Wanted to add some things to think about, as well as add to teiva-boy’s post.
External Scans
A CCS VM scan engine can be deployed outside an organization's perimeter so the external-facing IPs can be scanned. There is also a service available to have a scan engine hosted in an external datacenter that you access via a web portal, scan your external IPs, and have the results shipped back into your Management Console so they can be viewed with your internal scan results.
Vulnerability Data
Looking at Tenable's website, they are touting "a world renowned research team" and "the largest vulnerability knowledge base possible". If you Google "largest vulnerability database", several other vendors make this same claim (App Security, Hosting Armor, even Google is noted to be one of the largest vulnerability databases in the world).
Symantec's Global Intelligence Network (GIN) is comprised of 11 Security Response Centers, over 240k threat activity sensors, honeynets, 2.5 million decoy email accounts, and data from our Managed Security Service enterprise customers and 150 million+ consumer customers. CCS VM, as well as several other solutions, takes advantage of this data.
CCS VM utilizes the Symantec GIN as well as cross-links dozens of external databases that provide patches, downloads, references and additional information about the security weaknesses in systems including but not limited to CERT, SANS, CVE, Secunia, Telus Security Labs (formerly Assurent) and vendor channels/partnerships such as Microsoft, Oracle and IBM. CCS VM has a dedicated staff of engineers who create new vulnerability definitions from the raw data available through these outlets. To me, this is of huge importance. IMO, the best intel is necessary to result in the best chance at detecting threats.
Additionally, when CCS VM detects a vulnerability that is exploitable, a link to the Metasploit database is provided for a detailed description of the exploit.
Cost
I keep seeing that Nessus is much cheaper than CCS VM, but I'm not sure how accurate that is (I'm not in Sales btw). According to Tenable's website, "each Tenable Nessus ProfessionalFeed costs $1,200 per year per Nessus scanner". CCS VM does not charge for Scan Engines, just for the IPs that you are going to run assessments on.
Integration
A strength of CCS VM over Nessus is that it is a module of a complete IT Governance, Risk and Compliance solution. VA evaluation data is paired with Standards Manager evaluation data to provide a true risk & compliance view of an asset. VA activities can be mapped to multiple regulations, mandates, frameworks, or corporate policies to show adherence to/coverage of them, and to put some automation into reporting for those activities.
Market research
The April 2011 Gartner MarketScope rated CCS VM (Rapid7) a Strong Positive, over Tenable, which was rated Positive.