Compliance alignment

runZero customers face a variety of compliance obligations, from industry standards to state, federal, and international laws and regulations. While each has its own unique attributes, there are common themes across most IT and cybersecurity frameworks. The following sections summarize several of these themes and how runZero can help organizations achieve and maintain compliance.

Establish and maintain an asset inventory

A common adage in cybersecurity is that you can’t protect what you can’t see. As such, establishing an inventory of assets is foundational to building an effective cybersecurity program. Most cybersecurity standards and frameworks include provisions for establishing an asset inventory. Examples of asset inventory controls include:

  • C2M2 ASSET-1a: IT and OT assets that are important to the delivery of the function are inventoried […].
  • CIS Critical Security Control 1.1: Establish and Maintain Detailed Enterprise Asset Inventory.
  • NIST CSF ID.AM-1: Physical devices and systems within the organization are inventoried.

While there are a variety of ways that an organization can build an asset inventory, many standards and frameworks take things a step further by requiring active network scanning. This helps ensure that your inventory stays up to date and includes all assets, not just the assets you know about. Examples of this include:

  • CIS Critical Security Control 1.3: Utilize an Active Discovery Tool.
  • CMMC 3.4.3e: Employ automated discovery and management tools to maintain an […] inventory of system components.
  • CISA Binding Operational Directive 23-01 Requirement 1a: Perform automated asset discovery every 7 days.

runZero helps organizations discover assets connected to their networks and in the cloud. Through unauthenticated active scanning, runZero can identify both managed and unmanaged devices across IT and OT networks. runZero also integrates with cloud service providers and numerous other platforms to ingest asset information, allowing it to be a system of record for all your connected assets.

Secure configuration of assets

System hardening is a crucial component of maintaining effective cyber hygiene in an enterprise security program. This includes documenting baseline configurations for IT and OT assets, disabling unnecessary or insecure software and services, and continuously monitoring for changes to asset configurations. Examples of secure configuration management controls include:

  • CIS Critical Security Control 4.1: Establish and Maintain a Secure Configuration Process.
  • CMMC 3.4.7: Restrict, disable or prevent the use of nonessential programs, functions, ports, protocols and services.
  • NIST CSF PR.IP-1: A baseline configuration of IT/ICS is created and maintained incorporating security principles.
  • PCI DSS 2.2.4: Only necessary services, protocols, daemons, and functions are enabled, and all unnecessary functionality is removed or disabled.

runZero can augment an organization’s secure configuration practices by continually scanning assets for unnecessary or insecure software, services, and protocols. For example, runZero can discover and alert on insecure protocols such as FTP, TFTP, Telnet, and HTTP. runZero can also identify and alert on end-of-life operating systems, out-of-date software, the use of insecure cryptographic libraries, and many other configuration attributes. Additionally, runZero can identify potential weaknesses in an organization’s network such as multihomed assets that have both a public and a private IP address, assets employing both IPv4 and IPv6, and unauthorized wireless access points.

Malware protection

Malware continues to play a prevalent role in cybersecurity breaches. Organizations leverage a number of techniques to protect their assets against malicious software. One of the most common techniques is deploying an anti-malware solution to workstations, servers, and mobile devices. While some frameworks specifically call for anti-malware software deployment on all assets, others take a more flexible approach, leaving room for organizations to define a defense-in-depth approach to malware protection. Examples of malware protection controls include:

  • CIS Critical Control 10.1: Deploy and maintain anti-malware software on all enterprise assets.
  • CMMC 3.14.2: Provide protection from malicious code at designated locations within organizational systems.
  • NIST CSF DE.CM-4: Malicious code is detected.
  • PCI DSS 5.2: Malicious software is prevented, or detected and addressed.

runZero’s endpoint protection integrations allow customers to enrich their asset inventories with EDR platform data, providing a more comprehensive view into assets. With this data, customers can discover gaps in their endpoint protection deployments. This includes endpoints missing an endpoint protection agent as well as endpoints running an out-of-date version of the agent. In addition to integrations, runZero can also fingerprint a variety of other endpoint protection platforms including Avast, AVG, Kaspersky, McAfee, and Tanium.

Vulnerability management

Vulnerability scanning plays a crucial role in any enterprise security program, providing visibility into assets that are unpatched, misconfigured, or vulnerable to known exploits. Examples of vulnerability management controls include:

  • CIS Critical Security Control 7.5: Perform automated vulnerability scans of internal enterprise assets on a quarterly […] basis.
  • CMMC 3.11.2: Scan for vulnerabilities in organization systems and applications […].
  • NIST CSF PR.IP-12: A vulnerability management plan is developed and implemented.
  • PCI DSS 6.3: Security vulnerabilities are identified and addressed.

runZero’s vulnerability management integrations allow customers to enrich their asset inventories with vulnerability data, providing a more comprehensive view into assets and expediting response to new vulnerabilities. runZero can also find gaps in your vulnerability scan coverage by identifying assets that have been discovered by runZero but have not been scanned by your vulnerability management platform.

Compliance Frameworks

The following standards and frameworks have been evaluated in order to help customers better align the runZero platform with compliance requirements.
