Partner Perspectives
10/15/2015
10:25 AM
Ted Gary
Asset Segmentation: The Key To Control

Automated asset segmentation and classification helps focus strong security controls where they are needed most.

Segmentation, an established concept, continues to deliver value across multiple disciplines. We are all likely familiar with the concept of market segmentation that is defined in Wikipedia as “a marketing strategy which involves dividing a broad target market into subsets of consumers, businesses, or countries who have, or are perceived to have, common needs, interests, and priorities, and then designing and implementing strategies to target them.”

In IT, network segmentation is well known to increase network performance and security by isolating one network segment (zone) from others. For example, PCI (payment card industry) data within a network must be separated from the rest of the network to limit unauthorized access to credit card data.

When it comes to security and compliance, not all assets pose equal risk. Assets should be segmented into virtual groups based on attributes such as data classification, regulatory requirements, and business criticality. Ideally, multiple criteria can be applicable to the same asset to support specific security policies -- for example, segmenting assets by data classification and geography to meet local data protection regulations such as HIPAA in the United States.

Segmentation Must Inform Security Controls

Determining which security controls should be applied to which assets is a decision that must balance the cost of administering the controls (there is no free lunch) with the need to enable the business (or at least not disable it). For example, a security policy for standard endpoints could require a monthly vulnerability scan, a basic configuration audit that checks for password strength, and remediation of critical vulnerabilities and misconfigurations within 30 days, yet still allow users to install software and write data to USB devices. However, the security policy for endpoints used by finance personnel could require weekly vulnerability scans, strict configuration audits, and remediation of all critical and high vulnerabilities and misconfigurations within seven days. Additionally, when indicators of compromise are discovered that pertain to higher risk assets, higher priority alerts should be triggered to raise the visibility for security monitoring staff.

The benefits of tailoring security controls to specific asset segments include:

  • Risk-based security that applies stronger controls to assets that contain or can access critical data and to assets associated with mission critical services. Hopefully, users of these critical assets will understand and accept the rationale for having their systems “locked down” to protect sensitive data and services.
  • Prioritization of security staff resources. Frequently, security staff resources are spread across implementing and managing preventive controls and across proactive monitoring that demands timely investigation of indicators of weakness. Asset segmentation helps staff focus their time on what matters most.
  • Automated analysis and reporting. Robust segmentation can prioritize weaknesses by grouping assets based on criteria such as regulatory requirements, vulnerability criticality, and the availability of an exploit. This analysis increases staff efficiency by focusing them on high-risk asset groups. Additionally, automated reporting leverages asset segmentation to send information pertaining to specific assets to the responsible parties.

Manual Segmentation Will Fail

Manually assigning assets to segments is doomed to failure because people are notoriously poor at performing classification. Most people don’t like to perform classification, so the unwritten “five-second rule” often applies: If people can’t classify something within five seconds, they tend to resort to the first item in a pick list. When asked to classify assets using multiple criteria such as geography, operating system, and business service, the five-second rule is virtually sure to reduce the quality of the classification. Even with good intentions, people often inaccurately classify items; it is just too easy to make a mistake. The bottom line is that classification must be automated to provide accurate results.
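The tiered policies described under "Segmentation Must Inform Security Controls" and the argument that classification must be automated can be combined into a small rule engine: segments are derived from inventory attributes rather than chosen from a pick list, one asset may fall into several segments, and the controls applied are the strictest of all matching segments. This is an added illustration, not Tenable's or the author's code; the segment names, policy values (scan interval, remediation SLA, alert priority) and sample assets are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    owner_group: str         # from the asset inventory, e.g. "finance"
    data_classes: frozenset  # data tags found on the asset, e.g. {"PCI", "PHI"}
    country: str
    criticality: str         # "standard" or "mission-critical"

@dataclass(frozen=True)
class Policy:
    scan_days: int       # vulnerability scan interval
    fix_days: int        # remediation SLA for critical findings
    fix_high: bool       # True if high-severity findings share the SLA
    alert_priority: str  # priority of an IoC alert raised on this asset

# Segments come from inventory attributes, never from a human pick list
# (the "five-second rule"). An asset may satisfy several rules at once.
SEGMENT_RULES = {
    "pci": lambda a: "PCI" in a.data_classes,
    "hipaa-us": lambda a: "PHI" in a.data_classes and a.country == "US",
    "finance": lambda a: a.owner_group == "finance",
    "mission-critical": lambda a: a.criticality == "mission-critical",
    "standard-endpoint": lambda a: True,   # catch-all baseline
}
# Hypothetical control set per segment (values are assumptions).
POLICIES = {
    "pci": Policy(7, 7, True, "high"),
    "hipaa-us": Policy(14, 14, True, "high"),
    "finance": Policy(7, 7, True, "high"),
    "mission-critical": Policy(7, 7, True, "critical"),
    "standard-endpoint": Policy(30, 30, False, "medium"),
}
RANK = {"medium": 0, "high": 1, "critical": 2}

def segments(asset):
    # Every segment whose rule the asset satisfies, in rule order.
    return [s for s, rule in SEGMENT_RULES.items() if rule(asset)]

def policy_for(asset):
    # Merge the policies of all matching segments, keeping the strictest value of each control.
    pols = [POLICIES[s] for s in segments(asset)]
    return Policy(min(p.scan_days for p in pols), min(p.fix_days for p in pols),
                  any(p.fix_high for p in pols),
                  max((p.alert_priority for p in pols), key=RANK.get))

# Constructed sample inventory.
FIN_LAPTOP = Asset("fin-laptop-01", "finance", frozenset(), "US", "standard")
ENG_LAPTOP = Asset("eng-laptop-02", "engineering", frozenset(), "DE", "standard")
BILLING_DB = Asset("billing-db-01", "it-ops", frozenset({"PCI", "PHI"}), "US", "mission-critical")
```

Running `policy_for` over the three sample assets gives the finance laptop the weekly scan and seven-day SLA from the article, the engineering laptop the monthly baseline, and the billing database the strictest value from each of its four segments.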

Automated asset segmentation and classification helps focus strong security controls where they are needed most and increases staff efficiency when investigating weaknesses and incidents.

Ted Gary is Tenable's Sr. Product Marketing Manager for Tenable's SecurityCenter Continuous View product. He is responsible for translating the rich features of SecurityCenter into solutions for compelling problems faced by information security professionals. Ted has nearly ...