Kivu Consulting is an incident response consulting company that specializes in post-breach remediation, managed security services, and security program maturity support for their customers. They were witnessing the challenges their customers faced with improperly deployed security rules and with not knowing which assets were missing EDR agents. Kivu Consulting needed to provide their customers with an asset inventory and management solution that would give vital insight into the assets on their networks, let them determine each asset's level of risk, and so reduce their security vulnerabilities and prevent future attacks.
After first hearing about runZero on a security podcast, the Kivu Consulting team became intrigued and decided to test it out internally first. They leveraged runZero to locate unmanaged devices and rogue assets after their workforce moved to a work-from-home environment due to COVID-19. It proved to be an invaluable tool, which ultimately convinced their leadership to move forward with bringing runZero on board and deploying the solution on a broader scale to their customers.
About a month after runZero was deployed, the Log4J/Log4Shell vulnerability emerged. Kivu Consulting used runZero’s out-of-the-box queries to rapidly inform their customers of where this vulnerability existed in their networks and which vendor software libraries were affected, which was no small task. Because those queries ran against existing inventory data without the need to rescan, Kivu Consulting was able to advise expedited, proactive remediation actions over that weekend. Since then, Kivu Consulting has relied on runZero to help them address additional vulnerabilities and risky misconfigurations, saving Kivu Consulting and their customers valuable time when time was of the essence in preventing potential attacks.
Kivu Consulting prides itself on ensuring that their customers are protected from the minute they hear from Kivu. While they already offered robust incident response and mitigation services to their customers, they saw an opportunity to broaden and enhance those services. They sought out an additional solution to empower their customers to be more proactive in their cyber security and to strengthen their defenses against ransomware and other future attacks. Kivu Consulting knew that with a highly capable cyber asset discovery, inventory, and remediation solution in place, they could become their customers’ primary source for complete defense.
During their research for an ideal solution, they observed that other solutions like JupiterOne didn’t support key integrations with the cloud and endpoint protection vendors they were looking for, such as CrowdStrike and Microsoft Azure. Additionally, other solutions like Tenable were difficult to deploy and required a lot of manpower, technical expertise, and training to make them work. It was important to the Kivu Consulting team to home in on a solution that would provide visibility into the assets on their customers’ networks and identify which endpoints lacked EDR. This new visibility would also give Kivu Consulting and their customers a blueprint for building a tailored security improvement strategy for each unique environment.
Before adding runZero to the security solution package they offer their customers, Kivu Consulting first decided to test it out internally. They deployed runZero during the mass work-from-home movement triggered by COVID-19 to discover unmanaged remote assets and determine which devices were risky, missing security controls, outdated, or out of compliance. Dan Paulmeno, Director of Managed Services at Kivu Consulting, shared his first experiences using the runZero solution: “We initially used runZero internally in a work-from-home environment during COVID-19. We were trying to track down everything and look for rogue assets and that was tough to deal with. With runZero, we were able to segment networks, see if work-from-home devices were still being used and put together a plan for returning them for reimaging and sending them back out.” He went on to explain, “runZero was an invaluable tool early on, and these use cases and benefits sold our board to deploy it to our customers on a broader scale.”
After deciding that runZero was the right fit, Kivu Consulting’s timing for rolling it out to their customers was anything but advantageous: it happened to coincide with the emergence of Log4J. Luckily, runZero was already firmly in place, and its canned queries let Kivu Consulting support their customers quickly through this zero-day vulnerability without the need to rescan their networks. “When we pulled the trigger on runZero, Log4J happened literally a month later. We thought, ‘This absolutely makes sense.’ We were able to quickly query and get the information out to our customers,” said Paulmeno. Since then, many additional vulnerabilities and risky misconfigurations have presented themselves, including ESXi, Nevada ransomware, publicly accessible RDP, Kaspersky, and SMBv1. With each new vulnerability and risky misconfiguration, runZero has proven to be a vital tool in their arsenal for getting ahead of potential security threats and taking swift preventative action for themselves and their customers.
runZero has also proven to be a source of cost savings for Kivu Consulting’s customers, who are able to avoid paying for unnecessary security vendors. “We support a university whose leadership wanted a comprehensive list of ALL endpoints on their network. With runZero’s asset ownership feature, they now can see who owns assets and who doesn’t and where these assets are going rogue. They can assign them to their team without buying an additional remote vendor to do all this auditing,” stated Paulmeno. Additionally, with visibility into the assets on their customers’ networks and an understanding of which endpoints lack EDR solutions, Kivu Consulting can now better track the number of assets they need to supply EDR software for, so that their customers aren’t overcharged. This also improves the accuracy of their sales forecasting, and thus their overall operational efficiency. Chase Martin, Senior Consultant at Kivu Consulting, explained this benefit for their organization: “We’re now able to project better for accompanying renewals and quarterly true-ups. We’re able to stay ahead on our licensing count to make sure that we aren’t charging any overages. So, from a revenue collection, runZero helps our team as well.”
Between runZero’s ability to report back granular data like asset ownership and EDR saturation for full network visibility, its canned queries that save valuable time during zero-day vulnerabilities, and its ease of deployment and use, it has become an important competitive advantage for Kivu Consulting and their customers. “We have clients coming out of incident response engagements where they’re asking about some of these zero-day vulnerabilities and exploits. Oftentimes, runZero already has a search query in place for us. So, from a threat hunting and proactive security standpoint, these queries are a huge advantage in time saving and information gain,” explained Martin. Because it has proven dependable and capable during the early, critical hours of incident response, and when advising customers with queries focused on Log4J, ESXi, Nevada ransomware, Kaspersky, and outdated SMB versions, runZero has also become their go-to cyber asset discovery and remediation solution for a truly proactive approach to cyber security. “runZero has been the first place we go for most of our customers. With a threat, we can quickly pivot and check whether a customer is safe or if they need advisory. With the information you provide on your blog, you have become a one-stop-shop. We’ve developed a weekly ritual to check if there is a new vulnerability. We’ll check runZero and CrowdStrike and then correlate data from the two. And that’s been awesome,” explained Paulmeno.