Asset groups provide different ways for members of your organization to grant access to, view, scan, and report on asset information. Asset groups allow you to create logical groupings that you can configure to dynamically incorporate new assets that meet specific criteria. You can define an asset group within a site in order to scan based on these groupings.
One use case illustrates how asset groups can “spin off” organically from sites. A bank purchases Nexpose with a fixed-number IP address license. The network topology includes one head office and 15 branches, all with similar “cookie-cutter” IP address schemes. The IP addresses in the first branch are all 10.1.1.x.; the addresses in the second branch are 10.1.2.x; and so on. For each branch, whatever integer equals .x is a certain type of asset. For example .5 is always a server.
The security team scans each site and then “chunks” the information in various ways by creating reports for specific asset groups. It creates one set of asset groups based on locations so that branch managers can view vulnerability trends and high-level data. The team creates another set of asset groups based on that last integer in the IP address. The users in charge of remediating server vulnerabilities will only see “.5” assets. If the “x” integer is subject to more granular divisions, the security team can create more finally specialized asset groups. For example .51 may correspond to file servers, and .52 may correspond to database servers.
Another approach to creating asset groups is categorizing them according to membership. For example, you can have an “Executive” asset group for senior company officers who see high-level business-sensitive reports about all the assets within your enterprise. You can have more technical asset groups for different members of your security team, who are responsible for remediating vulnerabilities on specific types of assets, such as databases, workstations, or Web servers.
The page for an asset group displays charts so you can track your risk or number of vulnerabilities in relation to the assets in that group.
Asset Risk and Vulnerabilites Over Time
The Assets by Risk and Vulnerabilities chart to the right of the Asset Risk and Vulnerabilites Over Time line graph appears as a scatter chart, unless you have 7,000 assets or more in the asset group. In that case, it appears as a bubble chart, and you can click on a bubble to see a scatter chart of a specific group of assets.
Assets by Risk and Vulnerabilities
On the scatter chart, each dot represents an asset. Hover over the dot to see information about the asset. Click it to go to the page for that asset.
One way to think of an asset group is as a snapshot of your environment.
This snapshot provides important information about your assets and the security issues affecting them:
With Nexpose, you can create two different kinds of “snapshots.” The dynamic asset group is a snapshot that potentially changes with every scan; and the static asset group is an unchanging snapshot. Each type of asset group can be useful depending on your needs.
A dynamic asset group contains scanned assets that meet a specific set of search criteria. You define these criteria with asset search filters, such as IP address range or hosted operating systems. The list of assets in a dynamic group is subject to change with every scan. In this regard, a dynamic asset group differs from a static asset group. See How are sites different from asset groups?. Assets that no longer meet the group’s Asset Filter criteria after a scan will be removed from the list. Newly discovered assets that meet the criteria will be added to the list.
Note that the list does not change immediately, but after the application completes a scan and integrates the new asset information in the database.
An ever-evolving snapshot of your environment, a dynamic asset group allows you to track changes to your live asset inventory and security posture at a quick glance, and to create reports based on the most current data. For example, you can create a dynamic asset group of assets with a vulnerability that was included in a Patch Tuesday bulletin. Then, after applying the patch for the vulnerability, you can scan the dynamic asset group to determine if any assets still have this vulnerability. If the patch application was successful, the group theoretically should not include any assets.
You can create dynamic asset groups using the filtered asset search. See Performing filtered asset searches.
You grant user access to dynamic asset groups through the User Configuration panel.
A user with access to a dynamic asset group will have access to newly discovered assets that meet group criteria regardless of whether or not those assets belong to a site to which the user does not have access. For example, you have created a dynamic asset group of Windows XP workstations. You grant two users, Joe and Beth, access to this dynamic asset group. You scan a site to which Beth has access and Joe does not. The scan discovers 50 new Windows XP workstations. Joe and Beth will both be able to see the 50 new Windows XP workstations in the dynamic asset group list and include them in reports, even though Joe does not have access to the site that contains these same assets. When managing user access to dynamic asset groups, you need to assess how these groups will affect site permissions. To ensure that a dynamic asset group does not include any assets from a given site, use the site filter. See Locating assets by sites.
Note: Dynamic Asset Groups do not gather retroactive or historical data. In order to report on historical data at the asset level, add assets into the report scope as a list of assets (i.e. using Static Asset Group).
A static asset group contains assets that meet a set of criteria that you define according to your organization’s needs. Unlike with a dynamic asset group, the list of assets in a static group does not change unless you alter it manually.
Static asset groups provide useful time-frozen views of your environment that you can use for reference or comparison. For example, you may find it useful to create a static asset group of Windows servers and create a report to capture all of their vulnerabilities. Then, after applying patches and running a scan for patch verification, you can create a baseline report to compare vulnerabilities on those same assets before and after the scan.
You can create static asset groups through any of three options:
Note: Only Global Administrators can create asset groups.
Manually selecting assets is one of three ways to create a static asset group. This manual method is ideal for environments that have small numbers of assets. For an approach that is ideal for large numbers of assets, see Creating a dynamic or static asset group from asset searches.
Start a static asset group configuration:
Click the Assets icon to go to the Assets page, and then click view next to Groups.
OR
Click the Create tab at the top of the page and then select Asset Group from the drop-down list.
OR
Click the Administration icon to go to the Administration page, and then click manage next to Groups.
The Asset Group Configuration panel appears.
Note: You can only create an asset group after running an initial scan of assets that you wish to include in that group.
Creating a new static asset group
OR
Click Create below Asset Groups on the Administration page.
The console displays the General page of the Asset Group Configuration panel.
Adding assets to the static asset group:
The console displays a page with search filters.
For example, you can select all of the assets within an IP address range that run on a particular operating system.
Selecting assets for a static asset group
OR
Note: There may be a delay if the search returns a very large number of assets.
The assets appear on the Assets page.
When you use this asset selection feature to create a new asset group, you will not see any assets displayed. When you use this asset selection feature to edit an existing report, you will see the list of assets that you selected when you created, or most recently edited, the report.
You can repeat the asset search to include multiple sets of search results in an asset group. You will need to save a set of results before proceeding to the next results. If you do not save a set of selected search results, the next search will clear that set.
You can create a new dynamic or static group by copying an existing one. This method is useful when you want to create an asset group that is similar to an existing one, but with some differences.
To copy an asset group:
1. From the Home page, in the Asset Groups listing, select the Copy icon for the asset group you want to copy.
OR
From the asset group details, select Copy Asset Group.
Copying an asset group from the asset group details page
Note: By default, Copy will be appended to the original name. Additional copies of the original group will have a number appended (for example, Copy 2 and so on).