A short summary on the differences between Nessus and Tenable
Nessus is a product that scans for security vulnerabilities in your infrastructure, with prices starting at just a few thousand $ / € / £.
Tenable is the company that sells the Nessus product range, plus a number of other products that are built upon Nessus and help aggregate the Nessus output in ways more useful to businesses.
To understand more about how these products work read on, or jump to “Where best to Start” to get the S4 Applications recommendations.
Tenable and Nessus – the Background
If you have got this far, I am guessing that you are relatively new to the information security (InfoSec) market and looking to take some important first steps. If so, I would recommend our maturity assessment model for when you have finished.
As they say, security is all about layers: if a bad guy gets through one layer, you want another one right behind it, a defence-in-depth approach.
One of the most critical layers is offensive security, i.e. looking and behaving as an attacker would; seeing what they see and spotting the potential weaknesses.
Virtually every environment will have security issues (often referred to as vulnerabilities in cyber security jargon) within it. These need to be found, analysed and normally fixed. Vulnerability Management is the act of doing this search, analysis and fix process.
Read more about the difference between Vulnerability Scanning v. Pen Testing in our blog.
Vulnerability management is an integral part of maintaining your organisation’s computer and network security. It entails scanning your IT infrastructure or software applications to locate and address known software vulnerabilities.
If you find vulnerabilities then you’ll want to get them fixed. Unfortunately, this is a dynamic, ever-changing situation. This is not a one-time thing like installing a firewall; it is an ongoing process that you have to do all the time. Cyber criminals don’t take Christmas, Eid, Diwali, Hanukkah or any other holiday off; in fact, they often use them because they know you will be out of the office and slow to respond.
Nothing stands still
This is all harder than you think, because for any given piece of software you may not make a change, yet the situation changes around you.
Consider a piece of software:
- Monday, your system is considered secure
- Tuesday, a hacker finds a theoretical vulnerability in software that you happen to use (say Microsoft Office)
- Wednesday, the hacker builds some code to exploit that vulnerability
- Thursday, the vendor (in this example Microsoft) releases a fix
- Friday, you apply the fix and you are back where you started, i.e. a system that is considered secure
The above events pan out many times a day, across any given corporate network, in any particular order. This is why we get about 100 fixes from Microsoft every month. It is not just Microsoft Windows that you have to look out for; think of the versions of Adobe Photoshop, WinZip, Notepad++ and so on.
We suggest a simplified 3-step process
- Proactively look for problems
- Prioritise them – work out which ones you really need to focus on
- Fix the bad ones
In this blog, we will be focusing on point 1, which is where Nessus and Tenable sit. We will give more information on points 2 and 3, and how to deal with them, in subsequent blogs.
We also have a more detailed recommendation on best practice steps for Vulnerability management which you can read on our blog: 8 best practice steps for effective Vulnerability Lifecycle Management.
What is Nessus?
Nessus Pro is a Tenable scanning product that scans your network and looks for around 120,000 known vulnerabilities.
The product is fantastic value at under $4,000, which allows you to scan as many items on your network as you wish. Once the scan is complete, you can run a report and see all of the different issues, along with a simple-to-understand priority score (the CVSS score).
Above I described the process as 3 steps: search, prioritise, fix. This process should be repeated regularly, say weekly. The reporting with Nessus Pro is very much point-in-time, and does not help you manage things as they evolve. It is not possible to get a “what has changed since last time” report.
If you are looking to add more sophistication around the process, then you’ll need to buy one of the other products in the Tenable portfolio. This is their strategy: show you the value of the tool, then up-sell.
Other vendors will argue about this, but most people think that Nessus does the best detection job of all the tools available. Because of this great detection, it is loved by pen-testers the world over. For the same reason, it is also loved by the bad guys the world over.
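The missing “what has changed since last time” view is simple to build yourself from two exports. The script below is an added example written for this post, not Nessus or Tenable code; it assumes the classic Nessus CSV column names (Plugin ID, CVSS, Risk, Host, Protocol, Port, Name) and the scan rows are constructed sample data, with one finding patched and two new ones appearing between the scans.

```python
"""Delta report between two Nessus-style CSV exports (added example, not
Tenable's code). The column names follow the classic Nessus CSV export;
the rows are constructed sample data, not real scan output."""
import csv
import io

HEADER = "Plugin ID,CVSS,Risk,Host,Protocol,Port,Name\n"

# Constructed baseline scan ("last time").
LAST_WEEK = HEADER + (
    "10001,9.8,Critical,10.0.0.5,tcp,445,SMB server missing security update\n"
    "10002,7.5,High,10.0.0.5,tcp,443,TLS server uses deprecated protocol\n"
    "10003,0.0,Info,10.0.0.5,tcp,22,SSH service detected\n"
    "10004,5.3,Medium,10.0.0.7,tcp,80,Web server leaks version banner\n"
)
# Constructed current scan ("this time"): 10001 patched, two new findings.
THIS_WEEK = HEADER + (
    "10002,7.5,High,10.0.0.5,tcp,443,TLS server uses deprecated protocol\n"
    "10003,0.0,Info,10.0.0.5,tcp,22,SSH service detected\n"
    "10004,5.3,Medium,10.0.0.7,tcp,80,Web server leaks version banner\n"
    "10005,8.8,High,10.0.0.7,tcp,80,Web application framework out of date\n"
    "10006,4.3,Medium,10.0.0.9,udp,161,SNMP default community string\n"
)

def load_findings(csv_text):
    """Index an export by (host, protocol, port, plugin id); CVSS as float."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["CVSS"] = float(row["CVSS"] or 0.0)
        findings[(row["Host"], row["Protocol"], row["Port"], row["Plugin ID"])] = row
    return findings

def delta_report(previous_csv, current_csv):
    """Split findings into new / fixed / persisting, highest CVSS first."""
    before, after = load_findings(previous_csv), load_findings(current_csv)
    def ranked(source, keys):
        return sorted((source[k] for k in keys), key=lambda r: -r["CVSS"])
    return {
        "new": ranked(after, after.keys() - before.keys()),
        "fixed": ranked(before, before.keys() - after.keys()),
        "persisting": ranked(after, after.keys() & before.keys()),
    }

if __name__ == "__main__":
    for bucket, rows in delta_report(LAST_WEEK, THIS_WEEK).items():
        print(f"== {bucket} ({len(rows)}) ==")
        for r in rows:
            print(f"  CVSS {r['CVSS']:>4} {r['Host']}:{r['Port']} {r['Name']}")
```

Keying on host, protocol, port and plugin ID rather than plugin ID alone means the same weakness on two servers is tracked as two findings, which is what you need when deciding where the patching effort goes.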
What is Tenable?
Tenable is a US based security company with revenues of around $500M per year. They focus on helping customers find vulnerabilities in their IT environments.
Their first and most famous product is Nessus, now called Nessus Professional or Nessus Pro for short (discussed above).
They have a number of other technologies that build upon the great scanner to offer the sort of features that enterprises need. So all of the things listed above as missing from Nessus are in the enterprise tools, plus an awful lot more.
Tenable’s first and probably most famous enterprise tool was Security Center. This has recently been renamed to Tenable.SC.
More recently Tenable have released another product called Tenable.IO, which has similar features to Tenable.SC but is offered as a SaaS platform, whereas Tenable.SC is on-premise.
If you want more detail on these then have a read of our blog: Keeping up-to-date with the Tenable Product Portfolio.
A little history on Tenable and Nessus
The Nessus tool was originally an open-source project and got as far as version 2. The company Tenable was then formed, the project was made proprietary, and Nessus version 3 was released by Tenable.
At this time the code was forked and OpenVAS was created as the open-source successor to Nessus.
OpenVAS is still being developed. It has recently become Greenbone Vulnerability Manager, but is still available in an open-source version if required.
Tenable took the Nessus tool and continued to develop it, adding the extra layers that enterprise customers are interested in.
Whilst Tenable still sell the Nessus Pro software, their main focus is the enterprise market, which is where there is a bigger sales opportunity, and they actively encourage Nessus users to move to the enterprise tools.
Every now and again they make modifications to the Nessus scanner to remove some feature or another to encourage adoption of the enterprise offering. The most recent changes were at the end of 2019 when they took away some of the APIs from Nessus and also made it single user. If customers want these features, then they will need to move to Tenable.SC or Tenable.IO.
Where best to start?
So, the Nessus scanner is probably the best scanning tool on the market when it comes to finding issues. So that’s it, right? May as well go for Nessus?
Well possibly; it depends on what is right for your business needs.
Firstly, consider a server on your network; Nessus will probably find about 100 things wrong with it. Nessus will also give you a severity rating from 0 to 10 to indicate where you should prioritise your patching resource.
Remember it is the patching that makes you more secure, not getting a list of issues to deal with. Among those 100 issues there will also be some items that you cannot patch for a variety of reasons, not least that the vendor has not released a patch; others will be hard work to fix and an insignificant security risk.
So if another scanner found only 90 of the 100 issues, because it didn’t check for the lowest-priority ones, would that be OK?
Now let’s say that the other scanner also gave you a software inventory of the machine, prioritised the vulnerabilities for you based more on business risk, and provided a way to apply the patches all from one place.
The answer for some people is that they must have the best scanner, for others, having an integrated tool that allows them to patch faster is more important.
If you’re an SME looking for an all-in-one vulnerability management platform then Vicarius might be your best option for regulatory compliance and cyber protection. It has a full stack of vulnerability assessment tools that actively identify risks, eliminate threats and provide actionable insights.
Vicarius continuously maps all the vulnerabilities found during analysis and identifies the biggest risks, prioritising threats, protecting vulnerable assets.
Next steps on Tenable and Nessus
S4 Applications wants to help your business invest wisely to reduce risk exposure and protect business value. Contact us to guide you through our 6 step Maturation Model to get to grips with what your current maturity level is and prepare with you an effective plan to enhance your security maturity.