runZero 101 training

This training uses the runZero success outcomes to help you understand the top use cases for runZero and how to achieve them. If you’d prefer a live training, there is a weekly live webinar every Thursday at 11am CST. You can register here.

To follow along with the hands-on portions, you can either:

• Use your company’s existing runZero implementation as a reference to see what was done, or
• Set up a personal runZero account to scan your home network

Introduction

In this training, we will use the standard success outcomes runZero customers accomplish to walk through different parts of the platform.

Asset management challenges

A few challenges related to asset management include:

• Significant overhead managing asset discovery for unmanaged assets.
• Asset data is siloed and leads to multiple pivots during investigations.
• Time-consuming, cross-team effort to understand potential exposure every time an exploitable vulnerability is released.

The common threads between these challenges are wasted time. Time translates to metrics, and a few security metrics that can be improved through improved asset management include:

• Unidentified devices on internal networks: Through effective asset discovery, you can eliminate the gaps in asset visibility on your network.
• Mean time to discovery: Through effective asset discovery, you can identify risks in the environment sooner. Ideally prior to an alert from a detection and response tool.
• Mean time to resolve: If you are able to reduce pivots during the investigation process, you can reduce the time it takes for an analyst to run an investigation.

runZero provides three success outcomes with sets of key results

Achieve complete asset and attack surface visibility

• Active discovery on all internal assets
• Active discovery on all externally facing assets
• Passive discovery and enrichment in key network segments
• Integrate with all cloud providers and other relevant data sources

Mitigate exposure before compromise

• Rapid understanding of potential exposure on new vulnerabilities
• Reduce gaps in security controls
• Identify unnecessary public facing services
• Identify insecure software and services

Minimize corporate and regulatory compliance risk

• Comply with asset inventory and discovery requirements of relevant frameworks
• Comply with secure configuration requirements of relevant frameworks
• Comply with malware protection requirements of relevant frameworks
• Comply with vulnerability management requirements of relevant frameworks

Initial configuration

Before you get started, you will need to understand planning your deployment and get your environment setup.

Background information

These are resources related to planning your runZero deployment for your review. These will provide in-depth knowledge for running a full scale runZero deployment.

• Deployment plan: video and documentation
• Sample networks: video and documentation
• Setting up organizations: video and documentation
• Setting up sites: video and documentation

Environment setup

In this section, you will get your account setup or verify you have the access needed to complete the training in your corporate account.

If you are using a personal runZero account:

• Create an account: website and documentation
• Install an Explorer: video and documentation

If you are using your company’s runZero account:

• Verify you can see how many Explorers are deployed
• Verify you can view configured scans
• Verify you can view any credentials that have been created
• Verify there are assets in your inventory
• Verify you can add rules and alerts

Achieve complete asset and attack surface visibility

Key outcomes

1. Active discovery on all internal assets
2. Active discovery on all externally facing assets
3. Passive discovery and enrichment in key network segments
4. Integrate with all cloud providers and other relevant data sources

Click through training

Section highlights

Scan with active discovery

Find every asset in every subnet regardless of its activity.

1. Use your Explorers to scan your RFC 1918 space
2. Get a full inventory for all IT, OT, and IoT assets
3. Most people use the default scan configuration but you can adjust all aspects as needed
4. Relevant playbooks
   • Building your complete asset inventory
   • Achieving RFC 1918 coverage
   • Scanning OT networks
   • Scanning with SNMP
   • Using traffic sampling for passive asset discovery
5. Scan page

Monitor with passive discovery

Enrich your active scan data with passive monitoring.

1. Passively monitor assets using your already deployed Explorers
2. Configure a TAP or SPAN to mirror traffic to the Explorer
3. The Explorer will upload results to enrich your inventory over time
4. Monitor page

Integrate with your existing stack

Pull assets in from your existing tools with integrations spanning cloud, EDR, vulnerability, and more.

1. Navigate to the Integrate page to see all native integration options
2. Assets pulled in from integrations will automatically merge with existing assets in runZero
3. You can also create custom integrations to pull in asset information from any data source of interest
4. Integrate page

Use reporting to understand high level findings

RFC1918 and Subnet utilization reports allow you to understand your initial results.

1. Reports
   • RFC1918 Coverage
   • Subnet utilization report
2. RFC1918 shows scan coverage, utilization percentages by /16, and hinted assets
3. Subnet utilization shows view of utilization by the subnet range size you select

Mitigate exposure before compromise

Key outcomes

1. Rapid understanding of potential exposure on new vulnerabilities
2. Reduce gaps in security controls
3. Identify unnecessary public facing services
4. Identify insecure software and services

Click through training

Section highlights

Proactive vulnerability response with the Rapid Response blog

Why wait for a vulnerability scan if you already know what you have?

1. Rapid Response posts will contain a search to identify assets potentially vulnerable in your runZero inventory
   • How to find systems impacted by CVE-2024-3094 (XZ Utils backdoor)
   • How to find Palo Alto Network firewalls running PAN-OS 11.1, 11.0, and 10.2
   • How to find potentially vulnerable Ivanti VPN Gateways
2. These are also stored in the Query library for future reference
   • Query library

Manage gaps in security controls with flexible search

Find assets missing EDR, MDM, and Vulnerability scans in seconds.

1. Use playbooks based on your use case
   • Find gaps in endpoint protection
   • Find gaps in vulnerability scanning
2. Run your scans, set up your integrations, and use the searches provided to find gaps
3. In some cases, you will need to add additional filters to align with your deployment strategy
4. Other sample searches
   • Up/Down: alive:t
   • IP: address:192.168.40.157
   • Port: port:161
   • Protocol: protocol:snmp
   • Multi-homed assets with public and private IP addresses: alive:t AND has_public:t AND has_private:t
   • Default SSH configuration using passwords for authentication: alive:t AND protocol:“ssh” AND ssh.authMethods:"=password"
   • Remote access services/protocols: protocol:rdp OR protocol:vnc OR protocol:teamviewer
   • EOL Windows operating systems: os:windows AND os_eol:<now
   • All available serial number source: protocol:snmp has:snmp.serialNumbers OR hw.serialNumber:t OR ilo.serialNumber:t

Mitigate exposures on public assets with Hosted Explorers

Take control over your border with scans on your desired cadence.

1. runZero allows you to use Hosted Explorers to scan external assets without deploying your own Explorers
2. This is a full scan vs the limited scope you may see with EASM tools
3. Steps to configure:
   • Create scan
   • Change “Explorer” to None
   • Select “Hosted zone” as US - New York
   • Input discovery scope including IPs, Domains, ASNs, and/or Country Codes
4. Use the Query library to identify risks commonly seen with public facing assets
5. Playbooks on risky services
   • Unnecessary public facing services
   • Insecure services

Use reporting to understand your blast radius

Visualize network bridges and routes from one asset to another.

1. Network bridges
2. Network bridges helps you understand segmentation
3. Green bubbles represent internal networks
4. Red bubbles represent externally facing networks
5. Sample searches that can filter results down
   • Network bridges report of assets missing CrowdStrike
   • Network bridges report of assets with remote access services

Minimize corporate and regulatory compliance risk

Key outcomes

1. Comply with asset inventory and discovery requirements of relevant frameworks
2. Comply with secure configuration requirements of relevant frameworks
3. Comply with malware protection requirements of relevant frameworks
4. Comply with vulnerability management requirements of relevant frameworks

Click through training

Section highlights

Track asset ownership

Keep tabs on who owns what with integration based and rule based ownership tracking.

1. Asset ownership allows you to quickly identify who needs to help you resolve an issue with an asset
2. Ownership can populate in a few ways:
   • Automatically through integrations
   • Manually through the inventory views
   • Automatically through rules based on inventory searches
3. You can also have multiple categories of owners depending on your use cases
4. Ownership types page
5. Search for owner = Zeti

Use alerting and rules to stay on top of changes

Get notified when an asset goes out of compliance within minutes of scan completion.

1. You can create a rule based on any search with various knobs to turn
2. You can be alerted a few ways:
   • Native alerts
   • Email
   • Webhooks to other tools
3. Rules page
4. Relevant playbooks
   • Alerting on asset and service changes
   • Alerting on runZero system events
   • Tracking hardware and operating system requirements

Set Goals to align with policies

Track progress towards your asset maturity with Goals.

1. Report on trends in your inventory based on current projects
2. Track Goals to the dashboard to keep a consolidated view of status
   • Goals page