Case study

Using runZero, York University discovers 2.5x more devices than were previously known

The York University security team was aware of and protecting roughly 10,000 assets. With runZero, they discovered around 25,000 assets. This increased awareness resulted in a notable risk reduction for the York University community and an increase in efficiency, letting the team do more with their limited time and resources.


Problem

Chris Russel, Chief Information Security Officer (CISO), and his security team realized there were key gaps in their security program that needed to be addressed, including the lack of complete, centralized network visibility. This was a challenge due to their large, highly complex and distributed environment. They also knew that their manual approach to incident and vulnerability detection and response wasn’t scalable and needed an overhaul to save their small, resource-constrained team valuable time and effort. Russel and his team had been using a few security tools, including Nmap and Tenable’s Nessus, but quickly realized their shortcomings: Nmap could not provide a complete, centralized view into the environment without a lot of manual intervention, and Nessus was ineffective for building a full cyber asset inventory, not to mention expensive.

Solution

After some research, York University discovered runZero and was immediately impressed with its interest in and commitment to supporting the higher education sector. Russel and his team have since enjoyed runZero’s ease of deployment and use, which helped them reap the benefits of the platform and reach value that much quicker. runZero has already proven its value in a myriad of ways for the team, including increasing their speed to action for incident response, rapidly detecting and mitigating vulnerabilities, and making it easier and faster for Russel to pull reports for critical decisions.

Outcomes

A key outcome that the York University security team has witnessed is a measurable increase in visibility into their environment. Before runZero, they were aware of and protecting roughly 10,000 assets. With runZero, Russel and his team have been able to discover and better protect 25,000 assets, including IoT devices, 2.5x what they had insight into before, or a 150% increase. This increased visibility has benefited the team in other ways, including a reduction in overall risk for the university community. Another key value-add that the team has tracked is an increase in their efficiency so they can do more with their limited time and resources.

Why runZero?

"We use runZero for things like ad-hoc reports and being able to understand the nature of our environment better at a glance. We can get a good view into what’s out there and dive into details of groups and classes of assets, and physical and logical areas of the network landscape, as we need to, which is not something we were ever able to do before very easily. For instance, getting a rapid and detailed view of what devices are in a building or area of the network/subnet or being able to understand the details of unmanaged assets. Before, we could get that data and try to massage it in certain ways, but it was much less accessible and had to be done manually. As a result, our small team often did not have the time to properly analyze our whole environment and we had to do without that insight. runZero provides that interface that allows us to dive into those details pretty quickly, run reports very easily, and gain awareness of what’s out there. It just makes that whole process fast and easy" - Chris Russel, Chief Information Security Officer, York University

Problem

York University is a top international teaching and research university and a driving force for positive change. They boast many impressive accolades, including being named as one of the world’s leading universities in the 2023 Times Higher Education Impact Rankings, ranked first in Canada by Financial Times, The Economist and QS Global MBA rankings (Schulich School of Business), and top five in the 2023 Maclean’s University Rankings (comprehensive category).

Living up to such high praise and recognition across the university community assigns great responsibility to all its members to strive for such excellence, and this proved to be a challenge for Chris Russel, Chief Information Security Officer (CISO), and his security team. He realized there were key gaps in their security program that needed to be addressed, including the lack of one centralized view of all of the assets in their environment. This was a challenge due to their large, highly complex and distributed environment of campus facilities, faculties, etc. “Our situational awareness was not the greatest in our environment, because by its nature it’s very distributed, even for the managed devices IT looks after. There’s no one view of any of it. There wasn’t a place for us to easily get that type of information, so we had to make it ourselves with Nmap scans and map it to other sources of information so we can tell who’s the contact point for a given endpoint. It’s not just identifying endpoints but the other correlating bits of information, which is something we need in order to conduct any of our processes,” explained Russel.

They also knew that their manual approach to incident and vulnerability detection and response wasn’t scalable and needed an overhaul to save their small team with limited resources valuable time and effort. “Our incident response and vulnerability management suffered from a clunky way of us addressing and determining what we do with this once we know there's something that we need to address. How important is that asset? Who is responsible for it? Where do we take it from there? Our actions were based on a lot of historical knowledge rather than authoritative sources, and that did not work well as we were rapidly growing our team. There was often a lot of manual review involved on our end. We wanted to automate this as much as possible because it doesn’t scale if you need to have somebody review those things every time,” described Russel. He went on to add, “That's part of our objective. We have a very small team in security and a very large complex environment. So, we need to make as much use of automation as we can.”

Russel and his team had been using a few security tools, one of which was Nmap. But they quickly realized its shortcomings in providing a complete, centralized view into their environment without a lot of manual intervention. “For something like Nmap, that’s great. But it’s really just a scanner. You can fit into a larger set of tools to help provide a better view, but on its own, it’s not going to do that for you. That’s where our scripts came into play, where we could automate it as much as we could. But there was still a lot of piecing together that we had to do ourselves. It was a more reactive toolset than something that allowed us to track things well over time. Nmap is great, but it's really just the scanning aspect of it. It’s not the whole picture that we need. It doesn’t solve that problem,” explained Russel. They had also been leveraging Tenable’s Nessus, but that tool proved ineffective and unsuitable for building a full cyber asset inventory, not to mention expensive. “For Nessus, we’ve used the scanner component mainly as the vulnerability scanner, and that’s great for certain classes of vulnerability, detection, and so forth. But it’s not something that’s great for tracking overall asset inventory. We would get into looking at tens of thousands of assets that would actually add up quite a bit. So, it was very costly,” said Russel.

After concluding that their current toolset was incapable of supporting their goals for full, centralized cyber asset discovery and inventory, Russel and his team agreed to pursue a new solution to extend their lean team’s capacity and resources through automation and an overall proactive security program. “It’s always been there as something that we know we need to do better at, partially due to limited resources. We’ve always found ways to get by with various forms of our own automated scanning that we would try to put together something that gave us an ability to identify assets. But it was usually after the fact, and we didn’t have a good capability for tracking changes over time or integrating with other sources of information. It was also very ad-hoc and manual. All that took effort and skills that we just didn’t have the time for,” described Russel.

Solution

After some research, York University discovered runZero and were immediately impressed with their interest and commitment in supporting the higher education sector. “One of the differentiators is that runZero was interested in talking to EDUs. They seem to be interested in how we’re using it and how to make the product better. The fact that they’re interested in working with people in our industry and to make it better for us was very helpful,” explained Russel.

Russel and his team have enjoyed runZero’s ease of deployment and use, which helped them reap the benefits of the platform and reach value that much quicker. “One of the benefits of runZero was making use of the tool. It didn’t really take a lot of training and then getting up to speed to make it useful for us. Setting up scanners was fairly straightforward. That’s not always the case with security tools. Usually there’s a large ramp-up in getting value out of it. It was pretty much useful to us right away,” said Russel. He continued, “It's very usable. It's simple, but it also has a lot of capability built into it. With a small team, we don’t have enough time for training on a lot of different products. So having a tool that people can jump into very easily and quickly is helpful.”

runZero has already proven its value in a myriad of ways for the team, including increasing their speed to action for incident response and their ability to rapidly detect and mitigate vulnerabilities. “Our environment can be quite complex. When a new vulnerability comes out, finding out whether there are things that might be affected by it is not always easy or automatic to tell what’s out there and what might be active. There may be devices offline that may come back online at some point when the person returns from vacation. We want to be sure that we don’t miss things like that. A point in time isn’t necessarily going to capture all that. So runZero is very helpful in those types of situations,” said Russel. runZero has also made it easier and faster for Russel to pull reports for critical decisions. “runZero’s ad-hoc reporting has been invaluable. Sometimes our opportunity to get attention on a problem is fleeting. If I’m able to get some data quickly about a particular problem, I can strike while the iron’s hot. If we’re in a situation where we need to know, ‘how many systems with this particular issue do we have out there,’ and run a report on that, that would have been a lot of work in previous years before we had runZero to try to piece together the scanning. We wouldn’t be very confident of the accuracy either because it would be lacking. We have some endpoints that are off the network that we wouldn’t be able to necessarily see in a scan before, where now some of the data comes in through the integrations we have with runZero,” described Russel.

Regarding integrations, Russel and his team recently completed setting up a Microsoft Defender for Endpoint (MDE) integration. They noted some immediate advantages, including gaining visibility beyond the campus. “It allows us to bring AD/MDE onboarded assets into our runZero views and reports even if they are not on our campus network (such as laptops used with hybrid/remote working or servers hosted in cloud infrastructure), giving us a comprehensive asset picture that is not dependent on network location,” explained Russel. The team now has a clearer view of asset ownership, since the ownership information they maintain in MDE is synchronized into runZero, which spares them from maintaining ownership records in multiple tools. They have also gained the ability to find endpoints missing Microsoft Defender for Endpoint, making it an easier task to identify and report on assets that are not yet onboarded to MDE/EDR. Finally, they have gained a consolidated, normalized view that enables and accelerates security investigations. “The integration permits and simplifies more complex queries and reports that would not otherwise be possible, such as listing all assets by owner, including those onboarded to MDE and those that are not. Additionally, a lot of additional context has been added for the assets and having that plus the AD data and runZero data all consolidated in the runZero console is a huge time saver when handling potential incidents or vulnerabilities, rather than having to look up the same asset in different tools,” said Russel.

“The other aspect is how quickly we can do a search because we don’t have to go and scan the network again for something new. If we know the characteristics of what we’re looking for, we can look for that in runZero and get a short list of assets that might be targets and narrow it down further. Once we have a more refined list of potential targets, we can use something like Nessus that will dig into it more deeply.”

Chris Russel, Chief Information Security Officer, York University

Outcomes

A key outcome that the York University security team has witnessed is a measurable increase in visibility into their environment. Before runZero, they were aware of and managing roughly 10,000 assets. Now with runZero, Russel and his team have been able to discover and better protect 25,000 assets, including IoT devices, 2.5x what they had insight into before, or a 150% increase. “Of the assets that were the most visible to us, there were roughly 10,000 assets. Now we have a lot more out there, up to 25,000 assets in runZero that we’re looking at and have the ability to get data on. There’s a lot there and having the visibility beyond just the Windows devices that are Active Directory joined is a huge benefit,” said Russel. This visibility with runZero is possible despite a constantly changing environment that continues to increase in complexity, a win that Russel doesn’t take for granted. “Part of it is that the environment changes a lot. Even the networking environment. We never really did have that clear visibility before, even through the networking management tools, which are great for managing the network but not so much for the devices in it. So that’s where part of the gap was addressed by runZero. We can now truly see what’s out there and track it over time.”


This increased visibility has benefited the team in other ways, including a reduction in overall risk for the university community. “runZero has helped us reduce our overall risk by helping us gain visibility into what’s out there, where those risks are, and being able to spot anomalies where those things before might not have shown up. Sometimes your vulnerabilities and risks are hidden in a long tail of oddities that might be in a large network, such as things that may have been misconfigured or in the wrong network segment even. This is something that is much easier for us to figure out with runZero. For example, an OT or IoT device that may not even be managed by an IT team could be installed or configured incorrectly and result in being in the wrong logical network zone. This could result in an unintended exposure or vulnerability that might not otherwise be easily noticed amongst many other unmanaged devices, but it will show up as an anomaly in our runZero reports,” explained Russel.
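As an added example (not runZero's, Microsoft's or York University's code), the kind of reconciliation the MDE integration above and the "wrong logical network zone" anomaly in this section describe: join a network-scan inventory with an EDR onboarding list on MAC address, report devices the EDR has never seen, group assets by the owner recorded in the EDR, and flag devices whose address falls outside the subnet their device type is expected to live in. Both inventories and the zone policy are constructed sample data, and the field names are assumptions, not either tool's export format.

```python
"""Reconcile a network-scan inventory with an EDR onboarding list and flag zone anomalies.

Added example; the records and the zone policy below are constructed, and the field
names are assumptions rather than any product's export schema.
"""
from collections import defaultdict

# Constructed sample: what a network scan sees. Unmanaged devices often lack a hostname.
SCAN_ASSETS = [
    {"mac": "AA:BB:CC:00:00:01", "hostname": "LAB-PC-01.example.edu", "ip": "10.10.5.21", "type": "workstation"},
    {"mac": "AA:BB:CC:00:00:02", "hostname": "hvac-ctrl-3", "ip": "10.10.5.40", "type": "ot"},
    {"mac": "AA:BB:CC:00:00:03", "hostname": None, "ip": "10.20.1.7", "type": "camera"},
    {"mac": "AA:BB:CC:00:00:04", "hostname": "FIN-SRV-02.example.edu", "ip": "10.30.2.10", "type": "server"},
]

# Constructed sample: assets the EDR reports as onboarded, with the owner field set there.
# The last one is a remote laptop that never appears in an on-campus scan.
EDR_ASSETS = [
    {"mac": "aa-bb-cc-00-00-01", "hostname": "lab-pc-01.example.edu", "owner": "Chemistry IT"},
    {"mac": "aa-bb-cc-00-00-04", "hostname": "fin-srv-02.example.edu", "owner": "Finance IT"},
    {"mac": "aa-bb-cc-00-00-09", "hostname": "remote-laptop-17.example.edu", "owner": "Registrar"},
]

# Assumed zone policy: device type -> subnet prefixes it is expected to be in.
# OT and camera gear belongs in the 10.40.0.0/16 segment in this constructed example.
ZONE_POLICY = {
    "workstation": ("10.10.",),
    "server": ("10.30.",),
    "ot": ("10.40.",),
    "camera": ("10.40.",),
}


def normalize_mac(mac):
    """Canonical MAC form so the same device matches across tools (case and separators differ)."""
    return mac.replace("-", ":").lower()


def reconcile(scan_assets, edr_assets):
    """Join both inventories on MAC; returns mac -> one consolidated record."""
    merged = {}
    for rec in scan_assets:
        mac = normalize_mac(rec["mac"])
        merged[mac] = {
            "mac": mac,
            "hostname": (rec["hostname"] or "").lower() or None,
            "ip": rec["ip"],
            "type": rec["type"],
            "owner": None,
            "onboarded": False,
            "seen_on_network": True,
        }
    for rec in edr_assets:
        mac = normalize_mac(rec["mac"])
        # Off-network EDR assets still get a record, so the owner view is complete.
        entry = merged.setdefault(mac, {
            "mac": mac, "hostname": None, "ip": None, "type": None,
            "owner": None, "onboarded": False, "seen_on_network": False,
        })
        entry["onboarded"] = True
        entry["owner"] = rec.get("owner")
        entry["hostname"] = entry["hostname"] or rec["hostname"].lower()
    return merged


def missing_edr(merged):
    """Assets seen on the network that the EDR has never reported: onboarding gaps."""
    return sorted(m for m, a in merged.items() if a["seen_on_network"] and not a["onboarded"])


def assets_by_owner(merged):
    """Owner -> hostnames (MAC when no hostname); assets without an EDR owner fall under 'unassigned'."""
    groups = defaultdict(list)
    for a in merged.values():
        groups[a["owner"] or "unassigned"].append(a["hostname"] or a["mac"])
    return {owner: sorted(hosts) for owner, hosts in groups.items()}


def zone_anomalies(merged, policy):
    """Devices whose IP is outside the subnets their type is expected in (misplaced OT/IoT, etc.)."""
    out = []
    for a in merged.values():
        if a["ip"] is None or a["type"] not in policy:
            continue
        if not a["ip"].startswith(policy[a["type"]]):
            out.append((a["mac"], a["type"], a["ip"]))
    return sorted(out)


if __name__ == "__main__":
    merged = reconcile(SCAN_ASSETS, EDR_ASSETS)
    print("Not onboarded to EDR:", missing_edr(merged))
    print("Zone anomalies:", zone_anomalies(merged, ZONE_POLICY))
    for owner, hosts in sorted(assets_by_owner(merged).items()):
        print(f"{owner}: {', '.join(hosts)}")
```

Matching on a normalized MAC rather than on hostname is deliberate: unmanaged devices frequently have no hostname, and the two tools format the same address differently. In a real deployment the next step is to feed the "unassigned" group back to whoever owns that subnet, since those are exactly the devices that neither the EDR nor the directory knows about.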

Another key value-add that Russel and his team have tracked with runZero is an increase in their efficiency, letting them do more with their limited time and resources. “We’ve definitely seen the benefit with respect to our ability to do our jobs faster. This is part of the reason why we’re using it. It’s filling some gaps and allowing us to automate our processes where there would have been a big gap at this point in time, like when we’re redesigning and revamping our security program. If we were to have a gap like that today, that would be a major issue in that we wouldn’t be able to operate.” This efficiency has translated into time savings, which has freed up the team to focus on other mission-critical tasks. “We have definitely saved time from the way we used to handle things. We’re also doing a whole lot more in general. We’ve changed how we do things and runZero had an overall impact on that. It’s been a big factor in our ability to be agile and automate some of our core processes,” detailed Russel.

Russel had a few parting words to sum up his experience so far with runZero, “It’s a tool that we’re able to rapidly get up to speed with. It allows us to be agile and provide quick answers to a lot of our questions. It has vastly improved our awareness of our environment, which is necessary for understanding the risks and issues we have.”
