Finding gaps in endpoint protection

Enterprise

Many customers use runZero to get a consolidated view into their assets. Once you’ve integrated your endpoint protection platform with runZero, there are a variety of ways you can monitor the state of your deployment from within runZero.

Who is this playbook for and why?

This playbook will be useful for security and IT personnel who are responsible for managing their organization’s endpoint protection platform. It can help find gaps in your endpoint protection coverage and ensure that you’re getting full value out of your investment.

How will runZero help?

runZero is able to discover assets on your network without an agent and import asset information from your endpoint protection platform. This allows you to identify gaps in coverage as well as other health information about your EDR implementation.

What will I need to do?

To find gaps in your endpoint protection coverage, start by scanning your entire network. Then, if applicable, you will configure a runZero integration with your endpoint protection platform to merge that data with the runZero data. Lastly, you will query asset data to find assets that do not have the platform installed.

Prerequisites

Steps to implement

  1. Configure endpoint protection integration:
  2. Use sample queries to search your inventory for assets missing endpoint protection.
  3. Set up alerts to automatically notify you of gaps or to initiate a workflow.

Sample Queries

There are endless ways to combine terms and operators into effective queries, and the examples below can be used as-is or adjusted to meet your needs.

CrowdStrike Falcon

The following queries can be used to monitor the state of your CrowdStrike deployment from within runZero.

Identify assets that do not have CrowdStrike installed

(type:server OR type:desktop OR type:laptop) AND not edr.name:CrowdStrike

Identify assets running CrowdStrike in Reduced Functionality Mode (RFM)

(type:server OR type:desktop OR type:laptop) AND @crowdstrike.dev.reducedFunctionalityMode:yes

Identify assets running CrowdStrike where a Protection Policy has not been deployed

(type:server OR type:desktop OR type:laptop) AND @crowdstrike.dev.provisionStatus:NotProvisioned

Identify assets that are quarantined

(alive:true OR scanned:false) AND @crowdstrike.dev.status:Contained

SentinelOne

The following queries can be used to monitor the state of your SentinelOne deployment from within runZero.

Identify assets that do not have SentinelOne installed

(type:server OR type:desktop OR type:laptop) AND not edr.name:SentinelOne

Identify assets that have been decommissioned in SentinelOne

(alive:true OR scanned:false) AND @sentinelone.dev.isDecommissioned:true

Identiy assets that are running an outdated agent

(type:server OR type:desktop OR type:laptop) AND @sentinelone.dev.isUpToDate:false

Identify assets that are quarantined

(alive:true OR scanned:false) AND @sentinelone.dev.networkQuarantineEnabled:true
Tip: In some instances, runZero may be able to identify EDR/AV software without an integration if it exposes services that can be discovered. Running the Installed EDR/AV asset attribute report will provide you with a list of all EDR and AV software discovered in your inventory either through an integration or through runZero scanning techniques. Keep in mind that without an integration you will not be able to pull detailed EDR/AV information about an asset but you may be able to perform basic queries to identify coverage gaps.

Outcome demo

This video is a short demo of what the outcome of finding gaps in your EDR deployment may look like.