Partner Perspectives  Connecting marketers to our tech communities.
10/15/2015
10:25 AM
Ted Gary
Ted Gary
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Asset Segmentation: The Key To Control

Automated asset segmentation and classification helps focus strong security controls where they are needed most.

Segmentation, an established concept, continues to deliver value across multiple disciplines. We are all likely familiar with the concept of market segmentation that is defined in Wikipedia as “a marketing strategy which involves dividing a broad target market into subsets of consumers, businesses, or countries who have, or are perceived to have, common needs, interests, and priorities, and then designing and implementing strategies to target them.”

In IT, network segmentation is well known to increase network performance and security by isolating one network segment (zone) from others. For example, PCI (payment card industry) data within a network must be separated from the rest of the network to limit unauthorized access to credit card data.

When it comes to security and compliance, not all assets pose equal risk. Assets should be segmented into virtual groups based on attributes such as data classification, regulatory requirements, and business criticality. Ideally, multiple criteria can be applicable to the same asset to support specific security policies -- for example, segmenting assets by data classification and geography to meet local data protection regulations such as HIPAA in the United States.

Segmentation Must Inform Security Controls

Determining which security controls should be applied to which assets is a decision that must balance the cost of administering the controls (there is no free lunch) with the need to enable the business (or at least not disable it). For example, a security policy for standard endpoints could require a monthly vulnerability scan, a basic configuration audit that checks for password strength, and remediation of critical vulnerabilities and misconfigurations within 30 days, yet still allow users to install software and write data to USB devices. However, the security policy for endpoints used by finance personnel could require weekly vulnerability scans, strict configuration audits, and remediation of all critical and high vulnerabilities and misconfigurations within seven days. Additionally, when indicators of compromise are discovered that pertain to higher risk assets, higher priority alerts should be triggered to raise the visibility for security monitoring staff.

The benefits of tailoring security controls to specific asset segments include:

  • Risk-based security that applies stronger controls to assets that contain or can access critical data and to assets associated with mission critical services. Hopefully, users of these critical assets will understand and accept the rationale for having their systems “locked down” to protect sensitive data and services.
  • Prioritization of security staff resources. Frequently, security staff resources are spread across implementing and managing preventive controls and across proactive monitoring that demands timely investigation of indicators of weakness. Asset segmentation helps staff focus their time on what matters most.
  • Automated analysis and reporting. Robust segmentation can prioritize weaknesses by grouping assets based on criteria such as regulatory requirements, vulnerability criticality, and the availability of an exploit. This analysis increases staff efficiency by focusing them on high-risk asset groups. Additionally, automated reporting leverages asset segmentation to send information pertaining to specific assets to the responsible parties.

Manual Segmentation Will Fail

Manually assigning assets to segments is doomed to failure because people are notoriously poor at performing classification. Most people don’t like to perform classification, so the unwritten “five-second rule” often applies: If people can’t classify something within five seconds, they tend to resort to the first item in a pick list. When asked to classify assets using multiple criteria such as geography, operating system, and business service, the five-second rule is virtually sure to reduce the quality of the classification. Even with good intentions, people often inaccurately classify items; it is just too easy to make a mistake. The bottom line is that classification must be automated to provide accurate results.

Automated asset segmentation and classification helps focus strong security controls where they are needed most and increases staff efficiency when investigating weaknesses and incidents.

Ted Gary is Tenable's Sr. Product Marketing Manager for Tenable's SecurityCenter Continuous View product. He is responsible for translating the rich features of SecurityCenter into solutions for compelling problems faced by information security professionals. Ted has nearly ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Its family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable identifies all types of risk on the network — including missing patches, malware and intruders, missing configurations and missing monitoring — so customers can make informed decisions about where they are exposed. Its products reach across cloud, virtual, mobile and traditional IT systems and measure attack vectors in each of these domains. Tenable’s continuous network monitoring solution measures organizations’ compliance in real-time. This ensures that gaps in security coverage and lapses in security programs get detected and prioritized immediately. Tenable is relied upon by many of the world’s largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.