High-level overview of the Metric Exclusion feature in RiskSense.
What is Metric Exclusion?
In the RiskSense platform, every asset ingested into your organization’s client receives a RiskSense Security Score (RS³) to quantify its security posture based on the asset’s constituent vulnerabilities. However, there is an exception to this: if an asset is ingested into the platform and it contains exactly zero vulnerabilities (open or closed), it is exempt from receiving an RS³. This is known as Metric Exclusion. When an asset is Metric Excluded, it is assigned an RS³ of N/A in the Hosts or Applications views and does not contribute to your organization’s overall RS³ or to any associated group RS³s.
Note: An asset with zero vulnerabilities on it is distinctly different from a perfectly secure asset. The former is an asset for which RiskSense has no additional information on its vulnerability status, and thus we are unable to properly assess its risk, leading to the lack of score. The latter is an asset that contains only closed vulnerabilities, i.e., vulnerabilities that have all been remediated, risk-accepted, or marked as false-positive; therefore, we can say with confidence that the asset poses no risk (aside from any accepted risk) to your organization.
When is an asset Metric Excluded?
Metric Exclusion happens automatically upon ingestion of scan data. When a new set of assets is ingested via manual upload or connector integration, RiskSense identifies all assets to which exactly zero vulnerabilities have been mapped. The property of Metric Exclude RS³ is then applied, with an accompanying Metric Exclude Reason: “No open or closed findings exist for this asset.” Filters are available for both the Metric Exclude and Metric Exclude Reason properties on the Hosts and Applications pages so that users can easily identify these assets.
If a future data ingestion associates new findings with a previously Metric Excluded asset, that asset’s status of exclusion is removed, and it automatically receives an RS³ as normal based on the ingested findings.
How do I manually override Metric Exclusion?
Suppose an asset ingested into your organization’s client has been automatically Metric Excluded, but you wish for that asset to be included and receive an RS³ as normal. To achieve this, users with the Host/Application Modify IAM privilege may initiate a Metric Exclude Override action on the chosen asset(s) from the More drop-down menu on the Hosts and Applications pages. This action removes the property of Metric Exclude RS³ and the associated Reason from the asset and triggers a standard RS³ calculation for the asset. Note that since such an asset contains exactly zero vulnerabilities, the RS³ scoring engine treats this situation as though the risk from findings is zero, which results in a perfect asset RS³ of 850. This score will contribute to your organization’s overall RS³ as well as any associated group RS³s.
When a Metric Exclude Override has occurred on an asset, a set of visual indicators is added to the appropriate row entry in the Hosts or Applications list views. These indicators include an icon beside the asset’s RS³ and information in the detail pane, both of which display the name of the user who initiated the override and the date on which it was completed.
If a user wishes to undo the action of Metric Exclude Override for an asset and revert the status back to its initial state of exclusion, a Metric Exclude Reset action can be initiated on such an asset. This action is also available to users with the Host/Application Modify IAM privilege from the More drop-down menu on the Hosts and Applications pages. When executed, this action resets the Metric Exclude RS³ and Reason properties of the asset to their initial state, and the asset’s RS³ reverts to N/A and no longer contributes to the organizational or group RS³s. In addition, visual indicators like those of the Override action have been added to the respective list views to indicate the initiating user and date of the Reset action.