The Tenable Product Portfolio Explained
Tenable have an ever-growing number of products and modules within their portfolio. In this short blog post we aim to position each one and describe its relevant merits.
Tenable have a number of products; their first and most famous is Tenable Nessus Pro.
Nessus Pro (or Nessus for short) is generally recognised as the industry’s best vulnerability scanner. You can point this at an environment and get the complete list of vulnerabilities. In most tests it does a better detection job than any other product.
The Nessus Pro product is focused on a consultant doing a one-time vulnerability assessment. This means that there is no link between subsequent scans, and the reporting is limited.
If you run a scan against, say, 1,000 servers, you will get a report. If you fix things up and run the same scan again in 4 weeks, you will get a new report that has no connection to the first report.
There is no way to know that 50 servers have been decommissioned, 50 have been added, 700 have been updated and 250 have not been touched.
This information can be worked out by careful analysis, but the tool does not provide it.
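As an added illustration of the "careful analysis" the post refers to (not Tenable's code, and not part of the original post), the script below diffs two constructed minimal `.nessus` (NessusClientData_v2) exports of the same estate and classifies hosts as added, decommissioned, updated or untouched. It assumes hosts are matched on the `ReportHost` name attribute and that a host counts as updated when its set of non-informational plugin findings changed.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal .nessus exports for two scans four weeks apart (not real scan output).
SCAN_WEEK0 = """<NessusClientData_v2><Report name="week0">
<ReportHost name="10.0.0.1"><ReportItem pluginID="1001" severity="4"/><ReportItem pluginID="1002" severity="2"/></ReportHost>
<ReportHost name="10.0.0.2"><ReportItem pluginID="1001" severity="4"/></ReportHost>
<ReportHost name="10.0.0.3"><ReportItem pluginID="1003" severity="1"/></ReportHost>
</Report></NessusClientData_v2>"""

SCAN_WEEK4 = """<NessusClientData_v2><Report name="week4">
<ReportHost name="10.0.0.1"><ReportItem pluginID="1002" severity="2"/></ReportHost>
<ReportHost name="10.0.0.3"><ReportItem pluginID="1003" severity="1"/></ReportHost>
<ReportHost name="10.0.0.4"><ReportItem pluginID="1001" severity="4"/></ReportHost>
</Report></NessusClientData_v2>"""


def hosts_findings(nessus_xml):
    """Map each ReportHost name to the set of plugin IDs found on it (severity > 0 only)."""
    root = ET.fromstring(nessus_xml)
    result = {}
    for host in root.iter("ReportHost"):
        plugins = {item.get("pluginID") for item in host.iter("ReportItem")
                   if int(item.get("severity", "0")) > 0}
        result[host.get("name")] = plugins
    return result


def diff_scans(old_xml, new_xml):
    """Classify hosts across two scans and list findings fixed on hosts present in both."""
    old, new = hosts_findings(old_xml), hosts_findings(new_xml)
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),            # assumption: new name == new asset
        "decommissioned": sorted(set(old) - set(new)),   # assumption: missing name == retired
        "updated": sorted(h for h in common if old[h] != new[h]),
        "untouched": sorted(h for h in common if old[h] == new[h]),
        "fixed": {h: sorted(old[h] - new[h]) for h in common if old[h] - new[h]},
    }


if __name__ == "__main__":
    for category, hosts in diff_scans(SCAN_WEEK0, SCAN_WEEK4).items():
        print(f"{category}: {hosts}")
```

A host that was re-addressed by DHCP between scans will show up as one decommission plus one addition, which is exactly the kind of correlation the enterprise consoles handle for you.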
Nessus Pro is licensed per install and has unlimited IPs; this works for the consultant who has it installed on a laptop that they move around. For a corporate with say 15 sites, this means that you probably need 15 copies; one per site. Whilst it is possible to scan through a router to a different network segment, it is not ideal for a number of technical reasons.
If you want the Nessus scanner with centralisation and history you need the next tools up in the portfolio.
After Nessus Pro, Tenable developed two tools for the enterprise: Tenable.sc (formerly SecurityCenter) and Tenable.io. These tools essentially solve the same problem; one is SaaS and one is on-premise.
What the enterprise tools allow you to do is scatter scanners throughout your network and have them all report back to the central console. This central console then allows you to control all scanners from one point and to report upon the data as it evolves over time.
Here it would be possible to see new machine additions, machines being decommissioned, what has been patched, what has not, and so on.
The scanners that are used are the exact same Nessus Pro scanners, but with a different license type that allows them to report centrally.
Tenable.io (the SaaS console) and Tenable.sc (the on-premise console) are licensed based on the number of assets (or IPs) being scanned and include as many scanners as needed. So, in the situation where you have 1,000 assets and 15 offices, the cost is based on the 1,000 assets and you can have as many scanners as needed.
Tenable.io vs Tenable.sc
The Tenable sales force will try and push everyone to Tenable.io. In truth this is the newest product and gets more of the development work, so if you are agnostic on the SaaS / on-premise conversation we would recommend it.
Tenable.sc has been around longer and has been deployed at some massive sites; it therefore has some areas of functionality that are ahead of Tenable.io (say in managing large user communities). Whilst the products have different user interfaces, they are roughly equivalent.
Other Scanners and Products
Over the years Tenable have developed (or purchased in) other tools that sit beside their Nessus scanner and feed back into the same consoles.
Whilst some of these tools may be available as a stand-alone solution, their real value comes when integrated with other elements of the Tenable platform. If you were just looking for a stand-alone Web Application Scanner then we would probably recommend Netsparker. If you have Tenable.io already, then integration within the platform adds extra value to the Tenable tool.
This tool works (very carefully) with industrial equipment (SCADA etc.) and works with both the Tenable.io and Tenable.sc consoles.
Tenable.io Web Application Scanning
Whilst the name of this product may be long, it does at least say what it does. It is a web application scanner, and it only works with the Tenable.io console.
Tenable.io Container Security
Again, a very descriptive name; container security and only works with Tenable.io.
In truth our technical guys have not reviewed this product in detail, so we have no comment on how it compares to Twistlock, Aqua etc. That said this market is evolving very, very rapidly and the vendors all tend to leapfrog each other regularly.
The challenge with everything we have discussed so far is that all vulnerability data is scored based on the technical risk of exploitation. That is rather limiting. To put it simply, if you have two servers, one internet-facing and one internal-facing, both with a score of 10, you fix the internet-facing one first. This is a much bigger conversation (see Risk Based Vulnerability Management for a discussion), but this tool is Tenable's attempt to help out.
The tool mixes your vulnerability scan data, threat intelligence and some other sources to try and give you a business risk score. It also shows anonymised data from other companies for you to compare against.
If you have everything in Tenable, the tool is definitely worth looking at. If you have a mix of tools, or want to use more business inputs in the scoring algorithm, then we would say Brinqa does a far better job (it also does ticket management for you in Service Now / Jira / Remedy etc. for free).
Tenable started with the Nessus scanner, which has been the best technology to solve that problem for many years. They keep investing in the product and keep it ahead of the pack. The two enterprise consoles that it works with are also fantastic, and we would recommend them for the vast majority of companies; they scale well and have on-premise / SaaS options.
The layered technologies offer the best value when working with other Tenable modules.