runZero 101 training
This training uses the runZero success outcomes to help you understand the top use cases for runZero and how to achieve them.
To follow along with the hands-on portions, you can either:
- Use your company’s existing runZero implementation as a reference to see what was done, or
- Set up a personal runZero account to scan your home network
Introduction
Asset management challenges
A few challenges related to asset management include:
- Significant overhead managing asset discovery for unmanaged assets.
- Asset data is siloed and leads to multiple pivots during investigations.
- Time-consuming, cross-team effort to understand potential exposure every time an exploitable vulnerability is released.
The common thread between these challenges is wasted time. Time translates to metrics, and a few security metrics that can be improved through better asset management include:
- Unidentified devices on internal networks: Through effective asset discovery, you can eliminate the gaps in asset visibility on your network.
- Mean time to discovery: Through effective asset discovery, you can identify risks in the environment sooner, ideally before an alert from a detection and response tool.
- Mean time to resolve: If you are able to reduce pivots during the investigation process, you can reduce the time it takes for an analyst to run an investigation.
How runZero helps
runZero provides three success outcomes with sets of key results:
Reduce gaps in asset visibility:
- Scan all assets in days, rather than weeks.
- Integrate with all cloud providers and other tools in your IT or security stack.
Reduce investigation times:
- Find any asset in your environment in seconds.
- Review all services an asset runs in minutes.
- Understand potential exposure to new vulnerabilities.
Reduce asset risk:
- Eliminate misconfigurations.
- Reduce gaps in endpoint protection.
- Reduce gaps in vulnerability scanning.
- Eliminate unmanaged assets through onboarding or retirement.
- Discover unauthorized assets to be removed.
Initial configuration
Before you get started, you will need to get your environment set up.
Background information
These are resources related to planning your runZero deployment for your review. They provide in-depth knowledge for running a full-scale runZero deployment.
- Deployment plan: video and documentation
- Sample networks: video and documentation
- Setting up organizations: video and documentation
- Setting up sites: video and documentation
Hands-on
In this section, you will get your account set up and your initial data populated.
If you are using a personal runZero account:
- Create an account: website and documentation
- Install an Explorer: video and documentation
- Setting up credentials: video and documentation
- Running your first scans: video and documentation
If you are using your company’s runZero account:
- See how many Explorers are deployed
- See what the configured scans look like
- Check whether any credentials are configured
- Verify there are assets in your inventory
Challenge questions
Use these questions to increase your knowledge about runZero’s features and capabilities.
- Why would I use the self-hosted console instead of the SaaS platform?
- To meet compliance or data sovereignty requirements.
- How many organizations do I need?
- Usually just one, unless you are a service provider or require RBAC to the asset data internally.
- When do I use sites?
- When you have overlapping IP space. You might also use them to organize data in highly complex networks.
- What’s the difference between an Explorer and scanner?
- Explorers are connected to the console, and the scanner is a standalone command-line tool.
- When might I need more than one Explorer?
- When dealing with network segmentation that doesn’t allow routing between different networks.
- How long will my scans take?
- It depends on the configuration and number of devices scanned.
- Can I include more than one CIDR block in one scan?
- Yes! Just separate CIDR blocks with commas.
- How do I know if my scans are getting blocked by a firewall/proxy?
- You will have no data for devices that you are confident exist.
- What does subnet sampling do?
- Scans a random sample of each CIDR range to test whether any hosts exist in the range prior to doing a full scan of each IP address.
- Where do I set up SNMP credentials and other integration credentials?
- On the Credentials page.
Reducing gaps in asset visibility
In this section, you will learn how to reduce gaps in asset visibility using runZero. If you think back to the security metrics, this will directly correlate with Unidentified Devices on Internal Networks.
This click-through demo will walk through how runZero helps reduce gaps in asset visibility, and the accompanying links will pivot you into your runZero instance.
Click-through demo
Click the hotspots below to follow along.
Hands-on references
- Dashboard
- Inventory
- Integrations
- Reporting
Challenge questions
- Where can I see how many assets I have?
- On your dashboard.
- Where do I see the most commonly used ports?
- On your dashboard.
- Which reports help with identifying gaps in discovery?
- RFC1918 and Unmapped MACs
- Which reports help with understanding network segmentation?
- Network bridges and Asset route pathing
Reducing investigation times
In this section, you will learn how to reduce your investigation times using runZero. If you think back to the security metrics, this will directly correlate with Mean Time to Resolve.
Click-through demo
Click the hotspots below to follow along.
Hands-on references
- Inventory Searches
- Up/Down: alive:t
- IP: address:192.168.40.157
- Port: port:161
- Protocol: protocol:snmp
- Multi-homed assets with public and private IP addresses: alive:t AND has_public:t AND has_private:t
- Default SSH configuration using passwords for authentication: alive:t AND protocol:"ssh" AND ssh.authMethods:"=password"
- Remote access services/protocols: protocol:rdp OR protocol:vnc OR protocol:teamviewer
- EOL Windows operating systems: os:windows AND os_eol:<now
- All available serial number sources: protocol:snmp has:snmp.serialNumbers OR hw.serialNumber:t OR ilo.serialNumber:t
- Inventory usability
- Use your inventory to follow along
- Asset deep dive
- Use one of your assets to follow along
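The inventory searches listed above can be run outside the console as well. The following is an added example, not part of this training or runZero's own tooling: it sends each saved search to what is assumed to be the runZero Export API endpoint (`/api/v1.0/export/org/assets.json`, Bearer auth with an Export token) and reduces the returned assets to the fields an analyst pivots on. The endpoint path and the `names`/`addresses`/`os` field names are assumptions; the sample asset records are constructed so the script also runs offline.

```python
"""Run this page's inventory searches against the runZero Export API and summarise results.
Endpoint path and JSON field names are assumptions; verify against your console's API docs."""
import json
import os
import urllib.parse
import urllib.request

# Searches taken verbatim from the "Inventory Searches" list in this training.
SEARCHES = {
    "multi_homed": "alive:t AND has_public:t AND has_private:t",
    "ssh_password_auth": 'alive:t AND protocol:"ssh" AND ssh.authMethods:"=password"',
    "remote_access": "protocol:rdp OR protocol:vnc OR protocol:teamviewer",
    "eol_windows": "os:windows AND os_eol:<now",
}

def build_export_url(console: str, search: str) -> str:
    """Assumed Export API path; the search string is URL-encoded as a query parameter."""
    query = urllib.parse.urlencode({"search": search})
    return f"{console.rstrip('/')}/api/v1.0/export/org/assets.json?{query}"

def fetch_assets(console: str, token: str, search: str) -> list:
    """GET the asset export for one search using an organization Export token."""
    req = urllib.request.Request(build_export_url(console, search),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def summarize(label: str, assets: list) -> dict:
    """Reduce an asset list to count, primary name, first address and OS per asset."""
    rows = [{
        "name": (a.get("names") or ["<unnamed>"])[0],
        "address": (a.get("addresses") or ["?"])[0],
        "os": a.get("os") or "unknown",
    } for a in assets]
    return {"search": label, "count": len(rows), "assets": rows}

# Constructed sample records (field names follow the assumed export format) for offline use.
SAMPLE_EOL_WINDOWS = [
    {"names": ["FILESRV01"], "addresses": ["192.168.40.157"], "os": "Windows Server 2008 R2"},
    {"names": [], "addresses": ["192.168.40.201"], "os": "Windows 7"},
]

if __name__ == "__main__":
    console = os.environ.get("RUNZERO_CONSOLE", "")
    token = os.environ.get("RUNZERO_EXPORT_TOKEN", "")
    if console and token:
        for label, search in SEARCHES.items():
            print(json.dumps(summarize(label, fetch_assets(console, token, search)), indent=2))
    else:  # no credentials: show the summary shape on the constructed sample
        print(json.dumps(summarize("eol_windows", SAMPLE_EOL_WINDOWS), indent=2))
```

Set `RUNZERO_CONSOLE` and `RUNZERO_EXPORT_TOKEN` to run the searches against your own organization; without them the script only summarises the constructed sample.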
Challenge questions
- Can I change the asset inventory view columns?
- Yes! Click the cols dropdown to add or remove columns. Columns can also be dragged to reorder them.
- How do I search for a specific hostname?
- Use name:<hostname> in a filter line.
- Can I do a relative time search on things like mac_age?
- Yes, just use number comparison operators.
- What are the secondary addresses on an asset and how do you get them?
- They are other IP addresses found during the scanning process for a device. It means you scanned one IP but found others while probing.
Reducing asset risk
In this section, you will learn how to reduce asset risk using runZero. If you think back to the security metrics, this will directly correlate with Mean Time to Detect.
Click-through demo
Click the hotspots below to follow along.
Hands-on references
- Rapid response
- Query library
- Inbound integrations
- Reduce gaps in endpoint protection
- Assets without endpoint protection
- Reduce gaps in vulnerability scanning
- Assets without vulnerability scanning
- Eliminate unmanaged assets and move to managed category
- Assets not in AD or MDM
- Outbound integrations
Challenge questions
- Where can I find risky assets in runZero?
- The Query Library has more than 100 preloaded searches with risk levels tied to them.
- What types of gaps can runZero identify in security tooling?
- Endpoint protection, vulnerability scanning, and device management.
- What are sample outbound integrations for runZero asset data?
- SIEMs, CMDBs, and ticketing systems.