Continuous security and vulnerability detection: both Tenable and Qualys have built industry-leading suites around these two cybersecurity disciplines. The latter in particular serves as a focus for both vendors, with Tenable.sc, formerly known as Tenable SecurityCenter, and Qualys Enterprise going head-to-head for the top slot in the vulnerability management category. Let's take a look at how the two stack up in this comparison.
Although it has become fairly fashionable these days to declare perimeter security "dead", the truth of the matter is that firewalls and endpoint security mechanisms remain critical components of enterprise security. However, they should never stand as lone sentries between the enterprise's IT assets and cyber attackers.
The continuous security required for safeguarding against today's cyberattacks is provided by a myriad of tools and platforms working in conjunction: vulnerability detection, compliance monitoring, security information and event management (SIEM) / log management systems, smart / next-generation firewalls (NGFW), and more.
Tenable and Qualys both offer integrated security platforms built around vulnerability detection, layering on additional security mechanisms like malware detection, security analytics, and anomaly detection. There are many similarities and overlaps in functionality. Both vulnerability management solutions have functionality for vulnerability scanning and support detailed security risk assessment.
When it comes to the specific advantages of each of these tools, Tenable stands out as an audit tool for known hosts as well as a reliable catch-all toolkit for black-box testing. It works equally well across the entire organization or deployed in just a single department of, say, a large corporation.
Qualys has unique advantages of its own, including high quality of support, as well as ease of use and administration. From a cost perspective, Qualys is also more affordable, and this is often the deciding difference for smaller organizations.
Tenable
Perhaps best known for its free (for personal use) Tenable Nessus vulnerability scanner, Tenable offers Tenable.sc, formerly known as SecurityCenter, which provides vulnerability management and security analytics, viewed and managed through a series of pre-built, highly customizable dashboards and reports.
The Tenable interface. Source: Tenable Network Security / YouTube.com.
Tenable.sc Continuous View (CV) adds more features for continuous visibility, advanced analytics, real-time metrics, and continuous compliance, among others. Tenable.sc is good at handling network sweeps and vulnerability scans, as well as network and host auditing, including NIST, CIS, and DoD audit policies.
Depending on the organization, Tenable can be cumbersome, especially for smaller organizations. This lack of easy, step-wise scaling can be a drawback, opening the door to other, smaller solutions for the range of cybersecurity and vulnerability scanning requirements.
That said, Tenable is often considered a giant of the industry, able to go toe to toe against other notable vulnerability management providers like Rapid7 and BeyondTrust. Many shops rely on Tenable tools, which include Tenable.sc, Tenable.io, and Nessus Professional. Penetration testing becomes easier with a tool as powerful as this, and Tenable's toolset can catch a number of problems and vulnerabilities that your team might easily miss.
Qualys
Founded in 1999, Qualys is an established name in enterprise security, with a full range of freemium solutions, continuous security platforms, and subscription-based security services. Its flagship platform is the aptly named Qualys Enterprise, formerly known as QualysGuard.
The Qualys Vulnerability Management UI. Source: Qualys.com
Qualys Enterprise is essentially a continuous security suite of tools for vulnerability management, asset discovery, network security, web app security, threat protection, and compliance monitoring. Qualys receives top billing for its performance in vulnerability scanning. Qualys has extremely high accuracy, often superior to competing tools, at surfacing vulnerabilities. Users also benefit from Qualys's strong performance at scanning and tracking vulnerabilities automatically, with little to no user intervention.
This makes it easy to add endpoints to your inventory and have Qualys protect your endpoints for you. Qualys maps out the vulnerability level and criticality so that your security team can prioritize and address your most critical vulnerabilities ahead of the rest.
Despite its many features and positives, Qualys also comes with potential drawbacks, chief among which are intermittently slow scans when scanning endpoints, as well as false positives.
Side-by-Side Scoring: Tenable vs. Qualys
1. Capability Set
Both Tenable.sc CV and Qualys Enterprise were designed to be comprehensive continuous security solutions, and both certainly excel in this regard. Qualys Enterprise's asset management capabilities and cloud/web app security features, in particular, are worth noting, while Tenable.sc CV's Nessus vulnerability scanner and advanced security analytics are the platform's strong points.
Tenable's set of capabilities provides the ability to handle all your vulnerability management in one place. It combines maximum endpoint visibility with broad scanning types and support for numerous compliance standards. Tenable makes it easy to plan and organize your scans, with user groups allowing coordination between teams in your organization.
Where Tenable.sc is optimized for real-time, continuous assessment of your security posture managed on-premises, Qualys brings cloud management and the consolidation of compliance and security solutions in order to lower your total cost of ownership (TCO). It has a clear UI and brings a modular approach with its suite of fully integrated security apps.
2. Ease of Use
Tenable's offering features a streamlined HTML5 interface and intuitive, user-friendly navigation elements, a vast improvement over its previous Flash-based implementation. Similarly, Qualys Enterprise's web-based interface is easy to get up to speed with but can feel somewhat over-modularized due to the number of moving, interacting parts in the solution suite.
Tenable is quick to implement and comes with defaults that make sense out of the box. This adds considerably to the product's ease of use, allowing teams to quickly assess vulnerabilities, see which systems are affected, and plan remediation. Tenable's graphical representations of your environment are among the best in the industry, with progress tracking to show the vulnerabilities you've patched over time. Tenable's VPR rating provides additional vulnerability prioritization beyond that represented by CVSS scores, making it easier to zero in on the vulnerabilities your team must tackle first.
Qualys is very easy to use, with efficient performance for any network. You can easily deploy it in the cloud, while for businesses in regions with strict data sovereignty requirements, the on-premises Qualys Private Cloud Platform is just as easy to deploy.
3. Security Rating
UpGuard's Vendor Risk platform is used by hundreds of companies to automatically monitor their third-party vendors. We ran a quick surface scan on both Tenable and Qualys and found them in a similar security position. Both companies have similar risks, which include:
- DNS being susceptible to man-in-the-middle attacks
- Potential for emails to be fraudulently sent from their domain
- Increased susceptibility to man-in-the-middle attacks
Qualys has a higher risk of domain hijacking, as they don't use domain registry protection. This gives Tenable a slight edge and a slightly higher rating.
Domain hijacking is one of the subtler forms of cyberattack that can nonetheless have wide-ranging effects on a business. Attackers can abuse privileges on the domain and inflict financial or reputational damage on the organization.
With UpGuard's Vendor Risk Platform, you can automatically monitor and rate vendors' security performance. You can automate security questionnaires and monitor vendors using our instant vendor search. The platform lets you track changes in the security performance of your vendors over time. Along with vendor security ratings, you also have access to industry benchmarks to better understand vendor performance.
4. Community Support
Qualys hosts an active community off its corporate website, as does Tenable; in this case, the latter takes the cake for its strong discussion forum. Additionally, Nessus, originally an open-source project, commands a legion of loyal followers as one of the most popular and capable vulnerability scanners.
The Tenable Community Forum is a good place to interact with the community and search for Tenable information on all possible topics. You can also ask the community a new question in case you are running into issues with Tenable and your team can't troubleshoot them.
You can read Tenable Docs in the Tenable Documentation Center. This has docs for Tenable.sc as well as Tenable.io (the cloud version of Tenable.sc), Nessus, and related products.
Qualys has multiple online communities, each one dedicated to a specific area of Qualys functionality. These include:
- Vulnerability Management
- Policy Compliance
- PCI Compliance
- Web App Scanning
- Web App Firewall
- Continuous Monitoring
- Security Assessment Questionnaire
- Threat Protection
- Asset Inventory
The Qualys Community discussion site hosts discussion on topics ranging from asset management to web app security and the Qualys developer API. The wide range of resources means that you can get help or insights for solving even tricky hurdles that might arise in your Qualys implementation.
5. Release Rate
Tenable.sc is currently on version 5.13.0 and has been undergoing regular releases since its inception. Nessus (currently at version 8.10.0), at one point considered the most popular vulnerability scanner in the world, ahead of pen testing alternatives like Nexpose, InsightVM and Metasploit, was released in 1998 and sees full version updates roughly every 2 years. Qualys' vulnerability scanner and cloud-based security platform have also undergone regular updates over the years, despite several confusing rebranding and product consolidation efforts.
Tenable has seen significant innovations over the past couple of years. In addition to the rebranding of Tenable SecurityCenter to Tenable.sc in November 2018, there have been a series of innovations in the product. These include integration with Tenable Lumin to enable advanced cyber exposure analytics and visualization. The latest release of Tenable, Tenable.sc 5.13.0, added the ability to synchronize data from Tenable.sc to Lumin for analysis, as well as numerous bug fixes for issues like lost scan chunks when the scanner they were on crashed.
In its latest releases, versions 3.0 (Qualys Cloud Platform) and 10.0 (Qualys Cloud Suite), Qualys added a new, game-changing VMDR (Vulnerability Management, Detection, and Response) solution. This integrated tool enables vulnerability remediation prioritized based on context, along with comprehensive visibility.
6. Pricing and Support
As a SaaS-based offering, Qualys Enterprise is sold on an annual subscription basis; pricing in the past has ranged from $295 for small businesses to $1,995 for larger enterprises, depending on the number of endpoints monitored. Tenable.sc costs upwards of $20,000 plus annual maintenance, a considerable investment for budget-conscious organizations.
Both vendors offer premium phone, web, and onsite support options, as well as a range of professional services to boot. If you have a support plan, you can get technical support from Tenable's Technical Support Engineers. A Technical Support Guide is available to help you navigate the process. If you have purchased or subscribed to Tenable.sc, Tenable.io, or Tenable.sc Continuous View, you get an included Advanced Support plan.
Qualys offers free support to all customers. Qualys customers get free telephone support, which provides access to Qualys Security Engineers for solving any network security problems.
In addition, you can also get online support from Qualys. This is in the form of online technical support, as well as self-service documentation and troubleshooting materials.
7. API and Extensibility
The Qualys API is a non-REST, XML-based interface for integrating custom applications with Qualys Cloud security and compliance solutions. In contrast, Tenable.sc offers a more modern REST API for integrating with other applications or hooking scripting interactions into the Tenable.sc server.
The Tenable API uses JSON format and is developed using open standards. This means that you can use any programming language you want for interacting with the API. The ubiquity of JSON usage should make it easier for teams that want to integrate Tenable.sc into their web applications or other software, as well as system administrators who want to automate certain workflows.
The Qualys API is just as robust and powerful as the Tenable one, and this will enable your team to automate Qualys workflows. The API allows you to accomplish tasks like:
- launch VM scans
- launch compliance scans
- configure scans
- manage assets
- launch reports
- manage reports
- download reports
8. 3rd Party Integrations
Both solutions feature a broad range of 3rd party integrations and technology partners. Qualys integrates with ServiceNow, BMC, ForeScout, and Splunk, among others, while Tenable's myriad of integrations, including vendors like Cisco, Salesforce, and Airwatch, allow customers to get the most out of their security platform investments. Tenable has created a vast Cyber Exposure ecosystem, in partnership with numerous Security and IT Operations organizations. This ecosystem enables customers to get a broad set of cyber exposure datasets in order to analyze and reduce their risk.
Qualys has integrations with public cloud providers to ensure visibility and security compliance of your cloud and hybrid IT deployments. These include native integrations with the major cloud providers, namely AWS, Google Cloud, and Microsoft Azure.
In addition, Qualys offers a free cloud-based service, Qualys CloudView, that lets you view and aggregate, on one control panel, all the information about your assets across different cloud providers.
9. Companies that Use It
Both security solutions are in use by many of the world's most prominent enterprises. Tenable purportedly has more than one million users and over 20,000 enterprise customers worldwide, including the U.S. Department of Defense, Deloitte, Visa, BMW, Adidas, and Microsoft. According to Qualys, more than 60% of the Forbes Global 50 rely on its continuous security solutions, including the likes of Cisco, DuPont, Microsoft, Sabre, and Sony Network Entertainment.
As their impressive customer lists show, if you are a large enterprise, either of these products should be able to meet your needs. It also pays to see what current and past customers say about their experience. For Tenable, customers like Sentara Healthcare, and others, have found that the Predictive Prioritization features in Tenable.sc and Tenable.io can greatly improve your ability to solve the most imminent cyber threats first.
Meanwhile, Qualys customers like that Qualys scales better, and your organization can add or remove IP addresses easily as required. The SaaS model Qualys offers, with pay-as-you-go options, makes it more flexible, whether you're a large Fortune 500 corporation or a small team.
10. Learning Curve
Both continuous security platforms are relatively easy to learn, largely due to the solutions' streamlined web interfaces and detailed product documentation. For product learning and training, Tenable customers have free access to the 24/7 online Tenable University. The self-serve courses provide comprehensive knowledge for Tenable's entire product catalog, including Tenable.sc, Tenable.io, and Nessus. Topics range from Vulnerability Assessment to Auditing.
Not to be outdone, Qualys also offers a comprehensive suite of free, self-paced training courses. Like Tenable, Qualys offers instructor-led certification courses that allow security engineers to get certified on different topics. Certification courses available from Qualys range from PCI Compliance to Qualys API Fundamentals.
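Scoreboard and Summary

| Category               | Tenable | Qualys |
|------------------------|---------|--------|
| Capability set         | 5/5     | 5/5    |
| Ease of use            | 4/5     | 4/5    |
| Security rating        | 4/5     | 4/5    |
| Community support      | 5/5     | 4/5    |
| Release rate           | 5/5     | 4/5    |
| Pricing and support    | 1/5     | 2/5    |
| API and extensibility  | 5/5     | 5/5    |
| 3rd party integrations | 5/5     | 5/5    |
| Companies that use it  | 5/5     | 5/5    |
| Learning curve         | 4/5     | 4/5    |
| Total                  | 4.3     | 4.2    |
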
Both Qualys Enterprise and Tenable.sc offer continuous cyber security through an array of layered security tools and services. Qualys sports some impressive asset management capabilities, while Tenable offers advanced security analytics and an industry-leading vulnerability scanner. That said, Tenable can be a challenge for small to mid-range organizations to acquire; as such, budget-sensitive firms will certainly find Qualys more manageable from a cost perspective.