Tenable Security Center Reviews

We use it to scan both our workstations and servers for vulnerabilities. This includes vulnerabilities related to software, operating systems, and package vulnerabilities. It helps us gain an overview of our organization's security status, which in turn guides our patching strategies and decision-making. 

We use agents for scanning and authenticated logins, but we do not utilize the scanner part that performs web scanning.

We've got better insights into our vulnerabilities and weaknesses. This has led us to a better situation where we have better control. Our ability to manage the situation has improved. 

Previously, we lacked a good overview, but now we possess detailed reports. We generate these reports internally and disseminate them to other responsible teams. Now, we have made it a part of our daily workflow and it helps us monitor vulnerabilities and related matters. It aids us in pinpointing weaknesses and facilitates more effective updates. If something slips, it becomes visible.

However, this is a significant feature, although it could potentially offer even more assistance. 

The scanning part, the agent part – that's the valuable aspect. The agent and plugin components function reasonably well. But setting up scans, those tasks are working decently. 

There are some logical elements that require consideration to understand their functionality, but they perform their function. 

Certain aspects require effort. The solution's built-in reporting components are somewhat clumsy. So, this is an area of improvement. 

Therefore, we export data and integrate it with our other reporting tools - the Elastic Stack, also known as Elasticsearch. We find it more comfortable to generate reports from Elasticsearch because we're well-versed in creating those dashboards there. It's more convenient for us to extract and integrate information in the same manner.

We've been in discussions with Tenable regarding a specific enhancement. It is a concept known as VPR, which stands for Vulnerability Priority Rating. This is related to the CVSS (Common Vulnerability Scoring System) value, which rates vulnerabilities on a scale from one to ten. However, the CVSS alone doesn't accurately determine the severity of a vulnerability; it doesn't indicate how exploitable it is. The VPR takes into account additional factors, such as how widely the vulnerability is being exploited in the wild and the volume of reports from affected sites. 

And if we want to have it on our dashboard, this is something that doesn't work well for us in that sense. We cannot extract it from the Tenable system; we're restricted to using Tenable's own dashboard and reports. However, there's certainly some logic or rationale behind it. It's not directly tied to the CVSS, but rather some other factors. So, it's not a one-to-one correlation with the CVSS, although CVSS is a metric commonly employed in various other systems for assessing vulnerabilities. 

Aligning these metrics and incorporating an additional feature indicating the early harmfulness of a vulnerability is lacking. We're hopeful that the CVSS framework is undergoing changes. I've heard that version four, while not specifically linked to Tenable, is likely to introduce more meaningful values. These values won't be solely focused on severity but also on the level of exploitability. For instance, if exploiting a vulnerability requires local access and specific conditions, it might not merit a higher score like ten; it could be lower due to limited feasibility. Thus, certain developments could be anticipated in this regard. Tenable is also working on its own approach, known as CPR (Cyber Exposure Priority), but this feature is not exportable, unfortunately.

In future releases, I would like to see a feature that provides insight into the actual degree of harm associated with certain vulnerabilities. Ideally, I'd want this information to be exportable to align it with other vulnerabilities. It's possible that I might have the same CVSS value from another source, not necessarily Tenable. We're not using Tenable IO for container security, where we have a separate collection of CVs for containers. However, it's challenging to compare them directly due to the differing numbers and systems. If we could implement this VPR concept for other CVs as well, we could customize it to better suit our needs.

We've been using this solution for close to five years. We probably use the latest version.

I would rate the stability an eight out of ten. Occasionally, there are some maintenance tasks that might cause a slight uptick in activity, but we have monitoring mechanisms in place. Fortunately, it hasn't experienced any major breakdowns. 

Sometimes we encounter issues with resources, like logs populating hard drives, which require manual or semi-manual cleanup. Overall, it maintains a relatively stable performance level. I would rate it at around an eight out of ten in terms of stability.

It is hard to tell because the size of our organization is not very big. Our license covers a range of assets, from 500 to 1000 assets, which we monitor. From their perspective, this falls within a very low scale. 

So, we haven't encountered any scalability issues. Our scale is relatively small; we're not dealing with tens of thousands of assets.

The Security Center is actively scanning every day, targeting different resources with varying scanning frequencies. It operates on a daily basis, generating reports intermittently – some on a daily basis and others weekly. The usage is consistent and spans almost around the clock. 

Certain tasks are scheduled during nighttime, while others are executed during the day. Essentially, there's a continuous level of activity distributed over time to avoid creating spikes in network usage. 

We use it to its maximum potential but ensure it doesn't overly strain our network resources. There was a problem. When initially setting it up, we needed to be cautious. There's the potential to generate substantial network noise, especially if the agent and scanner tasks are simultaneously active. We had to significantly scale it down and task the settings from their defaults. Perhaps it's partly due to our network's capacity, but we encountered initial challenges in managing the traffic.

It is not super good and could do some improvements. I've had interactions with different parties, and while it's not exceptional, we were able to resolve issues with some effort. 

We encountered certain challenges. Initially, the local distributor downplayed the situation, claiming that upgrading to a new version would instantly resolve the issue. However, it wasn't that simple. It took time to resolve the matter. I had expected better support, especially since we had informed them in advance about the downgrade we were planning. I had hoped for proactive support detailing what to expect and what actions to take. Instead, we received assurances that everything would work seamlessly after the version change, which didn't prove to be accurate.

There was a miscommunication or misunderstanding in that regard. It was quite frustrating at the time.

Neutral

The initial setup is somewhere in the middle. It's not very easy. Assistance is needed, especially when dealing with version changes. For instance, when we transitioned from Tenable Plus to the regular Tenable, there were complexities in changing the licensing. It was not so easy to change. 

It might even lean a bit toward the difficult side, so I would rate my experience maybe a three out of ten, where ten is easy and one is difficult. 

We had the support of a third party. We had to use the help of our reseller and also find an engineer from Tenable. 

In certain cases, such as upgrades or downgrades, the documentation isn't always well-defined. You might encounter challenges that require external guidance. For instance, we faced a two-week period of difficulty this year due to a change we were making. It might not be an annual occurrence, but when significant changes are made, it can be far from a straightforward upgrade. Putting new versions in place doesn't guarantee seamless operation; there can be quite a bit of hassle around it.

This wasn't the initial deployment. This occurred when we were switching back from Tenable Plus to regular Tenable at the beginning of this year. It took us around two weeks to ensure that everything was properly transitioned. It's important to note that this was not a continuous two weeks; it involved time periods over the span of around two weeks. This change involved a transition to a simplified licensing structure. We opted to revert to Tenable without the Plus version, as it fulfilled our requirements and was also more cost-effective, approximately a quarter less. This process took place during that time, and it was a hassle.

Only one person was involved in the deployment. We don't have a big team.  We have a dedicated engineer who oversees this service. He took the lead in managing the deployment. He also engaged with relevant contacts internally and externally, including the local distributor and partners, but overall, it was primarily handled by this one engineer.

For maintenance, the same engineer who handled the deployment also manages the ongoing maintenance.

We purchase the solution through a local distributor, but we also directly communicate with representatives at Tenable. So, we acquire the license from their distributor, but we are direct users as well.

I would rate the pricing a nine out of ten, where ten is expensive.

The pricing might deter some companies from adopting this solution, especially in our region, which includes countries like Estonia and neighboring Eastern European nations. For us, the cost is a significant consideration, and we often face challenges when budgeting for it each year.

There's on-premise hosting, which incurs some costs, but it's not a major factor. Additionally, we have an engineer providing support, but that's a shared responsibility across multiple tasks. So, licensing is the primary cost driver, and there aren't any other major expenses.

There are positives and negatives, but despite looking at other options, we haven't found anything better suited for us. So, we continue to use it and have plans to keep using it in the near future.

I would suggest running a proof of concept to evaluate the product's suitability. Test it on a smaller scale over a period of one to two months to see how it works. 

It's essential to assess whether the solution aligns with the organization's specific needs. Our approach involves using agent-based scanning, but this varies based on individual requirements.

Be aware of the network "noise" it might produce. Default scanning intensity might be too much and you might need to alter it in order to prevent network problems (DoS yourself).

My advice would be to give it a trial run before committing. It's hard to tell if it fits without firsthand experience. Additionally, the fact that Nessus, the scanning component of the security center, has been around for decades and even had open-source iterations in the early 2000s provides some confidence in its longevity and reliability. However, for newcomers, I would recommend testing it out on a smaller scale before making a decision.

Overall, I would rate the solution a seven out of ten.

We use Tenable.sc to conduct vulnerability scanning for our networks, and applications, and for the data protection we need in our environment. We are customers of Tenable and I'm the assistant manager of network security.

It provides us with clear visibility across our environment.

The best feature is the advanced scanning for the network.

I think the web application should be improved because it's not very functional.

We've been using this solution for almost three years. 

The solution is stable.

We haven't had the need to test scalability.

The technical support is not very good. We didn't get a good response when we contacted them. We had to go through all their documentation and get the information we needed from external sources. 

Negative

The initial setup is not difficult, it's just a matter of downloading which takes around 25 minutes and then uploading the plugins which takes several hours. I'm the only one in the company that uses this product.

The licensing costs are not expensive. I think we pay around $9,000 USD for an annual subscription. There are no additional expenses.

My recommendation is to stick with the data scanning tool and not worry about downloading the other features. 

I rate this solution nine out of 10. 

The reporting vulnerability is very helpful when you link it with the people who close it with the admin and support team, giving them the criticality to find how to close each item.  And it's up to date with all the vulnerabilities on the market thanks to prompt updates from the cloud.

In the next release, we would like to see the inclusion of external IPs and simplified reporting that's easier to deal with.

We have been using this solution for about two years.

The solution has been very stable up till now. I would give it nine or 10 out of 10 for scalability

For our size, it's scalable. It covers all the bank infrastructure and all that we have.

Two or three people from the security team manage the solution, but they extract it for the IT team to take action in different areas, including infrastructure and domain support. So 10 or more people assess the reports to fix the issues.

We are happy with the support from the Tenable side. But sometimes the vendor's people move between areas too often, causing occasional shortages on technical issues inside the country. When you raise tickets, the vendor sometimes takes some time to respond, but they are always helpful. 

Positive

Previously we used Rapid7, but we switched after comparing it with the solution because it had some additional features that we needed.

Overall, the initial setup was smooth and easy. Later we had to integrate it with other solutions in the system, but it didn't take long.

We had a consultant for two weeks at the beginning but in the end, we completed it, doing most of the work ourselves and gaining valuable experience. And, of course, we had to set up our systems inside the bank and the structure of the scope of the vulnerability, so that made it about a month.

Four people were involved in the deployment, two from the vendor and two from our team.

We're happy with the licensing cost and find it affordable.

We paid for three years, mostly for the finances and sourcing, but all features are inclusive.

I would rate our licensing cost as eight on a scale of one to ten.

I would give the product an overall rating of nine out of 10.

The product is a very good solution. I would advise potential users to look at other solutions. The product is our second solution, and we are happy that it meets our requirements.

The primary use cases are vulnerability management and dashboard creation. I utilize it to exhibit the current security posture to higher management, prioritize which paths to fix first, and identify vulnerabilities. Additionally, I escalate issues to management based on their criticality and business rating.

Tenable Security Center has significantly contributed to cost savings by identifying numerous bugs and security issues. It assists in safeguarding customer data, which is crucial to avoid fines imposed by local governing authorities.

The most valuable feature is the automatic and periodic management of security scans, along with the ability to consolidate all information into a single dashboard. This feature enables me to quickly identify which areas require attention, updating patches, and fixing bugs to stay protected against the latest security attacks.

The dashboard templates are limited. More templates that align with our daily needs would be beneficial. Current dashboards are available for Linux, separate unit systems, and other systems, but there aren't dashboards for app-related issues or application patches, such as Apache Tomcat applications or Java applications. This would be helpful.

I have been using Tenable Security Center for more than five years.

The solution is very stable. Still, it's not perfect. I would rate its stability as nine out of ten.

The solution is very scalable. It integrates easily with the environment, allowing for IP range management and concurrent scanning capabilities. I rate its scalability as nine out of ten.

Customer service is good. That said, there are sometimes delays in response from international support. The support teams can take time to analyze logs. I rate it as eight out of ten.

Positive

I previously used Qualys in a different organization, which I found difficult to use and not user-friendly. I chose Tenable Security Center for its user-friendly interface and feature set.

The initial setup was considerably tough due to deploying on Linux, yet it was manageable. I would rate its difficulty as seven out of ten.

We engaged partners from Singapore who remotely assisted with the deployment, supported by local partners for configuration and integration with SIEM systems.

The ROI is substantial because it prevents data breaches that could lead to significant fines. By continuously updating patches as per Tenable Security Center's reports, we have avoided customer data leaks.

Tenable Security Center is considered pricey compared to other solutions, yet relatively cheaper than some like Qualys. However, when compared to Rapid7, it is more expensive. I rate the pricing six out of ten.

I evaluated Qualys and Rapid7 before choosing Tenable Security Center.

Proper configuration and automation are key to success with Tenable Security Center. Automating vulnerability scans and notifications can significantly reduce manual repetitive tasks, leading to better efficiency and time management.

I'd rate the solution nine out of ten.

I use the solution in my company for vulnerability risk assessment, and we are quite happy with it.

The tool's initial configuration is not so easy. The hardware requirements related to the tool need to be better because we need a lot of memory to achieve speed in the solution. If our company needs to react at times, we need to upgrade more memory in the hardware. In general, Tenable Security Center is a very good solution according to me.

I have been using Tenable Security Center for six months. My company works in partnership with Tenable Security Center.

Stability-wise, I rate the solution an eight out of ten.

Scalability-wise, I rate the solution an eight out of ten.

I use the solution for quite a huge amount of computers in my company, and I see that its scalability is quite nice since it offers an unlimited number of scanners, so I think it's ready for big enterprises.

In the Czech Republic, the tool is mostly used by medium and enterprise-sized businesses consisting of 1,000 to 15,000 users.

I rate the technical support a nine out of ten.

Positive

I have previous experience with Tenable Security Center's competitive solutions, and now I see why Tenable is okay.

I rate the setup phase a six on a scale of one to ten, where one is difficult and ten is easy.

The solution is deployed on the cloud and on an on-premises model, but our company mainly relies on the latter.

The solution can be deployed in a few hours since you need to download the tool's initial package, which is quite big, but once it is done, the deployment process becomes really fast and can be done in 20 to 30 minutes.

I rate the solution's price as seven on a scale of one to ten, where one is cheap and ten is expensive. The tool is quite expensive.

I don't use the product for compliance support.

In terms of the product's valuable feature for threat detection, I would say that the solution's reporting overview in the dashboard is nice. The prioritization of vulnerabilities in the tool is very nice.

The real-time monitoring capabilities of the product are very useful for our company, as they help us to be more in control and interact more actively.

The tool's dashboard and reporting capabilities match our company's needs since we are able to modify the basic view to create a new dashboard, and it works out very well for our needs.

Speaking about how Tenable Security Center's integration capabilities with other tools have affected our company's security operations, I would say that I have very little experience with the integration part, but from what I can see in the product's documentation and description, it can be really well-integrated with a lot of systems, like service desk in ServiceNow and other security vendors, which is good for our company. I can say that the integration capabilities of the product are good.

I would definitely recommend the product to those who plan to use it.

I rate the tool a nine out of ten.

The usability is really good. It's very intuitive and any person can use it, you do not have to be an expert in vulnerability analysis. It's very easy to use and a good platform. 

In regards to additional features, I would say make it a little bit simpler. There are different menus for downloading reports that could just be a click and download. Right now, we have to go to the scan and then we have to go to the reports and download the Excel or CSV or PDF. I think these menus and clicks can be minimized.

We have had Tenable SC for the past year.

It is very stable. We have not had any issues.

It is scalable. You can add the scanner in. At present, we have five people working with it at our organization.

The technical support is fine. They're prompt and we've had no issues with them.

Neutral

It was super easy, not complex.

We set up a consultant to help with deployment and the full process took around a month.

Compared to other companies or other products it could maybe be a little bit less, but the price is okay. I would say it's not very expensive.

I would rate the solution as a nine out of ten. 

Vulnerability assessment and compliance auditing are our primary use cases. That includes baseline configuration scanning. We use it to protect everything in the enterprise environment: servers, workstations, pretty much all operating systems, networking gear. We are doing cloud and we are doing some IOT. We are not using their web application scanning tool.

The ability to view the plug-ins, the way that the plug-in library works, is really good. It's not an individual list of 80 million different CVEs. We can actually just say, "Hey, here's a plug-in," and it really helps us to boil things down. Instead of having a million CVEs, here's the specific plug-ins that are actually tying the CVE families together. That helps our platform owners, if there is an issue, to see what it is and understand better how to fix it.

Also, the fact that they display the very specific plug-in output in their details area helps our platform owners know, if there's an issue, specifically what was checked and what versions it was on at the time of the test. That's just huge. It increases the trust in the information from the tool. It cuts down on accusations of false-positives and it helps people do their job better.

It helps us to understand our cyber-exposure. At the end of the day, if you don't know what you have, then you cannot defend against it. Understanding what services, what technologies, and all those components will also give us an idea about how to predict what kinds of attacks are the things that we need to guard against in the future.

It also helps us focus resources on the vulnerabilities that are most likely to be exploited. Looking at what actually has an exploit available along with consideration of other things such as network proximity times and information about the threat - either VPR or CVSS - pulling all that together does allow us to identify pretty quickly what are the high-priority targets that we should work on.

One of the most valuable features is their distributed scan model for allotting engines to work together as a pool and handle multiple scans at once, across multiple environments. Automatic scanning distribution is a distinguishing feature of their toolset.

Also, the ability to trend data back as far back as we have disk space for, is helpful.

Finally, the ability to write custom audit files is a really helpful and useful feature. That's something that not a lot of assessment companies have gotten right. There's room for improvement, but literally being able to take the text file, open it up, and adjust the changes, write your own regex and write your own checks, is huge.

It's good at creating information, it's good creating dashboards, it's good at creating reports, but if you want to take that reporting metadata and put it into another tool, that is a little bit lacking. It does great for things for the API. For instance, if we say, "What vulnerabilities do we have?" or "How many things have we scanned?" those things are great. But if we want to know more trending stuff over time, it can create a chart, but that's in a format which is really difficult to get into another program. Integration into other reporting platforms, or providing more specific scanning program metadata, would be an opportunity.

It does have a fully-bolstered API which is available online that you can look at, but it is more aimed at getting more vulnerability information out instead of reporting information out.

We've had more problems with the underlying stuff that is running the operating system, as opposed to actually running Tenable. Tenable SecurityCenter has been pretty stable. We've only had one or two smaller technical issues. There have been other issues, but they've not been Tenable's fault.

It does have an upper limit. You can go on their website and see what their upper IP limit is.

We have seen that more and more teams want to get access to the data and get access to their vulnerability information, and it really has helped us grow our program.

Their tier-one, initial tech support is pretty bad. Their premium support is excellent. Whether premium support comes at an extra fee depends on how your negotiations go.

We migrated from Nexpose. We switched because Nexpose is not a scalable product for an enterprise. Also, in most instances, SecurityCenter is less false-positive prone and the detection seems to be better in most instances.

The initial setup was very straightforward. In fact, for some of our teams, we've actually done - "capture the flag" is a bad word for it - but effectively that type of an activity, and they pretty much go from naked box to Tenable scanning instances within a couple of hours. It's very easy to set up.

I can safely say that it can be deployed with one person. And it doesn't require a lot of maintenance. It depends on how much you use it for, but it's mostly just set-it-and-forget-it. Then there is just the mechanical stuff of patching the box and applying system updates, but it actually does a pretty good job most of the time.

We've seen return on investment through visibility, scan stability, ensuring that we're able to assess our environment. Also, ensuring that we are able to have good confidence in the data, and that we're able to do out-of-the-box reporting and various other dashboards that really help us drive our program and help sell our case.

We evaluated Qualys. It depends on whether you want to do on-prem or in the cloud. Qualys really is a black box. You literally put this thing on your network, you can't touch it, and if you want to do something like troubleshoot, it is just not very friendly from an "if things go wrong" perspective.

Make sure that your sizing is done correctly, in terms of the hardware size. When you do buy Tenable, a lot of times you'll use Professional Services to help you implement the tool. Whatever advice Tenable has, listen to it very specifically and also talk to them specifically about what your goals are. Instead of talking tactics, talk about goals. What's going to happen is that they may say "Hey, we're going to do things slightly differently than how you used to do it," but in a lot of instances, they're going to be right.

In terms of features that we're looking forward to, VPR is one that we're going to start using more. And they also recently had a SAML integration for single sign-on. That was a new feature in 5.9.

Overall, Tenable is easily a nine out of ten. It's not a ten because there is no perfect tool out there, and Tenable SecurityCenter does have its limitations.

Basically it reviews our threat landscape vulnerability. So, we just want to be sure that we check compliance in terms of our configuration and compliance to our policies. But, the key is to make sure that we are not exposed to vulnerabilities that can be exploited. So, it's more of just securing our threat landscape.

It easily detects issues, and alarms the site.

One valuable feature is the Assurance Report Card. with the Assurance Report Card, we are able to give our overview about security posters in just a glance. And with a report to cut this we can quickly, our executives can quickly consume that without going into the difficulties of the vulnerability issue.

In terms of the configuration of the reports, there's some level of flexibility that we are not able to achieve. In terms of configuring the reports to achieve certain percentages and all of that. So, that's really the main thing I've noticed. But, apart from that, I think it's one of the best vulnerability management tools I've used, in terms of giving us the full visibility into the environment.

One to three years.

There were no crashes, or anything of that sort. The solution is stable. At times, we have had the typical bugs, but it's not something I would say is a big deal. It is maybe once in a quarter--insignificant.

I did not have any issues with scalability. This is because once you scope the main control, the Security Center box, you do proper saving on the main box in terms of storage. Initially, when we did the first installation, we did not properly size our storage. So, we quickly entered issues. But, since it was  Linux box, we were able to reconfigure and make development for additional storage. Once we did that, there has not been anything that tested the scalability. So, when the growth becomes a little high, we just add a box and provide a scanner. Then, you define the territory within which you can scan, because each scanner can be assigned to a given territory in terms of sub-nets, and so on.

The tech support was fairly good enough. I would not rate them as top-notch, but it was fairly good enough. I would give it a rating between 70-80%.

I considered Rapid7 Nexpose and Metasploit in the past.

It was pretty straightforward.

It is slightly more expensive than other solutions in the same sphere.

If you are considering a product like this, you must take into account and properly plan, scope, and scan. You need to know how to properly place your scanners and how to schedule automatic scans. You need to properly schedule your scans, so for example you don't need to scan your data center during that day when your business is most active, you can schedule your scans to run in the middle of the night, when your systems are least active.

If you wake up on LAN, then you can even scan clients during the night. You schedule wake up on LAN, your boxes are woken up on LAN, then the scanning is run, and then the boxes are shut down once the scan is over. So that's proper scoping and planning with this solution.