• July 12, 2021
  • Dave Farquhar

The struggle is real…

All of the major scanning vendors have particular strengths, but asset tracking isn’t one of them. There are workarounds in some cases — but if you’re using any of the three most popular network vulnerability scanning tools, there’s a good chance you struggle with asset tracking.

Why Merging is Hard

Computers move around a lot on the network. Laptops have both wired and wireless network interfaces, so that’s at least two IP addresses. Servers often have multiple network cards, for various reasons, and each network card has its own IP address. Network devices often have a multitude of IP addresses as well.

For these reasons alone, you can get a lot of asset duplication on your network.

Making matters worse, many organizations run both agent and network scans – and may even do both an authenticated and unauthenticated network scan – to get every possible perspective. Auditors sometimes insist on this. The scanners’ asset tracking depends on authentication. Generally the scanner writes a UUID to each system the first time it finds it, and then reads the UUID back on each subsequent scan. This gets around the multiple IP address problem. But if the scanner doesn’t authenticate, it doesn’t see the UUID.

And if you rebuild a system, you lose the scanner-assigned UUID, which creates another duplicate asset. Or worse yet, another set of duplicate assets. Your infrastructure team can avoid this by saving and restoring the registry key or file where your scanner stores its UUID, but the team has to remember to do this. If they rebuild systems every month in lieu of patching, it’s easy to forget one or more systems, and they only have to make the mistake once.

The perception problem is huge. There’s a question of how many times each vulnerability gets counted, and how many of those duplicates get closed. No matter who made the mistake that led to the miscount, the VM team is expected to figure it out.

If you only ever run authenticated scans and you configure your scanners to be allowed to use tracking UUIDs, you can mostly solve this issue. But if you have a contractual or regulatory requirement for both authenticated and unauthenticated scans, it’s virtually impossible to eliminate the duplication in your scanner. Even if you don’t intentionally perform unauthenticated scans, sometimes your network-based authentication fails. In that case, you get unauthenticated results even when you don’t want them. And then you get duplicate assets you don’t want. In large enterprises, a 95% authentication success rate is rather good. But that means five percent of your assets could be duplicates.

The result is that even when everything works as well as it can, you’ll very easily end up arguing about math instead of talking about fixing vulnerabilities.

This is where Nucleus can help.

Multiple Options for Asset Merging in Nucleus

Nucleus was by no means the first company to try to solve this problem. But there is no one-size-fits-all solution. Nucleus will always use the scanner-assigned asset UUID for matching as its first criterion. This works extremely well. But when there’s no UUID available to use, Nucleus can substitute other options.

If you want an easy button, you can set your Nucleus project to track by hostname. This works well in many environments.

If that doesn’t fully solve your problem, our asset removal rules can help both this and the related issue of decommissioned assets. You can set up rules to either deactivate assets (recommended, as this preserves the history if the asset ever comes back) or remove them entirely. In either case, vulnerabilities associated with either a removed or deactivated asset no longer count toward your total or your risk score.

And if you still have the occasional stray asset after setting those rules up, we give you the option to clean them up by hand. This is a feature most vulnerability management tools lack. To merge assets manually, just check the assets you want to merge and pick the merge assets option from the Actions menu. For more information, visit this help page.

It’s possible in large enterprises for the DNS servers to not be fully in sync, which can cause inconsistent asset names during scans, especially unauthenticated scans where the scanner has to rely on DNS rather than asking the host directly for its name. This is an unusual condition and it’s probably not possible to write asset processing rules to handle it, so Nucleus gives you a way to fix it by hand.
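To make the duplication problem and the matching order above concrete, here is an added example (written for this post, not Nucleus code and not any scanner’s output) that merges a constructed set of findings the way the post describes: scanner UUID first, hostname as the fallback for unauthenticated findings that carry no UUID, and a removal rule that deactivates assets not seen within a window. The sample reproduces the three cases from the post: a laptop seen on two IPs plus an unauthenticated pass, a server rebuilt with a fresh UUID (which stays a separate asset until the removal rule deactivates the old one), and a decommissioned host; the vulnerability IDs and hostnames are placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Asset:
    key: str
    ips: set = field(default_factory=set)
    vulns: set = field(default_factory=set)
    last_seen: date = date.min
    active: bool = True

# Constructed sample findings (not real scanner output): a laptop seen by an agent, by
# authenticated scans of both IPs and by an unauthenticated scan (no UUID); a rebuilt server; a retired host.
RAW = [
    dict(uuid="u-1", hostname="lap01", ip="10.0.1.5", last_seen=date(2021, 7, 10), vulns={"v1", "v2"}),
    dict(uuid="u-1", hostname="lap01", ip="10.0.2.8", last_seen=date(2021, 7, 11), vulns={"v1"}),
    dict(uuid=None,  hostname="lap01", ip="10.0.2.8", last_seen=date(2021, 7, 11), vulns={"v1"}),
    dict(uuid="u-2", hostname="srv01", ip="10.0.5.1", last_seen=date(2021, 5, 1),  vulns={"v3"}),
    dict(uuid="u-3", hostname="srv01", ip="10.0.5.1", last_seen=date(2021, 7, 11), vulns={"v3"}),
    dict(uuid="u-9", hostname="old01", ip="10.0.9.9", last_seen=date(2021, 3, 1),  vulns={"v4"}),
]
AS_OF = date(2021, 7, 12)  # constructed "today" for the sample

def merge_assets(results, track_by_hostname=True):
    # UUID first; hostname fallback (if enabled) for UUID-less findings; else IP (one asset per interface).
    assets, by_host = {}, {}
    # UUID-bearing findings first, so UUID-less ones can join an existing asset.
    for r in sorted(results, key=lambda r: r["uuid"] is None):
        if r["uuid"]:
            key = "uuid:" + r["uuid"]
        elif track_by_hostname:
            key = by_host.get(r["hostname"], "host:" + r["hostname"])
        else:
            key = "ip:" + r["ip"]
        a = assets.setdefault(key, Asset(key))
        a.ips.add(r["ip"]); a.vulns |= r["vulns"]
        a.last_seen = max(a.last_seen, r["last_seen"])
        by_host.setdefault(r["hostname"], key)
    return assets

def apply_removal_rule(assets, as_of=AS_OF, max_age_days=30):
    # Deactivate rather than delete: history survives, vulnerabilities stop counting.
    cutoff = as_of - timedelta(days=max_age_days)
    for a in assets.values():
        a.active = a.last_seen >= cutoff
    return sum(a.active for a in assets.values())

def open_vuln_count(assets):
    # Vulnerabilities on active assets only, i.e. the number to put on the dashboard.
    return sum(len(a.vulns) for a in assets.values() if a.active)
```

Summing the raw findings reports 7 vulnerabilities; after merging and the removal rule the same data yields 3, and disabling hostname tracking leaves the unauthenticated pass as its own asset and reports 4.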

Why Asset Merging is Important

Asset merging is critical to your vulnerability management program’s success because it eliminates the double counting of vulnerabilities. If you’re overstating your vulnerability count, you’re also overstating your risk. And nothing is worse for cross-team collaboration than the perception that one of the parties is overstating the problem they need to solve.

By merging and deduplicating your assets and their associated vulnerabilities, Nucleus helps you get a true count of the number of vulnerabilities and their associated risk over time. Our scanning partners do a good job of identifying the vulnerabilities in your network, but when the counts are inflated, the trends on their dashboards and reports will be wrong. That leads to a perception that the data is inaccurate, and nothing paralyzes a VM program faster than perceived inaccuracy.

You can overcome this by only showing the authenticated scan results on your dashboard or reports and deleting assets that haven’t been seen after some agreed-upon period of time, but not every vulnerability scanner has this capability.

By eliminating the double counts, you can overcome the objection, cut down on the noise, and then your remediation teams can work more effectively knowing their efforts are being measured with fairness and accuracy. Auditors like this too, since the rules are right there in the open where you can show them, rather than being hidden in the background.