Tenable Security Center Reviews

We use Tenable to scan all of our environments and plugins for vulnerabilities. Tenable helps us discover network vulnerabilities to threats and piracy. 

Tenable's reporting engine needs improvement. It needs to be more efficient and add more features.

I've been using Tenable for one year.

Tenable is scalable. 

Tenable technical support needs improvement.

Setting up Tenable SC was straightforward, and it took two months to deploy. 

A third-party vendor implemented Tenable for us.  

I rate Tenable SC nine out of 10. It needs some improvements in the reporting engine and training. For example, I need the ability to easily check what happened on Tenable specific dates.

Essentially we use the solution to monitor hard devices on a network with it. That includes laptops, desktops, tablets, et cetera. I'm just using that to make sure that all of our patching is up to date.

The UI, the user interface, is really, really good. It's really simple. I started with no prior experience in vulnerability management and picked it up in less than a day, pretty quickly. It's very intuitive.

Their overall cost of service is pretty good. 

I've worked with my CS manager and with them a lot, and I'd say every case I've opened, they've reached out to me within two hours. They're pretty prompt in their responses and overall the company is really easy to get ahold of.

Scaling the solution is very easy.

The stability of the product is pretty good.

The biggest issue I have with the solution is when I'm using the scanning it picks up the original DNS of that device. That means, before we image it and actually change the DNS to something within our company structure, it'll just be random numbers and letters and Tenable will stick to that DNS for a long time. I'll be searching for a gallery or a laptop and I can't find it due to the fact that the DNS when it was scanned went in as something non-sensical, like M P X 23 Z. That's the biggest issue I have with it. it's some sort of strange glitch.

While I started using the solution in January of last year, the company itself has been on the solution for about three years or so.

The stability of the solution has been quite good. I haven't experienced any real problems so far. It's been a rather smooth proess.

Scaling the solution would be pretty simple. The process would require us to reach out to Tenable to get more licenses, however, that's a pretty simple process. Overall, it's pretty easy. Essentially it'd just be adding a list of all the new IPs into any asset groups that they would be involved in. I don't think it would take much longer than a week.

Technical support is excellent. They are extremely responsive and very helpful. We are quite satisfied with the level of support we've received from them.

I would give them a ten out of ten. They are very prompt and very knowledgeable. They are great at answering questions and walking you through anything step-by-step.

When I started, the company was actually in the process of revamping the solution. 

It was a two-day process and the company walked us through the entire thing. I had a Tenable engineer on-call with me for eight hours. It was a long process, however, it was easy as they were walking me through it, step-by-step.

When we did a recent re-vamp, Tenable was on hand to walk us through the entire process. We had a very positive experience with them.

I don't handle the billing and therefore don't have an exact idea of how much the solution costs.

We just renewed the solution and didn't look into any other product on the market before we did.

We are just customers and end-users of the product.

If a company does decide to implement the solution, I'd advise working with Tenable engineers during the process, and even afterward, in order to ensure everything is set up appropriately.

I'd rate the solution at an eight out of ten We've had a largely very positive experience with the solution so far.

At work we use the enterprise version of Tenable, Tenable.io, and I also use Tenable.sc — which I refer to as SecurityCenter — for local scanning.

I use Tenable SecurityCenter every day to scan our entire environment for vulnerabilities. I use a local license during the discovery process for penetration testing. So I'll do an en masse scan, and then also do a scan with Tenable to scan for IPs and vulnerabilities.

User-wise, with Tenable SecurityCenter, there's different roles. We have security analysts, admin, etc. I'd say there's probably four or five different roles from people that can just go in and view. Security analysts can upload manual scans and create dashboards and download reports. Then administrators can create accounts, assign roles and responsibilities, and things like that.

Tenable SecurityCenter has absolutely improved our organization, by making everything more secure and helping ensure solid vulnerability management.

The feature we've liked most recently was being able to take the YARA rules from FireEye and put them into Tenable's scan for the most recent SolarWinds exploit. That was really useful.

I'm pretty happy with it, but I do see a lot of stuff coming out about risk-based vulnerability management. And so I've been looking at that. I don't think we're using that as of yet and it seems like a newer feature they're talking about a lot that I'm interested in.

I will say it's a lot slower compared to an MS scan. It takes so much longer, so the performance could definitely be worked on.

There was also an issue with SecurityCenter once where we had agents deployed on each device, and while it was scanning we were collecting the data real time. During this process, we had an enclave that was not submitting. It didn't have the agent installed because it wasn't connected to the enterprise network.

They were scanning locally and submitting the scans and we would then upload them into SecurityCenter manually. Each time that there were any duplicates with host names or IPs, or that there were issues with the scanner device with authentication, it failed. But then you scanned it again and it was successful.

When you uploaded that, SecurityCenter was counting it as two devices. And when you ran your report for unauthorized devices, even though it was scanned a second time successfully, the first time would show as a failure. So it was throwing off reporting.

So we would run a report and say, "Okay, which device has failed scanning with authentication?" And it would give a device and we'd be like, "Well, here's the secondary scan showing that it was successful." And so we were having to manually go in there and delete the failed ones.

And that was a pain in the butt. We eventually got that enclave online so we fixed the problem, but I felt that was a limitation of Tenable SecurityCenter that it couldn't see that.

I have been using Tenable SecurityCenter for the past few years now.

We have only run into one troublesome issue that I can remember. It had to do with the way SecurityCenter inaccurately reported real-time scan results whenever there was a transient problem such as with a duplicate host name or IP, or with authentication.

It was a pain to deal with, because we kept having to go in and manually delete all the failed (but actually successful) scan results.

When it comes to scalability, so far so good, and no issues. We've got the whole environment monitored right now and I don't see any significant increases in use anytime soon.

Their technical support is good. Because I don't give out tens much for anything, I would say in the eight to nine range, out of ten.

For vulnerability management, Tenable SecurityCenter is the only one I've used in the past six years. Though we do use other tools in conjunction with it.

We've pretty much used Nessus for scanning, vulnerability management, and reporting, and that's it. And it does it very well. And then I use different tools for other things. I'm sure Tenable had that on the plugins for other things, but we don't use those.

The setup is straightforward.

I personally implement SecurityCenter with a local license. And then we also have different roles like security analysts and administrators who can just go in and perform various functions such as uploading manual scans, creating dashboards, downloading reports, assigning accounts, and so on.

I use a local license to perform penetration testing and I'm pretty happy with everything when it comes to pricing and licensing. 

I can easily recommend Tenable SecurityCenter, and I have nothing really bad to say about it. I think it's a great tool for what it does. I enjoy the webinars, and the people that run the company seem very engaged with what's going on when you're into current events and the overall security climate, and they're continuously looking to improve.

I can't speak to every option that they have, but I have no reservations recommending them.

I would rate Tenable SecurityCenter an eight out of ten.

We are a reseller and Tenable SC is one of the products that we implement for our clients.

The primary use case is to check for compliance against a specific framework, like NIST, CIS, or something similar. Tenable will check compliance on the assets against that specific framework and give that visibility to the technical staff, top management, and the risk management team. In turn, this will enable them to evaluate the risk that they are facing for non-compliance issues.

The second use case is helping the technical staff that handles updates and upgrades to the operating system. It means that they have the most urgent upgrades that they need to cover the high-risk vulnerabilities that can be found and exploited.

Beyond this, Tenable SC assists with malware detection and similar functionality.

The most valuable features are the dashboards and reporting. They have multiple dashboards and reports for different types of details that can be used for different levels of reporting.  This means that by using a high-level report, the top rank in the company can understand what the risk is, as well as how it is violating policy. Similarly, technical people can use a more detailed report to understand what they have to cover and what the criticality of it is.

This product has the best results in terms of the lowest number of false-positives and false-negatives.

There are multiple types of engines that cover almost any necessity that the company can have for vulnerability and compliance.

Parallel scanning would be a nice improvement because it would speed up the detection process. It is not possible to search for vulnerabilities and do compliance checking at the same time. Rather, they are done one after the other.

The integration is very good, although it still needs to improve. For example, it would be useful to have better integration with other tools in the space of identity management (IAM). As it is now, integration with new tools has to be developed specifically, so it's not easy.

We would like to see better collection capability for external data that will help to improve detection and discovery.

I have been working with Tenable SC for six years.

In the past six years, we have had no disruption in terms of functionality. We have seen problems arise because of development and deployment strategy, but it is a very stable product. We have not had any problems with our implementations.

This platform is very scalable, both horizontally and vertically.

Our customers for Tenable SC vary in size. A smaller one might have 500 or 1,000 assets with two or three users, whereas a larger organization might have 100,000 assets with 30 users.

The support from Tenable is very agile. We use them regularly when we have problems.

There are three levels of support, all of which are very adept and available. It is very easy to get in touch with support.

We used to work with Rapid7 Metasploit.

The initial setup is always a little bit complex because most of the time, the people don't really know about their infrastructure. So, the most complex part is becoming familiar with the infrastructure and knowing what to search for. Tenable is very helpful in this regard because it has tools for discovery that help people to understand their infrastructure.

There is always a danger if the product is not well-configured but afterward, it is easy to use. When correctly implemented, this is a very effective and accurate product.

The length of time required for deployment varies based on several factors. The first is the level of integration, the second is the complexity of the assets that need to be covered, and the third is the maturity of the infrastructure. It can take weeks to deploy in an environment with a very mature infrastructure. If it is a larger organization that is graphically dispersed then it can even take months, depending on the capability of the company to cover all of the necessities for scanning.

The company has to address the necessities of the vulnerability management capabilities because it puts stress on traffic, stress on hosts, and it needs to be well-designed. Taking these precautions is necessary so that there is no damage to the infrastructure.

In the case of a smaller company, with perhaps 1,000 assets, it can take a week to install it and get everything working.

Maintenance for Tenable is a necessity, as it is a product that grows and changes because there are new detections every day. Sometimes, a detection is verified, whereas in other cases, support is needed to perform the verification.

The licensing fees are based on the number of assets. The price can start at €10,000 ($13,000 USD) for between 500 and 1,000 assets, and the price can climb into the millions as more assets are added.

There are two types of licenses available, which are the subscription, and the perpetual with maintenance. The subscription is the same price every year, with very small variations over the years. In the case of a perpetual license, there is a high initial cost compared to the subscription, but the maintenance is much lower.

I have researched other products on the market and by comparison, I would rate Tenable SC a ten out of ten. It still has some features lacking, but it is better than the other solutions that are on the market.

My advice for anybody who is implementing this product is to search for a certified partner to help with the process. It's not difficult, but it's very important to have a partner who knows the product well. The first steps in the implementation have to be the correct ones. If not, the product will not achieve the objectives that the company usually needs. It would be wrong for someone that doesn't know the product very well to begin implementing it by themselves.

This is the best product that we have found for risk management.

I would rate this solution a nine out of ten.

Our primary use case is compliance for our audits, for our customers. We were exposed in that we were not meeting contractual obligations.

We are monitoring our infrastructure: servers, switches, storage, routers, SAN storage, operating systems, and applications to the extent that the tool is able to see into them. We use it to hit the high ones like Adobe or Microsoft Office and the like. Some of the more niche products that we use may not be in their inventory of vulnerabilities.

It helps us prioritize based on risk and it also helps us prioritize manpower, to show we are getting the most value from the limited number of man-hours that all organizations face. We have the same problems: Where do we need to focus? Where do we need to focus money? And where do we need to focus additional expertise that we don't have or didn't think we needed.

Overall, we use it as a third-party — I don't want to say settle arguments — but as an expert opinion as to what is a true vulnerability is, versus what is something that isn't as high of a priority. It takes opinion — if two cybersecurity people are arguing or discussing if this thing is more important than that thing — and, since Tenable is not invested in our company, gives the best practice. It is very valuable in that sense.

In terms of cyber exposure, it allows us to centralize both vulnerability management and visibility. We have one place to look instead of going through: Okay, we're using the Microsoft tool, and now we're going to go use the Cisco tool, and now we're going to go use the Red Hat tool. It allows us to centralize and easily correlate all data together, and then use the prioritization or just understand where the gaps in our security posture lie. That's more valuable than saying, "Okay, here's this report for Microsoft, and now we're going to print out a report from Red Hat, and we're going to print out a report from Cisco, and we're going to print out a report from NetApp, and we're going to put them all together and then we're going to discuss it." Having it in a single view is very valuable to us in that it saves us a lot of time.

Tenable also helps us to focus resources on the vulnerabilities that are most likely to be exploited. And since it is continuously updated, it allows us to reevaluate quickly if there are new vulnerabilities found, versus ones that we're already working off and are already known to us.

And since cybersecurity and IT security are not a fix-it-and-forget-it scenario — it's a continuous process — having a tool like this, especially one that is continuously monitoring our environment, is very valuable. It's not that we're not doing this once a year, we're not doing this once a quarter. We're doing this every day.

Finally, the solution has reduced the number of critical and high vulnerabilities we need to patch first.

The continuous monitoring piece has been very valuable to us. 

The vulnerability priority setting in the software has been very useful to us as it allows us to focus on what's most important. We use it as a piece of our holistic look into our security stance.

The predictive prioritization features are pretty good. They do a lot of research and we trust the research that they do internally. They have knowledge of what's going on with many companies, where we only get a view into what's going on here. So the ability to get best practices out of them as part of this solution, is valuable to us.

The Vulnerability Priority Rating is also pretty good. It's a much more holistic view, instead of being very binary, which we tend to see. It lets us focus on what's most important to us, especially because it goes across many products that we have. It's good in that we see how each of these stacks up and where our priorities should be. Should they be in Cisco, should they be in Microsoft, should they be in Linux? That's very useful to us as well. We'd love to do all the work right now, but we have to pick some type of priority in terms of what we're going to focus on, before we focus on the less vulnerable items.

Using the product — especially very early on — even though we have things like prioritization, it can be a little verbose in that there's a lot of information being streamed out of the reports. What would be nice, and maybe we just haven't found it, would be more of an executive-type view. We still expect it to collect all this information, but we would like a feature that would allow us to show it to an executive or a director or someone like that and give them some type of high-level overview but not get into the nitty-gritty.

We started using this iteration of it two years ago, but we had been a previous customer of theirs as well.

We haven't had any problems with it. It seems stable. They make changes to it regularly, to both the vulnerability database and the product itself. They seem to be going through with a reasonable update path and they support previous versions for the expected amount of time.

We haven't seen any crashes or spikes.

It scales just fine. We're a Fortune 500 company so, obviously, we have very large networks here. As far as we know, it should scale. We don't think we can outpace the scalability of it. There are best-practices that we need to follow, but will this product be able to meet our needs for future growth. We expect it to be able to handle that.

Usage will be increased. There are two parts to the business. There's the business that is our overall corporate business, which is covered 100 percent by the solution. And then there's the manufacturing and design business. On that side, the solution is still growing. We have two contracts with Tenable for their SC product.

We think technical support is pretty good. We have specific needs as defense contractors and they're able to meet those. We have a good account team. We have a customer success manager, Ryan Zentz, and we have a good account executive, Scott Mahan, and they do as much as they can to head off any issues that we have, instead of putting in a ticket or getting something escalated. They do a good job of helping us.

We previously used their lower version of security management. It was their single-install product, Nessus. We were using the standalone, non-enterprise version.

The solution would be fairly simple, but because of our implementation it was fairly complex and we hired Professional Services to do it. We're not a typical example. As a straightforward install, I think it would be very easy. But because of our size and scope, it was a little tricky.

We have multiple deployments so we hired Professional Services for two weeks to do them. Some installations were done in a few hours and some of them took a few days. But, overall, we hired ten days of Professional Services.

We were focusing on installing first in our non-production environments; getting familiar with the installation, the capabilities, and what the overhead of the product was going to be on the network. From there did some testing and ran that through some discussion and a panel of in-house experts and decided that we would be good to go forward with production. 

We then repeated that, where we would install in a small section of production, run a test to make sure that it didn't break anything or that it didn't cause undue harm. And then we went forward with expanding it out.

Now we have a process in place for installing for any new section of the network that comes up or any new infrastructure that we put together. It's a little easier for us to handle now that we're not tackling the big network. We're just handling delta changes over time.

We used their in-house professional services. Our experience with them was good. They had someone onsite and who was well-versed in the defense industry. He was able to get it installed and answer our questions. We didn't have any problem with him. We liked him so much that we brought him back for another week.

Having Tenable is a requirement. It is a compliance piece which is part of our business. But it is money well-spent in that it focuses us to work on problems that are prioritized and it allows us to cut down on the manual integration of multiple reports from Microsoft and Linux, etc. It does save us considerably in that we can have less staff assigned to it, versus having a Linux team and a Windows team and a NetApp team, etc.

Running with a much smaller team of two people probably saves 80 percent of manpower. I would assume that the team would be ten people or so if we had to mash together multiple reports and spend time doing that.

I don't know our licensing costs but they're in the seven figures. We have an enterprise license, so I believe everything is tied up in that. We do not have any additional cost other than our large enterprise license.

The licensing is a little involved from both sides. That may be due to our specific implementation of it because we are a defense contractor. I feel we rely a lot on their customer service and they rely on us to do a lot of manual labor to get licensing installed or to get licensing. If there were some type of smoother transaction, that would be great.

I would like more self-service in the granting and rescinding of SC licenses, and that way we wouldn't have to be involved with customer service as much or with our account executive.

We did two sets of white papers looking at the competition. We did a white paper in 2015 and another one in 2018. We selected Tenable after the 2018 white paper was written.

Between 2015 and 2018, the market had contracted considerably. Many of the products that we evaluated in 2015 had either been bought out by a competitor or just no longer existed. When we looked at it in 2018, Tenable had the strongest pedigree. They also had the ability to scale the deployment, versus some of the other products. 

We looked at Ivanti, which really wasn't designed for vulnerability management; it was a bolt-on. We looked at Qualys. That was too heavy-handed. It was a good product, but there was too much overhead in managing or maintaining that product.

Tenable was the best fit for our needs. Tenable is also the provider for the ACAS solution for the US government. Since the vast majority of our customers are government customers, and our auditors are government officials, it was seen as an easy way to get past an audit, or at least that we would be looked upon favorably.

We did not test any of the competitors. We had done some tests in 2015, but again, many of those competitors were no longer in business or they had been bought out. The other product that made it as a finalist was Qualys, but there was a significant commitment and infrastructure needed. We felt that if that was the minimum just to get it tested, then it was not going to work for us on an enterprise scale.

Go in with open expectations. Companies don't realize how big their infrastructure really is before they can get a single pane of glass view, which Tenable provides. Don't be disheartened when you run that first scan. It is a process. This is not a sprint, this is a marathon. If you're not willing to invest in this for the long run, then maybe your organization just isn't ready.

I don't know how to assess our vulnerability status compared to that of our peers. The defense industry is fairly secretive about what goes on. But I think we're doing the right things. Having the licensing and the investment that we put in place puts us ahead in the industry. I can only really speak for myself, but I think that we are doing the right things, and investing the right dollar. And if our competitors are doing that, good for them. If not, I wish they would.

Security Center is generally run by either the information security manager or the information security officer. There are a few dozen people who have access to it and their roles would be two-fold: There are the lower-level, cybersecurity folks who are dealing with it on a day-to-day basis. And there are the more managerial types who would be getting reports and making decisions off of it. Lastly, the general IT staff would be using the reports or the remediation recommendations for making changes to their environment.

For deployment and maintenance of the solution we don't need that many. We had Professional Services in and we added a team of four to the Professional Services engineer to help us get it stood up over those two weeks. In terms of ongoing support of the solution, we have one or two people who are tasked with updating the vulnerability database and verifying scans and the like. But it's not overly burdensome. They are information security officers or cybersecurity specialists.

I would rate Security Center at eight out of ten. First, it's a little heavy-handed for us from a licensing perspective and second, there are some features and functionality that we'd like to see in the future which would make it more user-friendly for non-technical or more managerial types. It seems that the product is really written for technologists, especially on the reporting side.

I'm the one who scans and performs assessments on clinical and medical equipment in our environment. I manage the clinical endpoint devices: MRI systems, bedside monitoring, Alaris pumps, fusion pumps, CTUs, EEGs, EKGs, wireless defibrillators, and a lot of IP cameras that are part of operation room labs. My colleague handles all the regular enterprise IT, database servers, etc. From a scanning standpoint, I do everything from discovery scanning to full-credential auditing and anything and everything in between. That's just for the medical space in a 24/7 production medical environment.

We're also using a bit of the Passive Vulnerability Scanner and, eventually, I want to get to using the agents, but we haven't gotten to that stage yet.

My department is not enterprise-managed. We don't use like tools like SCCM to push out patches. Everything is manual updating. I need to be able to track and audit against our devices and know what exactly what Microsoft hotfixes I need to see. I need to identify what specific patches are missing on devices. Or, for example, there was a Microsoft CVE alert that was put out a couple of weeks ago for RDP, Remote Desktop Protocol. I'm using the scanner now to try to identify what devices we actually need to look at to address risk on. Including IP cameras for our different labs, I manage over 40,000 devices. So I really need to know what exactly I need to focus on for a given vulnerability, such as the Microsoft one, as they come about. Tenable really helps with the identification piece, in a way that traditional IT policies and procedures and tools cannot.

It saves me time. When I get into actually identifying impacted assets in my environment - and having to deal with fewer false positives - it could save me up to eight to ten hours a week, for things like the RDP issue we're dealing with now; for the things that really come out as priorities.

Security Center helps to limit our organization's cyber exposure. In our environment there is a lot of stuff we can't deal with in terms of endpoints, but it has definitely helped in identifying the devices we have out there which haven't had Microsoft updates applied in years, potentially. It's really helped identify those, the low-hanging fruit. But then, you get into the devices that are relatively up to date but their vendor application has been the same for however many years. In the least, we're able to identify and understand which devices those are and what the risks are, even if we can't immediately address it.

In terms of reducing the number of critical and high vulnerabilities we need to patch, it has helped me to identify them, and I address them accordingly. As I said, there is stuff we can't address, but at least it helps us identify them, and we are able to address some of them. It's helped us identify vulnerabilities and put in compensating controls and mitigating controls. It has definitely reduced the risk exposure we've had.

Also, rather than rely on high-level communication from vendors about whether or not their products may be impacted, I can use scans to actually identify what is impacted or in scope for a given vulnerability. It used to be, a couple of years ago, if I had to identify systems, I had to know at a high level if some of these devices could be impacted. It would create a lot of false positives. Since we've been using the scanner, I've been able to narrow that down quite a bit. I still get false positives, but I certainly get a lot fewer than I used to. It helps me have a more managed focus with any scope I'm looking at.

What is useful to me is being able to fulfill very customized scanning policies. In the clinical environment, because of vendor control, we can't perform credential-vulnerability scanning. And network scans, which I've done before, can cause a lot of impact. Being able to create very customized policies to be able to routinely scan and audit our clinical networks, while simultaneously not causing impact, is important to us. That requires a lot of flexibility in how we create the policies, so flexibility in policy-creation is a big feature. 

For me, another useful feature of the tool is the dashboard and reporting. That is a big piece for me. The reporting covers most of my needs.

In terms of integrations, so far, from what we've seen and for what we're trying to accomplish, it's been pretty flexible.

The Vulnerability Priority Rating is useful. I run scans on all of our medical equipment and we have stuff that's still Windows 2000. Equipment is so expensive to upgrade and replace. I find a lot of it shows up red for vulnerabilities that we really can't do anything about. The predictive stuff helps prioritize some of those risks. At a high level, it helps narrow that scope. There is still a lot of manual work on my end because, as I mentioned, I really have to know what equipment I'm looking at exactly from a medical standpoint. But it does help narrow the scope.

In terms of the reporting, it's good for IT tools, but it doesn't give me contextual insight into what device, what kind of medical equipment it is. And in my world, that's a big deal. That's a con, given what my needs are. We can't integrate it with our biomed database to correlate data. So I can know what vulnerabilities are on it by IP address, but it doesn't tell me what device it is. Is it an MRI or a workstation? Is it the workstation which is running MRI's or is it the one that's just pulling patient images? Things like that are things that I need to know, and usually the tool can't do that in and of itself. With that said, we do have some work toward some other integrations to try to improve some of that.

Also, I don't know of a process right now to do what I'll call mass risk-acceptance. I have thousands of devices which allow high and critical vulnerabilities and there's really not much I can do about it. But if we put a firewall in front of it, the risk of the whole device is accepted. I need to be able to accept all those risks in the tool. It's really not easy to do within my workflow at this time. There are ways to get around it, but they're not conducive to what I do in my work.

If I want to have a very low-managed scan policy, it's a lot of work to create something which is very basic. If I use a tool like Nmap, all I have to do is download it, install it, type in the command, and it's good to go. In Security Center, I have to go through a lot of work to create a policy that's very basic.

Finally, the way we're using it now, for routine scans, it's only good for as long as a device is active on the network. That's one of my biggest concerns at this time: What about the stuff I don't have access to on the network when it runs the scans?

We have quirks every now again. Sometimes, when I click into the analysis dashboard, I get errors. For example, it will say it can't pull up a specific query. I just let the problem persist. I can work around it and, eventually, it just seems to fix itself.

Beyond that, it's been pretty stable. We have a lot of firepower behind it and in my experience, it has always been up. There aren't that many operational issues with it.

When you throw in the Passive Vulnerability Scanner, just being able to spit out more hardware if we need it, it seems like it scales well, at least with respect to our environment. When we first had it, we only had a handful of servers powering it and scans took forever. I don't know how many servers we have on the back end powering it now, but it's a lot faster. We've added to it to give it more juice. That's been pretty easy and straightforward as well.

I don't generally talk to tech support. That's handled by my colleague or someone else in the security team. But I talked to them when I was at my previous organization where we used Security Center. From what I vaguely remember they were helpful.

We used Rapid7 Nexpose. In our view, Security Center is a more thorough tool. It has more plugins to scan against a lot of vulnerabilities, and it is a bit more granular. Overall, it's been a better tool to use.

As for the initial setup, that would be a tech question. The only thing I've set up is the Passive Vulnerability Scanner. That was pretty straightforward. When I got to the point of setting it up with Security Center, it took my colleague and me under an hour. That was just our first one. It's pretty straightforward once you know how to do it.

We have an enterprise issue, so for us to be able to capture all that is needed from the clinical side, we would have to have deployed it at every site. It's because there is a lot of Layer 2 traffic. Since we have Security Center centralized, traffic will route out. Since we have networks at the sites that don't route out, we can't scan that traffic remotely. The idea is to have one at each site but, because of the standards in our organization at this time, we can't do that.

It's less a question of ROI and more a question of cost avoidance, meaning avoiding the potential cost from having a vulnerable device that can be breached. Security is a sunk cost in any organization. You never truly know its value until you have an incident.

The pricing is more than Rapid7 Nexpose. PVS and the agents, etc., are all part of that agreement. So it's pretty comprehensive, but I don't know how much it is.

In my own work, I've used some open-source solutions like Nmap. I've messed around with Retina, another open-source solution. Most of the stuff I've used has been freeware, open-source tools. In terms of a commercial competitor, the one I've used most is Nexpose, Rapid7's tool.

One thing I liked about Rapid7 Nexpose, that Security Center does not have, is that when we scheduled scans in Rapid7 Nexpose, there was a graphical calendar that showed when scans are taking place. Security Center doesn't have that. It's a small thing, but it helps to visualize what's happening.

In my type of medical environment, when you get into an operational technology environment, PVS or something that's a passive scanner is more the way to go than something that actively goes out and scans and tries to interrogate endpoints, because that can cause impact. When dealing with the healthcare space or, say, the electrical grid, the consequences can be very widespread or can cause significant impact. Something like PVS is a great idea to look into.

If you're scanning operational technology, definitely use connectionless-oriented discovery policies. For example, perform UDP scans instead of TCP scans. From my experience, TCP scans have definitely brought down systems.

When it comes to insight, it helps but, the way we're using it now, scans only pick up what's active on the network, while the scan is occurring. For my environment, I perform most of my scans overnight, so I'm missing a lot of stuff that is used during the day in the clinical environment. That includes point-of-care devices, ultrasonography, and some other stuff. I don't scan the networks during the day, for the most part, so I do miss a lot of that stuff. PVS, the passive scanner, would pick up on a lot of that. When talking about actually detecting intrusion, I think it would be more powerful if we're able to get it deployed everywhere.

Two people in our organization actively use it for a lot of scanning. Some of the other security guys use it, but for the most part, it's just my colleague and I who use it. I have my scheduled, routine scans that run automatically and there are the scans I schedule for overnight. I run discovery scans daily. I run my vulnerability audit scans every other month. I'm doing the RDP scans now. I log into it daily and I run scans in it several times a week manually, outside of the scheduled scans. I use it heavily.

Right now there is just one person who manages the solution. I handle some of the PVS stuff but it's my colleague who is running the show.

Overall, I would give Security Center a nine out of ten. Of all the tools I've used, when it comes to managing the vulnerabilities and risks of a whole enterprise environment, I don't think I've used a better tool than Security Center. The reason I say nine and not a ten, is because I like to have a lot of control. When I use a Nmap, I'm able to write my own scripts. Security Center has a lot of that built-in, but I feel like there's very deep and more granular control once you know how to use some of the open-source tools out there.

The tool helps with vulnerability assessment and vulnerability management.

The tool gives us fewer false positives. Compared to its competitors, the solution’s reports are more accurate.

We experienced some difficulties with the solution’s support.

I have been working with the solution for two years. I use the tool’s latest version.

I would rate the tool’s stability a nine out of ten.

I would rate the tool’s scalability a ten out of ten. You can place sensors for the scanners and easily scale up.

I would rate the tool’s setup an eight out of ten. The tool’s deployment is very straightforward and it took only one day to deploy the solution. The solution’s deployment is simple and efficient.

I would rate the tool an eight out of ten. The tool has community support. From my experience of using the solution, I would recommend it to anyone looking to use it.

I primarily use Tenable for scanning and reporting.

Tenable's most valuable features are the credential scan, vulnerability reports, and vulnerability ratings (VPR).

Tenable has some problems with agents going offline during scanning and lag between agents and the security center. In the next release, Tenable should include automated patching and integration with SSCM so missing patches can be pushed from there.

Tenable is stable.

I'm satisfied with Tenable's technical support.

Positive

The initial setup was easy.

Tenable is open-source.

I would rate Tenable eight out of ten.