans. I use it heavily.

Right now there is just one person who manages the solution. I handle some of the PVS stuff but it's my colleague who is running the show.

Overall, I would give Security Center a nine out of ten. Of all the tools I've used, when it comes to managing the vulnerabilities and risks of a whole enterprise environment, I don't think I've used a better tool than Security Center. The reason I say nine and not a ten, is because I like to have a lot of control. When I use Nmap, I'm able to write my own scripts. Security Center has a lot of that built-in, but I feel like there's very deep and more granular control once you know how to use some of the open-source tools out there.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user