Tenable is one of the biggest names in vulnerability management, partly due to its sponsorship of several popular security podcasts. But due diligence requires taking a look at multiple solutions. So here’s an overview of Tenable competitors and my notes on them, having used each of them in the field.
Yes, to some extent Tenable competes with itself. For vulnerability scanning, Tenable offers Nessus. For on-premise vulnerability management, Tenable offers Security Center. And for cloud-based vulnerability management, it offers Tenable.io.
For one-off vulnerability scans, Nessus is ideal. If you need to centralize scans and analyze the results, you need Security Center or Tenable.io. Security Center is the choice when you don’t want any of the data leaving your network. Tenable.io offers a modernized user interface and dynamic scalability, and your sysadmins don’t have to administer it: Tenable takes care of all of the system maintenance.
Tenable’s efforts to stop competing with itself are leading to some customer dissatisfaction in the short term, but in the long run they will reduce confusion, which is probably best for everyone.
When it comes to Tenable competitors, Qualys is the largest and one of the oldest. Qualys was doing cloud-based security before people called it the cloud. It has extremely good accuracy and scales to millions of hosts. Storing vulnerability data in the cloud scares people, but Qualys protects your data in a virtual private database and the encryption key is based on your user ID. Even Qualys employees can’t access your data without you creating them an account. Qualys encrypts your data both at rest and in transit.
The Qualys solution is easy to use and easy to deploy. It can be a little daunting to learn, but Qualys offers free training and certification, much like Tenable. Two days of training is generally enough to learn how to deploy the Qualys platform and put it to use. Take advantage of it. Trust me on this. The biggest difference between a satisfied Qualys customer and a dissatisfied one is usually that the dissatisfied one tried to figure things out on their own.
Qualys offers a cloud agent, which sits on each host and eliminates the need to scan. When they see port 443 open and have a change to report, the agents send metadata about the changes back to the Qualys cloud for analysis. The CPU and memory utilization for this are minimal.
Since Qualys is cloud-based, your administrators don’t have to do any maintenance. Qualys takes care of all updates and scaling the platform to meet demand.
The biggest downside with Qualys is cost. Qualys usually costs more than competing solutions. Compared to the others, Qualys asset tracking is clunky and, frankly, 20th century. Finally, the user interface can take some getting used to, but there’s usually some method to the madness. Taking the training helps you make sense of that.
I’m also a bit frustrated with Qualys’ tendency to prioritize creating new products, like a Network Access Control solution, over enhancing its vulnerability management and policy compliance products. When a new technology shows up, or an existing one changes, Qualys doesn’t respond as quickly as Tenable in some cases.
Outside of the government space, Rapid7 is the second largest of Tenable competitors. Rapid7’s platforms, Nexpose and Insight, are extremely easy to learn how to use.
After using a Rapid7 solution, Tenable and the others seem needlessly complex. Another advantage is its integration with Metasploit Pro. If you buy both products, you can use Metasploit Pro to demonstrate a vulnerability. You should do this with caution, but since people frequently will question how big of a problem a finding really is, Metasploit integration helps you demonstrate the issue in a very real way.
Rapid7’s downsides are scalability and accuracy. Nexpose does not scale well to enterprise environments. When I ran it in an enterprise setting with 30,000 hosts, it struggled under the load. For a few hundred hosts, it’s fine.
Regarding accuracy, Rapid7 queries the registry on Windows systems or the package database on Unix and Unix-like systems, but it doesn’t dig into the filesystem. This gives you faster scan times, which is nice. But it also means it doesn’t find partially applied patches that left vulnerable components behind. These false negatives are problematic.
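The gap described above is between what the package database claims and what is actually on disk. The following is an added example (not code from Rapid7 or any vendor) of the file-level cross-check a registry- or package-database-only scanner skips: it reads a dpkg-style `.md5sums` manifest and reports any listed file that is missing or whose contents no longer match. The `libfoo` package, its files and the interrupted-upgrade scenario are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def verify_package_files(md5sums_path, root):
    """Compare every file listed in a dpkg-style .md5sums manifest against
    what is actually on disk under `root`. Returns a dict mapping each
    relative path to 'missing' or 'modified'; an empty dict means the
    files on disk match what the package database claims."""
    findings = {}
    with open(md5sums_path, encoding="utf-8") as manifest:
        for line in manifest:
            line = line.rstrip("\n")
            if not line:
                continue
            expected, rel_path = line.split("  ", 1)  # dpkg separates with two spaces
            full_path = os.path.join(root, rel_path)
            if not os.path.exists(full_path):
                findings[rel_path] = "missing"
                continue
            with open(full_path, "rb") as f:
                actual = hashlib.md5(f.read()).hexdigest()
            if actual != expected:
                findings[rel_path] = "modified"
    return findings

def demo():
    """Constructed scenario: the package DB says the patched libfoo build is
    installed, but one of its files on disk still has the pre-patch content
    (left behind by an interrupted upgrade)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/lib"))
    patched = b"libfoo 1.2-3 patched build\n"   # constructed file contents
    stale = b"libfoo 1.2-2 vulnerable build\n"  # constructed file contents
    with open(os.path.join(root, "usr/lib/libfoo.so.1"), "wb") as f:
        f.write(stale)                          # the stale component
    with open(os.path.join(root, "usr/lib/libfoo-helper.so"), "wb") as f:
        f.write(patched)                        # correctly updated
    manifest = os.path.join(root, "libfoo.md5sums")
    with open(manifest, "w", encoding="utf-8") as f:
        # The manifest records what the package database believes is installed.
        f.write(f"{hashlib.md5(patched).hexdigest()}  usr/lib/libfoo.so.1\n")
        f.write(f"{hashlib.md5(patched).hexdigest()}  usr/lib/libfoo-helper.so\n")
    return verify_package_files(manifest, root)

if __name__ == "__main__":
    print(demo())  # flags the stale library the package database would not
```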
When you evaluate a Rapid7 solution against others in a lab environment, be sure to use older existing systems in your test. The best way to do this is to intercept some decommissioned workstations and servers before your infrastructure teams send them off for disposal. A good test needs to include systems that suffered through years of patching and upgrading.
Rapid7 does not offer free training, so this offsets some of the cost advantage.
Retina is Tenable’s biggest competitor in the government space. Like Rapid7 Nexpose, Retina is fine for small networks. It’s fine for government use because the government and military tend to use lots of small interconnected networks. Like Nessus, Retina is more of a solution for one-off scans than for full-blown vulnerability management.
Retina’s accuracy on Windows systems is pretty good. In my experience, it did find partially applied Windows patches and when I resolved them, it saw the difference. Retina’s pricing also tends to be very good, at least in the government space.
I found it didn’t do a very good job of evaluating Linux systems. It had a tendency to misidentify Debian-based systems as printers. This is problematic since Kali Linux is Debian-based. You don’t want to misidentify a rogue Kali system as a printer and ignore it.
If you’re stuck with Retina, be sure to investigate any printer it finds to ensure it actually is a printer. Better yet, re-scan the network with something else, even if it’s just Nmap, to get a second opinion. Shadow IT is a real problem, and you don’t want people using Retina’s weaknesses to hide it from you.
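The second-opinion check suggested above can be automated. This is an added example (not Retina or Nmap code) that takes the asset types a vulnerability scanner assigned and Nmap XML output, and flags every host labelled "printer" whose open ports contradict that label. The asset list, the XML and the addresses are constructed; the set of ports treated as printer-typical is an assumption you would tune for your own fleet.

```python
import xml.etree.ElementTree as ET

# Ports a print device is typically expected to expose (assumed, tune per fleet).
PRINTER_PORTS = {9100, 515, 631, 80, 443, 161}
PRINTING_PORTS = {9100, 515, 631}

# Constructed Nmap -oX style output for two hosts; not output from a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
      <port protocol="tcp" portid="631"><state state="open"/><service name="ipp"/></port>
    </ports>
  </host>
  <host><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="9100"><state state="closed"/><service name="jetdirect"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed asset classification as the first scanner reported it (not a real export).
SCANNER_ASSET_TYPES = {"10.0.0.5": "printer", "10.0.0.7": "printer", "10.0.0.9": "server"}

def open_ports_by_host(nmap_xml):
    """Map each IPv4 address in Nmap XML output to its set of open TCP ports."""
    hosts = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hosts[addr] = {
            int(p.get("portid"))
            for p in host.iter("port")
            if p.find("state").get("state") == "open"
        }
    return hosts

def suspicious_printers(asset_types, nmap_xml):
    """Return hosts the first scanner called 'printer' that the Nmap second
    opinion contradicts: an open port outside PRINTER_PORTS, or no printing
    service listening at all."""
    flagged = []
    for addr, ports in open_ports_by_host(nmap_xml).items():
        if asset_types.get(addr) != "printer":
            continue
        if ports - PRINTER_PORTS or not ports & PRINTING_PORTS:
            flagged.append(addr)
    return sorted(flagged)
```

Hosts the check returns deserve a manual look before anyone accepts the printer label.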
Tenable competitors: In conclusion
Although some people argue that vulnerability management has become a commodity, I don’t see it just yet. There are still several differentiators among Tenable and its competitors that mean you can’t just swap one for another without losing something. You may gain something too. But if you just buy the cheapest solution each year so you can tell regulators you scan your network every quarter, it’s going to catch up with you.
To find the best solution, you really need to evaluate them using a lab consisting of recently decommissioned systems. Or better yet, tell your sales rep you want a 60- or 90-day proof of concept evaluation that consists of deploying it in your production environment so you can scan real systems with each solution you want to evaluate.
Over the course of 2-3 patch cycles, you should be able to see the differences between the various platforms so you can make a good decision that will stand the test of time.
One more thing: If you don’t use a managed service provider, or more specifically, a managed security service provider, I strongly recommend you look into one. Having help from someone who’s done this before and has seen how other companies solved problems greatly increases your chance of success.