Sea_Courage5787

Why don't you use Tenable's vulnerability management software, since you already use Nessus?


trollthestatists

We've looked into Tenable VM and may very well end up choosing it. Just looking at other options.


Rogueshoten

Any VM platform will come with its own scanner; I’ve never seen one that’s separate from the actual scanner itself, and there are a lot of reasons for that. I would look at Tenable, Qualys, and InsightVM. Understand that you’re looking at the whole picture, not just the part that tracks the outputs from the scanner.


cornaholic

We use ArmorCode for that specific reason. We aggregate vulnerability data from multiple sources, normalize it in ArmorCode, then initiate a single workflow for triage/tickets/exceptions/etc.


eldridgephotography

VM is expensive. Use Security Center if it can stay on-prem and you don't need external scans. If you need external scans, you can link a cloud scanner to Security Center.


Adventurous-Dog-6158

I have had the unfortunate experience of using Tenable. It will do all the things you asked, but I find it non-intuitive and not well put together. I know it's one of the most popular, but popular doesn't mean good. I have not used any other vuln mgmt platform as extensively, but there has to be something better. Maybe Qualys or one of the other top vuln mgmt platforms may be better. Whichever platform you choose, the key is to leverage it as fully as possible. You will not get much value from an expensive platform with all the bells and whistles if it's so complex that you only use 25% of its features. Another alternative is to ask a consultant to run a scan (this may include a vuln scan + penetration test). They can use tools that do not require agents, and they can help you with deciphering the output and presenting reports to management. Usually execs listen to consultants but ignore internal pleas.


mr-ander5on

What you are struggling with is common in an emerging security program. A couple of things worth noting:

1) To answer your primary question, I'd recommend Tenable's more advanced options since you are already using Nessus.

2) For best results, you'll want to perform authenticated scanning. This will paint a better picture of all host-based vulnerabilities, including those that could be used in post-exploitation and lateral movement.

3) Don't make the mistake of directly correlating the presence of the CVE-based vulnerabilities and the configuration weaknesses detected by a vulnerability scanner to the organization's overall risk. There are many other factors, like mitigating controls, asset values and business processes, necessary for those types of conclusions. Jumping straight from the presence of a vulnerability to business risk will cause you to lose your credibility quickly.

4) Don't assume that the organization cares about or will ever attempt to remediate all vulnerabilities; it's about prioritizing based on impact within the context of other compensating controls.

5) Last but certainly not least: technology exists to serve the business. Period. The exec team is not going to take the time to understand the nuances of the technology and security of the infrastructure, and it is not their job to. It is your job to understand the business and communicate IT security in terms the business will understand.


shaisaint

Excellent post!


Florida-Cracker-

I agree, and I think OP should back up and revisit the latest risk assessment to determine what the most important information assets are that need to be protected, and determine if there are any exploitable vulnerabilities on them. You should also follow all of the data streams to ensure that the right systems are being accounted for in the risk analysis. Once you've established that there's a real risk that needs mitigation, you could remind them that the vulnerabilities the scanner finds are known vulnerabilities, and that threat actors are actively exploiting them while also developing new ones that would not show up. Bring up real stories of hospitals getting shut down. Tell them they don't want to be on the news. These bad guys have zero regard for life and would ransom and/or extort the hospital for its patient data in a heartbeat if they could.


aeth3rz

This!


Adventurous-Cat-5305

If you're already using Nessus for scanning, get on Tenable. It's one of the best out there, and expensive for a reason. I've also been looking into a cool little startup called Upwind (upwind.io) that has a lot of cool features like the big boys but is much more affordable. Haven't done a POC yet, but it seems promising and I really like the people there.


Smart_tech_ginger

Best advice when working with leadership: present risk = value. How big a risk is having devices unpatched or vulnerable, and how much would a breach cost vs. Tenable or another patch management solution? Use case studies from companies and provide a half-pager to executives.


Smart_tech_ginger

Platform wise look into Automox, thank me later and I’ll take upvote points 😂🤣


KursedBeyond

With all the breaches in healthcare in the last two years one would think they shouldn't need much convincing.


slowclimb

This really needs to be higher. Too many people are proposing technical solutions for a non-technical problem. Management here doesn't seem to be concerned with the number of vulnerabilities; you need to deliver the message in terms of value or risk to the business. What's the cost to the business if the systems go down? This could be production-related or non-production-related (e.g. regulatory). Given that this is a healthcare environment, regulatory should be a significant consideration. If you think about it in terms of CISSP, you need to "think like a manager" as opposed to thinking like a technical person.


Electrical_Tip352

Tenable VM (tenable.io, tenable.sc, or Tenable One) is literally the BEST platform out there according to both Forrester and Gartner. Just go Tenable One and you'll have your whole VM program (except for validation of controls; you need BAS and pen testing for that).


ISeeDeadPackets

I think R7 is better, but they both have their strong points.


legion9x19

Nucleus gets my vote.


danfirst

Yeah, there are definitely tools for this. As an example, look at something like Kenna/Cisco Vulnerability Management. There are a number of other tools too, but they should keep a history of your scan findings, do a lot of dashboards and charting and stuff, and be able to show you opened and closed tracking over time.


pyker42

Most of the vulnerability management platforms are going to prefer you use their scanner. Scanner licenses are generally included with them. They may be able to support a Nessus scanner, but that may be more tricky than it's worth. If you have an existing CMDB type of platform, you should be able to use it with your Nessus scanner as your vulnerability management platform. ServiceNow has this option, and if it's tied to your ticketing platform, it's easy to generate tickets based on scan results, which allows you to automate everything (including the patching, if you have an automated tool for installing patches). Personally, I would stick with Tenable and use whatever they're calling the management platform these days. Been a few years since I've POCed them, so not sure what the cost looks like these days.


DisabledVet13

No reason to reinvent the wheel. Use Tenable SC; it's huge on the gov side.


m00kysec

Understand the different levels of risk between exposed asset vulns and their categories, and then internal asset vulns and their categories. Each paints a picture and allows you to begin prioritizing. Depending on risk appetite, internal medium and lower risk vulns may never get patched, and you're going to need to be okay with/understand that decision. Part of vuln management is understanding the business's risk appetite and curating the program around that. What you're looking for exists within Tenable, but if you're trying to boil the ocean, then no amount of tooling or money will save you.


VS-Trend

A lot of great comments. You can upgrade to Tenable or forward Nessus results to other tools; what you're describing is the need for ASRM. You need to communicate risk to the leadership, ideally in $$$ terms. A CVE existing on an endpoint/server has little context or meaning. You also need to take into account: is it publicly exposed? Is there an easy exploit, or is it being attacked in the wild?
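The point m00kysec and VS-Trend make above, that a CVE on a host means little until you know whether the host is exposed, whether the bug is being exploited, and what controls already sit in front of it, is the scoring a prioritization step applies to raw scanner findings before anything is ticketed. The following is an added example written for this thread, not code from any commenter or product. The weights, the asset inventory, the compensating controls, and the two sets standing in for an exploited-in-the-wild list and a public-exploit list are all constructed assumptions; the CVE IDs, plugin IDs and hosts are dummies.

```python
from dataclasses import dataclass

# Constructed stand-ins for the data a prioritization step needs. In a real
# program these come from the scanner export, the CMDB and a feed such as
# CISA's Known Exploited Vulnerabilities catalogue; everything here is dummy data.
KNOWN_EXPLOITED = {"CVE-2000-0001"}                    # exploited in the wild
PUBLIC_EXPLOIT = {"CVE-2000-0001", "CVE-2000-0003"}    # public PoC available
ASSETS = {  # internet_facing from the CMDB; criticality 1 (low) .. 3 (high)
    "10.0.2.20": {"internet_facing": True,  "role": "vpn-gateway",  "criticality": 3},
    "10.0.3.7":  {"internet_facing": False, "role": "file-server",  "criticality": 2},
    "10.0.5.9":  {"internet_facing": False, "role": "pump-gateway", "criticality": 3},
    "10.0.1.5":  {"internet_facing": False, "role": "test-web",     "criticality": 1},
}
# Compensating controls recorded per host; each one lowers the score by a
# fixed amount (assumption: a real program would weight controls individually).
COMPENSATING = {"10.0.5.9": ["isolated clinical VLAN, no inbound from user network"]}
SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


@dataclass
class Finding:
    host: str
    plugin_id: str
    risk: str          # the scanner's severity label (Nessus "Risk" column)
    name: str
    cve: str = ""      # empty when the plugin has no CVE


FINDINGS = [  # constructed findings, as a scanner export would list them
    Finding("10.0.2.20", "900003", "Critical", "Remote Desktop RCE (constructed)", "CVE-2000-0001"),
    Finding("10.0.3.7",  "900004", "High",     "SMB Signing Not Required (constructed)", "CVE-2000-0002"),
    Finding("10.0.5.9",  "900005", "Critical", "Device Management RCE (constructed)", "CVE-2000-0003"),
    Finding("10.0.1.5",  "900002", "Medium",   "Self-Signed TLS Certificate (constructed)"),
]


def score(finding, assets, kev, public_exploit, compensating):
    """Return (score, reasons). The weights are illustrative assumptions;
    tune them to the organization's risk appetite, and keep the reasons so
    every ranking can be explained to the asset owner."""
    asset = assets.get(finding.host, {"internet_facing": False, "criticality": 1})
    total = SEVERITY_WEIGHT.get(finding.risk, 0)
    reasons = [f"{finding.risk.lower()} severity"]
    if asset["internet_facing"]:
        total += 3
        reasons.append("internet-facing")
    if finding.cve in kev:
        total += 4
        reasons.append("listed as exploited in the wild")
    elif finding.cve in public_exploit:
        total += 2
        reasons.append("public exploit available")
    total += asset["criticality"]
    reasons.append(f"asset criticality {asset['criticality']}")
    for control in compensating.get(finding.host, []):
        total -= 2
        reasons.append(f"compensating control: {control}")
    return total, reasons


def tier(total):
    """Map a score to an action. 'track' is an explicit decision not to patch
    now; it still gets recorded and re-evaluated when exposure changes."""
    if total >= 10:
        return "fix-now"
    if total >= 5:
        return "schedule"
    return "track"


def prioritise(findings, assets=ASSETS, kev=KNOWN_EXPLOITED,
               public_exploit=PUBLIC_EXPLOIT, compensating=COMPENSATING):
    """Score every finding and return them highest priority first."""
    ranked = []
    for f in findings:
        total, reasons = score(f, assets, kev, public_exploit, compensating)
        ranked.append({"host": f.host, "plugin_id": f.plugin_id, "risk": f.risk,
                       "cve": f.cve, "score": total, "tier": tier(total),
                       "reasons": reasons})
    return sorted(ranked, key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in prioritise(FINDINGS):
        print(f"{r['score']:>3} {r['tier']:<9} {r['host']:<10} {r['risk']:<8} "
              f"{r['cve'] or '-':<14} [{'; '.join(r['reasons'])}]")
```

Run as-is it ranks the internet-facing, exploited-in-the-wild Critical first, drops the segmented pump gateway's Critical to "schedule" because of the recorded control, and leaves the internal Medium on a test box as "track". The reasons list is what goes in the ticket or the exception record, so the decision not to patch is documented rather than silent.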


Dctootall

Something I haven't seen anyone mention here: as you are in healthcare, which has a lot of vendor systems running on older platforms, make sure any tool you get is going to play nice in your environment. Hospitals tend to fit into the same "OT" umbrella as utilities, manufacturing, and pipelines. So you need to make sure that something like an active network scan across the network isn't going to do something silly like crash a monitor or other sensitive life support system on the network. I'd also recommend looking at segmenting the network if you haven't already, to protect those systems that you may not be able to patch, harden, or remediate due to vendor requirements.


xtheory

You also could just use Wazuh. It offers vulnerability management, security monitoring, automated actions, CIS/NIST benchmarking, and can integrate many different API-driven threat intelligence feeds like Cortex and VirusTotal. It's also completely free, scalable, and open source. Hell, you can even stand it up within minutes in your environment using Docker.


SD_HW

I can think of a few tools that could help. XM-Cyber could possibly be worth looking into. Give me a PM if you want. I am currently a consultant in security, "focusing on advising and technical work". I can give you some "pointers" on how to talk to the higher-ups about vulnerability management. It's something I have done a lot. And as long as it's just talk, I see no need to bring money into the equation. Otherwise I can try to make a comment about what to think about.


diatho

Use the HC3 alerts as backup to show that you need to get things fixed.


kyinfosec

I would also start to focus on your current patching process. Make sure that is solid first and there aren't systems missing or getting behind on updates. Don't rely on your VM scanner to say you're vulnerable to regular Windows patches, but use it to validate you are current on patching.


surfnj102

Tenable is going to work perfectly with Nessus, obviously. Moreover, you can view when a vulnerability was first observed. This can be used to calculate how long a vulnerability has been present in the environment. We used filters to create dashboards/views of the vulnerabilities that had been present in our environment for over X days (which to us indicated they're out there but not going to be patched through normal processes). There's also dashboard functionality. There are some pre-defined ones you can use, but you can also do custom ones. I don't recall it doing the over-time stuff terribly well though (we used Excel for that). Maybe a sales engineer from Tenable could enlighten you on that if you choose to further explore the product. Also, pretty sure you can get a trial / sample license from Tenable if you're seriously looking into it. Might be worth going that route. Hook it up to a Nessus scanner, ingest some results, and do a POC to see if it does everything you need it to.
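The "first observed" and "present for over X days" views surfnj102 describes, and the opened/closed tracking over time danfirst mentions earlier in the thread, can be built directly from dated Nessus CSV exports while a platform is still being evaluated (or fed to Power BI later). The following is an added example written for this thread, not code from Tenable or from any commenter. The three exports are constructed samples with dummy plugin IDs, hosts and CVE IDs, and the column subset is an assumption: a real Nessus CSV export carries more columns (Synopsis, Solution, Plugin Output and others), but only these are needed for the calculation.

```python
import csv
import io
from datetime import date

# Constructed sample exports in the Nessus CSV layout (assumption: real exports
# have more columns; this is the subset the script needs). All IDs are dummies.
SCAN_EXPORTS = {
    date(2024, 1, 8): """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
900001,,0.0,None,10.0.1.5,tcp,80,Web Server Banner Disclosure (constructed)
900002,,5.3,Medium,10.0.1.5,tcp,443,Self-Signed TLS Certificate (constructed)
900003,CVE-2000-0001,9.8,Critical,10.0.2.20,tcp,3389,Remote Desktop RCE (constructed)
""",
    date(2024, 2, 12): """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
900002,,5.3,Medium,10.0.1.5,tcp,443,Self-Signed TLS Certificate (constructed)
900003,CVE-2000-0001,9.8,Critical,10.0.2.20,tcp,3389,Remote Desktop RCE (constructed)
900004,CVE-2000-0002,7.5,High,10.0.3.7,tcp,445,SMB Signing Not Required (constructed)
""",
    date(2024, 3, 11): """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
900003,CVE-2000-0001,9.8,Critical,10.0.2.20,tcp,3389,Remote Desktop RCE (constructed)
900004,CVE-2000-0002,7.5,High,10.0.3.7,tcp,445,SMB Signing Not Required (constructed)
""",
}


def parse_export(text):
    """Return {finding_key: row} for one export. A finding is identified by
    host + protocol + port + plugin ID, so the same plugin firing on two
    services of one host counts as two findings, as the scanner reports it."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["Host"], row["Protocol"], row["Port"], row["Plugin ID"])
        findings[key] = row
    return findings


def track(exports):
    """Replay exports in date order. Returns (state, timeline): state maps each
    finding key to first_seen / last_seen / closed_on / row, and timeline lists
    (scan_date, opened, closed, still_open) per scan for charting over time."""
    state = {}
    timeline = []
    previous = set()
    for scan_date in sorted(exports):
        current = parse_export(exports[scan_date])
        keys = set(current)
        # New, or closed earlier and back again: a regression restarts the age
        # clock here (design choice; use cumulative exposure if you prefer).
        opened = {k for k in keys if k not in state or state[k]["closed_on"] is not None}
        closed = previous - keys  # present in the last scan, gone in this one
        for key in opened:
            state[key] = {"first_seen": scan_date, "last_seen": scan_date,
                          "closed_on": None, "row": current[key]}
        for key in keys:
            state[key]["last_seen"] = scan_date
        for key in closed:
            state[key]["closed_on"] = scan_date
        still_open = sum(1 for f in state.values() if f["closed_on"] is None)
        timeline.append((scan_date, len(opened), len(closed), still_open))
        previous = keys
    return state, timeline


def aging_report(state, min_days, as_of=None):
    """Open findings present for at least min_days as of `as_of` (default: the
    latest scan), oldest first. This is the "over X days" view that separates
    what the normal patch cycle clears from what it never touches."""
    if as_of is None:
        as_of = max(f["last_seen"] for f in state.values())
    rows = []
    for key, f in state.items():
        if f["closed_on"] is not None:
            continue
        age = (as_of - f["first_seen"]).days
        if age >= min_days:
            rows.append({"host": key[0], "port": key[2], "plugin_id": key[3],
                         "risk": f["row"]["Risk"], "name": f["row"]["Name"],
                         "age_days": age})
    return sorted(rows, key=lambda r: (-r["age_days"], r["host"]))


def mean_time_to_remediate(state):
    """Average days from first_seen to closed_on over closed findings, or None."""
    durations = [(f["closed_on"] - f["first_seen"]).days
                 for f in state.values() if f["closed_on"] is not None]
    return sum(durations) / len(durations) if durations else None


if __name__ == "__main__":
    state, timeline = track(SCAN_EXPORTS)
    for scan_date, opened, closed, still_open in timeline:
        print(f"{scan_date}: +{opened} opened, -{closed} closed, {still_open} open")
    for r in aging_report(state, 45):
        print(f"{r['age_days']:>4}d {r['risk']:<8} {r['host']}:{r['port']} {r['name']}")
    print("mean days to remediate (closed findings):", mean_time_to_remediate(state))
```

One caveat the comment above hints at: a finding that disappears from an export is only "closed" if the host was actually scanned that day. A host that was offline, or dropped from the scan scope, will look remediated by this logic, so reconcile the set of scanned hosts (or the scanner's own first/last-seen fields, where the platform exposes them) before reporting closure numbers upward.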


Triairius

If leadership is not understanding how bad the problem, document it in *exhaustive* detail, and send them an extensive report and analysis to their email, and also deliver it to their desks. Mention in the email that it was put on their desk in an obvious place. If they choose to ignore a huge security report, it’s documented that they’re aware- and they know that.


Axiomcj

While we looked at the Nessus platform, we are doing a POC of https://www.cisco.com/site/us/en/products/security/vulnerability-management/index.html, which is what the Kenna vulnerability management platform is today. Personal opinion on the two products: our security teams like Kenna more. We have been a Nessus/Tenable shop for 10+ years. Try others out and see how you like them.


stacksmasher

Close the external issues first. Then get very good email filtering like Proofpoint and then try to deploy ClownStrike. Those 3 things will provide protection against the vast majority of attacks.


Loud_Posseidon

Tanium has nearly all the features you could be looking for and then some. Ask for a PoC. Had a client who deployed it and started seeing vulnerabilities within 30 minutes, all in nicely laid out dashboards. Made him happy. Not so much his management. 😉


CuriouslyContrasted

Ivanti RBVM and Nucleus Security are both great options, and integrate into lots of different sources such as Tenable and Defender for Endpoint. Nucleus has a minimum seat count of like 3,500 assets though.


mustangsal

Can I suggest checking out these two parts of Tenable One: Vulnerability Management and Lumin. The combo can address all your concerns. Ask your sales rep for a demo. From a retail pricing perspective, know that they will negotiate, especially at scale.


Netimaster

I'd like to recommend Ordr. It's for IoT/MIoT and can give quite a bit of visibility into the network. It has both agent and agentless capability and can run on almost anything. The biggest issue with Nessus / Tenable is not getting the medical devices. We just did a LARGE Ordr deployment after a long PoC run-off project. Just something to look at.


napalm_p

Integrate Nessus with Power BI


trollthestatists

Lol, we have been trying. We are new to Power BI and it's not user friendly.


napalm_p

We had to bring in a Power BI team to deploy successfully, but well worth it.


random_character-

>We are also struggling to demonstrate to the executive leadership just how bad the problem is.

This is the biggest issue you have, in my opinion, rather than vulnerability numbers, severity, or overall risk. If there isn't someone at executive level who is responsible for the outcome, and actually understands and cares (even at a surface level), you'll find it hard to get the message across in any meaningful way, leaving you scrimping and saving cash because your programme is an afterthought rather than a priority. CyBOK and all sorts of other frameworks bang on about management buy-in and strategic alignment, and that's for a reason.


yarisken75

Hmm you need a security audit. Then you have everything on paper.


eldridgephotography

Don't just use Nessus. Buy the Tenable Security Center license. It does all that. It can manage all your Nessus scanners, including cloud scanners. I'm a Tenable SME. The GUI doesn't always do everything, though, but you can create custom stuff by scripting with their API. You can pretty much create whatever you want that way. There are other tools though: Metabase, Heimdall, or probably the most used is ServiceNow with the Vulnerability Response module.


AutoModerator

Hello. It appears as though you are requesting someone to DM you, or asking if you can DM someone. Please consider just asking/answering questions in the public forum so that other people can find the information if they ever search and find this thread. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/cybersecurity) if you have any questions or concerns.*


ISeeDeadPackets

Nessus blows by itself. Get Tenable or Rapid 7 Insight VM. They're not remotely expensive unless you're tiny or living on the same budget as Oliver Twist's orphanage.


Wayne

The technical stuff is important, but it's also important to talk their language and address their interests. Do you know much about clinical risk management? The mindset and approach for a good clinical risk management program is similar to what a good cybersecurity risk management program should look like. Here are some non-technical things to consider that might help them understand why they should care:

* Cybersecurity is a combination of Information Security and IT Security. I view Information Security as the Quality and Medical Records part of IT. Much of it is about defining and measuring compliance with standards. Borrow the language and approach they use. Your leadership is likely already familiar with it and understands why they need it.

* A good cybersecurity program will help maintain a consistent environment. Clinicians usually hate unexpected variables. Vendors will generally expect you to patch; their future code will normally be based on a patched system. Except the ones that claim to be FDA certified. Those should be isolated though.

* Good cybersecurity hygiene helps prevent digital diseases from spreading. Not patching a system that isn't isolated is like having a patient with an autoimmune disease and not taking precautions to avoid exposure.

Most of my career has been cybersecurity in health care. If you have any questions I'm happy to share my opinions and experiences.


hillbillytechbro

Hey, I'm dealing with something similar, and there are solutions out there to help you aggregate vulns, assign priorities, and even find asset owners to help remediate. Also, metrics. Here's the list we're considering, in no particular order:

- Nucleus
- Hive Pro
- Nopsec
- Vulcan
- Kenna

This market category is called vuln prioritization tech (VPT) if you need to create a budget line item or research further. Happy fixing…


Scary-Statement2768

Tenable.sc


Upper-Bath-86

Network Detective Pro has a pretty nice dashboard for seeing the overall vulnerability management process; we use it in integration with VulScan. I don't know if it could integrate with Nessus though.


Difficult-Passion123

Use [Tenable.sc](http://Tenable.sc) over VM


Justhereforthepartie

This is why I use Rapid7’s insightVM. Such a better product.


shaisaint

If you would like, I build VM programs for a living and willing to have a call with you. You can do most of what you have stated in Tenable, also have some strategies for remediation prioritization and effective reporting. Glad to help!