Tracking asset ownership with tags

Asset discovery is our bread-and-butter at runZero, allowing us to surface network-connected systems and devices to our users. Once you have an asset inventory, you can track asset ownership with runZero, which allows you to identify assets that have been orphaned and are no longer actively maintained or owned. Surfacing unowned assets allows those assets to be properly decommissioned or reclaimed, ultimately reducing the potential security risks by leaving them on the network.

Ownership tracking can also highlight unexpected or unauthorized assets connected to the network, providing a path for investigation and maintaining good “cybersecurity hygiene”. Let’s walk through a process for tracking asset ownership with tags using runZero Professional and Enterprise features.

Start with the known assets

The first thing you’ll need is an inventory of expected and known assets. If you don’t have a runZero scan of your assets yet, you can follow our Getting Started guide, which covers everything from account creation on up. If you have a large inventory of assets, it might be easier to narrow your scope to a smaller set of assets (like one organization or one site).

In runZero, tagging allows you to label and group assets based on a shared set of characteristics. There are two ways to tag: manually or automatically via rules. To keep things simple, we’ll manually tag our assets in this article.

Starting from your asset inventory, select the assets you expect to see on your network AND know have an owner. To bulk select assets, you can use the checkbox located above the column heading.

If you only want to look at a particular site of assets, you can search by site in the query field:

Once you have selected your known and owned assets, click the Tags button. In the modal window that opened, you can apply these two tags to those assets:

• owner_name - Identifies the owner of the asset. The owner can be an individual, a group, an organization, an ID number, really whatever is most convenient for your situation.
• owner_last_verified - Identifies when the asset was last verified to still be owned by owner_name. This value can be a year, year and month, or other; whatever works best for your situation.

Tags can be applied individually and do not need to be applied at the same time. After you have tagged all known and owned assets with owner_name and owner_last_verified values, you can set up rules and notifications.

Rules and notifications for unowned assets

Within the runZero console, you can use rules to trigger alerts for the events you’re interested in knowing about, such as an asset that does not have a current owner has been discovered on the network.

Rules can be set up to execute for a number of runZero event types. In this example, the rule will execute following a scan, since that is when there will be new asset data available to check for these conditions.

Set up a rule for unowned assets

The first thing you’ll need to do is create a rule for unexpected assets. In the runZero console, navigate to Alerts > Rules and click the Create Rule button.

Under the “Inventory queries (post-scan)” section, select the asset-query-results event type and click the Configure Rule button to continue.

Next, enter in the following rule information:

• Name: Unowned asset
• Query: NOT (tag:owner_name AND tag:owner_last_verified=2021)
• Number of matches: Is greater than
• Value: 0

These settings give the rule a descriptive name (“Unowned asset”), matching whenever ANY scanned assets do not have an owner_name tag and a “current” owner_last_verified tag. You can also limit the rule to a specific organization and/or site, like in the screenshot above, or leave it to match against any organization or site assets.

Set up notifications for unowned assets

Finally, scroll down and ensure that the action for this rule is set to “Notify”, and any specific notification channels or templates can be selected here, as well. The default is a good starting point, but alerts via email and webhook notification channels can be handy, too.

Turn on the rule

Verify everything looks correct, and make sure the Enabled checkbox is selected. Save the rule if everything looks good. The new rule will be listed under the Rules tab:

With this rule in place, you’ll receive alerts for unowned assets–including unknown and orphaned assets–when scans complete.

Investigate (and iterate) as needed

The number of alerts you have will display in the navigation menu.

When you go to the Alerts page, you will see all of the current alerts:

Acknowledge the alerts to dismiss them. Alerts can also be set up to work with different formats of data and different alert mechanisms.

Set up recurring scans to ensure regular coverage

To ensure regular coverage for catching unknown and orphaned assets, you can use recurring scans or continuous scanning.

Assets tagged with owner_name=<name> and owner_last_verified=<date> tags but do not maintain a constant presence on the network will be correctly handled as they come-and-go from the network, as long as they don’t age out due to stale or offline asset settings of the the organization.

Update rules periodically

Asset ownership is also an ongoing process. In order to keep the “Orphaned asset” rule relevant, the rule will need periodic updating for matching the correct owner_last_verified value. For our example, when at the end of 2021, the “Orphaned asset” rule’s Query field should be updated to reflect the new year (e.g. NOT (tag:owner_last_verified=2022 and tag:owner_name)) so that it is now checking current ownership, which itself drives updating the owner_last_verified= tag on assets once their owner has been verified (and perhaps the owner_name= tag, as well, if it has changed). And you may discover some orphaned assets in this process.

Find unknown and orphaned assets with runZero

The features covered in this post are available in runZero Professional and Enterprise editions. Sign up for a free trial to see what you can do with runZero.