Ephemeral Assets and Agent Count

Anyone have a solution for asset counts revolving around ephemeral assets?

We run two different scans, external and internal (scan engine and agent). For the internal scan we can manually keep track of and delete assets that are retired; for the external scan we are about to run into a larger issue. Since the agent reports and scans in real time, we can be certain the existing vulnerabilities still exist on the net new assets, and therefore can delete the old assets that are no longer active.

With external scanning it’s a little different. We cannot just delete these assets, because we need to keep track of the vulnerabilities of the IP scanned at that time. However, the issue lies with not deleting these assets as quickly as assets that have a live or stale agent, which increases our asset count for that specific site by over 400% in the course of 14 days or so, when in reality they are the same asset just being duplicated several times over. Has anyone run into this issue and found a solution to work around it? Any suggestions are welcome.

One option that might work is to split your license and separate the external and internal scans into separate consoles.

https://docs.rapid7.com/insightvm/deploy-additional-consoles/

With InsightVM, you can split the license up to two times for a total of three. If you were to split off some IPs for external scanning, your agents would not apply to that console and you would essentially have full control over your external assets. Since it would be a separate console, you could also implement the PCI ASV risk score if you wanted (Risk Strategies | InsightVM Documentation). The only real downside is that the external IPs would essentially count as two IPs, one for the internal NIC and one for the external NIC in their respective consoles, but it would provide cleaner external scanning results. It would also require additional hardware.

That’s a pretty good idea which would solve something completely different. When having a different console, would that mean a separate InsightVM platform (cloud) as well?

Assuming that these ephemeral assets are in AWS, IVM provides an option to create a dynamic discovery connection, with which AWS EC2 ephemeral assets can be dynamically discovered and updated in a site created in IVM. If it is a multi-account AWS environment, then creating one site per AWS account can help to create dashboards and queries specific to the site and to track agent deployments on the assets.

If you are looking to automatically delete your assets that no longer exist, you can set up the data retention to remove ‘stale’ assets after a given period of time. This detection is based on the number of days since a scan was conducted. We use this method to remove AWS instances which had the insightAgent deployed at build time, but as they get recycled they no longer exist. If you set the retention period slightly larger than your scan interval, all assets which don’t get scanned will get removed as the retention period expires.

https://docs.rapid7.com/insightvm/database-backuprestore-and-data-retention/#configure-data-retention-settings
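The stale-asset retention rule described in the reply above can be checked before it is switched on, because its one failure mode is a retention window shorter than the scan interval: a live asset is then purged in the gap between two successful scans. The following is an added example, written for this thread and not code from the poster or from Rapid7; it models the rule as "days since last scan greater than the retention period" over a constructed inventory, and the asset ids, dates and the seven-day scan interval are assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real InsightVM data). Each record is an
# asset id, the date of its last completed scan or agent check-in, and
# whether the instance actually still exists (for the simulation only).
SAMPLE_ASSETS = [
    {"id": "web-01", "last_scan": date(2024, 3, 10), "still_exists": True},
    {"id": "i-0abc-recycled", "last_scan": date(2024, 3, 2), "still_exists": False},
    {"id": "i-0def-recycled", "last_scan": date(2024, 3, 6), "still_exists": False},
]
SCAN_INTERVAL_DAYS = 7          # assumed weekly scan schedule
TODAY = date(2024, 3, 11)       # assumed "current" date for the snapshot


def days_since_scan(asset, today):
    return (today - asset["last_scan"]).days


def assets_to_retire(assets, today, retention_days):
    """Stale rule: an asset is retired once its last scan is older than
    retention_days. Returns the sorted ids that would be removed today."""
    return sorted(a["id"] for a in assets
                  if days_since_scan(a, today) > retention_days)


def retention_is_safe(retention_days, scan_interval_days):
    """Retention must exceed the scan interval; otherwise an asset that is
    scanned on schedule can still be purged between two scans."""
    return retention_days > scan_interval_days


def simulate(assets, start, scan_interval_days, retention_days, days):
    """Day-by-day model: assets that still exist are rescanned every
    scan_interval_days after their last scan, recycled ones never are,
    and the stale rule is evaluated daily. Returns (purged, wrongly_purged)
    where purged maps asset id -> purge date (None if it survived) and
    wrongly_purged lists live assets the rule removed."""
    state = {a["id"]: dict(a) for a in assets}      # copy, leave input intact
    purged = {a["id"]: None for a in assets}
    for offset in range(days + 1):
        today = start + timedelta(days=offset)
        for aid, a in state.items():
            if purged[aid] is not None:
                continue
            # A live asset is picked up by the scheduled scan again
            if a["still_exists"] and (today - a["last_scan"]).days >= scan_interval_days:
                a["last_scan"] = today
            if (today - a["last_scan"]).days > retention_days:
                purged[aid] = today
    wrongly = sorted(aid for aid in purged
                     if purged[aid] is not None and state[aid]["still_exists"])
    return purged, wrongly


if __name__ == "__main__":
    for retention in (SCAN_INTERVAL_DAYS + 1, SCAN_INTERVAL_DAYS - 2):
        purged, wrongly = simulate(SAMPLE_ASSETS, TODAY, SCAN_INTERVAL_DAYS, retention, 30)
        print(f"retention={retention}d safe={retention_is_safe(retention, SCAN_INTERVAL_DAYS)}")
        for aid, when in purged.items():
            print(f"  {aid}: {'kept' if when is None else 'purged ' + when.isoformat()}")
        print(f"  live assets wrongly purged: {wrongly}")
```

With retention set to eight days against a seven-day scan, the two recycled instances drop out one day after their retention window closes while the live host is kept; with retention set to five days the live host is purged on day six, before its next scheduled scan, which is the misconfiguration the reply warns against.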

But does this then remove the assets that are no longer in existence? Each asset that is spun up is unique.

This might be interesting to you as well:

“Delete Assets” workflows for InsightConnect