MSSP guidance
As an MSSP, you can use runZero to enhance current offerings and create new offerings for your customers related to asset management and asset risk management.
Who is this playbook for and why?
This playbook is meant to guide MSSPs along their path to creating and delivering an offering using the runZero platform. It is highly simplified by design and should serve as a starting point rather than a complete offering. We are laying the basic groundwork for you to take it to adapt to your needs.
How will runZero help?
runZero provides three outcomes, each with a set of key results. These outcomes are desirable to companies big and small, so they will allow you to frame the offering in a simple manner.
Achieve complete asset and attack surface visibility
- Active discovery on all internal assets
- Active discovery on all externally facing assets
- Passive discovery and enrichment in key network segments
- Integrate with all cloud providers and other relevant data sources
Mitigate exposure before compromise
- Rapid understanding of potential exposure on new vulnerabilities
- Reduce gaps in security controls
- Identify unnecessary public facing services
- Identify insecure software and services
Additional Resources
- Overview
- Rapid Response blog
- Alerting on queries playbook
- Gaps in EDR playbook
- Gaps in vulnerability management playbook
Minimize corporate and regulatory compliance risk
- Comply with asset inventory and discovery requirements of relevant frameworks
- Comply with secure configuration requirements of relevant frameworks
- Comply with malware protection requirements of relevant frameworks
- Comply with vulnerability management requirements of relevant frameworks
What will I need to do?
These are the high-level steps you will follow:
- Define your offerings.
- Build your per-offering project plan.
- Identify customers that would be interested in the offerings.
- Deliver the offerings.
Implementation steps
Step 1: Define your offerings
As mentioned earlier, you will likely want to build these offerings around runZero’s core use cases. In this section we will take a deeper dive into each.
Reduce gaps in asset visibility
Current customer challenges:
- Using manual efforts to track assets, such as spreadsheets and scripts.
- Reliant on a small group of employees whose exits would devastate the program.
- Difficulty tracking rogue IoT and OT devices.
- Migrating to the cloud or remote work, and losing visibility between on-premises, cloud, and remote assets.
Key results:
- Scan all assets in days rather than weeks.
- Integrate with all cloud providers and other relevant tools.
Reduce investigation times
Current customer challenges:
- No single source of truth for assets.
- Consistently getting alerts on assets that are not in the current inventory.
- Searching and analyzing assets in a manually generated inventory is challenging.
Key results:
- Find any asset in your environment in seconds.
- Review all services an asset runs in minutes.
- Understand potential exposure to new vulnerabilities.
Reduce asset risk
Current customer challenges:
- Unable to perform vulnerability response since they do not have a complete inventory.
- Unable to confirm endpoint protection deployment or vulnerability scan coverage.
- Unable to identify misconfigurations in the environment at scale.
Key results:
- Eliminate misconfigurations.
- Reduce gaps in endpoint protection.
- Reduce gaps in vulnerability scanning.
- Eliminate unmanaged assets through onboarding or retirement.
- Discover unauthorized assets to be removed.
Step 2: Structure your runZero environment for multiple customers
There are a few key considerations when structuring your runZero tenant for many customers. Understanding these ahead of time will ensure smooth delivery.
Tenancy
There are two overarching models you can choose when it comes to tenancy. The first is using an account per customer and the second is using a global account. There are pros and cons to each.
Per-customer account
In this model, each customer will create their own runZero account and manage the runZero billing themselves. You would then have a separate contract with them for the services you overlay on top of that. You could also still be a runZero partner to keep the runZero billing on your paperwork as well.
Pros:
- Each customer can use SSO.
- Customers have access to global settings like user management, queries, and alerts.
Cons:
- Licensing will be on a per-account basis.
Global account
In this model, you will run a single runZero account where you will manage all of the customers yourself. You would increase your asset count in runZero as your customer base grows.
Pros:
- Ability to make global changes to all customers’ queries and alerts.
- Simplifies the customer experience.
Cons:
- No per-customer SSO.
Self-hosting
You and your customers also have the option to self-host runZero. The per-customer and global account models above still apply, but access to the self-hosted instance will require some configuration since it will likely be on a private network. Self-hosted instances can also be deployed in the cloud to simplify access.
Pros:
- Data remains in your environment if you have requirements around that.
Cons:
- Access to the runZero console will get more complicated.
Organizations
In runZero, organizations are at the heart of RBAC. If you choose the global account tenancy model, you will create a new organization for each customer to allow for proper data access. If you are using per-customer account tenancy, each customer will likely have a single organization, except in edge cases where further access controls are needed.
If a customer needs further RBAC requirements, you can use parent-child relationships within organizations to provide more granular access. You will then have the option to provide access to the parent organization of the customer or a specific child organization.
A sample structure could look like this:
- Customer A
- Customer B
- Customer B1
- Customer C
- Customer C1
- Customer C2
- Customer D
Customer access to organizations
Your options for user access depend on the tenancy model.
Per-customer account tenancy
- SSO: Configure SSO, optionally with group mappings, to allow user access.
- Username and password: Require users to sign in using their registration email and a password.
Global account tenancy
- User by user: Provide each user invited specific access to their organization(s).
- Groups: Create groups for each customer and add each invited user to the group that has access to their organization(s).
Your access to organizations
Your options for access will also depend on your tenancy model.
Per-customer account tenancy
- External users: Customers will invite you to their account as an external user.
Global account tenancy
- Global access: Provide your team a default role with access to every organization.
  - Pro: simplified authentication for you
  - Con: potential for accidental updates to the wrong customer
- Organization-based access: Use a custom email per customer to log in to each account with the proper permissions.
  - Pro: reduced risk of making a change on the wrong customer
  - Con: more authentication to manage
Sites
We highly encourage you to use a single site per customer unless there is overlapping IP space. This will simplify your investigation processes across accounts since there will be less site-based context to worry about.
Credentials
Administrators will have the ability to create credentials for any organization they have access to. If you have access to multiple customer organizations, use caution while creating credentials and ensure each credential is only available in the correct organization.
Queries and Alerts
Only superusers can create new queries and alerts in runZero, so you will want to ensure you have a process in place for customers to be able to submit query and alert requests. You will still be able to push queries and alerts out globally, so you will not need to replicate them.
Step 3: Build your per-offering deployment plans
While we have a complete deployment plan documented, it will make sense to condense this for your customer engagements since they will be more limited in scope based on the offering. There will be four starting templates for you to take and customize.
- Customer onboarding
- Reduce gaps in asset visibility
- Reduce investigation times
- Reduce asset risk
Customer onboarding
- Create new organization for a new customer or have them invite you to their account.
- Add child organizations if they have RBAC requirements (reference video).
- Invite users from the customer based on the access route chosen in step 2.
- Configure access for your team if necessary based on access route chosen in step 2.
- Identify subnets to scan (reference video):
- Known subnets can be provided via CSV.
- We also recommend using the RFC1918 scan playbook to verify full coverage.
- Customer deploys Explorer(s) (reference video).
- You need one Explorer per network.
- In smaller environments, a single Explorer is usually sufficient.
Reduce gaps in asset visibility
- Configure initial scans using known subnets or the RFC1918 scan playbook.
- Verify full scan coverage using the RFC1918 scan playbook.
- Configure SNMP credentials (reference video).
- Configure cloud integrations to add visibility into your cloud assets.
- Configure MDM integrations to gain visibility into managed assets.
- Configure endpoint protection integrations to get visibility into managed assets.
Reduce investigation times
- Ensure all users have taken the training for general UI usage.
- Use the sample queries documentation to extend the search capabilities of the team.
- Configure outbound integrations to allow existing tools to access runZero data.
Reduce asset risk
- Use the query library to identify misconfigurations of interest (reference video).
- Create remediation steps for each misconfiguration of interest.
- Work with the customer to remediate the issues.
- Use the endpoint protection coverage playbook to reduce gaps in endpoint protection deployment.
- Use the vulnerability scanning coverage playbook to reduce gaps in vulnerability scanning.
- Once the inventory is in the desired state, automate queries and configure alerts to align with use cases (reference video).
Getting help
If you need help building out this process, you can book a session with a runZero Customer Success Engineer to discuss further.