Tenable Nessus Manager/Cloud
Strengths: Simplicity, comprehensive vulnerability scanning, reliability and solid reporting.
Weaknesses: None that we found.
Verdict: This is not expensive and one might want to consider it as a second scanning tool if one already has something else. For smaller organisations, it’s all that is needed. Nessus, the core of this product, probably is the best-known vulnerability scanner in the world.
Nessus has been a staple of the vulnerability analysis world for as long as we can recall. When Tenable took it over as a commercial product it only got better. Now there is a very nice enterprise-class front-end for the scan engine and we like that as well. We tested the Cloud version, although the Cloud and the Manager are, essentially, the same thing - with the Manager being an on-premises tool.
Startup is a walk in the park and we do like that. All we had to do was register for the cloud tool and get started. Everything happens under the covers. We decided to start right in with an ad hoc scan. We went to the Scans menu, selected a scan template from the 17 specialised templates on offer, and entered our internet-facing honeynet as the target of a new scan. This selection is an excellent starting point - with everything from a comprehensive (advanced) scan to PCI, SCAP and OVAL auditing.
We ran the scan and were pleased with the results. It found - as we had hoped - our VMware bare metal host, as well as the devices running on it that were exposed to the internet. Next we visited the policy engine. Once one creates a scan policy, it will show up with the other scan templates. Asset lists are easy to add as well. You can add them manually - no one except small enterprises or someone doing a quick ad hoc scan of a small number of hosts would do this, though - or import a list. We went for the manual ad hoc approach.
As you set up your asset list you can add exclusions, so if you are inputting a list of everything you have and you're afraid that your Windows NT server might fall over if you hit it with anything current, you can exclude it from the scans.
Scanners can be paired with the Manager, as can agents. What that means is that you can deploy scan engines or agents anywhere in the world and tie them back to your Manager or Cloud instance. Reporting is comprehensive and there is a lot of good detail about individual vulnerabilities. Patch management is accomplished by auditing patch status and reporting the results as it would for any vulnerability.
We generated a report - there are several formats but we selected PDF. The report is well-indexed and contains everything we could ask for. This particular report groups vulnerabilities by (Nessus) plugin. Each finding was accompanied by a synopsis, a description, a solution, a risk factor, the CVSS base score and the hosts on which it was found. There is a lot of detail. For example, one of our targets suffers from weak SSH algorithms. Cloud's report told us which weak algorithms are supported, both in the client-to-server and server-to-client directions. There always are references so you can look up more detailed information if you wish.
This product has next-generation capabilities. However, they are well hidden under the covers. Cloud and Manager use information about vulnerabilities to ensure that you get a good vulnerability picture. But this is a pure-play vulnerability management tool. It does not perform simulations or threat analysis. What it does - vulnerability management - it does as well as or better than any system we've seen, and its long history makes it completely reliable. We have been doing vulnerability testing since the introduction of SATAN, and Nessus has been around nearly as long; it only gets better with age and experience. This is a good example of doing what you do best and not trying to get outside your wheelhouse.
The website is very complete and we liked the simple, straightforward documentation. Support is included.