High-level overview of assessments in RiskSense.
Assessments in RiskSense provide the time-based component to many of the platform’s features. Assessments can be thought of as representing a scan window, snapshot, or cadence. For example, let us say that you conduct vulnerability scans of your infrastructure on a monthly basis, and it takes six separate scans to cover all nodes and subnets of the environment each month. In that scenario, a single monthly assessment would be created, into which the six scans from that month would be uploaded.
This set of monthly assessment containers then allow for easy identification of assets and scanner findings that did or did not appear in that month (or day/week/quarter, depending on your typical scanning cadence) by filtering against assessments. RiskSense provides both inclusion and exclusion-based filtering, allowing for not just filtered results showing all vulnerabilities which were picked up in last month’s assessment but for notable datasets such as identifying all assets that have not appeared in any assessments from 2020 as well.
Because applying filters based on assessments can address many use cases, it is recommended that a standard, descriptive assessment naming convention be used. An assessment named “July 2020 Internal and DMZ credentialed scans” may give greater insight into what was scanned during that period as compared to assessments named “workstations” or “January”.
Along with providing time-based analytics, assessments also facilitate Update Remediation by Assessment (URbA). URbA compares the last two assessments in which a given asset has been fingerprinted by a scanner. If a vulnerability was found in an earlier assessment containing record of the given asset and a subsequent assessment no longer shows that vulnerability on the asset, URbA marks that vulnerability as Closed. Likewise, if a vulnerability was manually marked as Closed by a user via the RiskSense Remediation Workflows feature or by a previous Update Remediation by Assessment invocation but is found by the scanner under a newer assessment, URbA will re-work the vulnerability and move it back to an Open status.
Because the URbA comparison is made at the assessment level, it is suggested that new assessments be created and used whenever updated scan results are ready to be ingested into RiskSense. Taking a new scan and uploading it into an older assessment gives URbA no new results to compare against, preventing the Platform from displaying quick and easy credit for your team’s remediation efforts.