Full-scale deployment

As you get started with runZero, we recommend kicking off with our standard deployment plan and adding tasks as needed. The standard deployment plan is broken out into six stages which will help you plan out your requirements, execute the deployment, and optimize your environment based on runZero’s best practices.

1. Identify key success outcomes

Total attack surface visibility

• Active discovery on all internal assets
• Active discovery on all externally facing assets
• Passive discovery and enrichment in key network segments
• Integrate with all cloud providers and other relevant data sources

Additional Resources

• Overview
• RFC1918 coverage playbook
• Scanning OT playbook

Full-spectrum exposure detection

• Rapid Response findings and asset-level pivoting
• Network misconfiguration findings and control coverage gaps
• Vulnerability enrichment and inside-out findings

Additional Resources

• Overview
• Rapid Response blog
• Gaps in EDR playbook
• Gaps in VM playbook

Risk prioritization and insights

• Custom dashboards
• Rules and alerts
• Setting asset criticality and ownership

Additional Resources

• Overview
• Custom Dashboards documentation
• Alerting playbook

Compliance, Reporting, and KPIs

• Comply with asset inventory and discovery requirements of relevant frameworks
• Comply with secure configuration requirements of relevant frameworks
• Comply with malware protection requirements of relevant frameworks
• Comply with vulnerability management requirements of relevant frameworks

Additional Resources

• Overview
• Compliance alignment documentation
• NYDFS dashboard playbook

2. Planning your deployment

This first set of tasks will help your team identify target results, get ahead of potential blockers, and help you avoid misconfigurations within runZero.

Tasks

• Identify key organizational stakeholders
  • Administrator(s) - who will be setting up runZero?
  • Integration owner(s) - who will provide credentials for each integration?
• All users take the runZero 101 training
• Administrators take the runZero 201 training
• Determine whether self-hosting is required (docs | video)
• Determine if you will use SSO or local accounts for user access.
  • If SSO, you will want to start any internal processes for getting the runZero app created in your provider.
• Identify known networks and subnets for discovery and other inventory sources. (docs | video)
  • If available, prepare CSV files for bulk importing subnets.
  • Firewalls should also be configured to allow the Explorer IPs to scan the entire network on all ports.
• Define organizations based on RBAC requirements, including configuring organization-level data retention and expiration thresholds (docs | video).
• Determine Explorer deployment location(s).
  • Explorer Groups can be used to logically combine Explorers for streamlined task scheduling.
• Identify required inbound integrations, prioritizing connectors for platforms such as EDR and CSPM to get full vulnerability and misconfiguration coverage.
• Familiarize the team with the runZero search to plan initial asset searches and reporting requirements.

3. Initial configuration

Once you have your plan in place, it’s time to execute and run your initial scans. Please note that these configuration tasks are in a prioritized order to help you avoid having to reconfigure things down the road.

Tasks

• Deploy self-hosted console (if required) (docs | video)
• Setup organizations, ensuring expiration thresholds for stale data, integrations, and vulnerabilities are configured.
• Set up sites, and define subnets for discovery (video)
  • Sites do not necessarily correspond to physical locations within runZero. Sites are used to represent distinct networks that may have overlapping IP space
  • This also includes Public IP space and domains for external scanning.
• Install Explorer(s) (video)
  • If planned, configure Explorer Groups to logically organize scanners for streamlined task distribution.
• Define private network addresses
  • You can set custom Private IP ranges if you use Public IP ranges internally in Account Settings.
• Run initial scan (docs | video)
• Configure credentials and inbound integration connections
  • Cloud inventory sources
  • Endpoint protection
  • Vulnerability management
  • Directory services
  • Custom Integrations

4. Review Assets and Exposures

Now that you have done some initial discovery and leveraged integrations, it’s time to review the results. Reviewing the results and leveraging our advanced reporting features will help you expand scan scope, prioritize risk, better understand your network, and identify key exposure issues such as misconfigurations and actively exploited vulnerabilities.

Tasks

• Review Results and Exposure Overview

  • Review the Risk Management Dashboard (new default dashboard) for a centralized view of risks. This dashboard provides insights, trend data, and breakdowns of assets (docs).
    • Check the Latest Rapid Response alerts widget, which includes a carousel of the five most recent Rapid Response posts and displays matches in your inventory (docs).
    • Leverage the capability to create and share multiple, custom dashboards for different use cases or teams (e.g., Compliance or Vulnerability Management) (docs).
  • Review the Asset Inventory (docs). The inventory correlates and merges assets across all data sources (scan, passive, and integrations) to provide a single source of truth.
  • Review the Asset Detail View, noting the consolidated view of attributes, vulnerabilities, and software (docs).

• Identify and Prioritize Exposures with Findings

  • Review the Findings section, which aggregates vulnerabilities and misconfigurations into prioritized risk categories (e.g., Internet Exposure, Open Access, End-of-Life, Certificates, Vulnerability, and Best Practice Violations) (docs).

• Deep Investigation and Querying

  • Identify risky assets using the Queries library (docs):
    • Learn query syntax (docs).
    • Apply vulnerability records to queries (e.g., for novel internal findings) (docs).
    • Filter assets and services directly by their associated Finding Code (e.g., finding_code:rz-finding-internet-exposed-database) to target remediation (docs).
    • Search for assets exposed to Known Exploited Vulnerabilities (KEV) lists (CISA KEV, VulnCheck) and leverage EPSS scores for priority assessment.

• Track Long-Term Initiatives

  • Track long-term initiatives with Goals (docs).
  • Utilize Baseline Goals to measure progress against specific inventory subsets (e.g., setting a goal to remediate all expired certificates or critical vulnerabilities in the os_eol:<now subset).

• Review Reporting

  • Review reports (docs).
  • Identify gaps in scanning uisng reports (docs).
  • Understand network segmentation (docs).

5. Optimization

After you’ve done your initial analysis, you will want to optimize your scans and configurations to follow best practices.

Tasks

• Configure SNMP credentials (video)
• Optimize scans by adjusting scan rates and other configurations (docs | video)
  • See our clickthrough of some key additional configuration options as well
• Ensure default credential and vulnerability checks are enabled on all scans.
  • Current coverage can be found in this documation.
• Configure asset ownership to streamline investigations.

6. Automation

Now that you have optimized your scans and have analyzed your runZero data, you can automate these tasks to avoid manual effort. You can leverage this automation to run scans on a recurring basis, automate queries, and generate alerting for the team.

Tasks

• Schedule recurring scan tasks and any inbound integration tasks
• Automate queries and configure alerts to align with use cases (video)
• Use rules to automate tagging and setting asset criticality (walkthrough)
• Setup alerts for system events like Explorer offline and scan failures.
• Configure outbound integration connections to enrich other IT and security tools
  • CMDB
  • SIEM
  • SOAR
  • Note: If you’re utilizing a solution that runZero does not offer a standard outbound integration for at this time, be sure to review our API documentation to learn about how to export runZero data.

7. Rollout

As your runZero deployment comes to a close, you will want to ensure all users have gone through training and ensure anyone that would get value from runZero has access to the platform.

Tasks

• Add users
• Ensure all users are trained on runZero
  • Training and key documentation
    • 101 user training
    • 201 administrator training
    • Use case library
    • Search
    • Reporting
    • Exporting assets
  • runZero playbooks
• Identify other teams interested in the asset inventory data, such as:
  • Enterprise security team
    • runZero is typically used by security teams to achieve a complete asset inventory, find gaps in their vulnerability scanning and endpoint protection, as well as discover potential vulnerabilities.
  • IT Operations team
    • runZero is typically used by IT Operations teams to achieve a complete inventory of all assets across on-premise and cloud-based infrastructure. This allows the team to identify misconfigurations as well as report on assets in the environment by leveraging our searching and reporting capabilities.
  • Penetration testing team
    • runZero is typically used by penetration testing teams for conducting reconnaissance both internally and externally, identifying vulnerable targets, and finding ways to get to these vulnerable targets by using our reporting and searching capabilities.

Additional Resources

Now that runZero has been deployed and users have been trained on the platform, please review some of our additional resources to help answer questions you might have as well as maximize the value of runZero:

• runZero playbooks
• Use Case Library
• Leveraging the API
• Glossary
• runZero FAQs

Getting help

If you need assistance at any point in this process, you can book a session with a runZero Customer Success Engineer to discuss further.