Creating queries and dashboard for NYDFS compliance
Who is this playbook for and why?
- Security teams
- Compliance teams
How will runZero help?
runZero is able to gather the necessary data for a large portion of the NYDFS compliance, especially in the 500.09 section. By utilizing different queries and widgets in a custom dashboard, you can track and display the information needed.
What will I need to do?
- Identify and save queries for the different requirements of the compliance.
- Create a new custom dashboard for easily accessible information regarding the different requirements.
- Configure the dashboard utilizing the different queries defined in step 1.
Prerequisites
- (Optional) Go through the Finding gaps in endpoint protection and Finding gaps in vulnerability scanning playbooks to create and save queries on finding gaps in your EDR and Vulnerability Management tools (if applicable).
Steps to implement
1. Identify queries of interest
For all of these queries, you first will want to run the query in the Asset Inventory first, click the top right button with the three dots, and then click “Save Query”. This is important so we can reference them later for the dashboard.
These are some notable categories and respective queries that NYDFS is requiring:
- Owner
-
If you want to track the number of assets that are missing an owner, simply use this query:
has_owner:f
-
There is also a pre-built widget around Asset Ownership I will go over later in the playbook.
- Location
- Depending on how you are wanting to track locations and their assets, there are a few queries you can use:
-
If the assets are tagged with the appropriate location, you’d like to track the number of assets in said location, use the query below for each tag you’d like to monitor:
tag:="Name_of_tag"
-
If the assets are split up by Site instead of tags, create a query using this query for each site:
site:="Site_Name"
-
- Classification or sensitivity
- There are a number of great pre-built widgets you can use to display criticality and risk, you shouldn’t need to create additional queries for this.
- Support expiration date
- If you are just looking for number of assets with end-of-life, you won’t need to create any additional queries.
- (Optional) If you want to track EoL assets by operating system, below you will find a few examples you can use.
-
These are “contains” queries, so it should catch all versions of the respective OS.
-
Of course, you can simply change the query to a different OS you’d like to track as well.
name:="End-of-Life: Operating System" and os:ubuntu
name:="End-of-Life: Operating System" and os:windows
name:="End-of-Life: Operating System" and os:apple
-
- The frequency required to update and validate the covered entity’s asset inventory
- Generally, this can be tracked by your scan task schedule and history. You can use the query below to track the number of assets that have been scanned within the last 30 days. Alternatively, the “Asset Trends” pre-built widget should be sufficient enough as well.
last_seen:<30days
2. Create a new custom dashboard
- To create a new personal dashboard, navigate to Dashboards
- Click the Create Dashboard button in the top right.
- Give it a name and (optional) description. ex: NYDFS Compliance
3. Configuring the dashboard
It is recommended to recalculate the metrics at this time to get an updated metric for all the queries you added.
- To recalculate, when you are on a dashboard, if you click the hamburger button in the top-right, one of the options will say “Recalculate Metrics”.
You can now add widgets for the respective queries that we made previously as well as using some pre-built widgets to show the information needed for the compliance.
- Owner
- There are two options that you can choose to use:
- Asset Ownership - This is a prebuilt widget you can select from the available widgets.
- Create either a “Single Match Count” or “Single Match Trend” widget for the missing owner query you created earlier.
- Location
- Create a “Single Match Count” widget using each of either the tag or site-based queries you created earlier.
- You could also use the “Multi-Query match count” widget and put the queries in there to display them in a condensed format.
- Optional: Use the “Asset Tags” widget - This is a prebuilt widget you can select from the available widgets. This will display the top 10 most used tags in your inventory.
- Classification or sensitivity
- Use the “Criticality” and “Risk” widgets - both are a prebuilt widgets you can select from the available widgets.
- Support expiration date
- There is a couple pre-built widgets you can choose from:
- End-of-life findings by name
- End-of-life findings by risk
- Alternatively, if you created any custom queries earlier, you can use those to create either a “Multi-Query match count” widget or a “Single Match Count” widget for each one you created.
- The frequency required to update and validate the covered entity’s asset inventory
- Organization overview
- This will show the number of recent assets, how many active scans are going, number of recurring scans, how many explorers are online/offline and how many users there are. It’s a great synopsis for your organization.
- (Optional) Finding Gaps
- If you created any queries related to finding gaps in your security tools mentioned earlier, you can create a custom widget for those as well. You can choose between any of the options depending on if you want them seperated, combined, and if you want a number or a trend line.
Once you are done adding or creating the widgets that you want, feel free to move and resize the widgets to your liking.
For more information on using dashboards and to see other use cases with runZero, please check out the links below.