The Tenable portfolio continues to grow with a number of products and modules; in this short blog post, we aim to position each one and its relevant merits.
Tenable has a number of products. The first and most famous in the portfolio is Tenable Nessus Professional (Nessus Pro for short).
Nessus Pro is generally recognised as the industry’s best vulnerability scanner. You can point this at an environment and get the complete list of vulnerabilities. In most tests, it does a better detection job than any other product.
The Nessus Pro product is focused on a consultant doing a one-time vulnerability assessment. This means that there is no link between subsequent scans.
If you run a scan against, say, 1,000 servers, you will get a report. If you fix things up and run the same scan again in 4 weeks, you will get a new report that has no connection to the first report.
There is no way to know that 50 servers have been decommissioned, 50 have been added, 700 have been updated and 250 have not been touched.
This information can be worked out by careful analysis, but the tool does not provide it.
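The kind of analysis described above can be scripted. The following is an added example, not Tenable code: it compares two CSV exports of the same scan and sorts hosts into decommissioned, added, updated and untouched. The sample rows are constructed, and the column names (`Host`, `Plugin ID`, `Port`, `Name`) are an assumption about the export layout.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real scan data). Column names are assumed
# to match a CSV export with "Host", "Plugin ID" and "Port" columns.
SCAN_WEEK_0 = """Plugin ID,Host,Port,Name
10001,10.0.0.1,443,Outdated TLS library
10002,10.0.0.1,22,Weak SSH ciphers
10001,10.0.0.2,443,Outdated TLS library
10003,10.0.0.3,445,Missing OS patch
"""
SCAN_WEEK_4 = """Plugin ID,Host,Port,Name
10002,10.0.0.1,22,Weak SSH ciphers
10001,10.0.0.2,443,Outdated TLS library
10004,10.0.0.4,80,Default web page
"""

def findings_by_host(csv_text):
    """Map each host to the set of (plugin id, port) findings reported on it."""
    hosts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        hosts[row["Host"]].add((row["Plugin ID"], row["Port"]))
    return hosts

def compare_scans(old_csv, new_csv):
    """Classify hosts by how their findings changed between two scans."""
    old, new = findings_by_host(old_csv), findings_by_host(new_csv)
    report = {"decommissioned": sorted(old.keys() - new.keys()),
              "added": sorted(new.keys() - old.keys()),
              "updated": {}, "untouched": []}
    for host in sorted(old.keys() & new.keys()):
        fixed, introduced = old[host] - new[host], new[host] - old[host]
        if fixed or introduced:
            report["updated"][host] = {"fixed": sorted(fixed), "new": sorted(introduced)}
        else:
            report["untouched"].append(host)
    return report

if __name__ == "__main__":
    for key, value in compare_scans(SCAN_WEEK_0, SCAN_WEEK_4).items():
        print(key, value)
```

A host missing from the second export may simply have been offline during the scan rather than decommissioned, and keying on IP address misattributes findings when addresses are reassigned, so the output still needs a human check.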
Nessus Pro is licensed per install and has unlimited IPs; this works for the consultant who has it installed on a laptop that they move around. For an organisation with, say, 15 sites, you probably need 15 copies, one per site. Whilst it is possible to scan through a router to a different network segment, it is not ideal for a number of technical reasons.
If you want the Nessus scanner with centralisation and history, you need the next tools up in the portfolio.
Tenable has developed two tools for the enterprise: Tenable Security Center (formerly Tenable.SC) and Tenable Vulnerability Management (formerly Tenable.io). These tools essentially solve the same problem; Tenable Vulnerability Management is SaaS and Tenable Security Center is on-premise.
The enterprise tools allow you to scatter scanners throughout your network and have them all report back to the central console. This central console then allows you to control all scanners from one point and to report upon the data as it evolves over time.
Here it would be possible to see new machine additions, machines being decommissioned, what has been patched, what has not, and so on.
The scanners that are used are the exact same Nessus Pro scanners but with a different license type that allows them to report centrally.
The Tenable Vulnerability Management (SaaS based console) and Tenable Security Center (on-premise console) products are licensed based on the number of assets (or IPs) being scanned and include as many scanners as needed. So, if you have 1,000 assets and 15 offices, then the cost is based on the 1,000 assets, and you can have as many scanners as needed.
Over the years, Tenable has developed other scanners that sit beside the Nessus scanner and feed back into the same consoles. These include a web application scanner (WAS) and an Operational Technology scanner (SCADA).
There are some restrictions around which scanners can connect to which consoles. These scanners provide additional information that adds to the Nessus scan; they don’t replace it.
Tenable Vulnerability Management vs Tenable Security Center
The Tenable sales force will try and push everyone to Tenable Vulnerability Management. In truth, this is the newest product and gets more of the development work, so if you are agnostic on the SaaS / on-premise conversation, we would recommend it.
Tenable Security Center has been around longer and has been deployed at some massive sites. It therefore has some areas of functionality that are ahead of Tenable Vulnerability Management (say, in managing large user communities). Whilst the products have different user interfaces, they are roughly equivalent.
Tenable – Translating vulnerability data into business insights for security teams.
The Tenable platform can holistically assess, manage and measure cyber risk across the modern attack surface. It communicates cyber risk in business terms to help your organisation make better strategic decisions.