Partner Perspectives  Connecting marketers to our tech communities.
10/15/2015
10:25 AM
Ted Gary
Ted Gary
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Asset Segmentation: The Key To Control

Automated asset segmentation and classification helps focus strong security controls where they are needed most.

Segmentation, an established concept, continues to deliver value across multiple disciplines. We are all likely familiar with the concept of market segmentation that is defined in Wikipedia as “a marketing strategy which involves dividing a broad target market into subsets of consumers, businesses, or countries who have, or are perceived to have, common needs, interests, and priorities, and then designing and implementing strategies to target them.”

In IT, network segmentation is well known to increase network performance and security by isolating one network segment (zone) from others. For example, PCI (payment card industry) data within a network must be separated from the rest of the network to limit unauthorized access to credit card data.

When it comes to security and compliance, not all assets pose equal risk. Assets should be segmented into virtual groups based on attributes such as data classification, regulatory requirements, and business criticality. Ideally, multiple criteria can be applicable to the same asset to support specific security policies -- for example, segmenting assets by data classification and geography to meet local data protection regulations such as HIPAA in the United States.

Segmentation Must Inform Security Controls

Determining which security controls should be applied to which assets is a decision that must balance the cost of administering the controls (there is no free lunch) with the need to enable the business (or at least not disable it). For example, a security policy for standard endpoints could require a monthly vulnerability scan, a basic configuration audit that checks for password strength, and remediation of critical vulnerabilities and misconfigurations within 30 days, yet still allow users to install software and write data to USB devices. However, the security policy for endpoints used by finance personnel could require weekly vulnerability scans, strict configuration audits, and remediation of all critical and high vulnerabilities and misconfigurations within seven days. Additionally, when indicators of compromise are discovered that pertain to higher risk assets, higher priority alerts should be triggered to raise the visibility for security monitoring staff.

The benefits of tailoring security controls to specific asset segments include:

  • Risk-based security that applies stronger controls to assets that contain or can access critical data and to assets associated with mission critical services. Hopefully, users of these critical assets will understand and accept the rationale for having their systems “locked down” to protect sensitive data and services.
  • Prioritization of security staff resources. Frequently, security staff resources are spread across implementing and managing preventive controls and across proactive monitoring that demands timely investigation of indicators of weakness. Asset segmentation helps staff focus their time on what matters most.
  • Automated analysis and reporting. Robust segmentation can prioritize weaknesses by grouping assets based on criteria such as regulatory requirements, vulnerability criticality, and the availability of an exploit. This analysis increases staff efficiency by focusing them on high-risk asset groups. Additionally, automated reporting leverages asset segmentation to send information pertaining to specific assets to the responsible parties.

Manual Segmentation Will Fail

Manually assigning assets to segments is doomed to failure because people are notoriously poor at performing classification. Most people don’t like to perform classification, so the unwritten “five-second rule” often applies: If people can’t classify something within five seconds, they tend to resort to the first item in a pick list. When asked to classify assets using multiple criteria such as geography, operating system, and business service, the five-second rule is virtually sure to reduce the quality of the classification. Even with good intentions, people often inaccurately classify items; it is just too easy to make a mistake. The bottom line is that classification must be automated to provide accurate results.

Automated asset segmentation and classification helps focus strong security controls where they are needed most and increases staff efficiency when investigating weaknesses and incidents.

Ted Gary is Tenable's Sr. Product Marketing Manager for Tenable's SecurityCenter Continuous View product. He is responsible for translating the rich features of SecurityCenter into solutions for compelling problems faced by information security professionals. Ted has nearly ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19790
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...
CVE-2018-19829
PUBLISHED: 2018-12-18
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVE-2018-16884
PUBLISHED: 2018-12-18
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...
CVE-2018-17777
PUBLISHED: 2018-12-18
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have acc...
CVE-2018-18921
PUBLISHED: 2018-12-18
PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.