Asset Identification for Deduplication

A high-level overview of asset identification for deduplication within RiskSense.

Overview

With cloud- and agent-based scanning on the rise, assets will no longer be unique based on IP addresses or hostnames. Other sets of parameters or attributes uniquely identify an asset.

Currently, RiskSense has IP- and host-based networks for achieving an asset's uniqueness based on IP addresses and hostnames, respectively. To accommodate other attributes such as cloud identifiers, MAC address, and other scanner-specific fields, a new set of rules or order of precedence has been introduced along with a new MIXED network type. Using this network type, users can choose their custom order for de-duplication and identifying an asset.

Default Asset Identification Order for De-Duplication

In the MIXED network mode, users have privileges to choose the asset identification order and can decide which field will uniquely identify an asset. The MIXED network mode solves most asset duplication issues.

Below is the default order of preference (high to low) given to the asset identifier to assess if an asset already exists in the environment.

Hosts

The following is the default order of precedence for hosts:

  1. EC2 Identifier
  2. NetBIOS
  3. IP Address
  4. Hostname
  5. FQDN
  6. DNS
  7. MAC Address
  8. Scanner Specific Fields (e.g., Qualys Asset Id, Tenable UUID, etc. These fields are specific to each scanner.)

Applications

The following is the default order of precedence for applications:

  1. Application URL
  2. Asset Name
  3. Scanner Specific Fields

When assets are processed, RiskSense starts at the top of the list with item number one. If there is a value in that field, it compares the value to all existing assets in RiskSense within the network. If it finds a match, it merges the assets and shows information related to both of them. If a match is not found, RiskSense creates a new asset. When it finds a match for the first field, it uses that field for asset identification; other fields are still captured and displayed as asset information.
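The matching pass described above, sketched as an added example (not RiskSense code). The field keys, the `corp-net` network name, the case-insensitive comparison and the reading that only the first populated field decides the match are assumptions. It also shows how a custom order changes which records merge.

```python
# Added illustration; not RiskSense code. Field keys are hypothetical names
# for the host identifiers listed in the default order above.
DEFAULT_HOST_ORDER = ["ec2_id", "netbios", "ip", "hostname", "fqdn", "dns", "mac", "scanner_id"]


def pick_identifier(record, order):
    """Return (field, value) for the first populated field in precedence order."""
    for field in order:
        value = record.get(field)
        if value:
            return field, str(value).strip().lower()  # assumption: case-insensitive match
    return None, None


def ingest(inventory, network, record, order=DEFAULT_HOST_ORDER):
    """Merge record into a matching asset in the same network, or create one.

    inventory maps (network, field, value) -> asset dict.
    Assumption: only the first populated field decides the match.
    """
    field, value = pick_identifier(record, order)
    if field is None:
        raise ValueError("record has no usable identifier")
    key = (network, field, value)
    asset = inventory.get(key)
    if asset is None:
        # No match: create a new asset and remember what identified it.
        asset = {"identified_by": field, "identifier": value, "attrs": {}, "sources": []}
        inventory[key] = asset
    # Other fields are still captured as asset information.
    for k, v in record.items():
        if k != "scanner" and v:
            asset["attrs"].setdefault(k, set()).add(v)
    asset["sources"].append(record.get("scanner", "unknown"))
    return asset


def demo(order=DEFAULT_HOST_ORDER):
    # Constructed sample records: one host seen by two scanners, then a different host on the same IP.
    records = [
        {"scanner": "scanner-a", "netbios": "FILESRV01", "ip": "10.0.0.5"},
        {"scanner": "scanner-b", "netbios": "filesrv01", "ip": "10.0.0.5", "mac": "00:11:22:33:44:55"},
        {"scanner": "scanner-a", "netbios": "HR-LAPTOP7", "ip": "10.0.0.5"},
    ]
    inventory = {}
    for rec in records:
        ingest(inventory, "corp-net", rec, order)
    return inventory
```

With the default order, `demo()` yields two assets identified by NetBIOS; `demo(["ip", "netbios"])` merges all three records into one asset identified by IP address.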

How to Change Default Order to Custom Order Asset Identification

Users can change the order of precedence on an as-needed basis. Any modifications to the existing precedence must be done by contacting RiskSense support.

Customers can have three levels of custom order precedence:

  • Scanner Level: The user can choose custom precedence for scanners across their uploads.
  • Client Level: The user can choose custom precedence across their clients or make it unique for each client.
  • Network Level: The user can choose to customize the precedence even at the network level. For example, a client can maintain two different orders of precedence for the same scanner and the same client but on different networks.

All of these changes must be done by contacting RiskSense support. Don't hesitate to get in touch with us for more information on customization and order of precedence.

Asset Identifier Visualization in RiskSense

Custom columns have been introduced in both the Hosts and Applications list views. To enable them, navigate to the list view's settings and enable the Asset Identifier and Asset Identified By columns.

Deduplication - New Columns

These columns are defined below.

  • Asset Identified By: The identifier field that makes an asset unique or the field used for asset identification based on precedence order.
  • Asset Identifier: The value of the field identified.

Deduplication - New Columns in List View

Note: The list view will always show the first identified values for Asset Identifier and Asset Identified By. The latest information on the identification is available in the detail pane. In this example, the asset is identified by NETBIOS. The other asset identifiers are available in the detail pane under the Scanner Specific Information > Asset Identification section.

The Scanner Specific Information section in the detail pane displays the list of attributes that uniquely identify an asset.

Deduplication - Host Detail Pane

If an asset has been identified by more than one scanner, this section shows details related to the other scanners.