runZero 101 training

This training uses the runZero success outcomes to help you understand the top use cases for runZero and how to achieve them. If you’d prefer a live training, there is a weekly live webinar every Thursday at 11am CST. You can register here.

To follow along with the hands-on portions, you can either:

  • Use your company’s existing runZero implementation as a reference to see what was done, or
  • Set up a personal runZero account to scan your home network

Introduction

In this training, we will use the standard success outcomes runZero customers accomplish to walk through different parts of the platform.

Asset management challenges

A few challenges related to asset management include:

  • Significant overhead managing asset discovery for unmanaged assets.
  • Asset data is siloed and leads to multiple pivots during investigations.
  • Time-consuming, cross-team effort to understand potential exposure every time an exploitable vulnerability is released.

The common threads between these challenges are wasted time. Time translates to metrics, and a few security metrics that can be improved through improved asset management include:

  • Unidentified devices on internal networks: Through effective asset discovery, you can eliminate the gaps in asset visibility on your network.
  • Mean time to discovery: Through effective asset discovery, you can identify risks in the environment sooner. Ideally prior to an alert from a detection and response tool.
  • Mean time to resolve: If you are able to reduce pivots during the investigation process, you can reduce the time it takes for an analyst to run an investigation.

runZero provides three success outcomes with sets of key results

Achieve complete asset and attack surface visibility

  • Active discovery on all internal assets
  • Active discovery on all externally facing assets
  • Passive discovery and enrichment in key network segments
  • Integrate with all cloud providers and other relevant data sources

Additional Resources

Mitigate exposure before compromise

  • Rapid understanding of potential exposure on new vulnerabilities
  • Reduce gaps in security controls
  • Identify unnecessary public facing services
  • Identify insecure software and services

Additional Resources

Minimize corporate and regulatory compliance risk

  • Comply with asset inventory and discovery requirements of relevant frameworks
  • Comply with secure configuration requirements of relevant frameworks
  • Comply with malware protection requirements of relevant frameworks
  • Comply with vulnerability management requirements of relevant frameworks

Additional Resources

Initial configuration

Before you get started, you will need to understand planning your deployment and get your environment setup.

Background information

These are resources related to planning your runZero deployment for your review. These will provide in-depth knowledge for running a full scale runZero deployment.

Environment setup

In this section, you will get your account setup or verify you have the access needed to complete the training in your corporate account.

If you are using a personal runZero account:

If you are using your company’s runZero account:

Achieve complete asset and attack surface visibility

Key outcomes

  1. Active discovery on all internal assets
  2. Active discovery on all externally facing assets
  3. Passive discovery and enrichment in key network segments
  4. Integrate with all cloud providers and other relevant data sources

Click through training

Section highlights

Scan with active discovery

Find every asset in every subnet regardless of its activity.

  1. Use your Explorers to scan your RFC 1918 space
  2. Get a full inventory for all IT, OT, and IoT assets
  3. Most people use the default scan configuration but you can adjust all aspects as needed
  4. Relevant playbooks
  5. Scan page

Monitor with passive discovery

Enrich your active scan data with passive monitoring.

  1. Passively monitor assets using your already deployed Explorers
  2. Configure a TAP or SPAN to mirror traffic to the Explorer
  3. The Explorer will upload results to enrich your inventory over time
  4. Monitor page

Integrate with your existing stack

Pull assets in from your existing tools with integrations spanning cloud, EDR, vulnerability, and more.

  1. Navigate to the Integrate page to see all native integration options
  2. Assets pulled in from integrations will automatically merge with existing assets in runZero
  3. You can also create custom integrations to pull in asset information from any data source of interest
  4. Integrate page

Use reporting to understand high level findings

RFC1918 and Subnet utilization reports allow you to understand your initial results.

  1. Reports
  2. RFC1918 shows scan coverage, utilization percentages by /16, and hinted assets
  3. Subnet utilization shows view of utilization by the subnet range size you select

Mitigate exposure before compromise

Key outcomes

  1. Rapid understanding of potential exposure on new vulnerabilities
  2. Reduce gaps in security controls
  3. Identify unnecessary public facing services
  4. Identify insecure software and services

Click through training

Section highlights

Proactive vulnerability response with the Rapid Response blog

Why wait for a vulnerability scan if you already know what you have?

  1. Rapid Response posts will contain a search to identify assets potentially vulnerable in your runZero inventory
  2. These are also stored in the Query library for future reference

Find assets missing EDR, MDM, and Vulnerability scans in seconds.

  1. Use playbooks based on your use case
  2. Run your scans, set up your integrations, and use the searches provided to find gaps
  3. In some cases, you will need to add additional filters to align with your deployment strategy
  4. Other sample searches

Mitigate exposures on public assets with Hosted Explorers

Take control over your border with scans on your desired cadence.

  1. runZero allows you to use Hosted Explorers to scan external assets without deploying your own Explorers
  2. This is a full scan vs the limited scope you may see with EASM tools
  3. Steps to configure:
    • Create scan
    • Change “Explorer” to None
    • Select “Hosted zone” as US - New York
    • Input discovery scope including IPs, Domains, ASNs, and/or Country Codes
  4. Use the Query library to identify risks commonly seen with public facing assets
  5. Playbooks on risky services

Use reporting to understand your blast radius

Visualize network bridges and routes from one asset to another.

  1. Network bridges
  2. Network bridges helps you understand segmentation
  3. Green bubbles represent internal networks
  4. Red bubbles represent externally facing networks
  5. Sample searches that can filter results down

Minimize corporate and regulatory compliance risk

Key outcomes

  1. Comply with asset inventory and discovery requirements of relevant frameworks
  2. Comply with secure configuration requirements of relevant frameworks
  3. Comply with malware protection requirements of relevant frameworks
  4. Comply with vulnerability management requirements of relevant frameworks

Click through training

Section highlights

Track asset ownership

Keep tabs on who owns what with integration based and rule based ownership tracking.

  1. Asset ownership allows you to quickly identify who needs to help you resolve an issue with an asset
  2. Ownership can populate in a few ways:
    • Automatically through integrations
    • Manually through the inventory views
    • Automatically through rules based on inventory searches
  3. You can also have multiple categories of owners depending on your use cases
  4. Ownership types page
  5. Search for owner = Zeti

Use alerting and rules to stay on top of changes

Get notified when an asset goes out of compliance within minutes of scan completion.

  1. You can create a rule based on any search with various knobs to turn
  2. You can be alerted a few ways:
    • Native alerts
    • Email
    • Webhooks to other tools
  3. Rules page
  4. Relevant playbooks

Set Goals to align with policies

Track progress towards your asset maturity with Goals.

  1. Report on trends in your inventory based on current projects
  2. Track Goals to the dashboard to keep a consolidated view of status
Updated