Applying RealContext with tags

When tracking assets in your organization, you may want to identify, group, and report on them according to how they impact your business.

For example, you have a server with sensitive financial data and a number of workstations in your accounting office located in Cleveland, Ohio. The accounting department recently added three new staff members. Their workstations have just come online and will require a number of security patches right away. You want to assign the security-related maintenance of these accounting assets to different IT administrators: A SQL and Linux expert is responsible for the server, and a Windows administrator handles the workstations. You want to make these administrators aware that these assets have high priority.

These assets are of significant importance to your organization. If they were attacked, your business operations could be disrupted or even halted. The loss or corruption of their data could be catastrophic.

The scan data distinguishes these assets by their IP addresses, vulnerability counts, risk scores, and installed operating systems and services. It does not isolate them according to the unique business conditions described in the preceding scenario.

Using a feature called RealContext, you can apply tags to these assets to do just that. You can tag all of these accounting assets with a Cleveland location and a Very High criticality level. You can tag your accounting server with a label, Financials, and assign it an owner named Chris, who is a Linux administrator with SQL expertise. You can assign your Windows workstations to a Windows administrator owner named Brett. And you can tag the new workstations with the label First-quarter hires. Then, you can create dynamic asset groups based on these tags and send reports on the tagged assets to Chris and Brett, so that they know that the workstation assets should be prioritized for remediation. For information on using tag-related search filters to create dynamic asset groups, see Performing filtered asset searches.

You also can use tags as filters for report scope. See Creating a basic report.

Types of tags

You can use several built-in tags:

You can also create custom tags that allow you to isolate and track assets according to any context that might be meaningful to you. For example, you could tag certain assets PCI, Web site back-end, or consultant laptops.

Tagging assets, sites, and asset groups

You can tag an asset individually on the details page for that asset. You also can tag a site or an asset group, which would apply the tag to all member assets. The tagging workflow is identical, regardless of where you tag an asset:

  1. If you are creating or editing a site: Go to the General page of the Site Configuration panel, and select Add tags.

If you are creating or editing a static asset group: Go to the General page of the Asset Group Configuration panel, and select Add tags.

If you are creating or editing a dynamic asset group: In the Configuration panel for the asset group, select Add tags.

If you have just run a filtered asset search: To tag all of the search results, select Add tags, which appears above the search results table on the Filtered Asset Search page.

The section for configuring tags expands.

  1. Select a tag type.
  2. If you select Custom Tag, Location, or Owner, type a new tag name to create a new tag. To add multiple names, type one name, press ENTER, type the next, press ENTER, and repeat as often as desired.

OR

To apply a previously created tag, start typing the name of the tag until the rest of the name fills in the text box.

If you are creating a new custom tag, select a color in which the tag name will appear. All built-in tags have preset colors.

Figure: Creating a custom tag

If you select Criticality, select a criticality level from the drop-down list.

Figure: Applying a criticality level

  1. Click Add.
  2. If you are creating or editing a site or asset group, click Save to save the configuration changes.

Applying business context with dynamic asset filters

Another way to apply tags is by specifying criteria for which tags can be dynamically applied. This allows you to apply business context based on filters without having to create new sites or groups. It also allows you to add new criteria for which assets should have the tags as you think of them, rather than at the time you first tag assets. For example, you may have searched for all your assets meeting certain Payment Card Industry (PCI) criteria and applied the High criticality level. Later, you decide you also want to filter for the Windows operating system. You can apply the additional filter on the page for the High criticality level itself.

To apply business context with dynamic asset filters:

  1. Click the name of any tag to go to the details page for that tag.
  2. Click Add Tag Criteria.
  3. Select the search filters. The available filters are the same as those available in the asset search filters. See Performing filtered asset searches. There are some restrictions on which filters you can use with criticality tags. See Filter restrictions for criticality tags.
  4. Select Search.
  5. Select Save.

Figure: You can add criteria for when a tag will be dynamically applied

To view existing business context for a tag:

To edit, add new, or remove dynamic asset filters for a tag:

  1. Click the name of any tag to go to the details page for that tag.
  2. Click Edit Tag Criteria.
  3. Edit or add the search filters. The available filters are the same as those available in the asset search filters. See Performing filtered asset searches. There are some restrictions on which filters you can use with criticality tags. See Filter restrictions for criticality tags.
  4. Select Search.
  5. Select Save.

To remove all criteria for a tag:

Figure: You can take different actions to view or modify rules for tags

Filter restrictions for criticality tags

Certain filters are restricted for criticality tags, in order to prevent circular references. These restrictions apply to criticality tags applied through tag criteria, and to those added through dynamic asset groups. See Performing filtered asset searches.

The following filters cannot be used with criticality tags:

Removing and deleting tags

If a tag no longer accurately reflects the business context of an asset, you can remove it from that asset. To do so, click the x button next to the tag name. If the tag name is longer than one line, mouse over the ampersand below the name to expand it and then click the x button. Removing a tag is not the same as deleting it.

If you tag a site or an asset group, all of the member assets will "inherit" that tag. You cannot remove an inherited tag at the individual asset level. Instead, you will need to edit the site or asset group in which the tag was applied and remove it there.

Figure: Removing a custom tag

If a tag no longer has any business relevance at all, you can delete it completely.

Note:  You cannot delete a criticality tag.

To delete a tag, go to the Tags page:

Click the name of any tag to go to the details page for that tag. Then click the View All Tags breadcrumb.

Figure: Viewing the details page of a tag

OR

Click the Assets icon, then click the number of tags listed for Tagged Assets, even if that number is zero.

Go to the Asset Tag Listing table of the Tags page. Select the check box for any tag you want to delete. To select all displayed tags, select the check box in the top row. Then, click Delete.

Tip:  If you want to see which assets are associated with the tag before deleting it, click the tag name to view its details page. This could be helpful in case you want to apply a different tag to those assets.

Changing the criticality of an asset

Over time, the criticality of an asset may change. For example, a laptop may initially be used by a temporary worker and not contain sensitive data, which would indicate low criticality. That laptop may later be used by a senior executive and contain sensitive data, which would merit a higher criticality level.

Your options for changing an asset's criticality level depend on where the original criticality level was initially applied and where you are changing it:

Creating tags without applying them

You can create tags without immediately applying them to assets. This could be helpful if, for example, you want to establish a convention for how tag names are written.

  1. Click the Assets icon, then click the number of tags listed for Tagged Assets, even if that number is zero.
    OR
    Click the Create tab at the top of the page and then select Tags from the drop-down list.
  2. Click Add tags and add any tags as described in Tagging assets, sites, and asset groups.

Avoiding "circular references" when tagging asset groups

You may apply the same tag to an asset as well as an asset group that contains it. For example, you might want to create a group based on assets tagged with a certain location or owner. This may occasionally lead to a circular reference loop in which tags refer to themselves instead of the assets or groups to which they were originally applied. This could prevent you from getting useful context from the tags.

The following example shows how a circular reference can occur with location and custom tags:

  1. A first user tags a number of assets with the location Cleveland.
  2. The user creates a dynamic asset group called Midwest office with search results based on assets tagged Cleveland.
  3. The user applies a custom tag named Accounting to the Midwest office asset group because all the assets in the group are used by the accounting team.
  4. A second user, who is not aware of the Midwest office dynamic asset group or the Cleveland tag, creates a new dynamic asset group named Financial with search results based on the Accounting tag.
  5. That user tags the Financial group with Cleveland, expecting that all assets in the group will inherit the tag. But because the assets were tagged Cleveland by the first user, the Cleveland tag now refers to itself in a potentially infinite loop.

The following example shows how a circular reference can occur with criticality:

  1. You create a dynamic asset group Priorities for all assets that have an original risk score of less than 1,000. One of these assets is named Server_1.
  2. You tag this group with a Very High criticality level, so that every asset in the group inherits the tag.
  3. Your Security Console has been configured to double the risk score of assets with a Very High criticality level. See Adjusting risk with criticality.
  4. Server_1 has its risk score doubled, which causes it to no longer meet the filter criteria of Priorities. Therefore, it is removed from Priorities.
  5. Since Server_1 no longer inherits the Very High criticality level applied to Priorities, it reverts to its original risk score, which is lower than 1,000.
  6. Server_1 now once again meets the criteria for membership in Priorities, so it once again inherits the Very High criticality level applied to the asset group. This, again, causes its risk score to double, so that it no longer meets the criteria for membership in Priorities. This is a circular reference loop.

The best way to prevent circular references is to look at the Tags page to see what tags have been created. Then go to the details page for a tag that you are considering using to see which assets, sites, and asset groups it is applied to. This is especially helpful if you have multiple Security Console users and high numbers of tags and asset groups. To access the details page for a tag, simply click the tag name.
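The two circular-reference scenarios above can be modelled as a dependency graph and checked for loops before a tag is applied. This is an added example, not product code or a product export format; the dictionaries, the "tag:" and "group:" node names, and the sample risk scores are constructed assumptions.

```python
from collections import defaultdict

# Constructed model of the two scenarios above (not a product export format).
GROUP_FILTERS = {"Midwest office": ["tag:Cleveland"], "Financial": ["tag:Accounting"],
                 "Priorities": ["risk_score"]}      # group -> what its filter reads
GROUP_TAGS = {"Midwest office": ["tag:Accounting"], "Financial": ["tag:Cleveland"],
              "Priorities": ["tag:Very High"]}      # group -> tags its members inherit
SIDE_EFFECTS = {"tag:Very High": ["risk_score"]}    # criticality adjusts the risk score


def build_graph(filters, group_tags, side_effects):
    """Edges run from each input to whatever is derived from it."""
    graph = defaultdict(set)
    for group, inputs in filters.items():
        for item in inputs:
            graph[item].add("group:" + group)
    for group, tags in group_tags.items():
        graph["group:" + group].update(tags)
    for tag, outputs in side_effects.items():
        graph[tag].update(outputs)
    return graph


def find_cycles(graph):
    """Depth-first search; each cycle is reported once, rotated to its smallest node."""
    cycles, done = set(), set()
    def visit(node, path):
        if node in path:
            loop = path[path.index(node):]
            start = loop.index(min(loop))
            cycles.add(tuple(loop[start:] + loop[:start]))
        elif node not in done:
            for nxt in sorted(graph.get(node, ())):
                visit(nxt, path + [node])
            done.add(node)

    for node in sorted(graph):
        visit(node, [])
    return sorted(cycles)


def simulate_priorities(original_score, rounds=4, limit=1000, factor=2):
    """Membership of one asset in Priorities on each successive re-evaluation."""
    member, history = False, []
    for _ in range(rounds):
        member = (original_score * factor if member else original_score) < limit
        history.append(member)
    return history
```

With a constructed original score of 600, `simulate_priorities` alternates between member and non-member on every re-evaluation, as Server_1 does in the scenario. A score of 400 stays in the group because doubling it still satisfies the filter.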