Vulnerability Management
Posted by WineFuhMeh_@reddit | sysadmin | 40 comments
Waddup yall..
Alright, so my org is using Rapid7 for Vulnerability Management, and honestly using this tool has been the death of me. I’m just not a fan of it for various reasons. What tool do you guys recommend? I remember Tenable being really good, but what other options are out there today that are intuitive and easy to use?
Ok-Airline-7167@reddit
If you want something more intuitive, Tenable is still the most common move. It tends to have stronger vulnerability coverage and clearer prioritization, while Rapid7 focuses more on dashboards and workflows. That said, Tenable is not magically easier, just different pain points.
Relevant_Life_1578@reddit
I moved from Rapid7 a while back because the interface just never clicked for me. Nucleus Security is a lot more user friendly and it connects with most tools out there, so you are not locked in. Worth a look if you want something less messy than Tenable too.
Past-Cantaloupe9141@reddit
Tenable is solid and probably the most direct Rapid7 replacement if scanning and asset coverage is your priority. Qualys is another one worth comparing, especially if you need cloud-native coverage. On the human risk side, KnowBe4 gets used a lot for phishing/training but Riot has been gaining traction as an alternative, mostly because it rolls phishing sims, breach monitoring, and SaaS permission hygiene into one score per employee. Depends on whether you want pure vuln scanning or something that covers the human layer too.
EndpointWrangler@reddit
Tenable is the go-to alternative and genuinely more intuitive than Rapid7, but Qualys and Wiz (especially if you're cloud-heavy) are also worth a look depending on your environment.
monsieurherrmister@reddit
Block what you can, isolate the service, crank up logging, wait for patch. That’s the playbook. Some teams also try reducing attack surface entirely. RapidFort comes up a lot for that with containers.
sderby@reddit
Run a vuln by asset report scoped by asset groups/tags/sites and just dump a spreadsheet then pivot if you’re not familiar with the r7 tooling.
xxdcmast@reddit
Classic security guy move. Always passing excel docs.
DickStripper@reddit
“Dear Windows Team: PFA is an Excel sheet with 80,000 vulnerabilities. Please do the needful.”
Next month…..
“Dear Windows Team: PFA is an Excel sheet with 80,000 vulnerabilities. Please do the needful.”
Next month…..
“Dear Windows Team: PFA is an Excel sheet with 80,000 vulnerabilities. Please do the needful.”
Next month…..
“Dear Windows Team: PFA is an Excel sheet with 80,000 vulnerabilities. Please do the needful.”
Next month…..
“Dear Windows Team: PFA is an Excel sheet with 80,000 vulnerabilities. Please do the needful.”
lucas_parker2@reddit
And nobody in this email ever asks which of those 80k are actually exploitable or connect to anything worth protecting. You could cut that list to maybe 200 that matter and the windows team might actually fix a few, but that requires knowing what's reachable from each vuln, which the scanner never tells you. So the spreadsheet loops forever and everyone pretends the process is working because the email went out on time :)
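The spreadsheet pivot sderby suggests above and the "which of the 80k actually matter" question lucas_parker2 raises come down to the same two operations on the vuln-by-asset export: list the hosts behind one finding, and cut the list down by exploitability and reachability before it goes to the patching team. The script below is an added example written for this thread; it is not code from Rapid7, Tenable or any poster. The CSV column names, the hostnames, the placeholder CVE ids (CVE-0000-000x are not real CVEs), the "known exploited" set and the internet-facing host set are all constructed for the example; in practice the last two come from a KEV feed and your firewall or inventory data, which the scanner export does not carry.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export, shaped like a "vulnerabilities by asset" CSV dump.
# Hostnames, titles, CVE ids (CVE-0000-000x are placeholders, not real CVEs)
# and solutions are all made up for this example; rename the columns to match
# whatever your scanner actually exports.
SAMPLE_EXPORT = """\
asset,vulnerability,cve,severity,exploit_available,solution
web01.corp.example,Google Chrome outdated (placeholder),CVE-0000-0001,High,Yes,Upgrade Google Chrome
web02.corp.example,Google Chrome outdated (placeholder),CVE-0000-0001,High,Yes,Upgrade Google Chrome
app01.corp.example,Google Chrome outdated (placeholder),CVE-0000-0001,High,Yes,Upgrade Google Chrome
db01.corp.example,OpenSSL outdated (placeholder),CVE-0000-0002,Critical,No,Upgrade OpenSSL
app01.corp.example,OpenSSL outdated (placeholder),CVE-0000-0002,Critical,No,Upgrade OpenSSL
db01.corp.example,Weak SSH cipher enabled (placeholder),,Medium,No,Disable weak SSH ciphers
web01.corp.example,Self-signed TLS certificate (placeholder),,Low,No,Install a CA-signed certificate
"""

# Constructed context the scanner export does not carry: a "known exploited"
# list (stand-in for a KEV feed) and the hosts your firewall/inventory says
# are reachable from the internet.
KNOWN_EXPLOITED = {"CVE-0000-0002"}
INTERNET_FACING = {"web01.corp.example", "web02.corp.example"}


def parse_export(text):
    """Read the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def hosts_for(rows, needle):
    """The 'single click' view: hosts affected by an exact CVE id, or by any
    vulnerability whose title contains the search string (case-insensitive)."""
    needle_l = needle.lower()
    return sorted({
        r["asset"] for r in rows
        if r["cve"] == needle or needle_l in r["vulnerability"].lower()
    })


def triage(rows, known_exploited=KNOWN_EXPLOITED, internet_facing=INTERNET_FACING):
    """Bucket findings by the two questions the spreadsheet never answers:
    is it exploitable, and is the host reachable from somewhere hostile?
      now     = exploitable AND reachable
      next    = exploitable OR reachable
      backlog = neither (fix on the normal patch cycle)"""
    buckets = {"now": [], "next": [], "backlog": []}
    for r in rows:
        exploitable = (r["exploit_available"].strip().lower() == "yes"
                       or r["cve"] in known_exploited)
        reachable = r["asset"] in internet_facing
        if exploitable and reachable:
            buckets["now"].append(r)
        elif exploitable or reachable:
            buckets["next"].append(r)
        else:
            buckets["backlog"].append(r)
    return buckets


def work_items(rows):
    """Collapse findings into one line per fix with the hosts that need it, so
    the platform team gets 'upgrade X on these N hosts' instead of 80k rows."""
    by_fix = defaultdict(set)
    for r in rows:
        by_fix[r["solution"]].add(r["asset"])
    return {fix: sorted(hosts) for fix, hosts in sorted(by_fix.items())}


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("Hosts with a Chrome finding:", hosts_for(rows, "chrome"))
    print("Hosts with CVE-0000-0002:", hosts_for(rows, "CVE-0000-0002"))
    buckets = triage(rows)
    for name, found in buckets.items():
        print(f"{name}: {len(found)} finding(s)")
    for fix, hosts in work_items(buckets["now"]).items():
        print(f"  DO NOW -> {fix}: {', '.join(hosts)}")
```

Run it as-is and the seven constructed findings collapse to one "do now" work item (upgrade Chrome on the two internet-facing hosts), four "next" items and one backlog row. Swapping `SAMPLE_EXPORT` for a real export and the two sets for a KEV feed and an inventory join is the whole change; the grouping by solution is what turns a scanner dump into something a patching team can actually close.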
graph_worlok@reddit
Obviously those numbers are going to be going up month to month though! 🤣
sderby@reddit
There’s always a bigger spreadsheet.
graph_worlok@reddit
CSV.. the world runs on CSV… “excel docs” feh….
Palmolive@reddit
Tenable has its own problems. What are your issues with R7 I can tell you if tenable does it better.
WineFuhMeh_@reddit (OP)
I'm looking for an easy way: if Google Chrome has issues on 54 hosts, tell me the hostnames with a single click. Maybe I'm asking for too much, or it doesn't work that way?
Or I have, like, high-level CVEs; I just want to be able to click on the issue and list the hosts out with how to fix it.
Palmolive@reddit
It does list out what devices have which vulnerability. For the most part they have solutions (which is usually just patch the thing)
WineFuhMeh_@reddit (OP)
Really? Because then I'm either missing something or slow, because I'm leading a team of engineers, and, like, every time we need to go hunting to figure out what it is, I'm being told you have to build a query to get what you need.
gr8bhere@reddit
When I use the cloud console it is very hard to tell which machines are affected. I have to login to the local console web UI to see everything and more. Honestly, I stopped using the cloud version because it was kind of limited.
Also the reports (not cloud reports) are very good at telling you the machines, the remediations, and machines affected in csv or pdf. I have it just send me a few reports every morning to avoid me hunting for info when I want to look at something. Top remediations, top risk scores, trend reports by asset groups.
cgc018@reddit
To be honest, it sounds like you need to just learn more about how to use the InsightVM platform. There are multiple ways to find out what hosts are impacted by a specific CVE.
It’s been a while since I have looked into any of their training offerings but my suggestion would be to just dive into whatever they offer.
WineFuhMeh_@reddit (OP)
Yeah, I'm going to be honest, I do need to learn the product more, hands down. But for what it's worth, and given the demand, I'm just trying to figure out if the community can direct me or knows of a way I could do this better, per their advice.
idknemoar@reddit
Do you have self hosted or SaaS delivered? I’ve been using the full suite of r7 for 5 years now.
Wastemastadon@reddit
Either the agents are not working, but if you click on the 54 hosts it lists out the hosts. You can also take the CVE and do a search for it. You can also set up the dashboards to show the most common CVEs or the newest ones in your environment, and when you click the report and the bulb it lists out the hosts.
redyellowblue5031@reddit
I had a feeling your username was old given what it is. Nice.
notta_3d@reddit
Not sure what problems others have with Tenable VM but it's been rock solid for us. Beautiful UI with tons of data. Support is not the best but rarely call them. We switched from AW. Had to be the worst vulnerability tool on the market. They may have purchased something recently but I see no reason not to continue with Tenable VM.
PositiveBubbles@reddit
For us, tenable is good when configured properly and if checking it for accurate information is done properly.
Our cyber team gets invalid info from our CMDB and thinks servers etc. are missing agent installs. The way the data was being mapped in the CMDB was the problem, because the team responsible for it isn't as technical as they think they are.
Apart from that, we've had to explain that not every appliance or device can have an agent installed, and the vendors recommend other ways of scanning, such as network, etc.
TLDR: like a lot of products, the people who 'own' or 'manage' the product at an organisation need to understand not only how it works, but how it interacts with, or is meant to be integrated or used in, their environments.
iamtechspence@reddit
Integrate your vuln mgmt tool with an inventory tool or RMM. Many of them have integrations so you can see this data more easily
WineFuhMeh_@reddit (OP)
Any good RMM tool you know of out there today?
iamtechspence@reddit
NinjaOne is super solid. Disclaimer, they sponsor some of my content, but even still, I think they have a really great product and a great team.
But there are several others in this space doing cool stuff too
ChromeShavings@reddit
Aw man, Rapid7 is fantastic. It takes some training for sure, but their support is great and their tool is lightning fast at assessments. Yeah… take some courses. They offer free ones. Also take advantage of the free assessment of your environment. They used to offer this after a year of having it spun up. Ask your account manager about this. It’s like a 3-hr health check with an experienced engineer to make everything hum properly. Game changer for us, but they want to make sure that you put in the work and learn the platform before this is offered.
No_Yam9428@reddit
I believe you are looking for a patch management tool for endpoints, where you can find the vulns for each endpoint and the solutions as well.
excitedsolutions@reddit
In larger orgs, cybersecurity focused roles do this as a separate function and are not responsible for patching. They are responsible for telling the system owner/IT ops that vulnerabilities exist and they need to address them. This is also usually done with a separate scanning tool to have a “independent/non-biased” view of what is vulnerable that is not determined by a patch looking for something that doesn’t have it applied already.
mcflyrdam@reddit
I am a big fan of DefectDojo, but it depends a bit on what you are using for vulnerability scanning and vulnerability management.
We use DefectDojo as centralized VulnManagement and we have the reports of, I think, 9 tools reporting in there. Integrated into SNOW and JIRA.
So if you have a diverse landscape where one vuln scanner is not doing it, or software development where you will want a better-fitting solution, this is a great solution.
If you have one tool to scan for vulns, then go with that vuln scanner.
A talk on using VulnManagement in general and DefectDojo specifically: https://media.ccc.de/v/38c3-vulnerability-management-with-defectdojo
Winter_Engineer2163@reddit
I’ve worked with Rapid7 before and I get what you mean. The platform is powerful but it can feel pretty heavy and the UI/workflows aren’t always the most intuitive.
Tenable (Nessus / Tenable.io) is probably the most common alternative people move to and in my experience it’s a bit easier to work with day to day, especially when it comes to reporting and general visibility.
Another one I’ve seen some teams adopt recently is Qualys. It’s pretty mature and does a lot more than just vulnerability scanning if you grow into the platform.
If you want something that feels a bit more modern and less “enterprise legacy”, some people also like tools like Greenbone/OpenVAS or even Defender Vulnerability Management if you’re already deep in the Microsoft ecosystem.
Honestly though, a lot of the pain with vulnerability tools ends up being less about the scanner itself and more about how the findings get triaged and integrated into patching workflows.
afahrholz@reddit
If you're not a fan of Rapid7, Tenable (Nessus/io) and Qualys are both solid, intuitive alternatives with good dashboards and reporting. OpenVAS is a free option, and tools like Microsoft Defender or Palo Alto Cortex also offer easy-to-use vulnerability management features.
odubco@reddit
The problem is usually the implementation and not the tool… or the “engineers” using the tool.
plump-lamp@reddit
You def don't know how to use r7. Take some trainings, it's pretty darn easy, especially compared to others. I've demo'd every single major offering, r7 competes with them and works alright. Has its pros and cons.
WineFuhMeh_@reddit (OP)
You're right, I don’t know how to use the product properly. I keep going through multiple trainings from the SME in my org; it doesn’t help. Reached out to Rapid7, they provided some half-ass training…
plump-lamp@reddit
Literally your question down below was which hosts have a Chrome vulnerability. Click Vulnerabilities on the left, find the one you want, and it lists all devices with the vuln. You can even export to CSV if need be.
Learn how to make dashboards with the widgets you want.
Learn how to scope dashboards to specific types of devices or vulnerabilities.
Learn remediation projects.
Learn what is in the cloud console vs the local R7 console and how they interact.
Learn site creation.
Learn asset groups and how they work with dashboards and scoping.
This is all vulnerability management 101 and all the major ones work this way, especially tenable and qualys. (The only 3 worth working with)
Hayabusa-Senpai@reddit
Been contemplating the same
singausreanian@reddit
Cybercns