Partner Perspectives  Connecting marketers to our tech communities.
10/15/2015
10:25 AM
Ted Gary
Ted Gary
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Asset Segmentation: The Key To Control

Automated asset segmentation and classification helps focus strong security controls where they are needed most.

Segmentation, an established concept, continues to deliver value across multiple disciplines. We are all likely familiar with the concept of market segmentation that is defined in Wikipedia as “a marketing strategy which involves dividing a broad target market into subsets of consumers, businesses, or countries who have, or are perceived to have, common needs, interests, and priorities, and then designing and implementing strategies to target them.”

In IT, network segmentation is well known to increase network performance and security by isolating one network segment (zone) from others. For example, PCI (payment card industry) data within a network must be separated from the rest of the network to limit unauthorized access to credit card data.

When it comes to security and compliance, not all assets pose equal risk. Assets should be segmented into virtual groups based on attributes such as data classification, regulatory requirements, and business criticality. Ideally, multiple criteria can be applicable to the same asset to support specific security policies -- for example, segmenting assets by data classification and geography to meet local data protection regulations such as HIPAA in the United States.

Segmentation Must Inform Security Controls

Determining which security controls should be applied to which assets is a decision that must balance the cost of administering the controls (there is no free lunch) with the need to enable the business (or at least not disable it). For example, a security policy for standard endpoints could require a monthly vulnerability scan, a basic configuration audit that checks for password strength, and remediation of critical vulnerabilities and misconfigurations within 30 days, yet still allow users to install software and write data to USB devices. However, the security policy for endpoints used by finance personnel could require weekly vulnerability scans, strict configuration audits, and remediation of all critical and high vulnerabilities and misconfigurations within seven days. Additionally, when indicators of compromise are discovered that pertain to higher risk assets, higher priority alerts should be triggered to raise the visibility for security monitoring staff.

The benefits of tailoring security controls to specific asset segments include:

  • Risk-based security that applies stronger controls to assets that contain or can access critical data and to assets associated with mission critical services. Hopefully, users of these critical assets will understand and accept the rationale for having their systems “locked down” to protect sensitive data and services.
  • Prioritization of security staff resources. Frequently, security staff resources are spread across implementing and managing preventive controls and across proactive monitoring that demands timely investigation of indicators of weakness. Asset segmentation helps staff focus their time on what matters most.
  • Automated analysis and reporting. Robust segmentation can prioritize weaknesses by grouping assets based on criteria such as regulatory requirements, vulnerability criticality, and the availability of an exploit. This analysis increases staff efficiency by focusing them on high-risk asset groups. Additionally, automated reporting leverages asset segmentation to send information pertaining to specific assets to the responsible parties.

Manual Segmentation Will Fail

Manually assigning assets to segments is doomed to failure because people are notoriously poor at performing classification. Most people don’t like to perform classification, so the unwritten “five-second rule” often applies: If people can’t classify something within five seconds, they tend to resort to the first item in a pick list. When asked to classify assets using multiple criteria such as geography, operating system, and business service, the five-second rule is virtually sure to reduce the quality of the classification. Even with good intentions, people often inaccurately classify items; it is just too easy to make a mistake. The bottom line is that classification must be automated to provide accurate results.

Automated asset segmentation and classification helps focus strong security controls where they are needed most and increases staff efficiency when investigating weaknesses and incidents.

Ted Gary is Tenable's Sr. Product Marketing Manager for Tenable's SecurityCenter Continuous View product. He is responsible for translating the rich features of SecurityCenter into solutions for compelling problems faced by information security professionals. Ted has nearly ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Its family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable identifies all types of risk on the network — including missing patches, malware and intruders, missing configurations and missing monitoring — so customers can make informed decisions about where they are exposed. Its products reach across cloud, virtual, mobile and traditional IT systems and measure attack vectors in each of these domains. Tenable’s continuous network monitoring solution measures organizations’ compliance in real-time. This ensures that gaps in security coverage and lapses in security programs get detected and prioritized immediately. Tenable is relied upon by many of the world’s largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense.
Featured Writers
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.