About Classic Asset Counting
This topic describes how assets are discovered and counted for licensing purposes in the classic asset-based counting model.
While most Stellar Cyber Platforms use the entity-based asset counting model described in Understanding Asset-Based Licensing, under certain circumstances, your platform may still use the classic approach.
Refer to the following topics for details:
Classic Asset Counting vs. Entity-Based Asset Counting 
The 6.2.0 Stellar Cyber Platform uses one of the following asset counting models for licensing purposes:
- Entity-based asset counting is a simplified asset counting model that relies on a combination of unique discovered IP addresses and email addresses. It has been in use with all new platforms since the 5.3.0 release.
  - If your Stellar Cyber platform was new in 5.3.0 or later, it automatically uses the entity-based asset counting model.
  - For most deployments, the entity-based asset counting model results in more accurate asset counts. You can convert to the entity-based asset counting model using the instructions below.
    Testing has shown that there is typically no more than a 5-10% difference in the assets counted by the two models, depending on your deployment.
- Classic asset counting is based on a combination of MAC and IP addresses learned from a wide variety of sources, together with imported asset lists. If your platform was upgraded release-over-release from a pre-5.3.0 release, in most cases, it will still be using classic asset counting. The exception is if you worked with Stellar Cyber Customer Success in the 5.2.0 release to try out the new entity-based asset counting model, in which case that model is still in use after the upgrade to 5.3.0 and later.
Switching to Entity-Based Asset Counting
If you are on the classic asset counting model and would like to switch to the entity-based implementation, contact the Stellar Cyber Customer Success team for assistance.
After switching from the classic model to the entity-based model, make sure to refresh the table content in the System | ORGANIZATION MANAGEMENT | Licensing | Asset Usage tab's Daily Asset Count By Tenant table so that it reflects the field names and data for the entity-based model.
Classic Asset Licensing Described
This section describes the classic Asset Licensing implementation used in pre-5.3.0 versions of Stellar Cyber. This implementation is still in use for customers who arrived at Version 6.2.0 by upgrading release-over-release from a pre-5.3.0 version and have not explicitly converted to entity-based asset counting.
Classic Asset Licensing Overview
Asset licensing is based on the following processes:
- Asset Discovery – The discovery of assets based on all available data sources
- Asset Management – The continuous management of assets seen in a deployment
- Asset Licensing Counting – Daily counts of active assets for purposes of comparing to license limits
Asset Discovery and Asset Management are the same processes that build data shown under Assets | Asset Analytics, in addition to supporting license counting.
Classic Asset Discovery
Stellar Cyber uses a passive discovery service to identify assets from observed data. Assets can be discovered via data collected by any of the following:
- Network Sensors
- Log Forwarders
- Linux and Windows Server Sensors
- Connectors (some)
At a high level, any device with an observed MAC address or internal IP address is identified and tracked as an asset. The discovery service uses data extracted from Dynamic Host Configuration Protocol (DHCP) and Domain Name Service (DNS) traffic to keep its running list of assets up to date, as well as to eliminate any duplicates when an asset has multiple MAC or IP addresses.
To improve the accuracy of asset counting, the discovery process does not count destination IP addresses that have not sent packets. This prevents the counting of, for example, IP addresses that were sent SNMP or ICMP requests but did not respond.
Classic Asset Management
The asset discovery process results in a list of assets tracked with the following data:
- MAC Addresses
- IP Addresses
- Hostnames
How Stellar Cyber Uses Incoming Asset Data to Create and Update Assets (Classic)
Different data sources provide different asset information, often reporting more than one value for a given field. For example, an EDR agent may report that a server has one MAC Address, two IP Addresses, and one Hostname while network traffic may show only one IP address and no associated MAC Addresses or Hostnames.
Stellar Cyber tries to define an asset as a single device, making logical sense of the different addresses and hostnames received in asset data from different sources. However, because of differences in infrastructure and networking, there are always corner cases, and seeing those corner cases in the data is expected.
In general, Stellar Cyber uses the following logic to determine whether incoming asset discovery data is used to update an existing asset or create a new one:
- If incoming asset discovery data shows a MAC Address that is already in Asset Management, use the asset discovery data to update its associated IP Addresses and Hostnames, if available.
- Else if the asset discovery data shows a Hostname that is already in Asset Management, use the asset discovery data to update its associated IP Addresses, if available.
- Else if the asset discovery data shows an IP address that is already in Asset Management, use the asset discovery data to update other linked IP Addresses, if available.
- Else, add the asset discovery record to Asset Management.
Example
Consider an existing Asset Management record with the following data:
- <MAC Addresses: [ABC], IP Addresses: [123], Hostname: []>
In this case, if newly received asset discovery data shows the same MAC address associated with IP Address 456 and Hostname XYZ, Stellar Cyber uses Rule 1 in the previous section to update the record as follows, adding the newly discovered IP address and hostname:
- <MAC Addresses: [ABC], IP Addresses: [456, 123], Hostname: [XYZ]>
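The four matching rules and the record above, as a Python sketch added here for illustration; it is not Stellar Cyber's code. The `Asset` class, the `ingest` function and the sample values 789, 10 and 999 are hypothetical, and each rule updates only the fields the rule text names.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:  # hypothetical record shape: the three fields the page lists
    macs: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    hostnames: set = field(default_factory=set)

def ingest(inventory, macs=(), ips=(), hostnames=()):
    """Apply the page's four rules in order; return (rule_number, asset)."""
    macs, ips, hostnames = set(macs), set(ips), set(hostnames)
    for asset in inventory:  # Rule 1: known MAC -> update IPs and hostnames
        if asset.macs & macs:
            asset.ips |= ips
            asset.hostnames |= hostnames
            return 1, asset
    for asset in inventory:  # Rule 2: known hostname -> update IPs
        if asset.hostnames & hostnames:
            asset.ips |= ips
            return 2, asset
    for asset in inventory:  # Rule 3: known IP -> update linked IPs
        if asset.ips & ips:
            asset.ips |= ips
            return 3, asset
    asset = Asset(macs, ips, hostnames)  # Rule 4: no match -> new asset
    inventory.append(asset)
    return 4, asset

def demo():
    # Constructed input: the page's record, then three made-up observations.
    inventory = [Asset(macs={"ABC"}, ips={"123"})]
    rules = [
        ingest(inventory, macs=["ABC"], ips=["456"], hostnames=["XYZ"])[0],
        ingest(inventory, ips=["456", "789"])[0],        # traffic only, no MAC
        ingest(inventory, hostnames=["XYZ"], ips=["10"])[0],
        ingest(inventory, ips=["999"])[0],               # nothing known
    ]
    return rules, inventory

if __name__ == "__main__":
    rules, inventory = demo()
    print(rules)
    for asset in inventory:
        print(asset)
```

The last observation creates an asset with no MAC address or hostname, which is the kind of IP-only record that appears under IP Identified Assets.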
Router Identification
In addition to tracking IP addresses, MAC addresses, and hostnames, Stellar Cyber also looks for situations where a high number of IP addresses are associated with only a few MAC addresses and classifies such assets as routers.
Pruning Dormant IP Addresses
Because of the dynamic nature of IP address assignment through mechanisms such as DHCP, Stellar Cyber phases IP addresses without associated MAC addresses or hostnames out of Asset Management after three days of inactivity (default value; configurable). This is the only scenario where Stellar Cyber phases an asset out. You can prevent IP address assets from being phased out by marking them as static in the Assets | Asset Analytics | IP Identified Assets page.
You can tell which assets are subject to pruning in the Assets | Asset Analytics page's primary views:
- MAC Identified Assets – These assets have a MAC Address tracked and are not deleted after discovery.
- IP Identified Assets – These assets do not have a MAC Address tracked and are phased out after a specified number of days of inactivity (three, by default) if not marked as static.
Classic Asset License Counting
Every day, Stellar Cyber takes a snapshot of the assets that were active during the previous day and reports the results in the System | ORGANIZATION MANAGEMENT | Licensing | Asset Usage page. An asset is considered active if it was seen in one or more data sources during the previous day.
Keep in mind that the total number of assets reported in the System | ORGANIZATION MANAGEMENT | Licensing | Asset Usage page is typically less than the sum of the assets shown in the MAC Identified Assets and IP Identified Assets pages. This is because the Asset Usage page reports only those assets that were active the previous day, while the MAC Identified Assets and IP Identified Assets pages report both active assets and ones that were seen previously but were not active during the previous day. Only those assets that were active the previous day count against your licensed total.
Asset license violations are reported as follows:
- Stellar Cyber reports a violation of the asset license if the count of active assets during a given day exceeds the license limit by 10% or more.
- Stellar Cyber reports a more serious violation if the count of active assets exceeds the license limit by 10% or more for five days in a row.
- Stellar Cyber reports a monthly violation if the count of active assets exceeds the license limit by 10% or more for 10 or more days in a given month (not necessarily consecutive days).
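The three violation tiers applied to one month of daily active-asset counts, as a Python sketch added here for tracking your own usage; it is not Stellar Cyber's code. The function names and the sample month are hypothetical, and reporting the five-day violation on the day a run first reaches five is an assumption, since the page does not say how longer runs are reported.

```python
def over_limit(count, limit):
    # "Exceeds the license limit by 10% or more": count >= 1.10 * limit,
    # written in integer arithmetic to avoid floating-point edge cases.
    return count * 10 >= limit * 11

def evaluate_month(daily_counts, limit):
    """Classify one month of daily active-asset counts (day 1 first)."""
    daily, serious, run = [], [], 0
    for day, count in enumerate(daily_counts, start=1):
        if over_limit(count, limit):
            daily.append(day)        # tier 1: single-day violation
            run += 1
            if run == 5:             # tier 2: five days in a row (assumption:
                serious.append(day)  # reported once, when the run reaches five)
        else:
            run = 0
    # Tier 3: 10 or more violating days in the month, consecutive or not.
    return {"daily": daily, "serious": serious, "monthly": len(daily) >= 10}

# Constructed 30-day sample against a license limit of 100 assets:
# 109 is 9% over and does not count, so it breaks the first run at four days.
SAMPLE = [110] * 4 + [109] + [115] * 5 + [90] * 19 + [120]

if __name__ == "__main__":
    print(evaluate_month(SAMPLE, limit=100))
```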
Frequently Asked Questions on Classic Asset Licensing
How can assets be filtered out to prevent them from being counted against my licensed total?
The only way to filter out an asset to prevent it from counting against your licensed total is to set filters to remove that asset before ingestion for each data source where it could be discovered. Because only active assets are counted towards your licensed total on any given day, rarely discovered assets won’t have a major effect on average daily counts.
Filtering Assets Out
How can assets be filtered out to prevent them from being counted against my licensed total?
The only way to filter out an asset to prevent it from counting against your licensed total is to set traffic filters or pre-DPI filters to remove that asset before ingestion for each data source where it could be discovered. Because only active assets are counted towards your licensed total on any given day, rarely discovered assets won’t have a major effect on average daily counts.
