Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Elastic Infrastructure Demands Elastic Asset Licensing

Have you ever asked yourself why vulnerability management products are still licensed according to the quantity of scanned IP addresses? Maybe you have learned to accept it. Vendors have done it this way for years. This is how it works. So what is the problem?

The IP-based licensing issue

An IP address no longer uniquely identifies an asset ... a single asset can consume multiple licenses

The problem is that with virtual infrastructure and mobile laptops, tablets and phones, an IP address no longer uniquely identifies an asset. My laptop’s IP address changes as it moves from my home office to the corporate office and then to a hotel. Vulnerability scans performed when my laptop is at these different locations will identify my laptop as three different devices and will create a separate record for each identified device. IP-based licensing isn’t just a problem for laptops. Many servers have multiple network interfaces - one for production, one for administration, and one for backup - each with a different IP address. The result: a single asset can consume multiple vulnerability management licenses.

Customers and vulnerability management vendors all recognize the problem and negotiate workable compromises. For example, a customer knows they have 10,000 assets, but the VM product identifies 12,000 IPs. The customer negotiates a discount based on the discrepancy and life goes on. No problem, correct?

Corrupted IP-based metrics

A more significant problem is corrupted vulnerability management metrics

Unfortunately, license negotiation is only the tip of the iceberg. Arguably, a more significant problem is corrupted vulnerability management metrics. Let’s take another look at the example of a laptop having been scanned as three different IPs. Let’s assume that three critical vulnerabilities were discovered by each scan. The security team’s vulnerability reports include three entries for the laptop, each with three critical vulnerabilities. IT operations connects to the laptop and remediates the ten critical vulnerabilities. They then run a verification scan against the current IP address to confirm the vulnerabilities have been remediated. However, the remediation scan won’t update the vulnerability status for the prior IP addresses. This makes the IT operations team look ineffective and causes them to chase their tail, pursuing non-existent assets. In turn, this creates unnecessary friction between the security and operations teams.

Elastic Asset Licensing

Tenable.io Vulnerability Management tackles this problem head on with Elastic Asset Licensing, which uses an advanced asset identification approach. A single asset may have multiple attributes that Tenable.io can use to positively identify it as a specific asset. Some example attributes in addition to IP address are:

  • Tenable UUID
  • BIOS UUID that is found in its firmware
  • MAC address that is stored in it networking hardware
  • NetBIOS name
  • Fully qualified domain name (FQDN)

An authoritative identifier eliminates double and triple asset counting

The Tenable UUID may have caught your eye. Tenable.io agents and authenticated scans on supported platforms can assign a Tenable universally unique ID to an asset. This authoritative identifier eliminates double and triple asset counting, and greatly improves the accuracy of vulnerability management metrics. At last, security and operations can have a fact-based dialogue about the state of assets and their vulnerabilities.

 

Tenable.io tracks specific assets
Tenable.io can track a specific asset, even when its attributes like FQDN, IPv4 and MAC address are changing

 

Decommissioning assets

So far, I have talked about the problem of IP-based licensing. Now, consider the problem of decommissioning assets. First, some background. Today’s on-demand IT environments are highly elastic. For example, virtual machines can be spun up, scanned, spun down - all within a few hours - and then never seen again. Additionally, physical assets are typically decommissioned after 3-5 years, resulting in a 20-33% annual decommission rate.

With most vulnerability management products, these “absent-without-leave” (AWOL) assets consume licenses unless and until a manual reclamation project frees the licenses - and who really wants to be assigned to a digital archeology project like that?

Tenable.io Elastic Asset Licensing automatically reclaims licenses from assets that have not been scanned for 90 days

Tenable.io Elastic Asset Licensing solves the “AWOL problem” by automatically reclaiming licenses from assets that have not been scanned for 90 days, without requiring resources to conduct a manual digital archeology project. Although the licenses are reclaimed after 90 days, the asset and vulnerability data is not deleted. It remains for fifteen months. So if the AWOL asset reappears, the new asset and scan data will be appended to the existing data to deliver an accurate picture of the asset and its vulnerabilities.

Summary

Rigid IP-based licensing had a good run, but the time has come for it to be replaced by Elastic Asset Licensing with its greatly improved asset identification and automatic license reclamation.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training