Uncover the unmanaged and unknown to meet hidden risk requirements

With the Digital Operational Resilience Act (DORA) set to take effect on January 17th, 2025, financial institutions across the European Union must prepare to meet stringent regulatory requirements. At its core, DORA mandates resilience in Information and Communication Technology (ICT) systems, covering five primary pillars:

  1. ICT risk management

  2. Incident reporting

  3. Resilience testing

  4. Third-party risk management

  5. Information sharing

While these pillars seem straightforward, the implementation has a hidden complexity in meeting standards: unmanaged and unknown assets. These devices—ranging from decentralized IT assets to unconventional (but highly-interconnected ) IoT and OT devices—are notoriously hard to identify and secure.

Why are these unmanaged and unknown devices such a critical focus of DORA? The answer lies in their profound impact on the regulatory pillars. These assets, often hidden in the shadows of your environment, don’t just represent gaps in visibility—they create vulnerabilities that ripple through every aspect of operational resilience.

Consider this: over 60% of connected devices are invisible to defenders, and unmanaged assets were linked to 7 out of 10 breaches last year. To truly grasp the gravity of this problem, let’s explore how these blind spots hinder compliance across DORA’s relevant pillars—and what it takes to close those gaps effectively.

DORA chapter requirement

Downstream effect of unmanaged and unknown assets

ICT risk management

Develop and implement comprehensive frameworks to identify, assess, and mitigate information and communication technology (ICT) risks, ensuring robust protection against potential threats.

How can you protect something you don’t know exists? Unmanaged assets create gaps in your risk management framework, making it impossible to fully identify, assess, and mitigate vulnerabilities. Without a clear picture of your entire environment, staying compliant with DORA’s ICT risk management standards becomes a major challenge.

Incident reporting

Establish mechanisms for the timely detection and reporting of significant ICT-related incidents to regulatory authorities, facilitating prompt response and mitigation.

Unmanaged assets are often where problems start—and if they’re exploited, you might not even know an incident happened. That means delays in detection, reporting, and response, putting you at risk of missing DORA’s strict incident reporting timelines.

Resilience testing

Conduct regular testing of ICT systems to evaluate and enhance their resilience against disruptions, ensuring continuous and secure operations.

Resilience testing is about ensuring your ICT systems can handle disruptions. But if unknown assets aren’t included, you’re testing only part of your environment, leaving hidden risks unchecked. That’s a compliance issue waiting to happen.

Third-party risk management

Implement stringent oversight and management of third-party ICT service providers to ensure they adhere to security and resilience standards, thereby safeguarding the institution's operations.

Shadow IT and forgotten vendor integrations often bring unmanaged assets into the mix. If you don’t have visibility into these, there’s no way to verify that your third-party providers are meeting DORA’s security and resilience standards.

To truly meet DORA’s requirements, you need complete visibility into your environment. Unmanaged and unknown assets are like puzzle pieces left out of the box; they make it impossible to see the full picture. Discovery and management of all your assets are the true foundation of compliance and resilience. Relying solely on traditional discovery and vulnerability management tools often leaves critical gaps, potentially putting you at risk of non-compliance—or worse, exposing your organization to security threats.

That’s where runZero comes in. Unlike traditional tools, runZero uncovers the unmanaged, unknown, and shadow IT assets that others miss using novel discovery and scanning techniques. In fact, enterprises on average find 25% more assets with runZero than they were previously aware of. Our objective is to provide you with unparalleled visibility across IT, OT, IoT, including those assets that aren’t actively managed. By layering in-depth fingerprinting data and detailed insights into vulnerabilities and exposures, runZero helps you to close those gaps, meet DORA’s requirements with confidence, and build a stronger, more resilient ICT environment.

DORA chapters

runZero alignment

ICT risk management

With runZero, you gain the tools to create and maintain robust ICT risk management frameworks. Complete asset discovery, continuous monitoring of IT, OT, IoT, and unmanaged devices, and identification of vulnerabilities and protection gaps across your critical operational assets ensure you have a complete view of your environment. This eliminates blind spots, supports thorough risk assessments, and empowers you to proactively mitigate ICT risks before they become problems.

Incident reporting

runZero provides detailed data on all assets, asset ownership, and associated exposures, helping you accurately assess the potential impact of incidents. You can easily map affected areas of the network and use runZero's insights to classify and prioritize incidents effectively. With this level of clarity, you can respond rapidly to incidents, minimizing disruption and staying aligned with DORA’s reporting requirements.

Resilience testing

When it’s time to test your ICT systems’ resilience, runZero ensures your assessments cover the entire environment, both internally and externally. By providing visibility into system configurations, vulnerabilities, and sensitive areas, as well as leveraging external scanning to validate exposures on the edge, runZero helps you prioritize critical assets for testing. It maps out network structures and highlights exposures, so your testing efforts are targeted, accurate, and effective, ultimately strengthening your operational readiness.

Third-party risk management

If third-party ICT service providers are connected to your environment, runZero helps you keep them in check. It provides visibility into third-party managed assets, their network interactions, and any configuration changes that might introduce risks. With runZero, you can map dependencies, uncover vulnerabilities, and assess the impact of third-party services, enabling you to mitigate risks proactively and maintain a secure and resilient ICT ecosystem.

The high-level overview of how runZero aligns with DORA's pillars demonstrates its powerful capabilities. However, to truly appreciate its impact, let’s explore how runZero directly maps to specific DORA articles, such as Articles 6, 7, 8, and 9. These articles outline the actionable steps required for ICT risk management, resilience, and collaboration. The section below also illustrates how runZero goes beyond compliance to deliver operational excellence.


Article 6: ICT risk management framework #

What DORA requires: #

  • Develop a framework to identify, assess, and mitigate ICT risks.

  • Address risks tied to internal systems, third-party services, and external threats.

Key challenges: #

  • ICT risk management frameworks often rely on incomplete inventories.

  • Without identification of all assets and understanding device interdependencies, assessing impact and mitigation strategies is guesswork.

How runZero helps: #

runZero supports the creation and maintenance of ICT risk management frameworks by delivering advanced asset discovery, continuous monitoring of IT, OT, IoT, and unmanaged devices, and identifying vulnerabilities and security control gaps.

  1. Complete asset discovery:
    • Identifies all IT, OT, IoT, and unmanaged devices using active scanning, passive scanning, and integrations.

    • Incorporates external scanning to identify assets and monitor risks on the edge, ensuring comprehensive visibility across both internal and external attack surfaces.

    • Accurately and precisely fingerprints assets providing deeper insights for more accurate risk assessment and mitigations.

    • Detects shadow IT and rogue devices not visible to traditional tools.

  2. Risk interdependency mapping:
    • Maps relationships between assets, revealing critical dependencies.

    • Identifies single points of failure, such as connections between essential systems and vulnerable third-party services.

  3. Risk monitoring:
    • Identifies issues beyond CVEs, such as misconfigurations, segmentation weaknesses, insecure services, EoL, policy violations, etc.

    • Monitors for emerging risks and zero-day vulnerabilities through the Rapid Response Program, enabling swift identification of vulnerable assets without the need for rescanning.

    • Tracks changes in device configurations and interdependencies.

    • Uses safe scanning to identify fragile devices without the risk of disrupting operations.

    • Alerts on deviations, such as newly connected devices or unexpected configuration changes, that introduce new risks.

  4. Enriched risk context:
    • Integrates with a broad range of existing security solutions in your stack to provide enriched asset data, improving risk analysis and prioritization.

Outcome:
runZero ensures that your ICT risk management framework is underpinned by a complete and up-to-date view of all assets, enabling precise risk assessment, mitigation, and operational resilience.


Article 7: ICT systems, protocols, and tools #

What DORA requires: #

  • Implement secure ICT systems and tools designed to safeguard the organization's digital infrastructure from unauthorized access and cyber threats.

  • Maintain a complete and continuously updated inventory of ICT assets.

  • Conduct regular resilience testing through vulnerability assessments and security audits.

Key challenges: #

  • Legacy discovery tools fail to capture non-traditional protocols or devices outside standard IT ecosystems.

  • Inventory updates are often manual, leading to outdated or incomplete data.

  • Testing often overlooks unmanaged or obscure devices, leaving blind spots.

How runZero helps: #

With runZero, you gain visibility into your IT, OT, and IoT assets, ensuring every device in your environment is tracked and accounted for. This gives you the deep insight needed to uncover vulnerabilities, misconfigurations, and insecure protocols while mapping interdependencies to reveal hidden security gaps. By spotlighting all assets and exposures, runZero helps you ensure nothing is overlooked, empowering you to make more accurate assessments and build stronger defenses.

  1. Complete, up-to-date inventory management:
    • Provides comprehensive visibility into both internal and external assets, including IT, OT, and IoT devices to ensure all systems are tracked.

    • Regularly updates asset data through continuous monitoring, maintaining up-to-date visibility into the network’s infrastructure.

    • Discovers unknown and unmanaged devices that may not have been previously tracked, ensuring that all assets are accounted for.

    • Updates inventories continuously through automated scanning, ensuring accuracy.

  2. Informs security of ICT systems, protocols, and tools:
    • Identifies CVEs and non-traditional vulnerabilities, such as insecure services and segmentation weaknesses, that compromise infrastructure.

    • Continuously monitors for new or unexpected devices, ensuring prompt response to unauthorized access attempts.

    • Detects outdated or misconfigured protocols like SMBv1, Telnet, or unencrypted HTTP.

    • Maps interdependencies between systems, helping organizations understand how internal and external assets interact including gaps or deficiencies in security controls and segmentation weaknesses

  3. Resilience testing optimization:
    • Ensures that all assets, including hidden and rogue devices, are included in vulnerability assessments and threat-based testing procedures.

    • Supports more accurate threat assessments by continuously updating data on internal and external attack surfaces, even as they change.

    • Provides detailed context for each device, such as OS versions, open ports, and known vulnerabilities (CVEs), to prioritize testing efforts.

  4. Third-party tool integration:
    • Integrates with vulnerability management and endpoint security tools to enhance testing scopes and ensure no assets are missed.

Outcome
runZero delivers detailed asset visibility, empowering your teams to secure ICT systems and conduct comprehensive resilience testing with confidence.


Article 8: Identification of critical assets #

What DORA requires: #

  • Identify and prioritize critical ICT assets and services.

  • Map interdependencies between systems to understand potential cascading failures.

  • Continuously monitor critical assets for emerging risks.

Key challenges: #

  • Identifying critical assets isn’t just about visibility; it requires understanding each device's function, connectivity, and risk profile.

  • Interdependency mapping is complex, particularly when third-party services or legacy systems are involved.

  • Monitoring is often siloed, missing broader network impacts.

How runZero helps: #

runZero gives you full visibility into your critical IT, OT, and IoT assets, maps out how they’re connected, and spots risks like vulnerabilities or misconfigurations. By continuously keeping an eye on everything, it helps you stay ahead of threats and keep your most important systems secure.

  1. Critical asset discovery:
    • Identifies critical devices and services through advanced fingerprinting techniques.

    • Highlights assets critical to business operations based on their roles and interdependencies.

  2. Comprehensive risk mapping:
    • Maps interdependencies across IT, OT, IoT, and third-party systems.

    • Visualizes network connections and highlights cascading risks from single points of failure.

    • Combines detailed internal fingerprinting with external data sources to uncover hidden risks such as shared cryptographic keys, cloned assets, and overlooked misconfigurations that EASM tools miss.

    • Highlights network segmentation issues.

  3. Risk prioritization:
    • Assesses vulnerabilities in critical systems, including software versions, configuration issues, and exposure levels.

    • Monitors for emerging risks and zero-day vulnerabilities through the Rapid Response Program, enabling swift identification of vulnerable assets and timely remediation.

    • Assesses and prioritizes externally facing assets as critical, highlighting high-risk targets with vulnerabilities or misconfigurations that could expose the organization to external threats.

    • Flags critical assets with high-risk vulnerabilities or misconfigurations.

  4. Continuous monitoring:
    • Tracks changes in critical systems, such as new software vulnerabilities or configuration deviations.

    • Monitors for emerging threats, such as exploits targeting specific device types.

Outcome:
runZero provides a detailed, dynamic understanding of critical assets, their risks, and their interdependencies, enabling your team to make more informed decision-making and proactive risk mitigation.


Article 9: Protection & prevention #

What DORA requires: #

  • Regularly update software and apply security patches.

  • Address vulnerabilities promptly to minimize risks across systems.

Key challenges: #

  • Legacy systems and IoT devices often have unique patching challenges, such as vendor-specific firmware updates.

  • Traditional vulnerability management tools struggle to identify end-of-life (EOL) systems or devices with no official CVEs.

How runZero helps: #

With runZero, you get actionable insights to identify vulnerabilities, enforce security policies, monitor patch status, and stay ahead of emerging risks—ensuring your protection and prevention measures, from IT to IoT, are secure and compliant.

  1. Vulnerability identification:
    • Monitors for emerging risks and zero-day vulnerabilities through the Rapid Response Program, enabling swift identification of vulnerable assets without the need for rescanning.

    • Detects outdated software and unpatched systems across all device types, including OT and IoT.

    • Highlights vulnerabilities in non-traditional assets, such as smart cameras or building management systems.

  2. Policy enforcement:
    • Flags misconfigurations, insecure protocols, and policy violations on a continuous basis.

    • Identifies segmentation weaknesses that expose critical systems to lateral movement attacks.

  3. Patch monitoring:
    • Tracks patch status for all devices, ensuring critical systems are prioritized.

    • Identifies EOL systems, providing actionable recommendations for replacements or compensating controls.

  4. Time-sensitive risk updates:
    • Monitors the external attack surface for vulnerabilities in known or unknown assets exposed on the network edge, ensuring timely detection and mitigation of risks.

    • Continuously monitors for new vulnerabilities or exploits targeting devices in your environment.

    • Alerts on deviations from secure configurations, such as weakened encryption protocols.

Outcome:
runZero empowers your team to proactively manage patching and configuration efforts, ensuring no vulnerabilities are left unchecked—even in unconventional or legacy systems.


runZero: Your Partner in DORA Compliance #

Compliance with DORA is a monumental challenge that requires comprehensive asset visibility and continuous exposure management. runZero’s capabilities go beyond traditional solutions, offering financial institutions a unified solution to:

  • Discover all assets, including IT, OT, IoT, and unmanaged devices.

  • Monitor continuously for new vulnerabilities, changes, and risks across your completed attack surface..

  • Provide detailed data to enrich security and compliance workflows.

With runZero, you can bridge the gaps that traditional tools leave behind, ensuring not just compliance, but true resilience against today’s evolving cyber threats.

Schedule a demo today to see how runZero transforms your DORA compliance strategy.

Written by Wes Hutcherson

With 16 years of experience in the technology and cybersecurity landscape, Wes has established himself as a seasoned expert in product strategy, market intelligence, and go-to-market strategies, primarily leading product marketing teams. Wes’s deep expertise extends to Managed Detection and Response, Attack Surface Management, Exposure Management, and Offensive Security, areas where he has not only excelled but also shared his knowledge through public speeches, educational series, and published articles and studies. His insights have been instrumental in shaping how we should assess solutions in the marketplace, ensuring that organizations, their customers, and invested parties are held to rigorous standards that keep their interests secure.

More about Wes Hutcherson
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

runZero Insights
Taming the Typhoons: How runZero Keeps You Ahead of State-Sponsored Cyber Threats
China's Typhoon cyber attacks are evolving, but runZero helps you stay one step ahead with unmatched visibility and proactive defense.
Life at runZero
Employee Spotlight: Doug Markiewicz
Doug Markiewicz is a strategic Customer Success Engineer with a passion for solving complex cybersecurity problems. Learn more about his journey as...
runZero Insights
Evolving from IT to IoT: Flax Typhoon preyed on the lesser knowns
A look at Flax Typhoon's latest operations, and how runZero’s unknown and IoT asset visibility can help calm the storm for security teams.
runZero Insights
How runZero finds unmanaged devices on your network
How do you find unmanaged devices on your network when they aren't accounted for? Learn how you can use runZero to find unmanaged devices on your...

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved