Tenable Security Center Reviews

We use Tenable to scan all of our environments and plugins for vulnerabilities. Tenable helps us discover network vulnerabilities to threats and piracy. 

Tenable's reporting engine needs improvement. It needs to be more efficient and add more features.

I've been using Tenable for one year.

Tenable is scalable. 

Tenable technical support needs improvement.

Setting up Tenable SC was straightforward, and it took two months to deploy. 

A third-party vendor implemented Tenable for us.  

I rate Tenable SC nine out of 10. It needs some improvements in the reporting engine and training. For example, I need the ability to easily check what happened on Tenable specific dates.

Tenable SC can be used in any company for vulnerability management life cycle.

It's a very useful tool.

Internal ticketing systems require improvement. 

The GUI could be improved to have all concerns and priorities use the same GUI, allowing them to see all tickets, assign vulnerabilities, and assign variation failures to each member of their team.

I have been working with Tenable SC for more than five years.                                                             

Tenable SC is very stable.

According to the sizing that we are dealing with in this first stage, it is very scalable.

We have not experienced any issues with the scalability of Tenable SC.

The information security team has access to the solution. The number of users varies from one environment to another. It ranges, from five users to ten users maximum.

The same number of users can easily deploy and maintain this solution, included the access manager, administrator, and anyone who can configure the policies they test.

Tenable technical support is very good. They are very helpful, and responsive.

We had experienced some delays in two or three tickets we started, but that may have been because of the client, they were very unresponsive.

Overall, the technical support is very good.

I have worked with Rapid 7 and Qualys.

The installation is very straightforward. It's the easiest solution that I have ever implemented.

The installation was quick, taking no more than one or two minutes.

I completed the installation myself. It can easily be installed by anyone.

The license is perpetual and is based on the number of IP addresses you want to scan in your organization.

The support comes with a different license.

Tenable SC is without a doubt a good choice.

I would rate Tenable SC a nine out of ten.

Essentially we use the solution to monitor hard devices on a network with it. That includes laptops, desktops, tablets, et cetera. I'm just using that to make sure that all of our patching is up to date.

The UI, the user interface, is really, really good. It's really simple. I started with no prior experience in vulnerability management and picked it up in less than a day, pretty quickly. It's very intuitive.

Their overall cost of service is pretty good. 

I've worked with my CS manager and with them a lot, and I'd say every case I've opened, they've reached out to me within two hours. They're pretty prompt in their responses and overall the company is really easy to get ahold of.

Scaling the solution is very easy.

The stability of the product is pretty good.

The biggest issue I have with the solution is when I'm using the scanning it picks up the original DNS of that device. That means, before we image it and actually change the DNS to something within our company structure, it'll just be random numbers and letters and Tenable will stick to that DNS for a long time. I'll be searching for a gallery or a laptop and I can't find it due to the fact that the DNS when it was scanned went in as something non-sensical, like M P X 23 Z. That's the biggest issue I have with it. it's some sort of strange glitch.

While I started using the solution in January of last year, the company itself has been on the solution for about three years or so.

The stability of the solution has been quite good. I haven't experienced any real problems so far. It's been a rather smooth proess.

Scaling the solution would be pretty simple. The process would require us to reach out to Tenable to get more licenses, however, that's a pretty simple process. Overall, it's pretty easy. Essentially it'd just be adding a list of all the new IPs into any asset groups that they would be involved in. I don't think it would take much longer than a week.

Technical support is excellent. They are extremely responsive and very helpful. We are quite satisfied with the level of support we've received from them.

I would give them a ten out of ten. They are very prompt and very knowledgeable. They are great at answering questions and walking you through anything step-by-step.

When I started, the company was actually in the process of revamping the solution. 

It was a two-day process and the company walked us through the entire thing. I had a Tenable engineer on-call with me for eight hours. It was a long process, however, it was easy as they were walking me through it, step-by-step.

When we did a recent re-vamp, Tenable was on hand to walk us through the entire process. We had a very positive experience with them.

I don't handle the billing and therefore don't have an exact idea of how much the solution costs.

We just renewed the solution and didn't look into any other product on the market before we did.

We are just customers and end-users of the product.

If a company does decide to implement the solution, I'd advise working with Tenable engineers during the process, and even afterward, in order to ensure everything is set up appropriately.

I'd rate the solution at an eight out of ten We've had a largely very positive experience with the solution so far.

At work we use the enterprise version of Tenable, Tenable.io, and I also use Tenable.sc — which I refer to as SecurityCenter — for local scanning.

I use Tenable SecurityCenter every day to scan our entire environment for vulnerabilities. I use a local license during the discovery process for penetration testing. So I'll do an en masse scan, and then also do a scan with Tenable to scan for IPs and vulnerabilities.

User-wise, with Tenable SecurityCenter, there's different roles. We have security analysts, admin, etc. I'd say there's probably four or five different roles from people that can just go in and view. Security analysts can upload manual scans and create dashboards and download reports. Then administrators can create accounts, assign roles and responsibilities, and things like that.

Tenable SecurityCenter has absolutely improved our organization, by making everything more secure and helping ensure solid vulnerability management.

The feature we've liked most recently was being able to take the YARA rules from FireEye and put them into Tenable's scan for the most recent SolarWinds exploit. That was really useful.

I'm pretty happy with it, but I do see a lot of stuff coming out about risk-based vulnerability management. And so I've been looking at that. I don't think we're using that as of yet and it seems like a newer feature they're talking about a lot that I'm interested in.

I will say it's a lot slower compared to an MS scan. It takes so much longer, so the performance could definitely be worked on.

There was also an issue with SecurityCenter once where we had agents deployed on each device, and while it was scanning we were collecting the data real time. During this process, we had an enclave that was not submitting. It didn't have the agent installed because it wasn't connected to the enterprise network.

They were scanning locally and submitting the scans and we would then upload them into SecurityCenter manually. Each time that there were any duplicates with host names or IPs, or that there were issues with the scanner device with authentication, it failed. But then you scanned it again and it was successful.

When you uploaded that, SecurityCenter was counting it as two devices. And when you ran your report for unauthorized devices, even though it was scanned a second time successfully, the first time would show as a failure. So it was throwing off reporting.

So we would run a report and say, "Okay, which device has failed scanning with authentication?" And it would give a device and we'd be like, "Well, here's the secondary scan showing that it was successful." And so we were having to manually go in there and delete the failed ones.

And that was a pain in the butt. We eventually got that enclave online so we fixed the problem, but I felt that was a limitation of Tenable SecurityCenter that it couldn't see that.

I have been using Tenable SecurityCenter for the past few years now.

We have only run into one troublesome issue that I can remember. It had to do with the way SecurityCenter inaccurately reported real-time scan results whenever there was a transient problem such as with a duplicate host name or IP, or with authentication.

It was a pain to deal with, because we kept having to go in and manually delete all the failed (but actually successful) scan results.

When it comes to scalability, so far so good, and no issues. We've got the whole environment monitored right now and I don't see any significant increases in use anytime soon.

Their technical support is good. Because I don't give out tens much for anything, I would say in the eight to nine range, out of ten.

For vulnerability management, Tenable SecurityCenter is the only one I've used in the past six years. Though we do use other tools in conjunction with it.

We've pretty much used Nessus for scanning, vulnerability management, and reporting, and that's it. And it does it very well. And then I use different tools for other things. I'm sure Tenable had that on the plugins for other things, but we don't use those.

The setup is straightforward.

I personally implement SecurityCenter with a local license. And then we also have different roles like security analysts and administrators who can just go in and perform various functions such as uploading manual scans, creating dashboards, downloading reports, assigning accounts, and so on.

I use a local license to perform penetration testing and I'm pretty happy with everything when it comes to pricing and licensing. 

I can easily recommend Tenable SecurityCenter, and I have nothing really bad to say about it. I think it's a great tool for what it does. I enjoy the webinars, and the people that run the company seem very engaged with what's going on when you're into current events and the overall security climate, and they're continuously looking to improve.

I can't speak to every option that they have, but I have no reservations recommending them.

I would rate Tenable SecurityCenter an eight out of ten.

We are a reseller and Tenable SC is one of the products that we implement for our clients.

The primary use case is to check for compliance against a specific framework, like NIST, CIS, or something similar. Tenable will check compliance on the assets against that specific framework and give that visibility to the technical staff, top management, and the risk management team. In turn, this will enable them to evaluate the risk that they are facing for non-compliance issues.

The second use case is helping the technical staff that handles updates and upgrades to the operating system. It means that they have the most urgent upgrades that they need to cover the high-risk vulnerabilities that can be found and exploited.

Beyond this, Tenable SC assists with malware detection and similar functionality.

The most valuable features are the dashboards and reporting. They have multiple dashboards and reports for different types of details that can be used for different levels of reporting.  This means that by using a high-level report, the top rank in the company can understand what the risk is, as well as how it is violating policy. Similarly, technical people can use a more detailed report to understand what they have to cover and what the criticality of it is.

This product has the best results in terms of the lowest number of false-positives and false-negatives.

There are multiple types of engines that cover almost any necessity that the company can have for vulnerability and compliance.

Parallel scanning would be a nice improvement because it would speed up the detection process. It is not possible to search for vulnerabilities and do compliance checking at the same time. Rather, they are done one after the other.

The integration is very good, although it still needs to improve. For example, it would be useful to have better integration with other tools in the space of identity management (IAM). As it is now, integration with new tools has to be developed specifically, so it's not easy.

We would like to see better collection capability for external data that will help to improve detection and discovery.

I have been working with Tenable SC for six years.

In the past six years, we have had no disruption in terms of functionality. We have seen problems arise because of development and deployment strategy, but it is a very stable product. We have not had any problems with our implementations.

This platform is very scalable, both horizontally and vertically.

Our customers for Tenable SC vary in size. A smaller one might have 500 or 1,000 assets with two or three users, whereas a larger organization might have 100,000 assets with 30 users.

The support from Tenable is very agile. We use them regularly when we have problems.

There are three levels of support, all of which are very adept and available. It is very easy to get in touch with support.

We used to work with Rapid7 Metasploit.

The initial setup is always a little bit complex because most of the time, the people don't really know about their infrastructure. So, the most complex part is becoming familiar with the infrastructure and knowing what to search for. Tenable is very helpful in this regard because it has tools for discovery that help people to understand their infrastructure.

There is always a danger if the product is not well-configured but afterward, it is easy to use. When correctly implemented, this is a very effective and accurate product.

The length of time required for deployment varies based on several factors. The first is the level of integration, the second is the complexity of the assets that need to be covered, and the third is the maturity of the infrastructure. It can take weeks to deploy in an environment with a very mature infrastructure. If it is a larger organization that is graphically dispersed then it can even take months, depending on the capability of the company to cover all of the necessities for scanning.

The company has to address the necessities of the vulnerability management capabilities because it puts stress on traffic, stress on hosts, and it needs to be well-designed. Taking these precautions is necessary so that there is no damage to the infrastructure.

In the case of a smaller company, with perhaps 1,000 assets, it can take a week to install it and get everything working.

Maintenance for Tenable is a necessity, as it is a product that grows and changes because there are new detections every day. Sometimes, a detection is verified, whereas in other cases, support is needed to perform the verification.

The licensing fees are based on the number of assets. The price can start at €10,000 ($13,000 USD) for between 500 and 1,000 assets, and the price can climb into the millions as more assets are added.

There are two types of licenses available, which are the subscription, and the perpetual with maintenance. The subscription is the same price every year, with very small variations over the years. In the case of a perpetual license, there is a high initial cost compared to the subscription, but the maintenance is much lower.

I have researched other products on the market and by comparison, I would rate Tenable SC a ten out of ten. It still has some features lacking, but it is better than the other solutions that are on the market.

My advice for anybody who is implementing this product is to search for a certified partner to help with the process. It's not difficult, but it's very important to have a partner who knows the product well. The first steps in the implementation have to be the correct ones. If not, the product will not achieve the objectives that the company usually needs. It would be wrong for someone that doesn't know the product very well to begin implementing it by themselves.

This is the best product that we have found for risk management.

I would rate this solution a nine out of ten.

Our primary use case is compliance for our audits, for our customers. We were exposed in that we were not meeting contractual obligations.

We are monitoring our infrastructure: servers, switches, storage, routers, SAN storage, operating systems, and applications to the extent that the tool is able to see into them. We use it to hit the high ones like Adobe or Microsoft Office and the like. Some of the more niche products that we use may not be in their inventory of vulnerabilities.

It helps us prioritize based on risk and it also helps us prioritize manpower, to show we are getting the most value from the limited number of man-hours that all organizations face. We have the same problems: Where do we need to focus? Where do we need to focus money? And where do we need to focus additional expertise that we don't have or didn't think we needed.

Overall, we use it as a third-party — I don't want to say settle arguments — but as an expert opinion as to what is a true vulnerability is, versus what is something that isn't as high of a priority. It takes opinion — if two cybersecurity people are arguing or discussing if this thing is more important than that thing — and, since Tenable is not invested in our company, gives the best practice. It is very valuable in that sense.

In terms of cyber exposure, it allows us to centralize both vulnerability management and visibility. We have one place to look instead of going through: Okay, we're using the Microsoft tool, and now we're going to go use the Cisco tool, and now we're going to go use the Red Hat tool. It allows us to centralize and easily correlate all data together, and then use the prioritization or just understand where the gaps in our security posture lie. That's more valuable than saying, "Okay, here's this report for Microsoft, and now we're going to print out a report from Red Hat, and we're going to print out a report from Cisco, and we're going to print out a report from NetApp, and we're going to put them all together and then we're going to discuss it." Having it in a single view is very valuable to us in that it saves us a lot of time.

Tenable also helps us to focus resources on the vulnerabilities that are most likely to be exploited. And since it is continuously updated, it allows us to reevaluate quickly if there are new vulnerabilities found, versus ones that we're already working off and are already known to us.

And since cybersecurity and IT security are not a fix-it-and-forget-it scenario — it's a continuous process — having a tool like this, especially one that is continuously monitoring our environment, is very valuable. It's not that we're not doing this once a year, we're not doing this once a quarter. We're doing this every day.

Finally, the solution has reduced the number of critical and high vulnerabilities we need to patch first.

The continuous monitoring piece has been very valuable to us. 

The vulnerability priority setting in the software has been very useful to us as it allows us to focus on what's most important. We use it as a piece of our holistic look into our security stance.

The predictive prioritization features are pretty good. They do a lot of research and we trust the research that they do internally. They have knowledge of what's going on with many companies, where we only get a view into what's going on here. So the ability to get best practices out of them as part of this solution, is valuable to us.

The Vulnerability Priority Rating is also pretty good. It's a much more holistic view, instead of being very binary, which we tend to see. It lets us focus on what's most important to us, especially because it goes across many products that we have. It's good in that we see how each of these stacks up and where our priorities should be. Should they be in Cisco, should they be in Microsoft, should they be in Linux? That's very useful to us as well. We'd love to do all the work right now, but we have to pick some type of priority in terms of what we're going to focus on, before we focus on the less vulnerable items.

Using the product — especially very early on — even though we have things like prioritization, it can be a little verbose in that there's a lot of information being streamed out of the reports. What would be nice, and maybe we just haven't found it, would be more of an executive-type view. We still expect it to collect all this information, but we would like a feature that would allow us to show it to an executive or a director or someone like that and give them some type of high-level overview but not get into the nitty-gritty.

We started using this iteration of it two years ago, but we had been a previous customer of theirs as well.

We haven't had any problems with it. It seems stable. They make changes to it regularly, to both the vulnerability database and the product itself. They seem to be going through with a reasonable update path and they support previous versions for the expected amount of time.

We haven't seen any crashes or spikes.

It scales just fine. We're a Fortune 500 company so, obviously, we have very large networks here. As far as we know, it should scale. We don't think we can outpace the scalability of it. There are best-practices that we need to follow, but will this product be able to meet our needs for future growth. We expect it to be able to handle that.

Usage will be increased. There are two parts to the business. There's the business that is our overall corporate business, which is covered 100 percent by the solution. And then there's the manufacturing and design business. On that side, the solution is still growing. We have two contracts with Tenable for their SC product.

We think technical support is pretty good. We have specific needs as defense contractors and they're able to meet those. We have a good account team. We have a customer success manager, Ryan Zentz, and we have a good account executive, Scott Mahan, and they do as much as they can to head off any issues that we have, instead of putting in a ticket or getting something escalated. They do a good job of helping us.

We previously used their lower version of security management. It was their single-install product, Nessus. We were using the standalone, non-enterprise version.

The solution would be fairly simple, but because of our implementation it was fairly complex and we hired Professional Services to do it. We're not a typical example. As a straightforward install, I think it would be very easy. But because of our size and scope, it was a little tricky.

We have multiple deployments so we hired Professional Services for two weeks to do them. Some installations were done in a few hours and some of them took a few days. But, overall, we hired ten days of Professional Services.

We were focusing on installing first in our non-production environments; getting familiar with the installation, the capabilities, and what the overhead of the product was going to be on the network. From there did some testing and ran that through some discussion and a panel of in-house experts and decided that we would be good to go forward with production. 

We then repeated that, where we would install in a small section of production, run a test to make sure that it didn't break anything or that it didn't cause undue harm. And then we went forward with expanding it out.

Now we have a process in place for installing for any new section of the network that comes up or any new infrastructure that we put together. It's a little easier for us to handle now that we're not tackling the big network. We're just handling delta changes over time.

We used their in-house professional services. Our experience with them was good. They had someone onsite and who was well-versed in the defense industry. He was able to get it installed and answer our questions. We didn't have any problem with him. We liked him so much that we brought him back for another week.

Having Tenable is a requirement. It is a compliance piece which is part of our business. But it is money well-spent in that it focuses us to work on problems that are prioritized and it allows us to cut down on the manual integration of multiple reports from Microsoft and Linux, etc. It does save us considerably in that we can have less staff assigned to it, versus having a Linux team and a Windows team and a NetApp team, etc.

Running with a much smaller team of two people probably saves 80 percent of manpower. I would assume that the team would be ten people or so if we had to mash together multiple reports and spend time doing that.

I don't know our licensing costs but they're in the seven figures. We have an enterprise license, so I believe everything is tied up in that. We do not have any additional cost other than our large enterprise license.

The licensing is a little involved from both sides. That may be due to our specific implementation of it because we are a defense contractor. I feel we rely a lot on their customer service and they rely on us to do a lot of manual labor to get licensing installed or to get licensing. If there were some type of smoother transaction, that would be great.

I would like more self-service in the granting and rescinding of SC licenses, and that way we wouldn't have to be involved with customer service as much or with our account executive.

We did two sets of white papers looking at the competition. We did a white paper in 2015 and another one in 2018. We selected Tenable after the 2018 white paper was written.

Between 2015 and 2018, the market had contracted considerably. Many of the products that we evaluated in 2015 had either been bought out by a competitor or just no longer existed. When we looked at it in 2018, Tenable had the strongest pedigree. They also had the ability to scale the deployment, versus some of the other products. 

We looked at Ivanti, which really wasn't designed for vulnerability management; it was a bolt-on. We looked at Qualys. That was too heavy-handed. It was a good product, but there was too much overhead in managing or maintaining that product.

Tenable was the best fit for our needs. Tenable is also the provider for the ACAS solution for the US government. Since the vast majority of our customers are government customers, and our auditors are government officials, it was seen as an easy way to get past an audit, or at least that we would be looked upon favorably.

We did not test any of the competitors. We had done some tests in 2015, but again, many of those competitors were no longer in business or they had been bought out. The other product that made it as a finalist was Qualys, but there was a significant commitment and infrastructure needed. We felt that if that was the minimum just to get it tested, then it was not going to work for us on an enterprise scale.

Go in with open expectations. Companies don't realize how big their infrastructure really is before they can get a single pane of glass view, which Tenable provides. Don't be disheartened when you run that first scan. It is a process. This is not a sprint, this is a marathon. If you're not willing to invest in this for the long run, then maybe your organization just isn't ready.

I don't know how to assess our vulnerability status compared to that of our peers. The defense industry is fairly secretive about what goes on. But I think we're doing the right things. Having the licensing and the investment that we put in place puts us ahead in the industry. I can only really speak for myself, but I think that we are doing the right things, and investing the right dollar. And if our competitors are doing that, good for them. If not, I wish they would.

Security Center is generally run by either the information security manager or the information security officer. There are a few dozen people who have access to it and their roles would be two-fold: There are the lower-level, cybersecurity folks who are dealing with it on a day-to-day basis. And there are the more managerial types who would be getting reports and making decisions off of it. Lastly, the general IT staff would be using the reports or the remediation recommendations for making changes to their environment.

For deployment and maintenance of the solution we don't need that many. We had Professional Services in and we added a team of four to the Professional Services engineer to help us get it stood up over those two weeks. In terms of ongoing support of the solution, we have one or two people who are tasked with updating the vulnerability database and verifying scans and the like. But it's not overly burdensome. They are information security officers or cybersecurity specialists.

I would rate Security Center at eight out of ten. First, it's a little heavy-handed for us from a licensing perspective and second, there are some features and functionality that we'd like to see in the future which would make it more user-friendly for non-technical or more managerial types. It seems that the product is really written for technologists, especially on the reporting side.

The tool helps with vulnerability assessment and vulnerability management.

The tool gives us fewer false positives. Compared to its competitors, the solution’s reports are more accurate.

We experienced some difficulties with the solution’s support.

I have been working with the solution for two years. I use the tool’s latest version.

I would rate the tool’s stability a nine out of ten.

I would rate the tool’s scalability a ten out of ten. You can place sensors for the scanners and easily scale up.

I would rate the tool’s setup an eight out of ten. The tool’s deployment is very straightforward and it took only one day to deploy the solution. The solution’s deployment is simple and efficient.

I would rate the tool an eight out of ten. The tool has community support. From my experience of using the solution, I would recommend it to anyone looking to use it.

I primarily use Tenable for scanning and reporting.

Tenable's most valuable features are the credential scan, vulnerability reports, and vulnerability ratings (VPR).

Tenable has some problems with agents going offline during scanning and lag between agents and the security center. In the next release, Tenable should include automated patching and integration with SSCM so missing patches can be pushed from there.

Tenable is stable.

I'm satisfied with Tenable's technical support.

Positive

The initial setup was easy.

Tenable is open-source.

I would rate Tenable eight out of ten.