Asset uniqueness in integral for vulnerability correlation to ensure that findings are associated with the correct assets. Having duplicate entries for the same asset can cause difficulties in tracking and managing vulnerabilities.

Resolve has a sophisticated process for determining asset uniqueness, which uses multiple dimensions of information for an asset. This includes various asset identifiers, the source of the asset information, the correlation behavior defined in the import process being used, and the network topology defined.

Asset identifiers

Assets are deemed unique based on these values:
  • IP address
  • Host name
  • DNS name (FQDN)
  • Asset name
  • Asset ID

Uniqueness can be determined based on one of these values or a combination of values. Depending on the asset, not all of these values are populated.

Data sources and importers

Resolve supports a large number of different import data sources. The data source must be defined when importing data, as this specifies which of the asset identifiers will be used and in which order for determining uniqueness. For example:
  • Nessus reports the IP address or DNS name if known for every scan result reported. One of these two fields is considered the primary asset identifier for every Nessus result.
  • Appscan reports the names of the specific application source codes scanned. Source code assets are considered unique entirely within the business unit in which they exist.

Import configuration

Importers have a default configuration for asset correlation based on the expected behavior and data of the scanner. The configuration can be modified to consider more complicated scenarios and to respect environmental considerations unique to your specific network. This could include IP ranges for DHCP zones, host name standards with regex, and metatags with asset information from the scanner.

Network topology and zones

Resolve uses sites and zones to reflect network topology structures. Network topology is important when considering specific data sources where IP addresses, host names, and DNS names might have specific uniqueness restrictions. For instance, in a DHCP zone, IP address would not be considered unique, but host names would if known. In a demilitarized zone (DMZ), IP addresses are likely static. A data center zone would also be considered static.

Zones are used for correlation boundaries based on the characteristics of the zone. Sites are intended to reflect physical boundaries, but may be used purely for authorization segregation. Network topology is used to control authorization to view vulnerability data. Authorization may be allowed for sites and zones based on the data scope for any user group. Correlation rules can also respect the destination data scope for the asset during the import process.

Note: Sites and zones are not currently configurable in the Resolve interface. This functionality is planned for a future release.