Rumble 2.11 Identify outliers, trace network paths, and streamline SSO user provisioning


What's new with Rumble 2.11? #

  • Identify outliers to find misconfigurations, missing patches, and rogue devices
  • Trace potential network paths to verify network segmentation
  • Streamline SSO user provisioning
  • Cloud connectors available in Rumble Professional

Identify outliers to find misconfigurations, missing patches, and rogue devices #

Our users tell us that they know the state of their standard-issue workstations well, but worry about the unknown unknowns. Attackers love these oddball systems: they are rarely well managed or patched, and they can be easy targets. A signature-based approach is a game of catch-up that will always miss the most peculiar assets. A simple statistical analysis, however, surfaces these systems effectively. The dashboard now shows outliers for specific attributes, and each card displays both the most and least seen values.

Outlier detection goes beyond the home dashboard. Rumble now includes an outlier score in the asset inventory that indicates how unique an asset and its configuration are, and security teams can filter and query by this score to surface assets worth investigating. The score is a number between 0 and 5, derived from a number of different attributes and measured relative to the other assets in the site the asset belongs to.

The asset details view highlights outlier attributes and indicates how often that value occurs.
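To make the frequency-analysis idea concrete, here is an added example (not Rumble's code, and not its scoring formula) that computes most and least seen values per attribute, a hypothetical 0 to 5 outlier score from the rarity of an asset's attribute values within its site, and the per-attribute occurrence counts an asset details view would highlight. The inventory, attribute names and the `MAX_SCORE * mean rarity` formula are all constructed for the illustration.

```python
from collections import Counter

# Constructed inventory for one site: mostly standard-issue workstations plus
# three oddballs. Port lists are sorted tuples so each one counts as a single
# attribute value.
SITE_ASSETS = [
    {"id": "ws-01", "os": "Windows 10", "vendor": "Dell", "ports": (135, 139, 445, 3389)},
    {"id": "ws-02", "os": "Windows 10", "vendor": "Dell", "ports": (135, 139, 445, 3389)},
    {"id": "ws-03", "os": "Windows 10", "vendor": "Dell", "ports": (135, 139, 445, 3389)},
    {"id": "ws-04", "os": "Windows 10", "vendor": "Dell", "ports": (135, 139, 445, 3389)},
    {"id": "ws-05", "os": "Windows 10", "vendor": "Dell", "ports": (135, 139, 445, 3389)},
    {"id": "ws-06", "os": "Windows 10", "vendor": "Dell", "ports": (135, 139, 445, 3389, 5900)},  # VNC exposed
    {"id": "ws-07", "os": "Windows 7", "vendor": "Dell", "ports": (135, 139, 445, 3389)},  # EOL OS
    {"id": "pi-01", "os": "Linux", "vendor": "Raspberry Pi", "ports": (22, 80)},  # unmanaged device
]

ATTRIBUTES = ("os", "vendor", "ports")
MAX_SCORE = 5  # the page describes a 0..5 scale; the formula below is hypothetical


def value_frequencies(assets, attribute):
    """Count how often each value of `attribute` occurs across `assets`."""
    return Counter(a[attribute] for a in assets)


def most_and_least_seen(assets, attribute):
    """The (value, count) pairs a dashboard card would show for one attribute."""
    ranked = value_frequencies(assets, attribute).most_common()
    return ranked[0], ranked[-1]


def outlier_score(asset, site_assets, attributes=ATTRIBUTES):
    """Hypothetical score: mean rarity of the asset's attribute values, scaled.

    A value shared by fraction p of the site's assets has rarity (1 - p), so a
    value unique to this asset scores highest and one every asset shares scores 0.
    """
    n = len(site_assets)
    rarities = []
    for attribute in attributes:
        count = value_frequencies(site_assets, attribute)[asset[attribute]]
        rarities.append(1.0 - count / n)
    return MAX_SCORE * sum(rarities) / len(attributes)


def outlier_attributes(asset, site_assets, attributes=ATTRIBUTES, max_share=0.25):
    """Attributes whose value is shared by at most `max_share` of the site, with
    the value's occurrence count, as an asset details view would flag them."""
    n = len(site_assets)
    flagged = []
    for attribute in attributes:
        count = value_frequencies(site_assets, attribute)[asset[attribute]]
        if count / n <= max_share:
            flagged.append((attribute, asset[attribute], count, n))
    return flagged


def rank_outliers(site_assets, attributes=ATTRIBUTES):
    """(score, asset id) pairs ordered from most to least anomalous."""
    scored = [(outlier_score(a, site_assets, attributes), a["id"]) for a in site_assets]
    return sorted(scored, key=lambda item: (-item[0], item[1]))


if __name__ == "__main__":
    for attribute in ATTRIBUTES:
        print(attribute, most_and_least_seen(SITE_ASSETS, attribute))
    for score, asset_id in rank_outliers(SITE_ASSETS):
        print(f"{asset_id}: {score:.2f}", outlier_attributes(next(a for a in SITE_ASSETS if a["id"] == asset_id), SITE_ASSETS))
```

Run as a script, the Raspberry Pi ranks first because every one of its attribute values is unique in the site, while the Windows 7 host and the workstation with VNC exposed score the same: each is ordinary in two attributes and unique in one. That is the point of measuring relative to the site rather than against a signature list; nothing had to know in advance that port 5900 or an EOL OS was interesting.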

While outlier scores are available in all editions, Rumble Enterprise users now also have access to two new reports:

  • The Outlier Overview Report - Lists the most anomalous values for all asset attributes that have a significant commonality. From here, security teams can pivot to an inventory view of only those specific assets.

  • The Specific Outlier Report - Generate this report for a specific asset or service attribute. This report includes a list of assets grouped by attribute value.


Trace potential network paths to verify network segmentation #

Network segmentation is a foundational security control that can be easily undermined by network misconfigurations and multi-homed machines. Rumble Enterprise users can now visualize potential network paths between any two assets in an organization using the Asset Route Pathing report.

This report generates a graph of multiple potential paths by analyzing IPv4 and IPv6 traceroute data in combination with subnet analysis of detected multi-homed assets, without requiring access to the hosts or network equipment. This methodology identifies surprising and unexpected paths between assets that may not be accounted for by existing security controls or reviews.

With a view of potential paths, security professionals can verify whether a low-trust asset, such as a machine on a wireless guest network, can reach a high-value target, such as a database server within a cardholder data environment (CDE). The new feature highlights potential network segmentation violations and opportunities for an attacker to move laterally from one segment to another.

Rumble Enterprise users can generate the Asset Route Pathing report to view potential network paths.


Streamline SSO user provisioning #

For Rumble Enterprise customers, single sign-on support now includes automatic role assignment through custom rules. Rumble administrators can map users to groups using SSO attributes and custom rules to ease onboarding, removing the need to provision individual users. SSO group mapping centralizes authorization configuration in the customer's directory or identity provider: a user authorized by SSO can log in and automatically be assigned the correct permissions, without any pre-provisioning of their account. After evaluating all SSO group mapping rules, Rumble grants the user the highest privilege asserted for each organization. Because the highest privilege wins, a broad rule cannot be narrowed by a second, lower-privilege rule that also matches, so rules that assert high privilege should be tied to tightly governed directory groups. Rumble Enterprise users can set up SSO group mappings in the Rumble console.
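An added example of the evaluation semantics described above (illustrative code, not Rumble's rule engine or its rule syntax): it pulls attributes out of a SAML 2.0 AttributeStatement, matches every rule against them, and keeps the highest-ranked role per organization. The role names and their ordering, the rule structure, the organizations and the assertion fragment are all constructed; the code assumes the assertion's signature and audience were validated before its attributes are trusted.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical role ordering; this page does not list Rumble's role names.
ROLE_RANK = {"viewer": 1, "user": 2, "admin": 3}


@dataclass(frozen=True)
class GroupRule:
    attribute: str  # SAML attribute the rule inspects
    value: str      # value that must be present for the rule to match
    org: str        # organization the mapping applies to
    role: str       # role asserted when the rule matches


# Constructed rule set
RULES = [
    GroupRule("groups", "sec-team", "corp", "admin"),
    GroupRule("groups", "sec-team", "cde", "admin"),
    GroupRule("groups", "all-staff", "corp", "viewer"),
    GroupRule("department", "IT", "corp", "user"),
]

# Constructed assertion fragment. Attributes are only trustworthy after the
# assertion's signature and audience have been validated; that step is assumed
# to have happened before this code runs.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>all-staff</saml:AttributeValue>
      <saml:AttributeValue>sec-team</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Security</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attributes_from_assertion(xml_text):
    """Map attribute name -> list of values from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(xml_text)
    attributes = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text.strip() for v in attr.iter(f"{{{SAML_NS}}}AttributeValue") if v.text]
        attributes.setdefault(attr.get("Name"), []).extend(values)
    return attributes


def matching_roles(rules, attributes):
    """Every (org, role) asserted by a rule whose value appears in the user's attributes."""
    return [(r.org, r.role) for r in rules if r.value in attributes.get(r.attribute, [])]


def effective_roles(rules, attributes):
    """Evaluate every rule; per organization keep the highest-ranked role.

    A user matching no rule gets an empty mapping, i.e. no access, which is
    what replaces pre-provisioning.
    """
    effective = {}
    for org, role in matching_roles(rules, attributes):
        if org not in effective or ROLE_RANK[role] > ROLE_RANK[effective[org]]:
            effective[org] = role
    return effective


if __name__ == "__main__":
    print(effective_roles(RULES, attributes_from_assertion(ASSERTION)))
```

The last assertion in the accompanying check shows the caveat: adding a broad rule such as "department IT grants admin in corp" silently lifts every IT helpdesk user to admin, because the narrower "department IT grants user" rule cannot override it under highest-privilege-wins.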


Cloud connectors now available in Professional Edition #

Over the past year, Rumble has grown in scope to include cloud assets. Based on customer feedback, we have now made AWS and Azure integrations available in the Professional Edition. Pro customers can now connect to their AWS or Azure environment.

Release notes #

The Rumble 2.11 release includes a rollup of all the 2.10.x updates, which together include the following features, improvements, and fixes.

New features #

  • Identify outliers to find misconfigurations, missing patches, and rogue devices.
  • Trace potential network paths to verify network segmentation.
  • Streamline SSO user provisioning.
  • Cloud connectors available in Professional Edition.

Integration improvements #

  • The Azure integration now tracks the clientID, tenantID, and subscriptionID as attributes for each asset.
  • The Azure integration can now create a site per subscription ID.
  • The AWS integration now supports using a provided session token.
  • The AWS integration now tracks the account name as an attribute for each asset.
  • The AWS integration can now create a site per account in addition to the existing site per VPC capability. These options can also be combined to create a site for unique account and VPC combinations.
  • The AWS and Azure integrations are now available to Professional Edition customers.
  • Azure assets can now be synced from the standalone scanner, as a scan probe in the console, or imported from previous Azure connector tasks.
  • A bug that prevented some AWS asset attributes from being populated has been resolved.

Inventory management improvements #

  • The web console now flags under-resourced Explorers in the Deploy view.
  • The dashboard now tracks how many assets have been seen in the last 30 days across all sources.
  • The dashboard has been updated and now shows both most and least seen values for most stats.
  • The dashboard now has CSV exports for all stats and links to deeper views of each given stat.
  • OS EOL dates are now reported for Red Hat Enterprise Linux, Fedora, and CentOS.
  • Enterprise Edition customers can now access the Outlier Summary and Specific Outlier reports.
  • Asset outliers are now tracked in the inventory and within the asset details page.
  • Asset correlation has been improved for a variety of corner cases, including Cisco Nexus switches.
  • Asset and service search now supports new keywords for matching primary and secondary addresses.
  • A bug that mangled UTF-8 characters in the subject and message body of email notifications has been fixed.
  • A bug that led to broken search links in the task details page has been resolved.

Scan engine improvements #

  • The Explorer console URL can now be set through the RUMBLE_CONSOLE environment variable.
  • The scan engine now spends less time on per-VLAN SNMP enumeration when the device does not support it.
  • The scan engine now supports full SNMP v1 enumeration using non-bulk lookups, if necessary.
  • The scan engine is now much more conservative on a wider range of ICS ports.
  • The scan engine is now much more friendly to fragile Lantronix devices.
  • The scan engine now supports the Lantronix device discovery protocol.
  • The scan engine now detects the Java Debug Wire Protocol (JDWP).
  • The scan engine now detects and uses Qualys Cloud Agent correlation IDs.
  • The scan engine now reports more information from NTP services.
  • A bug that prevented CIDR addresses in the default scan scope of a Site from being used has been fixed.
  • A bug that could prevent the host-ping feature from finding all hosts has been resolved.
  • A bug that caused stale IPv6 addresses and UDP services to remain between scans has been resolved.
  • A bug in the HTTP scanner that could prevent images from being captured correctly has been resolved.

Self-hosted platform improvements #

  • The self-hosted platform now supports a generate-certificate command.

Fingerprinting changes #

  • The Azure integration now identifies VM operating system information using disk image fingerprints.
  • Office asset and service fingerprint additions and improvements, including: 3xLOGIC, Avaya, Biamp, Cambium, Compuprint, D-Link, ExaGrid, FLIR, JDWP, Proxim, Qualys, Speakerbus, Symantec, Trassir, Vertica, Yealink.
  • OT and testing asset and service fingerprint additions and improvements, including: CS121, Fronius, Micro Matic.
  • NTP probe logic has been updated to provide (and utilize) additional details around referenceID and readVar data, when available.
  • Fingerprinting for Azure VMs now includes OS identification.
  • Consumer asset and service fingerprint additions and improvements, including: Eero, EnGenius, LANCOM, Linksys, NetworkThermostat, Panasonic, Philips, Reolink, Sony.

User access and management improvements #

  • The web console now allows admins to force user logouts from the Team page.
  • The web console now allows limited administrators to view users and create new projects.
  • The Account API now supports group management through new endpoints.
  • Enterprise Edition customers can now map users to groups based on SAML attribute rules.
  • A bug that prevented single-org admins from seeing users on the team page has been resolved.

Start your free trial #

Want to take Rumble for a spin? Sign up for a free trial to try out these capabilities free for 21 days.

Written by runZero Team

Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.


© Copyright 2024 runZero, Inc. All Rights Reserved