Decommissioned Assets and their Vulnerabilities

Suggestions for addressing assets, and their findings, that were identified in previous assessments but have since been removed from the environment.

Due to the ever-changing nature of risk management and IT infrastructure, it is common for users to see assets in their RiskSense platform client that were ingested under assessments from several months or years in the past but have since been decommissioned or otherwise removed from the environment.

If no action is taken to account for these older applications and hosts, those assets will remain within the platform, and their open vulnerabilities will continue to impact your RiskSense Security Score. As the decommissioning of assets is certainly a valid risk and threat remediation strategy, this article offers two options for addressing old or stale scan data.

Before we describe the methods for addressing historical assets and finding data, a brief overview of how to identify decommissioned assets may be helpful. If your organization uses asset management or CMDB systems to maintain inventory, those tools can be an excellent resource for highlighting nodes or applications that are no longer 'live.' The CMDB-derived list can then be checked against assets housed within RiskSense.

In situations where the identification of now-decommissioned assets must be performed within RiskSense, the platform's date-based filtering options within the Manage > Applications or Manage > Hosts list views can be leveraged to quickly surface those assets which have not appeared in recent vulnerability assessments. If your criterion for identifying decommissioned assets is as simple as "any host or application which has not been included in a scan uploaded into RiskSense over the past 120 days", a single filter in the Applications or Hosts list views of "Last Ingested On / is not / last X days / 120" will return that dataset.

Decommissioned Assets - Filter

Once the old or stale assets have been identified, the two most common ways forward are either deleting the assets or using a 'Decommissioned' RiskSense group. Users whose platform roles grant the Application Control or Host Control privilege have access to the Delete option found within the More toolbar menu of the Manage > Applications or Manage > Hosts list views. Deleting an asset will remove the asset record itself, along with any scanner finding ever attributed to that host or application. It will be as if that asset never existed within RiskSense.

If you prefer to keep the asset and its scanner findings for historical or audit-related reasons, an alternative to outright deletion would be creating and using a “Decom” group. This option leverages RiskSense groups' function as a security boundary. In simple terms, if a user is not a member of any groups to which an asset is assigned, that asset and its findings will not be visible to the user within any RiskSense dashboards, list views, or filters. Those now 'hidden' assets and findings will have no impact on the overall RS³ calculation for that user.

As the old hosts or applications are identified, any user granted the Group Assignment Control privilege can add those assets to the "Decom" group and then remove them from their original groups, using the respective functions located under the More toolbar menu item of the Hosts or Applications list view. It is essential to both add the assets to the Decom group and remove them from any other groups so that the assets only belong to Decom. This action ensures that the old assets do not appear in the platform or impact users' metrics.

The last step in the process is to navigate to the Organize > Groups list view and leverage the Assign to Users toolbar option to remove the user(s) from that Decom group. As long as the assets only belong to the Decom group and your user is not assigned to that group, the assets and their findings are effectively hidden from any views and are not incorporated into any counts or calculations. As more assets are identified as decommissioned over time, users with the Group Assignment Control privilege can temporarily add themselves or others back to the Decom group for asset dispositioning or analysis.
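An offline cross-check of the identification and Decom-group steps above, added here as an example and not RiskSense code or a RiskSense API: it reconciles a host list exported from the platform against a CMDB list of live hosts, applies the 120-day staleness rule, and flags any asset that sits in Decom while still belonging to another group. The CSV columns, hostnames, dates and the `load_hosts` and `triage` helpers are constructed for the example, and the strict cutoff comparison is an assumption about how the platform's filter treats the boundary day.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export. Column names are assumptions for this example,
# not a documented RiskSense export format.
HOSTS_CSV = """hostname,last_ingested_on,groups
web01.example.internal,2024-05-20,Production
db02.example.internal,2023-11-02,Production;Finance
old-ftp.example.internal,2023-06-15,Decom
legacy-app.example.internal,2023-01-10,Decom;Production
build03.example.internal,2024-01-05,Engineering
"""
# Constructed CMDB view: hosts the inventory still lists as live.
CMDB_LIVE = {"web01.example.internal", "db02.example.internal"}
DECOM_GROUP = "Decom"


def load_hosts(csv_text):
    """Parse the export into dicts with a date and a set of group names."""
    hosts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hosts.append({
            "hostname": row["hostname"].strip().lower(),
            "last_ingested": datetime.strptime(row["last_ingested_on"], "%Y-%m-%d").date(),
            "groups": {g.strip() for g in row["groups"].split(";") if g.strip()},
        })
    return hosts


def triage(hosts, cmdb_live, today, stale_days=120):
    """Sort hosts into the three cases that need an analyst's attention."""
    cutoff = today - timedelta(days=stale_days)  # boundary handling is an assumption
    report = {"decom_candidates": [], "stale_but_live": [], "decom_not_isolated": []}
    for h in hosts:
        if DECOM_GROUP in h["groups"]:
            # Hidden only if Decom is the sole group; any other membership keeps
            # the asset visible and counted for that group's users.
            if h["groups"] != {DECOM_GROUP}:
                report["decom_not_isolated"].append(h["hostname"])
        elif h["last_ingested"] < cutoff:
            # Stale in the platform: the CMDB decides between "gone" and "not scanned".
            key = "stale_but_live" if h["hostname"] in cmdb_live else "decom_candidates"
            report[key].append(h["hostname"])
    return report


if __name__ == "__main__":
    for case, names in triage(load_hosts(HOSTS_CSV), CMDB_LIVE, date(2024, 6, 1)).items():
        print(f"{case}: {', '.join(names) or '-'}")
```

A host reported under `stale_but_live` indicates a scan coverage gap rather than a decommissioned asset, so it should be rescanned instead of being moved to Decom.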

The process of identifying old or stale assets and migrating them to a Decom group can be automated through the RiskSense Playbooks feature.