Re: Best ROI Combination - Metasploit & Training

[Josh More <jmore () starmind org>]

I don't think Nessus and Nexpose is comparing apples and apples.   The full
Security Center compares more fairly to the full Nexpose line.

Personally, what I like about Nessus is that, when paired with Metasploit
community and a few other tools, I can cover 90% of what Nexpose +
Metasploit Pro gives me for a substantial reduction of the cost.  It takes
a bit more time perhaps, but I find that my understanding of what's truly
going on is greatly improved.  Then, when you add webby tools like
BurpSuite Pro, you can boost your capabilities beyond what Nexpose can do
(at least the last time I checked).

That's not to say, of course, that my way is right for everyone. It's just
that I've found that the advantages that tools like Nexpose and Core give a
team over their open source equivalents are generally useful for
experienced teams.  For inexperienced teams, I've more often found them
used as crutches that hinder the learning process and I think it's an awful
lot of money to pay for a disadvantage.  Given the success of those tools
in the market, it may well be that my experiences are in the minority.

In case it helps anyone else, my paid tools are Nessus, BurpSuite Pro and
Maltego. Everything else I use is free and open source.  This works well
until that approach gives you full coverage (which takes a long time for
smaller / less mature organizations), then the more expensive tools can
accelerate your approach or give you a wider range of coverage.

-Josh More

On Tue, Dec 11, 2012 at 9:10 AM, Arch Angel <arch3angel () gmail com> wrote:

> Honestly Albert, I can't say that I have a legitment "reason" per say.  I
> have found, in my experience, to get the full benefit of Nessus you really
> need Security Center and the other products, but in general that's not a
> real reason, just a personal opinion.  I have just seen NexPose as a better
> product over all, in look, feel, and acurancy.  However, again this is just
> my opinion I really don't have a reason outside personal preference I guess.
>
> I'm not opposed to diving deeper into Nessus and learning the advanatges
> or capabilities though.
>
> Robert
> (arch3angel)
>
> On Tue, Dec 11, 2012 at 9:51 AM, Albert R. Campa <abcampa () gmail com>wrote:
>
> > stand alone Nessus does integrate with Qradar.
> >
> > I really like Nessus as a scanner and also as you say, using audit files.
> >
> > SANS training like 560 or 542 are both good, offsec training is great as
> > well.
> >
> > im interested to know why you dont like Nessus as a vulnerability scanner?
> >
> >
> > On Mon, Dec 10, 2012 at 6:37 PM, Arch Angel <arch3angel () gmail com> wrote:
> >
> > > I would like to thank everyone for the advice and suggestions, it is
> > > truly appreciated and welcomed!
> > >
> > > I cannot go into detail as to the company or the status but I can say
> > > that in my region we are looking to build a ground up program and are under
> > > Visa, MasterCard, Discover, and ISO guidelines / requirements.  We
> > > currently have Nessus, which till I walked in had not even been installed.
> > >  As a matter of fact I asked which machine it was on, the reply was "Well
> > > we couldn't get it licensed because it would have required a firewall
> > > change and that's a hassle so we just never installed it".  Needless to say
> > > it is installed and I'm working through the trials and tribulations of red
> > > tape to get it to do more for us than host discovery.  That being said I
> > > absolutely love Nessus but not as a vulnerability scanner.  I like it
> > > automating configuration checks, custom audit files, checking Active
> > > Directory items, etc..  I prefer NexPose for vulnerability and NexPose
> > > seamlessly integrates with Q1 Labs, QRadar SIEM, which I am not sure Nessus
> > > does.  QRadar is coming down the pipe from corporate before too long.
> > >
> > > I also prefer to invest in good people rather than tools which, as
> > > mention above, have a tendency to sit in the virtual bookshelf collecting
> > > virtual dust if the people don't know how to use them. This may end up
> > > being answered based on $$$ over the 2013 calendar year.  Unfortunately I
> > > was not part of the 2013 budget plans, so it may end up being nothing till
> > > 2014 :-(
> > >
> > > For example, I am in the process of building a wireless auditing program
> > > based on Kismet, and off the shelf hardware.  This is actually working
> > > quite well so far during testing!
> > >
> > > --
> > >
> > > Thank you,
> > >
> > > Robert Miller
> > > http://www.armoredpackets.com
> > >
> > > Twitter: @arch3angel
> > >
> > >
> > > ______________________________**_________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/**cgi-bin/mailman/listinfo/**pauldotcom<http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom>
> > > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com