How to track asset ownership with runZero
Imagine: there’s a new security threat. How do you find out if your organization is affected? You might research the CVE to gauge the severity and impact of the vulnerability. You might perform a vuln scan — if there’s a vuln check available. Eventually, you’ll end up with a list of devices that you need to update.
What are your next steps?
The cost of not tracking asset ownership
In an ideal world, your asset inventory would be the first place you would look for information. However, the reality is: most organizations have their asset inventory data distributed across multiple solutions and maintained by different teams. So instead of being able to focus on mitigating issues, your security team spends an inordinate amount of time doing detective work. And for security practitioners, time is of the essence.
Asset inventory is the first step to getting context around a device: the hardware, OS, software, etc. But what about who owns it? More and more, knowing who is responsible for an asset is as important as knowing what an asset is. Without clear asset ownership tracking, you waste a lot of time going from team to team, person to person, trying to find out who is responsible for an asset.
Let’s take a look at three reasons why a lack of asset ownership can adversely impact your business.
Reason #1: Forgotten assets can be costly
One of the biggest obstacles to tracking asset ownership is humans. Humans are dynamic, often upgrading to new equipment, changing roles, or even leaving organizations entirely. As a result, assets are often left abandoned, unmanaged, and unowned. Documenting asset ownership manually, like in a spreadsheet, means that the data becomes outdated very quickly. Effective asset ownership tracking requires regular updates and attention. Without a major investment of time and resources to maintain asset ownership tracking, stale data will continue to plague your organization. For example, consider infrastructure that no longer has an owner, but is still racking up recurring expenses. These forgotten assets can be costly over time.
Reason #2: Lack of asset ownership can lead to service outages
Your business relies on having systems that are working efficiently. Systems need to be updated, upgraded, and maintained regularly to ensure that everything runs smoothly and outages do not occur. However, what would happen if a specific system needed a configuration update to continue to operate? How would you know who to go to?
Oftentimes, it’s a goose chase. You start with one person (or team) and hope they can point you in the right direction. While you’re chasing down the appropriate person to help you, access to the systems you need may be shuttered or months may have passed by. These consequences can be detrimental to business – especially if these systems directly impact revenue.
Reason #3: Wasted time slows down remediation
9 years ago: Shellshock.
5 years ago: Apache Struts.
1 year ago: Log4Shell.
Nearly a decade has come and gone between these major vulnerabilities, and yet, building comprehensive asset inventory and tracking asset ownership continues to be a challenge. One of the biggest challenges faced by security teams is that they often need to rely on asset owners to take action to update and secure their devices. However, tracking down the right asset owner can be a bit of a journey through a myriad of data sources – from CMDBs to VMs to EDRs to device logs to spreadsheets. The amount of time that security teams spend hunting for information is a hindrance to fast response and remediation times.
Tracking asset ownership with runZero
runZero 3.5 introduces the ability to track asset owners in your inventory. Asset owners can be anyone in your organization who can help you remediate issues. For most organizations, assets will likely have multiple owners, such as an individual, team, and business unit. For example, a laptop might have an assigned device user, business owner, IT owner, and security owner. Each of these assignments will help you zero in on the right person who can take action on the device, based on the situation. Let’s take a look at how runZero can help you track different types of owners within your organization.
What are ownership types?
In runZero, ownership types help you classify and assign ownership to assets. There is a default ownership type, called Asset Owner, which automatically pulls owner data from integrations you have configured. Otherwise, you can add up to nine custom ownership types based on what your organization needs. For example, you might want to have ownership types for the security owner, IT owner, and business owner.
When you create an ownership type, you will need to specify the following:
- Name - The name of the asset ownership type, such as
- Reference - You can set the reference to none. If set, you will be able to easily search within the user or group inventories for owners that match the display name.
- Visibility - You can set the visibility to visible. This setting controls the ability to view the asset owner from the asset inventory and asset details page.
After you have created your ownership types, you’re ready to start assigning owners within your asset inventory. Let’s take a look at how you can do this in runZero.
How to assign ownership to assets in runZero
There are a couple of ways to assign asset owners: manually or automatically through rules and the API. However, the most efficient way to apply ownership is through rules, which allows you to set up specific conditions and automate the assignment of asset ownership after each scan. For example, let’s say you want to assign an IT owner for all firewalls. Here’s how you can do it with rules:
- From the Rules page, create a rule using the asset-query-results event type. Based on this event type, the query will run against the asset inventory after a scan completes.
- Give the rule a descriptive name, like Automate IT ownership for firewalls.
- Configure the rule with the following conditions:
  - Run the following query after a scan completes: type:firewall and the number of matches is greater than 0.
  - If there is a match on the query, take the following action: modify the asset and set the ownership of the matching assets. This value for the owner can be any name. For our example, we will assign the IT owner to someone on the team named
  - Make sure the rule is enabled. If it is not, it will not run.
- Save the rule.
Each time a scan completes, this rule will check for matching conditions and perform the configured actions.
Viewing ownership data for an asset
Now that you’ve set up ownership types and automated ownership assignment, let’s take a look at how you can view this data in runZero. You can view ownership information from two areas of the console: the asset inventory and the asset details page.
There’s a new column in the asset inventory called Owners, which will list the owners for the asset. If there are multiple owners, there will be a plus (+) sign to indicate that there are more for you to view. The owner name that gets displayed in the inventory table depends on the order you have them ranked on the ownership types page. The highest ranked ownership type will take precedence. In our example, we have our IT owner ranked first, so we will see our IT owners displayed in the inventory table. Other owners will be viewable by hovering over the plus (+) sign. From the asset inventory page, you can select some assets then use the Manage asset ownership button to manually update the owner for those devices.
From the asset details page, there is a new ownership section that lists all the visible owners assigned to that asset. If the ownership type has a reference set (to user or group), you’ll be able to click on the magnifying glass next to the owner name to search within those inventories for matching results. From the asset details page, you can go to Manage > Asset ownership to manually update the owner for that specific device.
Searching the inventory for assets based on owners
Now that you have asset ownership data in your inventory, you can search for assets that match specific ownership criteria. To enable searching based on ownership attributes, the following new keyword terms have been added:
- owner - Filter by asset owner name, such as
- has_owner - Filter assets by whether or not they have an owner. Use f as your input.
- owner_count - Use a comparison operator (>, >=, <, <=, =) to filter assets by count.
- ownership_type - Filter by ownership type, such as
Here are a few useful queries (based on some common use cases):
- has_owner:f - Searches for assets that don’t have an owner assigned.
- ownership_type:"IT owner" - Searches for assets by ownership type.
- owner_count:>1 - Searches for assets that have more than one owner.
For example, if you need to gauge the number of unowned (and likely unmanaged) assets in your inventory, the query has_owner:f would help identify assets that don’t have an owner. Inversely, you can use has_owner:t to see all the ones that do have an owner. Between these two results, you can discern how well you’ve got your asset ownership data covered. To see how well your organization is tracking asset owners, you can also check out the asset ownership goal from the dashboard.
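The firewall rule from the earlier section and the ownership search keywords above can be modelled offline to see how coverage changes once a rule has run and who a remediation list routes to. This is an added example, not runZero code: the record layout, asset names, and the owner name netops-team are constructed for illustration and are not runZero's export schema.

```python
# Constructed sample inventory. The record layout is an assumption for
# illustration; it is not runZero's export schema.
ASSETS = [
    {"name": "fw-edge-01", "type": "firewall",
     "owners": {"IT owner": "netops", "Security owner": "secops"}},
    {"name": "fw-lab-02", "type": "firewall", "owners": {}},
    {"name": "lt-0417", "type": "laptop", "owners": {"Asset Owner": "j.doe"}},
    {"name": "srv-legacy", "type": "server", "owners": {}},
]
# Ownership types, highest ranked first (the order set on the ownership types page).
RANKING = ["IT owner", "Security owner", "Asset Owner"]

def has_owner(asset, want):
    """Model of has_owner:t / has_owner:f."""
    return bool(asset["owners"]) == want

def owner_count_gt(asset, n):
    """Model of owner_count:>n."""
    return len(asset["owners"]) > n

def coverage(assets):
    """Share of assets with an owner, plus the names of the unowned ones."""
    unowned = [a["name"] for a in assets if has_owner(a, False)]
    ratio = (len(assets) - len(unowned)) / len(assets) if assets else 0.0
    return ratio, unowned

def displayed_owner(asset, ranking=RANKING):
    """Owner shown in the table: highest ranked type wins; also count the rest (+N)."""
    for otype in ranking:
        if otype in asset["owners"]:
            return asset["owners"][otype], len(asset["owners"]) - 1
    return None, 0

def apply_rule(assets, asset_type, ownership_type, owner):
    """Model of the rule: query type:<asset_type>; if matches > 0, set the owner."""
    matches = [a for a in assets if a["type"] == asset_type]
    for a in matches:  # no-op when the query matches nothing
        a["owners"][ownership_type] = owner
    return len(matches)

def remediation_worklist(assets, affected):
    """Group affected asset names by displayed owner; unowned go under None."""
    work = {}
    for a in assets:
        if a["name"] in affected:
            work.setdefault(displayed_owner(a)[0], []).append(a["name"])
    return work
```

Anything that lands under the None key in the worklist is a device with no one to route the fix to, which is the same set has_owner:f returns.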
Zero in on unowned assets on your network
Imagine: there’s a new security threat. Thankfully, you have an asset inventory that includes asset ownership data. With a solid program and solution in place to track asset owners, you’ve eliminated unnecessary time spent chasing down people. You can focus on remediation.
If you’re a runZero Enterprise customer, you can check out the ownership capabilities by going to the new Ownership page in your console. You’ll notice a new menu item for it under Global Settings. Otherwise, if you’re new to runZero, sign up for a free trial to test out this new feature for 21 days.