Regardless of a company's size, digital security is nowadays one of its most important concerns. Small, medium and large companies alike estimate and allocate budgets for digital security to protect their assets. In this post our security specialist, Daniel González, walks through the installation and deployment of three of the strongest and most popular tools in this space, Tenable.io, Qualysguard and Rapid7, to test their real scope and benefits. In doing so, Daniel delivers a comparative analysis that helps us choose the best option for our companies. Here are his comments and results.
All three are available on the Vulnerability Management market and focus on business services to ensure digital security. Although each offers a different range of products, Daniel makes a broad-spectrum comparison of their services by dividing the analysis as follows:
In this sense, we measured these indicators for each of these aspects:
- GUI and Vulnerability Scans
- Service Components
Since each indicator combines 4 different, specific aspects (detailed in the chart General Features: Tenable.io vs. Qualysguard vs. Rapid7), the maximum score per indicator is +16 and, at the other end of the scale, the minimum is -16.
Now, let's delve into Daniel's analysis.
QualysGuard sells itself as a fully Cloud-based solution for digital security, the idea being that the user never has to install anything. However, this is only partially true: although QualysGuard operates in the Cloud, it needs a virtualization service as liaison between the local network and the tool. Score: +2
Either way, it's understandable that QualysGuard is only partially Cloud-based: if you need to run a vulnerability scan of your internal network, you need some way to connect that network to the Cloud. Score: +2
This is done by installing a local scanner on your network, and this is where QualysGuard loses points: the only ways Qualys offers to install it on your network are:
- through a virtual machine provided by the Qualys team; and
- purchasing a QualysGuard appliance that you must deploy in your network. Score: +1
This certainly affects companies that have no virtualization services and/or limited budgets that cannot absorb such an extra expense.
Nonetheless, if you overcome these pitfalls, or if they are only a minor problem for you, installation is quite simple: once the appliance is installed, Qualysguard automatically pairs it with the Cloud via an internal token, which allows the security plugins to be updated. Score: +2
Overall score: +7
Rapid7 stands out for many things; however, its Cloud operation is not among them. For instance, installation is complicated by the considerable resources it consumes. Score: -1
Along the same lines, Daniel points out that the documentation recommends a machine with 8 GB of RAM as the minimum requirement for installation, which is rather high compared to similar solutions on the market.
Anyway, Daniel tried a virtual machine with 5 GB of RAM just to see how the tool responded. It was impossible: whenever the service started, it took over all the RAM and the machine simply hung. The moral? Follow the manufacturer's recommendations.
After the failed experiment, Daniel carried out the installation with sufficient resources and confirmed that it is fairly straightforward. However, it asks for irrelevant data during installation: why is it necessary to fill in the company's name and the name of the person installing the software? Score: -1
In addition, the service takes too long to start (about 40 minutes), which costs the tool further points. Score: -1
Overall score: -5
Tenable.io's installation process is quite similar to QualysGuard's; in other words, it's a Cloud-based tool that requires virtualization for scanning networks. However, Tenable.io additionally offers Agents and local Scanners that QualysGuard doesn't have. Score: +2
Also, the local Tenable.io scanners are available for Windows, Linux and Mac OS. Once the application is running on the host, you synchronize it with the Cloud via a Tenable.io internal token. Score: +3
On the other hand, Agents are very useful for working with mobile devices that constantly change IP address, which makes scanning them with a network scanner difficult. Score: +4
Tenable.io Agents avoid this problem: they run internally on the device and are always ready to perform scans. Once the device connects to the Cloud, the results are uploaded to Tenable.io. Score: +3
Overall Score: +12
In short, this is how we rate the installation process of Tenable.io vs. Qualysguard vs. Rapid7:
GUI and Vulnerability Scans
QualysGuard's interface is somewhat obsolete: too many pop-up windows make it difficult and uncomfortable to use. Daniel reports the odd feeling of being 10 or 15 years back in time when using this GUI. Score: -4
The windows also hinder use because you have to set up the whole scanner first, and do it piece by piece: you need to configure a separate tab for policies, another for credentials, and another for assets, and you can only schedule scans once all the settings are finished. Score: -2
Additionally, since every extra setting opens a new window, the whole process becomes quite tedious. There are also design issues that hinder the process even more: within the scan settings you can only enter IP addresses, not DNS names, which makes it very difficult to scan services that constantly change IP address. Score: -2
Besides, it has neither default policies nor web application policies for analysis. Score: -2
Overall Score: -10
Nexpose has implemented a new interface for Rapid7 with unintuitive dashboards that, according to Daniel, has complicated its use: creating a scan took him about 40 minutes. Score: -4
In detail, we first need to create a "site" before we can scan, which seems to have no relation to the scan itself. Score: -2
We also need to create policies and credentials separately, so there is no way to run a scan quickly. In other words, Rapid7 repeats QualysGuard's disadvantages, just without the windows and sub-windows. Score: -4
The scan duration was also quite long: about two hours to complete a scan of a network with 255 hosts. Score: -2
Finally, integration with its new Cloud service is partial: dashboards are the only thing loaded into the Cloud. Score: -2
Overall Score: -14
Tenable.io relies on the Nessus engine, which is fast and has many plugins for vulnerability scans. Its interface appears to be the easiest of the three (simple, specific and task-oriented). Score: +3
When logging in, the first thing we see are dashboards that display all the relevant data at once. We don't need to define anything beforehand to run scans; however, we can always create policies from the scan settings, or reuse previously saved policies if we want. Score: +3
In addition, you can create credentials within policies, so the definition process is much easier than in any other vulnerability scanning service. It also has agents for scanning devices that constantly change IP address, such as tablets, cell phones and laptops, which greatly simplifies the security analyst's job. Score: +3
Currently, our friends at Nessus are innovating in this area with the Container Security and Web Application Scanning services. The first performs vulnerability analysis and management on virtualization containers (e.g. Docker), and the second carries out vulnerability analysis of web applications (e.g. the OWASP Top 10).
This new service was just released earlier this year, but it promises a lot thanks to Tenable's previous experience with Nessus and Nessus Cloud.
Overall Score: +9
Regarding GUI and Vulnerability Scans for Tenable.io vs. Qualysguard vs. Rapid7, we have:
QualysGuard is a partially Cloud-based tool that has an Agent for your scans. Score: +1. However, that Agent is fully configured from the Cloud, which consumes a lot of bandwidth. Score: +1
On the other hand, QualysGuard is a SaaS solution, so companies that want an on-premise solution must choose another tool. Score: +1. Although the trend among companies is migration to the Cloud, Qualys is leaving a large portion of this market out. Additionally, QualysGuard lacks options for running vulnerability scans through an MDM (e.g. MobileIron). Score: -1
Overall Score: +2
Nexpose has just launched an Agent for continuous monitoring, integrating only now what companies like Tenable and Qualys have been doing for some time. Significantly, this technology greatly simplifies the work of managers and staff in charge of Vulnerability Management. Score: +3
Also, when you try to create audit policies, the configuration is much more limited than in Tenable.io, which takes quite a few points off Rapid7. Score: -2. Besides, Daniel also pointed out that he didn't find any support or documentation for detecting malware with this tool. Score: +1
Additionally, Rapid7 runs active scans, which keeps visibility on your network high. Score: +2
Overall Score: +4
While Tenable.io's interface can be a bit heavy to load at start-up, navigation within the application compensates for the wait once all elements are fully loaded into the cache.
With Tenable.io, you get vulnerability analysis through an MDM (Score: +4), and you also get Agents that can be installed on mobile devices. Score: +3. Tenable also has pre-defined policy templates for SCADA.
Further, you get policies for malware analysis which, together with your antivirus, can be very effective protection against malware. Score: +4. You can also integrate Tenable.io with the PVS service, a passive vulnerability scanner, to strengthen the security of your network even further. Score: +4
Overall Score: +15
In summary, for the Service Components of Tenable.io vs. Qualysguard vs. Rapid7 we have:
Tenable.io vs. Qualysguard vs. Rapid7
Tenable.io vs. Qualysguard vs. Rapid7 in Graphics
In short, after conducting real tests of the three tools, Daniel had these impressions:
- Qualysguard and Tenable.io share positive characteristics regarding the use of agents and pre-loaded applications that make local installation of the tool in your network easier.
- Rapid7 and Qualysguard share negative characteristics regarding the pre-configuration needed before scanners can be used, and the time spent on each scan.
- Tenable.io and Qualysguard consume considerable bandwidth to start scanning. However, Tenable.io overcomes this obstacle more easily than the other two tools described in this analysis.
- Qualysguard and Rapid7 offer unfriendly and unattractive interfaces that hinder starting scans.
- Tenable.io is the only one of the three tools that offers active protection in real time, integrates with the most popular operating systems, and can also be supplemented by passive vulnerability scanners.
Comparative Tenable.io vs. Qualysguard vs. Rapid7
We hope that this detailed analysis comparing Vulnerability Management tools (Tenable.io vs. Qualysguard vs. Rapid7) to protect your company serves you as a guide and helps you choose the best option. And if you want to save time on implementation and commissioning, we can offer you our experience.