RE: Tenable's license changes (and why the license changed)

[Ron Gula <rgula_at_tenablesecurity.com>]

Renaud responded to some of this already.

At 03:50 AM 1/23/2005, Robert Keith wrote:

> >So now, having seen a slightly larger part of the pictures, please, oh
> >please, give me your magical recipe to continue improving Nessus and
> >writing better plugins while :
> >
> > - not helping these guys as much as a full GPL feed would  ;
> > - avoiding to hurt most of the Nessus users ;
> > - making sure this developement makes sense for us commercially ;
>
> I am reticent to question Tenable's business model or even give advice,
> being an outsider, but I will give it a shot anyway.
>
> The current plugin model (as described on this email thread and the licenses
> published), does not allow for reselling Tenable's plugin feed.

This is on purpose. We do not want to enable someone to package a Nessus
based solution, including a direct feed and then present this complete
solutions as a 'product'.  There is a big difference between reselling
something and an for formal product relationship named "OEM".

> I am a consultant, and do install Nessus at client locations.

Great. They can use the registered feed for free. If they choose to buy
a direct feed for $1200, that is up to them. If the issue is that you
wish you could make a percentage on the sale of Nessus, then a) you are
not a consultant, you are a reseller, and b) you could probably make more
money reselling Tenable products, especially NeWT Pro (only $6000 for an
unlimited licenses) and NeVO (compatible with Nessus reports, and produces
the same results but the data is obtained through sniffing).

> Tenable's new
> requirement of paying for the plugin feed would  work well for me, since
> this would allow me to provide a higher level, guaranteed service by  a
> professional firm (Tenable) instead of relying on a GPL feed.

This is accurate. If you purchase a feed, you can take it anywhere with
you to do your job.

> I have always
> told clients that Nessus was the system under the hood - though most
> corporations do not know of Nessus; they just rely on my competance.

There is no requirement to tell people you use Nessus. If your clients are
not that security/unix savvy, I would highly recommend them to check out
the NeWT scanner.

>    Unfortunately, as I understand the current license, if I were to install
> Nessus, and  desire the up-to-date feed, I will have to have the client
> order the feed directly from  Tenable.

This is accurate.

> This is an unnecessary complexity,
> and hampers propegating the Tenable plugin feed  product.

If my assumption is that you are a reseller, and not a consultant, then,
depending on the discount, you may make a few hundred dollars off of a
transaction like this.

If you are selling an appliance with Nessus configured by your services,
then this is actually a product and is *exactly* why we don't resell the
direct feed.

And lastly, purchasing a $1200 item is not complex. We accept credit
cards, checks, .etc.

> I would rather
> order the feed from Tenable, then provide this to clients directly, paying
> Tenable a fee for every Nessus implementation.

You could do this with Lightning or NeWT. Each of those products comes
with the latest updates of the plugins (the direct feed). If the customers
are really dieing to get their hands on the direct plugn feed, they can
purchase it for $1200.

We have also looked at selling a commercial version of Nessus, perhaps
software, perhaps hardware, but the end cost would be more in line with
NeWT and and $1200.

>    If I am wrong on this restriction, please let me know, but Tenable have
> said this is how  the license works.

I may have misinterpreted some of the items you have raised, but judging
from the off-line emails we've received, most folks on the list are enjoying
this exchange.

> About trying to stop competitors from using Nessus and the Tenable plugins,
> I do not  understand why these competitors are a problem.

Some of these companies have had a 2-3 year head start on Tenable and have
also spent considerable amounts of dollars on marketing.

> Why not charge
> each of these security  vendors $1200.00/year for each product they sell.

They won't pay, we've tried.

> The potential market for Vulnerability  Assessment is HUGE.  Every company
> (small and large) SHOULD be using a VA product.   Companies not running VA
> are seriously vulnerable and inept.

It is much more complex than that. Consider Still Secure's cheapest product
which comes in around ~$2000. Asking them to pay $1200 hurts their business
model.

Some many people have taken Nessus and charged for scans, scanners, users,
updates, different horsepower appliances, .etc that we can't have a consistent
way to charge for this.

> If there are really 1000s of companies using Nessus under the hood, this is
> an incredibly  large market.  If PreditorWatch.com sells 100 boxes, this
> would be $120,000.00 revenue for  Tenable each and every year.

Unfortunately, PredatorWatch's cheapest box is around $1000.

> If
> PreditorWatch is successful, and has a sells 100 units each  year,  the
> revenue for Tenable is $600,000.00/year in five years.

Your math is correct, but the money is not there on the side of these smaller
companies.

> I doubt that there are 1000s of substantial companies with Nessus enbedded,
> but it only  takes a dozen or two to make real revenue.

We feel there are about 50 companies that use Nessus in their *products* that
are major, "you've seen them at SANS" or they have been reviewed in a 
magazine.

There are several hundred MSPs which sell an 'appliance' based on Nessus which
is part of the service.

There are several SIM vendors that are about to ship Nessus in their products.

There are at least 10 vendors which use Nessus to pre-scan a host before
allowing it to connect to the network.

The list goes on.


> Tenable seems to want to eliminate this competition.  I am guessing that
> Tenable does not  see this plugin subscription revenue as substantial, and
> will make more revenue selling  their commercial products directly to the
> enterprise marketplace.  This assumes that the  revenue that Tenable would
> miss, which would go to a Nessus knockoff competitor (minus the  Tenable
> plugin fee), is greater than the subscript fees from hundreds of Nessus
> knockoff  products.  Tenable probably knows best here, but...

Yeah, we can't comment here. I will comment on MySQL though. They sell
a commercial database product. However, very large companies spend millions
with them for a commercial license. My guess is that it is more efficient for
MySQL to engage larger vendors who can afford a license rather than dealing
with 1000s of $500 customers. Since we just made the change this month,
any comments I make about the revenue are

> In my limited experience selling to the enterprise market, each sale
> requires effort.  Sales  people have to get through the door, they have to
> educate the enterprise that VA is a good  thing, then talk them into a
> product which has a tendancy to increase the IT staff's  efforts, since
> knowledge of vunerabilities adds to their work since they are then required
> to fix their problems.  (Ignorance is bliss to many IT departments).   Is
> Tenable really  going to be able to completely cover the entire world with
> sales people, and beat out the  well established companies in this market?

Our business model is much more than vulnerability scanning. We have a lot
of people using NeWT for free right now. We could charge for it, but we're
not focused on commodity products. We're an enterprise security company.

> (Symantec,  ISS,  FoundStone,  Qualys, ...)
>    Tenable does have a chance if they were to encourage embedding
> Nessus/Tenable  technologies into other products.  This would be a world
> wide opportunity.

There's 100s of paths we could take. I'm really comfortable with the one
we are on.

>    Imagion hundreds of companies, each running embedded Tenable technology,
> each with their  own market focus, each with different implementations which
> appeal to different audiences.

Yeah. This is an OEM model much like Kaspersky. There is a difference between
building brand and trying to be everything to everyone.

> Can Tenable really create Newt/Lighting like products which work well with
> (for example):
>   - Medical communities

Tenable has lots of university, health care & R&D companies that use our
products, and Nessus is used in more wider communities.

>   - Small enterprises with no IT support (law offices, credit unions, ...)

This is why we did NeWT and don't charge for it.

>   - Foreign markets

We have an OEM strategy that is not publicized.

>   - Government agencies

Yep, we have lots of government customers too.

>   - Appliance applications (large and small)

We have chosen not to OEM or resell Tenable's software to appliance vendors
at this time. We may act on those opportunities.

>   - Managed Service Providers

Yep, we have lots of those to.

>   - Consulting firms (KPMG, Price Waterhouse, small guys, ...)

We're building relations with those types of guys now. A lot of
those folks already use Nessus, but once they discovered NeWT and
NeVO they were more interested in using those techonologies.

>   - Integrate with HP Openview, Tivoli, eSecurity, Trouble Ticketing
> systems, etc.

Integration means lots of things. Most of this will come from our
Lightning Console and not Nessus.

> It seems to me that partnering with the product vendors, which create a
> Nessus+ product,  would scale very well, and would be an excellent business
> model.  Each of these business  partners would handle the burden of creating
> web sites, supporting sales teams around the  world, build and support
> product user communities.  This burden is quite expensive, but the  Tenable
> portion of supplying the embedded technology would be the same burden for
> Tenable as  is already being provided - at no cost.

Thanks for your thoughts here, we do this sort of thing at Tenable right
now.

> As for competition for the commercial Tenable products, Tenable products
> should compete based  on product and business competance.  This will be the
> case with or without Nessus knockoff  competitors.  Newt/Lightning Console
> may beat out the competition in their particular  market, but there are
> other markets, and if these are not covered by Tenable and the  commercial
> plugin feed, these markets will be covered by other companies, and Tenable
> will be left out of these market opportunities.  Tenable would be leaving
> money on the table.

Sure. This is the case no matter what business model you chose. We've had
a lot of folks come to us and say, how about a version of Lightning that
does this? or runs on Solaris? or only checks for access control violations?
My response has always been, if there is a business case for it, lets do it.

*However* there is a business case for Tenable offering managed services and
consulting. Clearly there are 1000s of folks in your situation so there must
be some money in it. Tenable is leaving considerable amounts of money 'on
the table" as you say by not offering scanning or consulting. The argument
that we should make money in all possible business practices is not a valid
one.

> My best case scenerio is a healthy Tenable/Nessus, providing the excellent
> service they  already provide, while paying the Tenable staff so much that
> they never leave.

I'd like to think this is the case now. Previous to Tenable becoming involved
with Nessus though, there was not to much concern for the future of Nessus.

> OK, so my magical recipe for
> > - not helping these guys as much as a full GPL feed would  ;
> > - avoiding to hurt most of the Nessus users ;
> > - making sure this developement makes sense for us commercially ;
>
> 1.  Encourage these knockoff guys with a special license ($1200/mo.?) for
> every product they  sell.  Get Nessus/Tenable technologies embedded
> everywhere.  Tenables real competition is  the big guys recently entering
> this market (Symantec, etc.).  Reserve the right to audit these partnerships
> to guarantee compliance.

They don't sell enough to warrant a license and Tenable's technology
competes directly with the products these guys have developed.

> 2.  Provide the feed (minus 7 days) to everyone else (as you have already
> done), but make  this license for end-users of Nessus only.  Nessus+
> knockoffs have to use #1.

This is what we have done.

> 3.  Consider a free up-to-date feed to non-commercial use, education,
> non-profit, etc.  This is a  good-will and further propegates Nessus/Tenable
> products.  A common practice today.

This is very difficult to enforce. We've basically said that if you are
a non-profit, educational or what ever (i.e. NO BUDGET) we are giving you
the following things FOR FREE:

- easy to use windows based scanner for 'class c' networks that is 7
  days behind the 'latest' vulnerabilities.
- UNIX based, compile yourself unlimited scanners that is also 7 days
  behind the 'latest' vulnerabilities.

For several 1000s of organizations, this free offering is entirely
acceptable and the cost of $1200 to upgrade to the latest vulns is
also very acceptable to many others.

Ron Gula, CTO
Tenable Network Security