Tenable SecurityCenter Continuous View Overview

Tenable SecurityCenter Continuous View is the #36 ranked solution in our list of best Network Monitoring Tools. It is most often compared to Fortinet FortiSIEM.

What is Tenable SecurityCenter Continuous View?

SecurityCenter Continuous View is the market-leading continuous network monitoring platform. It integrates SecurityCenter along with multiple Nessus Network Monitor sensors and Log Correlation Engine (LCE) to provide comprehensive continuous network monitoring.

Tenable SecurityCenter Continuous View is also known as SecurityCenter Continuous View, SecurityCenter CV.

Buyer's Guide

Download the Network Monitoring Software Buyer's Guide including reviews and more. Updated: September 2021

Tenable SecurityCenter Continuous View Customers

Methodist Healthcare Ministries

Archived Tenable SecurityCenter Continuous View Reviews (more than two years old)

GS
Director - Information Risk Management at a consultancy with 1,001-5,000 employees
Real User
Provides the best network-based vulnerability scanning, but the dynamic scanning is lackluster

Pros and Cons

  • "The first of the valuable features is how easy it is to access all of the information that's gathered from the assessments... With a lot of other technologies, like Rapid7, if you're using Nexpose you effectively have to be a DBA to get some of the lower-level results from the scans. And Qualys wasn't very intuitive."
  • "The next big one is supportability. In a large enterprise, we have many types of technologies. The technology we previously had didn't even support authentication to a lot of those technologies."
  • "When it comes to... dynamic application scanning, I think they are lagging behind the curve. They have a lackluster solution, to the point where I think they need to determine, as a company, whether or not that's a space they even want to play in."

What is our primary use case?

We have three or four use cases. 

The first is enterprise vulnerability management through continuous scanning. Twice a week, every week, we fully authenticate every host in the environment to perform authenticated scans. The caveat there is our mobile workstations, like our Macs or our Windows laptops. We've deployed agents on them and we do those scans daily. 

The second use case is baseline adherence. We have tailored, customized, secure baselines for about 40 technologies in the environment and we attest to them once a week: everything from common server versions, to a dozen or more database technologies, to middleware, etc. 

Thirdly, we use Tenable.io as our PCI ASV. That's our scanning platform to satisfy some of our PCI controls. 

Finally, we also use Tenable.io to perform truly continuous - in the sense that it never stops - unauthenticated scanning at the perimeter.

We use Tenable to monitor many dozens of technologies. For the most part, any database technology you can think of: multiple versions of Windows Server, Windows 10 on the workstation, High Sierra and Mojave for macOS, a bunch of different networking technologies. The list goes on.

How has it helped my organization?

A major advantage, that falls under the "supportability" umbrella, is that with the previous technologies, they didn't have a great way to create highly customized or tailored baselines. With Tenable all the baselines we have are tailored to what we want to see in the environment, and that's what we attest to. It's a little different now, but when we were doing an RFP, the other players would allow you to do CIS, but they wouldn't really allow you to customize them or create your own custom checks, and that's something we do extensively.

The nice thing about Tenable's Predictive Prioritization features is that, while our SOPs haven't been updated yet, with Predictive Prioritization it effectively allows us to scale out our tailored risk calculations in the environment.

With Tenable's ability to do highly customized and tailored baselines, it has allowed us to much more accurately measure our adherence to a tailored baseline, versus something like base CIS. With that greater visibility, it allows us to better manage our actual platforms. Every week, at least for our major platforms, we're partnering with them to continuously drive adherence to our tailored baselines. Previously, we were unable to do that effectively.

The level of visibility Tenable provides us, compared to our previous solutions is night and day. For traditional, network-based vulnerability scanning, Tenable is at the top. It's that simple.

What is most valuable?

The first of the valuable features is how easy it is to access all of the information that's gathered from the assessments. That was one of the differentiators when we did an RFP a year-and-a-half ago or so. With a lot of other technologies, like Rapid7, if you're using Nexpose you effectively have to be a DBA to get some of the lower-level results from the scans. And Qualys wasn't very intuitive. (We actually had both Nexpose and Qualys in-house, historically. We had really good experience with all the leading platforms). How easy it is to get the data is a big feature.

The next big one is supportability. In a large enterprise, we have many types of technologies. The technology we previously had didn't even support authentication to a lot of those technologies.

In terms of vulnerability prioritization through Tenable's Predictive Prioritization, internally we have something called a residual risk calculation. Whether through manual vulnerability research or through scanning, vulnerabilities go through this residual risk calculation. We already had a pretty big data set of what the base CVSS scores look like, compared to what they should be for our environment. We use that data set to compare against the Predictive Prioritization to really pressure-test whether or not Predictive Prioritization was accurate for our environment. Thus far, it's wildly similar. It seems to be very accurate. We shared a bunch of data with Tenable to give them some affirmation as to what we were seeing across our enterprise.

Regarding their Vulnerability Priority Rating, so far so good. I love what they've done with their integration, looking toward the future. It's a great step forward. I don't think it's in its final form, it's not its final iteration, but it's definitely a good step forward.

What needs improvement?

One thing that is missing from the Predictive Prioritization is some extra context. I've given this feedback to their engineering leadership. What's missing is integrating with certain data sources like the CMDB. If you knew a given asset was supporting a Tier-1 application, you would naturally rate the vulnerability on that asset higher than you would that same vulnerability on an asset that's in a protected enclave.

There are other areas with room for improvement. When it comes to traditional network-based vulnerability assessment Tenable is, hands-down, the best solution. I'm highly confident in that statement. When it comes to some of the other areas they have ventured into, like dynamic application scanning, I think they are lagging behind the curve. They have a lackluster solution, to the point where I think they need to determine, as a company, whether or not that's a space they even want to play in. And if they want to play in that space, they need a significant investment in it.

In the container space, they are not really viewed as a market leader yet. I think they've got a way to go in container vulnerability management. There are a bunch of other solutions out there, like Anchore, that a lot of folks use. That's definitely an area of opportunity.

Also, you see a bunch of other technologies that lay on top of platforms such as Tenable for risk prioritization. Tenable is dabbling in that with their Predictive Prioritization, dabbling in ranking solutions. That needs to be a continued focus. I think there is a lot of opportunity there, and it has gone down a good path, but that needs to be a continued focus.

The difficulty with that is that it's limited. When you look at an enterprise vulnerability management program, Tenable's solutions aren't going to cover every aspect. If you think about the SDLC, aside from some of their container scanning, they don't really have much embedded in the SDLC. You're going to have a bunch of different types of scanning that all need to come together to effectively rank your priorities, or the solutions that need to be implemented. Tenable is really just looking at one piece, which is primarily your operating system, databases, and middleware. They're not really looking at any of the applications.

For how long have I used the solution?

Personally, I've been using Tenable for many years. In our enterprise environment, we deployed Tenable.io and Tenable Security Center just over 12 months ago.

What do I think about the stability of the solution?

The stability has been excellent, almost perfect. A couple of caveats: 

If you have to do a lot of trending dashboards, Security Center will come to a screeching halt. We had to be methodical about when we schedule our trending dashboards. 

Also, the way you design or create your repositories in Security Center needs to be well thought out, because there's a direct correlation between the size of the repository and how much memory you have on that given server. In other words, you can't create one repository and put 150,000 assets of data in it. It simply won't work. We found that out the hard way. We didn't know that going into it.

We redesigned our repositories. We have a repository just for our agents, we have a repository for each of our subsidiaries, we have a repository for our compliance scanning, etc. We have something like 25 or 28 repositories.

But the stability is, for the most part, rock solid.

What do I think about the scalability of the solution?

We've had zero issues so far with scalability. We're now an international company and we've had no issues. 

There is the common stuff that isn't related to Tenable. If you have, say, a really small pipe to a remote office, naturally you're going to have lesser performance. Or if you're scanning across the WAN you're going to have higher latency. Aside from those obvious network issues, we've had no issues whatsoever with Tenable's scalability.

How are customer service and technical support?

Tenable's technical support is the best I've ever had for any product. We have paid for something called Elite Support. It's their premium support where you have an analyst or engineer assigned to your account. For us it has been really beneficial. Given our large environment, we have edge cases. Having somebody who already knows our environment, our infrastructure, and the analysts on my team, allows us to move at a much higher velocity.

Also, whenever we have a request for enhancement or a feature request, our Tenable contact manages them through Tenable's lifecycle. A guy named Eric is our lead support contact, and he has been, hands-down, the best support contact I've ever had.

Which solution did I use previously and why did I switch?

We used Qualys as an ASV, and Nexpose for all our internal scanning.

How was the initial setup?

The initial setup was very straightforward. We actually had our MVP employed in four months. We defined MVP as feature-parity with our previous solution, which included enterprise coverage, full credentials, and baselines. Doing that in four months in a highly complex enterprise environment was actually a really big win. It took us quite a bit longer with other technologies.

When it came to an implementation strategy, first of all the implementation had to be quick because we had to have an enterprise deployment before our licensing with the other technologies expired. Timing was a key driver. The strategy was simple. We backed into the strategy. We knew what our high-level goals were: We wanted enterprise coverage with credentials, and we wanted baselines. That's where the strategy came from. We broke it down by milestones. We're an Agile shop so we had some sort of release every two or three weeks and we had good folks driving the project; good delivery management.

What about the implementation team?

It was all internal. We did have some time with Professional Services to validate architecture, validate the size of the infrastructure prior to deploying it, to ensure that we wouldn't have any performance issues. We had a lot of validation work on the front side, but other than that, it was all deployed through internal resources.

What was our ROI?

In the security space, ROI is a horribly difficult question to address. 

It's helping us better manage our configuration adherence, our baseline adherence, as well as vulnerabilities, so there is an ROI but it hasn't been quantified. It's a qualitative ROI. I couldn't give you a quantitative response.

What's my experience with pricing, setup cost, and licensing?

We did a three-year deal where the cost is amortized over the three years. The Elite Support was an additional cost to the standard licensing fees.

In terms of other potential costs, if you use Security Center, most of the time it is on-premise, so you're going to have some sort of infrastructure to build out and there's going to be a cost associated with that. Depending upon the size of your enterprise, it could range from a couple of thousand to $100,000. If you're using Tenable.io, it's all out in the cloud so you don't have any infrastructure cost.

Which other solutions did I evaluate?

Rapid7 and Qualys were the final players in our RFP, in addition to Tenable.

What other advice do I have?

My advice isn't vendor-specific, it's much more agnostic. Whoever is looking for a new solution for vulnerability management or configuration management, needs to ensure that they take their time. Develop a strong RFP process that's objective and quantitative and removes bias. Then, perform a well-thought-out PoC and let the data speak for itself. For me, it's extremely important that when you're planning on spending millions of dollars, or making a large purchase, that you remove any emotion or bias. You take the relationships out of the picture, and you let the best product win, given a certain use case.

In terms of Tenable focusing our resources on vulnerabilities which are most likely to be exploited, I can't say yes or no. One of the functions our team has is to focus on vulnerability research and emerging threats, and that was before there was ever a plugin created for Tenable. The team is actually really proactive in identifying vulnerabilities through manual research. That's where a lot of the critical stuff comes from. We'll find something critical before the scanning vendors even have a check for it.

The output of Tenable is used by dozens of folks, primarily engineers. Tenable itself, as a platform, is used by 15 or 20 folks. Most of them are vulnerability analysts and some of them are platform engineers. There are a dozen or so executive leaders who reference Tenable's data, as well. We built some 50 dashboards, tailored to a given audience, so that they can see near real-time results. For example, our CIO has an enterprise goal of reducing X percent of vulnerabilities in our enterprise, so we've built out specific dashboards reflecting all of that work. Maintenance of the product requires one person, and it's not a full-time position. For deployment, I had two people, who are security analysts. I actually did not need software engineers to do it.

We're using Tenable very extensively. Some of the feedback I got from Tenable this week is that we're actually one of their more mature clients. And we are expanding our usage. Our company was procured in early December last year, and we'll be expanding not only the scope of what we currently use but also increasing some of the functionality.

For traditional, network-based vulnerability management, I would rate Tenable a nine out of ten. For dynamic application scanning, it's a two out of ten. Overall, I'd put Tenable at a seven out of ten, which is still definitely higher than any of the other technologies that operate in the market. I think this segment of the market is a bit confused. There are too many companies looking to be a silver-bullet and own it all, and their strategy is a bit confused.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Eric Noe
Senior Information Technology Security Engineer at an insurance company with 10,001+ employees
Real User
Enables us to find vulnerabilities and maintain PCI compliance

Pros and Cons

  • "The scanning itself is really the core of the tool, and it's what we're most interested in."
  • "There are certain circumstances where they may have found a vulnerable service and they just removed the service completely from the device because nobody was using it. There's no way to go into SecurityCenter and mark it, to say, "This is no longer an issue. It doesn't exist anymore." Or, "The risk was accepted for one year, so let's not report it as 'high' until that one year period is done." The handling of operational flow around vulnerability management could be improved."

What is our primary use case?

We use it for scanning across our network. We leverage the Nessus scanners to scan the environments we have. That includes the external view, scanning across our DMZ, PCI, and internal environments. We have our Windows and Linux clients and servers. We have IP enabled on almost everything, including the printers, cameras, and elevator banks. It does some analysis on anything that's plugged into the network, with varying degrees of efficiency based on what the device is.

We do full IP-import scans periodically. When we do the actual scans themselves they're usually more narrowed and focused, because if you did every port and every IP every time it would take forever.

How has it helped my organization?

SecurityCenter enables us to find all the vulnerabilities, export that data, prioritize it, and address the highest-risk vulnerabilities. That is definitely the main goal of the tool and it wouldn't be possible without the scanning technology accurately assessing the environment. 

It helps to limit our cyber exposure because every time we identify one of the exposed or high-risk vulnerabilities and enclose that, or address it, it reduces the overall exposure. This solution is just one tool in the whole chain that helps accomplish that. It is a very critical component, but it's not doing it in a vacuum.

The scanning helps us focus resources on the vulnerabilities that are most likely to be exploited. We're just starting to look into doing the compliance policies. That will be the next step. Right now, we're reactive, addressing vulnerabilities that are detected. We'd like to identify misconfigurations upfront, address those to speed things up, and reduce the resource cost. If you let a bad image go out to production, and deploy it on 50 systems, you have 50 tickets instead of a single place to fix it. That's what we're looking to leverage next.

In terms of financial value, within PCI compliance especially, if you don't have a scanner in place or you're not conducting PCI scans, you can't participate in the credit industry and accept credit cards. That's a requirement and a role that Tenable fills, one that must be addressed through regulation. We are also subject to GRC and a couple of others which are directly addressed, or a component of them is addressed, through Tenable and scans that it runs.

What is most valuable?

The scanning itself is really the core of the tool, and it's what we're most interested in.

What needs improvement?

There are two areas that have room for improvement. 

One is account lockouts; we have had some issues with that. Part of it could just be the way we've handled it, but if we're scanning a large section of the network, and we end up with an account lockout, we can't do authenticated scans. That scan will just continue executing, even without credentials and that makes it difficult to figure things out. Where did it fail? Which ones were fully scanned? Which ones weren't fully scanned? We'd like the ability to only do authenticated scans, so if there's an authentication failure perhaps the scan stops. Or we'd like to have some way to recover scanned data. We export that scanned data to another tool and that's where things start breaking down, because it doesn't know. It sees that it was an authenticated scan, but half the hosts might not have been authenticated to. That may be specific to our use case, to a certain degree.

The other area for improvement is that in specific vulnerability occurrences we would like a little more support for various operational needs. There are certain things that might be false positives. There are certain circumstances where they may have found a vulnerable service and they just removed the service completely from the device because nobody was using it. There's no way to go into SecurityCenter and mark it, to say, "This is no longer an issue. It doesn't exist anymore." Or, "The risk was accepted for one year, so let's not report it as a 'high' until that one-year period is done." The handling of operational flow around vulnerability management could be improved.

For how long have I used the solution?

I have been using the solution for a little over a year.

What do I think about the stability of the solution?

So far we haven't seen any stability issues.

What do I think about the scalability of the solution?

The only issue we've been looking at so far is getting our scan cycles lower. There may be some optimizations needed in the scans, as well as deploying additional scan agents. But it's been pretty simple, as we need more capacity, to deploy more scan agents to various parts of the network. So far we haven't seen any issues with that and we're running with something like 60,000 licenses, to give you an idea of the volume that we're working with.

How are customer service and technical support?

We have a dedicated account contact and rep whom we work with if we need anything. So far our experience has been good. Every time we've reached out, as far as I know, when we have had any issues they've responded. We may not have always gotten the answers we were looking for, but they're always quick and able to respond and provide the information we need.

Which solution did I use previously and why did I switch?

We were using one of Tenable's main competitors. There are only a couple. Part of the reason for our switch to Tenable was related to licensing costs. Some of it was related to the speed of updates that we were seeing with plugins, and things of that nature. We found that Tenable was a little bit quicker in rolling out updated plugins, especially for some high-level vulnerabilities which came out. Coincidentally, right around the time of our PoC, there were some of those remote code execution vulnerabilities in WebLogic and a couple of other devices. We found Tenable was just a lot faster delivering updated plugins to detect those than the product we were using before.

In terms of the visibility of Tenable versus our previous solution, they're comparable. We have visibility everywhere that we can reach and scan, that has an IP address.

How was the initial setup?

I didn't do the initial deploy, but I was involved from the proof of concept and use the tool on a pretty regular basis. It was pretty easy to set up, from the discussions I've had with our team. A different team member handled the initial install and configuration, but it was pretty straightforward. The initial setup, getting certificate deployed, and rolling out the additional Nessus scan agents was all pretty straightforward and easy, as far as I understand.

Part of the time it took was internal to us, where we were waiting on the devices to host both environments. We did a QA and a production environment. We were waiting on internal servers to be stood up and things like that. But the initial install and deploying, once everything was in place, didn't take very long at all.

We were running a different product which did similar scans for a long time, so we already had the plan set up for the QA and production servers. I believe they had some failover to our other environments. We already knew where we were going to deploy agents within the DMZ and within the PCI networks so they could reach everything, including firewall rules. We already were aware of everything and mirrored it when we brought in SecurityCenter.

What about the implementation team?

We just had some discussions with Tenable and then used internal resources.

We have a team of four people who work on the scanning, the standing-up and managing of SecurityCenter. There are three people who do it on a regular basis and one who supports it based on vacations and people out of the office, etc.

What was our ROI?

The areas of ROI include the visibility, the scanning, and being able to identify those vulnerabilities and then feed them through the pipeline to get those prioritized results. Without the scanner and Tenable doing the initial scans, none of the rest of the flow - addressing those vulnerabilities, and reducing our risk and exposure - would be possible. 

It also helps with certain PCI compliance because you have to have scans.

We don't get down to the nitty-gritty cost of specific risks. We report a risk as we see it, and there's a different audit organization within our organization that does IT risk management. It will take all the risks and combine that with the financial impacts. I couldn't tell you, "We're saving a million dollars." Our team doesn't look at it at that level. We identify the vulnerabilities as they exist and prioritize them for other teams to consume.

What's my experience with pricing, setup cost, and licensing?

I believe we have a yearly contract. I don't have the details around the exact cost.

Which other solutions did I evaluate?

When we switched over we did a proof of concept across multiple products. We looked at about six vendors in both the scanning and prioritization spaces, since they overlap. Quite a few products will do scanning and prioritization. Some do only scanning. Some do only prioritization. We looked at many vendors before settling on Tenable.

What other advice do I have?

The fundamentals are the most important part. Make sure you can access and scan all the different parts of your network with the correct authenticated scans. That is what is most important. Everything else derives from that base data, so you have to make sure that's in place and organized correctly.

In terms of vulnerability prioritization, a lot of it is based on the CVSS score. We're just starting to look into the VPR feature and see how well we agree with that. The way we have it, within our architecture, is that SecurityCenter will run the scans, and then we export the scanned results into a different tool that does network modeling and prioritization. After that system prioritizes, it forwards it into our ServiceNow platform for ticketing and remediation. So far it's been effective in accomplishing the goals we had.

In terms of SecurityCenter reducing the number of critical and high vulnerabilities we need to patch first, I can't really answer that question. With such a large environment, we have quite a number of vulnerabilities. We're not using, for the most part, Tenable's built-in prioritization, or the VPR rating. So it's hard to say if Tenable increased or decreased the number of vulnerabilities that we have to address, compared to the previous solution. A lot of stuff changed around the same time, so it's not comparing apples to apples.

Our team is the only one that manages SecurityCenter day-to-day and runs the scans. After the scans are done it goes out to a prioritization tool which applies some additional context and additional data to drive a risk score. Based on a threshold there, it's sent into ServiceNow where the team which owns the asset or the device will do the remediation. Most of the data they get comes directly from Tenable. It's just removed a couple of steps by going through those other platforms.

Overall I would rate SecurityCenter at nine out of ten. There are definitely some things that could probably be improved, but how we use it might not be how every other customer uses it. Just because we don't use a feature, or we're missing a feature, doesn't mean that other customers aren't getting more leverage out of it.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.