Doing Continuous Compromise Assessment® correctly requires proper incident organization, categorization and prioritization; to assist organizations in properly doing so, Lumu has created Lumu Labels. Labels give you the power to categorize and filter your traffic by business relevance, asset criticality, network segment, geography, device, domain, all according to your business necessities. Proper use of Labels enables easy identification and prioritization of compromise distribution across your infrastructure, allowing your team to respond efficiently to attacks at every stage.
How to Create a Label
Before going into the procedure, we must first consider the criteria for creating a label. Labels should serve as a tool to quickly assess the importance of an incident and of the asset it is affecting; therefore, they should provide enough information at a glance for you to make that assessment. Let’s examine these criteria and some considerations while looking at the procedure.
While the labels you need depend on your network's unique characteristics, it's important not to create too many. Excessive labels can obscure your network’s cybersecurity posture and hinder operational efficiency.
1. There are two main ways to create a label:
a. When creating collectors in the Lumu Portal, such as gateways, agents, virtual appliances, custom collectors, etc., you are prompted to associate their traffic with a label. Associate an existing label with the collector, or add a new label.
b. By heading to the Settings drop-down menu and selecting the Labels section. You will find the Add Label option.
2. In both cases, the label creation form will open up.
Let’s go through it field by field while pointing out considerations and recommendations for label creation.
- Name(1): You must assign not only an identifiable name to your label, but one that provides as much information as possible about it at a glance. The purpose of labels is to allow the team to prioritize and operate incidents in a quick and precise way, so there must be consideration put into naming your labels. You want to consider your network segmentation and the criticality of the asset, first and foremost. Geography, organizational criteria, and others may be useful, but they will always come second in terms of importance.
- Playback Analysis(2): This switch serves to enable Lumu Playback® analysis for traffic assigned with this label. If for some reason you wish to exclude this label from retrospective threat analysis, make sure to disable this switch. Lumu Playback® Analysis is enabled by default.
- Business Relevance(3): This is one of the most critical label parameters. Assess the importance of the asset group assigned to this label and select one of the three available values accordingly. This parameter serves as an immediate indicator for prioritizing incidents, so it’s essential to assign it thoughtfully.
- Description(4): Add a detailed and relevant description. This will help other team members use the label correctly, and prevent them from assigning it inaccurately.
3. Once you are done configuring the label's settings, click the Create button.
The label has been created. Now, let’s talk about how to assign a label.
Assigning Labels
On a technical level, assigning labels is simple and intuitive; however, there are some aspects to consider before doing so to ensure that the feature is providing value to your organization.
These are some recommendations to achieve that goal:
- Determine the network segment the asset you are collecting data from belongs to, and how critical it is for your operation. If you already have a label that fits the criteria, assign it to this asset.
- As mentioned previously, each label should reflect an environment or group with significance to your cybersecurity operations, such as critical business functions or compliance-sensitive areas. Labels should be assigned in such a way that the assets’ operational significance they represent is immediately apparent.
- Some collectors, such as firewalls and DNS servers, gather data from several devices connected to them, so assigning a single label to these types of collectors isn’t advisable in some cases: one label would then cover assets of very different criticality. Consider assigning labels in a more granular fashion by using Grouping Rules.
- If you aren’t certain that assigning a label to an asset or collector is going to make it more visible and help you operate more efficiently, it is preferable to leave it unlabeled.
- Avoid common mistakes like labeling based on technical parameters such as VLAN names or collector identifiers, which don't convey the business impact of incidents.
Actually assigning the label is rather simple. When creating collectors in the Lumu Portal, such as gateways, agents, virtual appliances, custom collectors, etc., you are requested to associate their traffic with a Label. Associate an existing label with the collector.
Alternatively, you can add a new label.
Assign the label and save your changes. This menu is also accessible through the Edit button on all Lumu collectors.
Labeling Use Examples
Let’s take a look at some examples of organizations that have properly categorized their traffic with Lumu Labels to prioritize incidents and optimize their operation. These examples have been built using real implementation scenarios as a basis. They can be used as reference when setting up your organization’s labels.
Example 1: Institution in the Education Sector
An institution in the education sector needs to organize and categorize their traffic adequately. The institution has two different locations in different cities, and dedicated network segments for their staff and students. After studying their network’s characteristics and their business necessities, the Lumu Support team and the institution’s cybersecurity team came up with the following labeling strategy:
- Labels 1 and 2 - Location 1 and Location 2: A dedicated label for each location enables the institution to easily identify traffic sources from a particular site. Each label can be named after the city where the site is located, for example. Unless a location houses significantly more vital assets and resources than the other, these labels should have a Medium business relevance level.
- Label 3 - Academy staff: This label helps the institution identify traffic from administrative and teaching staff, who handle sensitive data such as student and family information, payment details, and more. Given its relevance during potential incidents, this label may be of particular interest to the team and its business relevance should be set to High.
- Label 4 - Students: This label enables the institution to quickly identify all traffic from the student network. Similar to a guest network in a corporate environment, student devices are largely unmanaged, with little to no control over them. Since malicious activity within this network is unlikely to impact the institution’s infrastructure, the label’s business relevance should be set to Low.
Example 2: Corporation in the Retail Sector
A retail corporation must effectively organize and categorize its network traffic. The company processes credit card transactions and operates multiple stores, each with its own network segment. After analyzing the network’s characteristics and business needs, the Lumu Support team and cybersecurity team developed the following labeling strategy:
- Label 1 - Server Network: A label was created for the network segment connecting the organization’s servers, as they store the most sensitive data and are equally critical to the corporation’s operations. The business relevance of this label should be set to High.
- Label 2 - PCI (Payment Card Industry) Network: This label is assigned to devices that handle credit card payments. Since these devices process payment details and must comply with strict security standards, the data they generate requires careful handling and proper categorization. The business relevance of this label should be set to High.
- Label 3 - Administrative Network: This label was created to categorize the traffic of devices used by executive and managerial staff. These devices handle relatively sensitive data, which may be enough to consider setting its business relevance to High; however, not every single label can be set to high as that would defeat the purpose of categorizing and prioritizing traffic, so, in this case, it was set to Medium.
- Label 4 - Public Cloud Network: This label applies to all public cloud servers (AWS, GCP, Azure, etc.) within the network. While infections in this environment are rare, they can be highly severe due to the volume and sensitivity of the stored data. The business relevance of this label should be set to High.
- Label 5 - Retail Stores: This label groups the devices across all of the corporation’s physical retail stores. While each store has its own network segment, they share the same criticality and business relevance, making a unified label practical. The business relevance of this label should be set to Medium.
- Label 6 - Guest Network: This label applies to the corporation's public guest network. Since the cybersecurity team has minimal control over the security of connected devices and incidents on this network are unlikely to impact the corporation’s infrastructure or operations, the recommended business relevance level for this label is Low.
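To make the recommendations above concrete, here is an added Python example (not Lumu's code, and not the Lumu Portal API) that lints a proposed label set against the guidance on this page and orders sample incidents by the business relevance of their labels. It uses the Example 2 label set as input, together with constructed incident records. The numeric thresholds for "too many labels" and "too many High labels", and the pattern used to spot technical-looking names such as VLAN identifiers, are assumptions; the page gives no numbers for them.

```python
"""Lint a set of labels against the recommendations on this page and rank
sample incidents by label relevance.

Added example, not Lumu's code or API. The Label fields mirror the label
creation form (Name, Playback Analysis, Business Relevance, Description).
Thresholds and the technical-name pattern are assumptions; incidents are
constructed sample data.
"""
import re
from dataclasses import dataclass

# The three Business Relevance values used in the examples on this page.
RELEVANCE_RANK = {"High": 3, "Medium": 2, "Low": 1}

MAX_LABELS = 12        # assumed: the page only says "not too many"
MAX_HIGH_SHARE = 0.5   # assumed: more than half High defeats prioritization

# Assumed pattern for names that only convey a technical parameter
# (VLAN ids, collector ids, bare numbers) rather than business impact.
TECHNICAL_NAME = re.compile(
    r"^(vlan[-_ ]?\d+|collector[-_ ]?\w+|\d{1,4})$", re.IGNORECASE
)


@dataclass(frozen=True)
class Label:
    name: str
    business_relevance: str
    description: str = ""
    playback_analysis: bool = True   # enabled by default, as in the form


# Example 2 (retail corporation) from this page, with short descriptions.
RETAIL_LABELS = [
    Label("Server Network", "High", "Servers holding the most sensitive data"),
    Label("PCI (Payment Card Industry) Network", "High", "Card payment devices"),
    Label("Administrative Network", "Medium", "Executive and managerial staff"),
    Label("Public Cloud Network", "High", "AWS/GCP/Azure servers"),
    Label("Retail Stores", "Medium", "Devices in all physical stores"),
    Label("Guest Network", "Low", "Public guest Wi-Fi, unmanaged devices"),
]

# Constructed sample incidents: (incident id, label of the affected asset).
# None models traffic that was deliberately left unlabeled.
SAMPLE_INCIDENTS = [
    ("inc-1", "Guest Network"),
    ("inc-2", "PCI (Payment Card Industry) Network"),
    ("inc-3", None),
    ("inc-4", "Retail Stores"),
]


def lint_labels(labels):
    """Return a list of findings; an empty list means the set looks sane."""
    findings = []
    if len(labels) > MAX_LABELS:
        findings.append(f"too many labels ({len(labels)} > {MAX_LABELS})")
    names = [lbl.name.lower() for lbl in labels]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            findings.append(f"duplicate label name: {name}")
    high = sum(1 for lbl in labels if lbl.business_relevance == "High")
    if labels and high / len(labels) > MAX_HIGH_SHARE:
        findings.append(
            f"{high} of {len(labels)} labels are High; prioritization loses meaning"
        )
    for lbl in labels:
        if lbl.business_relevance not in RELEVANCE_RANK:
            findings.append(
                f"{lbl.name}: unknown business relevance {lbl.business_relevance!r}"
            )
        if TECHNICAL_NAME.match(lbl.name.strip()):
            findings.append(
                f"{lbl.name}: name conveys a technical parameter, not business impact"
            )
        if not lbl.description.strip():
            findings.append(f"{lbl.name}: missing description")
    return findings


def prioritize(incidents, labels):
    """Order incidents so those on High-relevance labels come first.

    Unlabeled incidents (label None or unknown) rank 0 and sort last; the sort
    is stable, so equally ranked incidents keep their input order.
    """
    by_name = {lbl.name: lbl for lbl in labels}

    def rank(item):
        _, label_name = item
        lbl = by_name.get(label_name)
        return RELEVANCE_RANK.get(lbl.business_relevance, 0) if lbl else 0

    return sorted(incidents, key=rank, reverse=True)


if __name__ == "__main__":
    print("findings:", lint_labels(RETAIL_LABELS) or "none")
    for incident_id, label_name in prioritize(SAMPLE_INCIDENTS, RETAIL_LABELS):
        print(incident_id, "->", label_name or "(unlabeled)")
```

Run against a set such as two labels named VLAN10 and VLAN20, both High and without descriptions, the linter reports the three problems this page warns about in one pass: names that encode a technical parameter, every label set to High, and missing descriptions.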
Using Grouping Rules with Lumu Collectors
Grouping Rules is a feature shared by some of our collectors, more specifically, the ones that can receive data from several devices and require more granular traffic management. This allows you to better label, organize and categorize the traffic these collectors analyze.
These Lumu collectors are designed to receive traffic in bulk. The Grouping Rules feature allows you to properly label traffic from your network to maximize efficiency and visibility.
The following collectors support Grouping Rules:
- Agents Server Collector
- Virtual Appliances
- Custom Collector (API)
- Log Forwarder
- Out-of-the-Box Data Collection Integrations:
  - AWS
  - Google Cloud
  - Kubernetes
  - Netskope
  - Cisco Umbrella
If you want to learn more about this feature, make sure to check our article on Grouping Rules.