Tenable Vulnerability Management FAQ

General Questions

What is Tenable Vulnerability Management?

Tenable Vulnerability Management is a risk-based vulnerability management solution that gives you full network visibility to predict attacks and quickly respond to critical vulnerabilities. Continuous, always-on discovery and assessment provide the visibility you need to find all assets on your network, as well as hidden vulnerabilities on those assets. Built-in prioritization, threat intelligence and real-time reporting help you understand your risk and proactively disrupt attack paths. Built on Tenable Nessus technology and managed in the cloud, it gives you complete visibility of the assets and vulnerabilities on your network so you can quickly and accurately understand your risk and know which vulnerabilities to fix first.

Tenable Vulnerability Management is an integral component of Tenable One, Tenable's Exposure Management Platform. Tenable One builds on Tenable Vulnerability Management and provides actionable insight into your entire infrastructure's security risks, including cloud instances, web applications, Active Directory (AD) and more, even highly dynamic assets like mobile devices, virtual machines and containers. To elevate cyber risk management even further, you get additional prioritization metrics and capabilities, such as attack surface visualizations, asset criticality ratings, risk-based exposure scoring and peer benchmarking, as well as the ability to track risk reduction over time.

How can I learn more about Tenable Vulnerability Management?

To learn more about Tenable Vulnerability Management, please visit the Tenable Vulnerability Management product page, attend an upcoming webinar or contact your Tenable certified partner or Tenable representative for more information.

How can I evaluate Tenable Vulnerability Management applications?

Please register for a free evaluation of Tenable Vulnerability Management by visiting https://www.tenable.com/try.

How can I buy Tenable Vulnerability Management applications?

You can purchase Tenable Vulnerability Management applications by working with your local Tenable certified partner, contacting your Tenable representative or visiting tenable.com.

Can I license Tenable applications individually?

Yes. You can license Tenable applications individually. For example, Tenable Web App Scanning can be licensed on its own, without the vulnerability management capabilities of Tenable Vulnerability Management.

How is Tenable Vulnerability Management priced and licensed?

Tenable Vulnerability Management is licensed by annual subscription and priced by asset, rather than by IP address. This enables customers to embrace new technologies like cloud without fear of double-counting.

For more information on pricing and licensing, please see the section below.

What is an asset?

An asset is:

  • A physical or virtual device with an operating system connected to a network
  • A web application with an FQDN
  • An active (not terminated) cloud resource

How are other Tenable Vulnerability Management applications priced and licensed?

Tenable Web App Scanning is licensed by annual subscription and priced by asset quantity, where the asset unit is the total number of fully qualified domain names (FQDNs) the product assesses.

For more information on pricing and licensing, please see the section below.

Does Tenable offer a service level agreement (SLA) for Tenable Vulnerability Management?

Yes. Tenable provides the vulnerability management industry's first uptime guarantee through a robust service level agreement (SLA) for Tenable Vulnerability Management. Service credits are offered if the SLA is not met, just like leading cloud vendors, such as Amazon Web Services (AWS).

Where can I find documentation on Tenable Vulnerability Management?

Technical documentation for all Tenable products, including Tenable Vulnerability Management, is at https://docs.tenable.com.

What IPs does Tenable use for scanning from the cloud?

By default, Tenable Vulnerability Management is configured with region-specific cloud scanners. The current list of scanner source addresses is maintained in the Tenable documentation; allow those addresses through perimeter controls before scanning from the cloud.

Can I use both Tenable Security Center and Tenable Vulnerability Management?

Yes. You can use both solutions. Customers can choose a hybrid vulnerability management deployment by utilizing both Tenable Security Center and Tenable Vulnerability Management. Customers interested in Tenable Vulnerability Management PCI/ASV, or other Tenable Vulnerability Management applications, can also choose a hybrid deployment alongside their Tenable Security Center instance.

Can I migrate from Tenable Security Center to Tenable Vulnerability Management?

Yes. For customers who are interested, there are a range of options to smoothly migrate from Tenable Security Center to Tenable Vulnerability Management, with full support from Tenable or your certified partner. For more information, please contact your Tenable certified partner or Tenable representative.

What is External Attack Surface Management (EASM)?

External Attack Surface Management (EASM) is a capability Tenable offers that provides visibility into blind spots outside of your network perimeter. This allows you to scan your domain to find previously unknown internet-connected assets that can pose high risk to your organization.

Is External Attack Surface Management (EASM) included in Tenable Vulnerability Management?

Yes, Tenable Vulnerability Management offers External Attack Surface Management (EASM) capabilities. If you require additional domains, frequency and/or metadata in your results, you can purchase our Tenable Attack Surface Management add-ons.

What is Tenable Web App Scanning?

Tenable Web App Scanning is a dynamic application security testing (DAST) application. A DAST crawls a running web application through the front end to create a site map of all the pages, links and forms available for testing. Once the site map is built, the DAST interrogates the site through the front end to identify vulnerabilities in the application's custom code and known vulnerabilities in the third-party components that make up the bulk of the application.

Where can I learn more about or evaluate Tenable Web App Scanning?

For more information about Tenable Web App Scanning, please visit Tenable Web App Scanning product page. Please register for a free evaluation by visiting tenable.com/try-was or contact your Tenable certified partner or Tenable representative for more information.

Does the product scan source code or perform static analysis?

No. Tenable Web App Scanning is a dynamic application security testing (DAST) solution that tests a web application "from the outside" when the application is running in a test or production environment.

Elastic Asset Licensing Questions

What is Tenable Vulnerability Management Elastic Asset Licensing?

Elastic Asset Licensing, built into Tenable Vulnerability Management, is an innovation that aligns vulnerability management licensing with today's elastic IT environments. Elastic Asset Licensing avoids double counting assets that have multiple and/or changing IP addresses. Additionally, it automatically reclaims licenses from assets that have not been recently scanned, including retired assets and assets that may have been inadvertently scanned.

The primary benefits of Elastic Asset Licensing are:

  • Customers purchase the right amount of licenses, based on asset quantities, not inflated IP counts.
  • Customers avoid time-consuming and often inaccurate projects needed to reclaim licenses from decommissioned and/or inadvertently scanned assets.
  • Vulnerability management metrics are not corrupted by double and triple counting vulnerabilities for assets that have multiple IP addresses.


Can Tenable Vulnerability Management customers scan more assets than licensed?

Yes, on a temporary basis, customers can exceed the licensed number of assets. Of course, customers need to true-up when license counts continue to be exceeded.

What is an asset?

An asset is an entity that can be analyzed. Examples include desktops, laptops, servers, storage devices, network devices, phones, tablets, VMs, hypervisors and containers.

How does Tenable Vulnerability Management identify an asset?

When Tenable Vulnerability Management first discovers an asset, it gathers multiple identification attributes, which may include a BIOS UUID, the system's MAC Address, NetBIOS name, FQDN, and/or other attributes that can be used to reliably identify an asset. Additionally, authenticated scanning and Nessus agents assign a Tenable UUID to the device. When Tenable Vulnerability Management subsequently scans an asset, it compares it to previously discovered assets. If the newly discovered asset does not match a previously discovered asset, the asset is added to the Tenable Vulnerability Management asset inventory.

How are assets different from IPs?

IPs are typically a property of an asset, and many assets have multiple IPs assigned (such as DHCP devices, systems with both wired and wireless interfaces, etc.).

Why are asset counts likely to be lower than IP counts?

Frequently, assets have multiple network interface cards, enabling them to be reached from multiple networks. For example, a web server may sit simultaneously on a production network and an administrative network, and a laptop will often have both a wired and a wireless interface. Additionally, laptops often receive new IPs as they move from one location to another. If an IP-based count scans such a device with one IP and then another, it is counted twice, whereas an asset-based count records it once.

How can prospects estimate their asset count?

Tenable Vulnerability Management supports unlimited discovery scans using both active and passive sensors. Customers can use these scans to comprehensively inventory all of their assets and determine the appropriate license size.

How do you avoid counting the same asset multiple times?

Tenable Vulnerability Management supports a variety of methodologies to avoid double- or triple-counting the same asset when calculating the appropriate license size. With traditional assets, Tenable Vulnerability Management uses a proprietary algorithm that matches newly discovered assets against already discovered assets to eliminate duplicates and ensure more accurate vulnerability reporting.
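The three answers above describe the matching behaviour in prose. The following Python example is added here to make it concrete; it is not Tenable's proprietary algorithm or code, and the attribute names, hostnames, MAC addresses and IPs are constructed for illustration. Each scan observation carries whatever identifiers the scan could collect (a Tenable UUID from an authenticated scan or agent, BIOS UUID, MAC address, NetBIOS name, FQDN) plus the IP it was seen on; observations that share any identifier fold into one asset, so the asset count comes out lower than the IP count. It also handles the case the prose implies but does not spell out: an observation that links two records previously kept apart (one keyed on a MAC, one on an FQDN) must merge them.

```python
"""Illustrative asset de-duplication for license counting.

Added example; not Tenable's matching algorithm. Identifiers, hosts and IPs
below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional

# Identifiers that are allowed to link two observations into one asset.
# A Tenable UUID (from authenticated scans/agents) is the most reliable;
# NetBIOS names are the weakest, since re-imaged machines often reuse them.
MATCH_KEYS = ("tenable_uuid", "bios_uuid", "mac", "netbios_name", "fqdn")


@dataclass
class Observation:
    ip: str
    tenable_uuid: Optional[str] = None
    bios_uuid: Optional[str] = None
    mac: Optional[str] = None          # MAC of the interface seen in this scan
    netbios_name: Optional[str] = None
    fqdn: Optional[str] = None


@dataclass(eq=False)                   # identity semantics: one object per asset
class Asset:
    ids: dict = field(default_factory=dict)   # key -> set of normalised values
    ips: set = field(default_factory=set)

    def matches(self, obs: Observation) -> bool:
        return any(
            getattr(obs, key) and getattr(obs, key).lower() in self.ids.get(key, set())
            for key in MATCH_KEYS
        )

    def absorb(self, obs: Observation) -> None:
        self.ips.add(obs.ip)
        for key in MATCH_KEYS:
            value = getattr(obs, key)
            if value:
                self.ids.setdefault(key, set()).add(value.lower())


def dedupe(observations):
    """Fold observations into assets, merging assets an observation bridges."""
    assets = []
    for obs in observations:
        hits = [a for a in assets if a.matches(obs)]
        if not hits:
            hits = [Asset()]
            assets.append(hits[0])
        primary, *rest = hits
        for other in rest:               # obs links several records: merge them
            primary.ips |= other.ips
            for key, values in other.ids.items():
                primary.ids.setdefault(key, set()).update(values)
            assets = [a for a in assets if a is not other]
        primary.absorb(obs)
    return assets


def license_summary(observations) -> dict:
    """Compare raw observations, unique IPs and de-duplicated assets."""
    return {
        "observations": len(observations),
        "unique_ips": len({o.ip for o in observations}),
        "assets": len(dedupe(observations)),
    }


# Constructed sample scan history (not real hosts).
OBSERVATIONS = [
    # Web server: production NIC and admin NIC share a BIOS UUID.
    Observation("10.0.1.10", fqdn="web01.corp.example", mac="AA:BB:CC:00:00:01", bios_uuid="b1"),
    Observation("10.0.99.10", mac="AA:BB:CC:00:00:02", bios_uuid="b1"),
    # Laptop: wired, then wireless (different MACs, same agent UUID), then a new DHCP lease
    # seen only by an unauthenticated scan that captured the wireless MAC.
    Observation("10.0.5.23", netbios_name="LAPTOP-ALICE", mac="AA:BB:CC:00:00:11", tenable_uuid="t1"),
    Observation("10.0.7.88", netbios_name="LAPTOP-ALICE", mac="AA:BB:CC:00:00:12", tenable_uuid="t1"),
    Observation("10.0.7.91", mac="aa:bb:cc:00:00:12"),
    # Printer: MAC only.
    Observation("10.0.3.5", mac="AA:BB:CC:00:00:33"),
    # Database server: first two scans see disjoint identifiers, a later
    # authenticated scan carries both and merges the two records.
    Observation("10.0.8.40", mac="AA:BB:CC:00:00:44"),
    Observation("10.0.8.41", fqdn="db01.corp.example"),
    Observation("10.0.8.40", mac="AA:BB:CC:00:00:44", fqdn="db01.corp.example"),
]

if __name__ == "__main__":
    print(license_summary(OBSERVATIONS))
    for asset in dedupe(OBSERVATIONS):
        print(sorted(asset.ips), {k: sorted(v) for k, v in asset.ids.items()})
```

Running it on the sample history yields 9 observations, 8 unique IPs and 4 assets; the laptop alone accounts for three IPs. Two caveats a practitioner should keep in mind: MAC and NetBIOS matching is only as good as the network's hygiene (cloned VMs with duplicated MACs or reused hostnames will be wrongly merged), and the cheap linear scan over existing assets is fine for a demonstration but should become an index keyed on each identifier for inventories of any size.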

PCI ASV

What is PCI ASV?

PCI ASV refers to requirement 11.2.2 of the Payment Card Industry (PCI) Data Security Standard (DSS) Requirements and Security Assessment Procedures that requires quarterly external vulnerability scans, which must be performed (or attested to) by an Approved Scanning Vendor (ASV). An ASV is an organization with a set of services and tools ("ASV Scanning Solution") to validate adherence to the external scanning requirement of PCI DSS Requirement 11.2.2.

Which systems are in scope for ASV Scanning?

The PCI DSS requires vulnerability scanning of all externally accessible (internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment, as well as any externally facing system component that provides a path to the cardholder data environment.

What is the ASV process?

The main phases of ASV scanning consist of:

  • Scoping: Performed by the customer to include all internet-facing system components that are part of the cardholder data environment.
  • Scanning: Using the Tenable Vulnerability Management PCI Quarterly External Scan template
  • Reporting/remediation: Results from interim reports are remediated.
  • Dispute resolution: Customer and ASV work together to document and resolve disputed scan results.
  • Rescan (as needed): Until a passing scan that resolves disputes and exceptions is generated.
  • Final reporting: Submitted and delivered in a secure fashion.

How frequently are ASV scans required?

ASV vulnerability scans are required at least quarterly and after any significant change in the network, such as new system component installations, changes in network topology, firewall-rule modifications or product upgrades.

How is an approved scanning vendor (ASV) different from a qualified security assessor (QSA)?

An approved scanning vendor (ASV) specifically performs only the external vulnerability scans described in PCI DSS 11.2. A qualified security assessor (QSA) refers to an assessor company the PCI Security Standards Council (SSC) has qualified and trained to perform general PCI DSS on-site assessments.

Is Tenable a certified PCI ASV?

Yes. Tenable is qualified as an approved scanning vendor (ASV) to validate external vulnerability scans of internet-facing environments (used to store, process or transmit cardholder data) of merchants and service providers. The ASV qualification process consists of three parts: the first involves the qualification of Tenable Network Security as a vendor. The second relates to the qualification of Tenable employees responsible for the remote PCI scanning services. The third consists of the security testing of the Tenable remote scanning solution (Tenable Vulnerability Management and Tenable PCI ASV).

As an approved scanning vendor (ASV), does Tenable actually perform the scans?

ASVs may perform the scans themselves. However, Tenable relies on customers to conduct their own scans using the PCI Quarterly External Scan template. This template prevents customers from changing configuration settings, such as disabling vulnerability checks, assigning severity levels or altering scan parameters. Customers use Tenable Vulnerability Management cloud-based scanners to scan their internet-facing environments and then submit compliant scan reports to Tenable for attestation. Tenable attests the scan reports, and the customer then submits them to their acquirers or payment brands as directed by the payment brands.

Does Tenable PCI ASV comply with EU data sovereignty requirements?

Vulnerability data is not EU DPD 95/46/EC data, so any data residency requirements would be customer driven rather than regulatory driven. EU state governmental organizations could have their own data residency requirements, but those would have to be assessed on a case-by-case basis and would probably not be an issue for PCI ASV scans.

Does Tenable Vulnerability Management include any PCI ASV licenses?

Yes, Tenable Vulnerability Management includes a PCI ASV license for a single, unique PCI asset. Some organizations have taken great pains to limit the assets in scope for PCI, often by outsourcing payment processing functions. Because these customers are arguably "not in the PCI business," Tenable has simplified its purchasing and licensing. A customer can change their asset every 90 days.

How is Tenable PCI ASV licensed?

For customers having more than a single, unique PCI asset, the Tenable PCI ASV solution is licensed as an add-on to Tenable Vulnerability Management subscriptions.

Why isn't Tenable PCI ASV licensed according to the number of a customer's internet-facing PCI assets?

The number of internet-facing hosts that are within or provide a path to an entity's cardholder data environment (CDE) can change frequently, thereby creating licensing complexity. Tenable elected to use a simpler licensing approach.

How many attestations may a customer submit per quarter?

Customers can submit an unlimited number of quarterly attestations.

Are trial/evaluation customers eligible to evaluate Tenable PCI ASV?

Yes. An evaluation customer can use the PCI Quarterly External Scan template to scan assets and review results. However, they cannot submit the scan reports for attestation.
