Using runZero, York University discovers 2.5x more devices than were previously known

Problem

York University is a top international teaching and research university and a driving force for positive change. They boast many impressive accolades, including being named as one of the world’s leading universities in the 2023 Times Higher Education Impact Rankings, ranked first in Canada by Financial Times, The Economist and QS Global MBA rankings (Schulich School of Business), and top five in the 2023 Maclean’s University Rankings (comprehensive category).

Living up to such high praise and recognition across the university community assigns great responsibility to all its members to strive for such excellence, and this proved to be a challenge for Chris Russel, Chief Information Security Officer (CISO), and his security team. He realized there were some key gaps in their security program that needed to be addressed, including their lack of one centralized view of all of the assets in their environment. This was a challenge due to their large, highly complex and distributed environments of campus facilities, faculties, etc.. “Our situational awareness was not the greatest in our environment, because by its nature it’s very distributed, even for the managed devices IT looks after. There’s no one view of any of it. There wasn’t a place for us to easily get that type of information, so we had to make it ourselves with Nmap scans and map it to other sources of information so we can tell who’s the contact point for a given endpoint. It’s not just identifying endpoints but the other correlating bits of information, which is something we need in order to conduct any of our processes,” explained Russel.

They also knew that their manual approach to incident and vulnerability detection and response wasn’t scalable and needed an overhaul to save their small team with limited resources valuable time and effort. “Our incident response and vulnerability management suffered from a clunky way of us addressing and determining what we do with this once we know there's something that we need to address. How important is that asset? Who is responsible for it? Where do we take it from there? Our actions were based on a lot of historical knowledge rather than authoritative sources, and that did not work well as we were rapidly growing our team. There was often a lot of manual review involved on our end. We wanted to automate this as much as possible because it doesn’t scale if you need to have somebody review those things every time,” described Russel. He went on to add, “That's part of our objective. We have a very small team in security and a very large complex environment. So, we need to make as much use of automation as we can.”

Russel and team had been utilizing a few security tools, one of which was Nmap. But they quickly realized its shortcomings of providing a complete, centralized view into their environment without a lot of manual intervention. “For something like Nmap, that’s great. But it’s really just a scanner. You can fit into a larger set of tools to help provide a better view, but on its own, it’s not going to do that for you. That’s where our scripts came into play, where we could automate it as much as we could. But there was still a lot of piecing together that we had to do ourselves. It was a more reactive toolset than something that allowed us to track things well over time. Nmap is great, but it's really just the scanning aspect of it. It’s not the whole picture that we need. It doesn’t solve that problem,” explained Russel. They had also been leveraging Tenable’s Nessus, but that tool proved to be ineffective and unsuitable for getting to a full cyber asset inventory, not to mention it was expensive. “For Nessus, we’ve used the scanner component mainly as the vulnerability scanner, and that’s great for certain classes of vulnerability, detection, and so forth. But it’s not something that’s great for tracking overall asset inventory. We would get into looking at tens of thousands of assets that would actually add up quite a bit. So, it was very costly,” said Russel.

After concluding that their current toolset was incapable of supporting their goals for full, centralized cyber asset discovery and inventory, Russel and his team agreed to pursue a new solution to extend their lean team’s capacity and resources through automation and an overall proactive security program. “It’s always been there as something that we know we need to do better at, partially due to limited resources. We’ve always found ways to get by with various forms of our own automated scanning that we would try to put together something that gave us an ability to identify assets. But it was usually after the fact, and we didn’t have a good capability for tracking changes over time or integrating with other sources of information. It was also very ad-hoc and manual. All that took effort and skills that we just didn’t have the time for,” described Russel.

Solution

After some research, York University discovered runZero and were immediately impressed with their interest and commitment in supporting the higher education sector. “One of the differentiators is that runZero was interested in talking to EDUs. They seem to be interested in how we’re using it and how to make the product better. The fact that they’re interested in working with people in our industry and to make it better for us was very helpful,” explained Russel.

Russel and his team have enjoyed runZero’s ease of deployment and use, helping them reap the benefits of the platform and get to value that much quicker. “One of the benefits of runZero was making use of the tool. It didn’t really take a lot of training and then getting up to speed to make it useful for us. Setting up scanners was fairly straightforward. That’s not always the case with security tools. Usually there’s a large ramp up in and getting value out of it. It was pretty much useful to us right away,” said Russel. He continued, “It's very usable. It's simple, but it also has a lot of capability built into it. With a small team, we don’t have enough time for training on a lot of different products. So having a tool that people can jump into very easily and quickly is helpful.”

runZero has already proven its value in a myriad of ways for the team, including increasing their speed to action for incident response, and the ability to rapidly detect and mitigate vulnerabilities. “Our environment can be quite complex. When a new vulnerability comes out, finding out whether there are things that might be affected by it is not always easy or automatic to tell what’s out there and what might be active. There may be devices offline that may come back online at some point when the person returns from vacation. We want to be sure that we don’t miss things like that. A point in time isn’t necessarily going to capture all that. So runZero is very helpful in those types of situations,” said Russel. runZero has also contributed to Russel’s ease and speed in pulling reports for making critical decisions. “runZero’s ad-hoc reporting has been invaluable. Sometimes our opportunity to get attention on a problem is fleeting. If I’m able to get some data quickly about a particular problem, I can strike while the iron’s hot. If we’re in a situation where we need to know, ‘how many systems with this particular issue do we have out there,’ and run a report on that, that would have been a lot of work in previous years before we had runZero to try to piece together the scanning. We wouldn’t be very confident of the accuracy either because it would be lacking. We have some endpoints that are off the network that we wouldn’t be able to necessarily see in a scan before, where now some of the data comes in through the integrations, we have with runZero,” described Russel.

Regarding integrations, Russel and his team recently completed setting up a Microsoft Defender for Endpoints (MDE) integration. They noted some immediate advantages, including gaining visibility beyond the campus. “It allows us to bring AD/MDE onboarded assets into our runZero views and reports even if they are not on our campus network (such as laptops used with hybrid/remote working or servers hosted in cloud infrastructure), giving us a comprehensive asset picture that is not dependent on network location,” explained Russel. The team now has a clearer view into asset ownership since this information that they have set in MDE is synchronized with runZero, which has proven to be helpful in avoiding maintaining ownership in multiple locations with different tools. They have also gained the ability to find endpoints missing Microsoft Defender for Endpoints and it is now an easier task to identify and report on assets that are not yet onboarded to MDE/EDR. Finally, they have gained a consolidated, normalized view, enabling and accelerating security investigations. “The integration permits and simplifies more complex queries and reports that would not otherwise be possible, such as listing all assets by owner, including those onboarded to MDE and those that are not. Additionally, a lot of additional context has been added for the assets and having that plus the AD data and runZero data all consolidated in the runZero console is a huge time saver when handling potential incidents or vulnerabilities, rather than having to look up the same asset in different tools,” said Russel.