Have you ever asked yourself why vulnerability management products are still licensed according to the quantity of scanned IP addresses? Maybe you have learned to accept it. Vendors have done it this way for years. This is how it works. So what is the problem?
The IP-based licensing issue
An IP address no longer uniquely identifies an asset ... a single asset can consume multiple licenses
The problem is that with virtual infrastructure and mobile laptops, tablets and phones, an IP address no longer uniquely identifies an asset. My laptop’s IP address changes as it moves from my home office to the corporate office and then to a hotel. Vulnerability scans performed when my laptop is at these different locations will identify my laptop as three different devices and will create a separate record for each identified device. IP-based licensing isn’t just a problem for laptops. Many servers have multiple network interfaces - one for production, one for administration, and one for backup - each with a different IP address. The result: a single asset can consume multiple vulnerability management licenses.
Customers and vulnerability management vendors all recognize the problem and negotiate workable compromises. For example, a customer knows they have 10,000 assets, but the VM product identifies 12,000 IPs. The customer negotiates a discount based on the discrepancy and life goes on. No problem, correct?
Corrupted IP-based metrics
A more significant problem is corrupted vulnerability management metrics
Unfortunately, license negotiation is only the tip of the iceberg. Arguably, a more significant problem is corrupted vulnerability management metrics. Let’s take another look at the example of a laptop having been scanned as three different IPs. Let’s assume that three critical vulnerabilities were discovered by each scan. The security team’s vulnerability reports include three entries for the laptop, each with three critical vulnerabilities. IT operations connects to the laptop and remediates the ten critical vulnerabilities. They then run a verification scan against the current IP address to confirm the vulnerabilities have been remediated. However, the remediation scan won’t update the vulnerability status for the prior IP addresses. This makes the IT operations team look ineffective and causes them to chase their tail, pursuing non-existent assets. In turn, this creates unnecessary friction between the security and operations teams.
Elastic Asset Licensing
Tenable.io Vulnerability Management tackles this problem head on with Elastic Asset Licensing, which uses an advanced asset identification approach. A single asset may have multiple attributes that Tenable.io can use to positively identify it as a specific asset. Some example attributes in addition to IP address are:
- Tenable UUID
- BIOS UUID that is found in its firmware
- MAC address that is stored in it networking hardware
- NetBIOS name
- Fully qualified domain name (FQDN)
An authoritative identifier eliminates double and triple asset counting
The Tenable UUID may have caught your eye. Tenable.io agents and authenticated scans on supported platforms can assign a Tenable universally unique ID to an asset. This authoritative identifier eliminates double and triple asset counting, and greatly improves the accuracy of vulnerability management metrics. At last, security and operations can have a fact-based dialogue about the state of assets and their vulnerabilities.
So far, I have talked about the problem of IP-based licensing. Now, consider the problem of decommissioning assets. First, some background. Today’s on-demand IT environments are highly elastic. For example, virtual machines can be spun up, scanned, spun down - all within a few hours - and then never seen again. Additionally, physical assets are typically decommissioned after 3-5 years, resulting in a 20-33% annual decommission rate.
With most vulnerability management products, these “absent-without-leave” (AWOL) assets consume licenses unless and until a manual reclamation project frees the licenses - and who really wants to be assigned to a digital archeology project like that?
Tenable.io Elastic Asset Licensing automatically reclaims licenses from assets that have not been scanned for 90 days
Tenable.io Elastic Asset Licensing solves the “AWOL problem” by automatically reclaiming licenses from assets that have not been scanned for 90 days, without requiring resources to conduct a manual digital archeology project. Although the licenses are reclaimed after 90 days, the asset and vulnerability data is not deleted. It remains for fifteen months. So if the AWOL asset reappears, the new asset and scan data will be appended to the existing data to deliver an accurate picture of the asset and its vulnerabilities.
Rigid IP-based licensing had a good run, but the time has come for it to be replaced by Elastic Asset Licensing with its greatly improved asset identification and automatic license reclamation.