Full-scale deployment
As you get started with runZero, we recommend kicking off with our standard deployment plan and adding tasks as needed. The standard deployment plan is broken out into six stages which will help you plan out your requirements, execute the deployment, and optimize your environment based on runZero’s best practices.
Identify key success outcomes
Achieve complete asset and attack surface visibility
- Active discovery on all internal assets
- Active discovery on all externally facing assets
- Passive discovery and enrichment in key network segments
- Integrate with all cloud providers and other relevant data sources
Additional Resources
Mitigate exposure before compromise
- Rapid understanding of potential exposure on new vulnerabilities
- Reduce gaps in security controls
- Identify unnecessary public facing services
- Identify insecure software and services
Additional Resources
- Overview
- Rapid Response blog
- Alerting on queries playbook
- Gaps in EDR playbook
- Gaps in vulnerability management playbook
Minimize corporate and regulatory compliance risk
- Comply with asset inventory and discovery requirements of relevant frameworks
- Comply with secure configuration requirements of relevant frameworks
- Comply with malware protection requirements of relevant frameworks
- Comply with vulnerability management requirements of relevant frameworks
Additional Resources
Planning your deployment
This first set of tasks will help your team identify target results, get ahead of potential blockers, and help you avoid misconfigurations within runZero.
Tasks
- Identify key organizational stakeholders
  - Administrator(s): who will be setting up runZero?
  - Integration owner(s): who will provide credentials for each integration?
- All users take the runZero 101 training
- Administrators take the runZero 201 training
- Determine whether self-hosting is required (docs | video)
- Identify known networks and subnets for discovery and other inventory sources (docs | video)
- Define organizations based on RBAC requirements (docs | video)
- Determine Explorer deployment location(s)
Initial configuration
Once you have your plan in place, it’s time to execute and run your initial scans. Please note that these configuration tasks are in a prioritized order to help you avoid having to reconfigure things down the road.
Tasks
- Deploy self-hosted console (if required) (docs | video)
- Set up organizations
- Set up sites and define subnets for discovery (video)
  - Sites do not necessarily correspond to physical locations within runZero. Sites are used to represent distinct networks that may have overlapping IP space.
- Install Explorer(s) (video)
- Run initial scan (docs | video)
Analysis
Now that you have done some initial discovery, it’s time to review the results. Reviewing the results and leveraging our reports will help you expand scan scope, better understand your network, and identify key issues such as misconfigurations.
Tasks
- Review results of initial scan
- Identify risky assets using the Queries library (docs | clickthrough)
- Learn query syntax
- Apply vulnerability records to queries (docs)
- Track long-term initiatives with Goals
- Review reporting
Advanced configuration / Optimization
After you’ve done your initial analysis, you will want to optimize your scans and configure integrations to further build your complete asset inventory.
Tasks
- Configure inbound integration connections
- Configure SNMP credentials (video)
- Optimize scans by adjusting scan rates and other configurations (docs | video)
- See our clickthrough of some key additional configuration options as well
Automation
Now that you have optimized your scans and have analyzed your runZero data, you can automate these tasks to avoid manual effort. You can leverage this automation to run scans on a recurring basis, automate queries, and generate alerting for the team.
Tasks
- Schedule recurring scan tasks and any inbound integration tasks
- Automate queries and configure alerts to align with use cases (video)
- Configure outbound integration connections to enrich other IT and security tools
  - CMDB
  - SIEM
  - SOAR
  - Note: If you’re utilizing a solution that runZero does not offer a standard outbound integration for at this time, be sure to review our API documentation to learn how to export runZero data.
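For the case where no standard outbound integration exists, the following is an added example (not runZero's own code) of pulling the organization asset export over the API and flattening each record into newline-delimited JSON that a SIEM or CMDB collector can ingest. It assumes the export endpoint `/api/v1.0/export/org/assets.json` authenticated with a Bearer export token, the console URL and token being supplied via environment variables, and the field names shown in the constructed sample; verify all of these against the API documentation for your version.

```python
import json
import os
import urllib.request

# Assumed: console URL and an organization export token supplied via environment.
CONSOLE_URL = os.environ.get("RUNZERO_URL", "https://console.runzero.com")
EXPORT_TOKEN = os.environ.get("RUNZERO_EXPORT_TOKEN", "")


def fetch_assets(console_url=CONSOLE_URL, token=EXPORT_TOKEN):
    """GET the organization asset export (network call; endpoint path is assumed)."""
    req = urllib.request.Request(
        f"{console_url}/api/v1.0/export/org/assets.json",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def flatten_asset(asset):
    """Reduce one export record to the keys a CMDB/SIEM feed usually wants.

    Field names (id, addresses, names, os, hw, site_id, last_seen) are taken from
    the constructed sample below; check them against the real export schema.
    Missing or empty values are normalized so downstream parsers never see nulls
    where a string is expected.
    """
    return {
        "asset_id": asset.get("id"),
        "ip": (asset.get("addresses") or [None])[0],
        "hostname": (asset.get("names") or [None])[0],
        "os": asset.get("os") or "unknown",
        "hardware": asset.get("hw") or "unknown",
        "site_id": asset.get("site_id"),
        "last_seen": asset.get("last_seen"),
        "all_ips": list(asset.get("addresses") or []),
    }


def to_ndjson(assets):
    """One JSON object per line, the shape most SIEM HTTP collectors accept."""
    return "\n".join(json.dumps(flatten_asset(a), sort_keys=True) for a in assets)


# Constructed sample of two export records (not real runZero output).
SAMPLE_ASSETS = [
    {"id": "a1", "addresses": ["10.0.1.5", "fe80::1"], "names": ["PRINTER01"],
     "os": "HP Printer", "hw": "HP LaserJet", "site_id": "s1", "last_seen": 1700000000},
    {"id": "a2", "addresses": ["10.0.2.9"], "names": [], "os": "", "hw": None,
     "site_id": "s1", "last_seen": 1700000100},
]

if __name__ == "__main__":
    # Use the live export when a token is configured, otherwise the constructed sample.
    print(to_ndjson(fetch_assets() if EXPORT_TOKEN else SAMPLE_ASSETS))
```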
Rollout
As your runZero deployment comes to a close, you will want to ensure that all users have gone through training and that anyone who would get value from runZero has access to the platform.
Tasks
- Add users
- Ensure all users are trained on runZero
- Training and key documentation
- runZero playbooks
- Identify other teams interested in the asset inventory data, such as:
  - Enterprise security team
    - runZero is typically used by security teams to achieve a complete asset inventory, find gaps in their vulnerability scanning and endpoint protection, and discover potential vulnerabilities.
  - IT Operations team
    - runZero is typically used by IT Operations teams to achieve a complete inventory of all assets across on-premises and cloud-based infrastructure. This allows the team to identify misconfigurations and report on assets in the environment by leveraging our searching and reporting capabilities.
  - Penetration testing team
    - runZero is typically used by penetration testing teams for conducting reconnaissance both internally and externally, identifying vulnerable targets, and finding paths to those targets by using our reporting and searching capabilities.
Additional Resources
Now that runZero has been deployed and users have been trained on the platform, please review some of our additional resources to help answer questions you might have as well as maximize the value of runZero:
Getting help
If you need assistance at any point in this process, you can book a session with a runZero Customer Success Engineer to discuss further.