Skip to content

Why we chose to be a fully remote company (and how we make it work)

At runZero, a physical office isn’t what unites us–it’s our mission that brings us together.

We are proud of the fact we are a 100% remote team,distributed across 10 states. From software engineers to product developers, we aim to help organizations keep their networks secure–all from the comfort of our own homes.

People often ask me why we chose to be a fully remote company from the beginning. As we look to grow, I wanted to take time to elaborate on why we made this choice, the benefits to our company and employees, and how we cultivate our culture without a shared office space.

Why remote-only was the right choice

I joined runZero in late 2020, two years after our founder, HD Moore, started the company. We were in the middle of a pandemic, and our conversations quickly turned to the practicalities of running a startup remotely. Because the whole world was still working remotely due to the pandemic, opening an office just didn’t make sense at the time.

HD felt that he could run the engineering side of things remotely from Austin, TX, and he asked if I needed a sales office in Boston. With all the tools at our fingertips today, I knew I could accomplish most tasks remotely.

My perspective was that working in an office is only important for certain meetings and social interactions. It’s not required for individual, focused-work (unless you have a lot of people in your apartment and need a quiet place to work,but even then, there are other options to meet that need such as coworking spaces).

All that to say: my immediate instinct was runZero could run very well remotely.

Hybrid work is the worst of both worlds

Hybrid usually means employees are in the office around 3 days a week. Employers usually allow people to have some level of freedom over the days they choose to be in the office, so they still get the flexibility from remote work. As a result, it’s difficult to get everyone at the office at the same time.

These hybrid models work in theory, but to me, they seem to bring out the worst parts of each working environment. You still feel isolated (a challenge of remote work), even though you are technically back in the office. You’re able to meet with your colleagues in-person, but never at the same time. So what’s the point?

Hybrid models are also not conducive to productive meetings. Trying to optimize an audio and video setup for in-person and remote meetings is an exercise in futility. One person is drawing on a whiteboard you can barely see, and another is struggling to hear what’s going on through the dreaded Polycom.

Meanwhile, if everyone is on a Zoom call, we can all hear and see each other simultaneously and clearly. Video-conferencing software has improved drastically over the last few years and video and audio quality is heads and tails above typical conferencing options, which allows for efficient and productive meetings.

On a personal level, this is how I prefer to work. I don’t have to sit in a car for two hours a day to get to an office and to run between different meeting rooms at different times. I can prepare healthy meals and pop in a load of laundry in between writing up strategic reports.

Beyond that, however, there are tangible benefits to the company itself that made our decision to become 100% remote an easy one.

Remote work attracts the best talent and gives us an edge over the competition

As things slowly returned to normal in 2021, more companies began to ask employees to come back to the office. However, not all of them wanted to return.

We saw this as a competitive advantage for us. We offered a workplace that allowed for talented individuals to continue working independently, while also being part of a team that shared their values. The certainty that we were never going to ask people to come to an office was a big plus for a lot of people.

In turn, the talent pool we could choose from actually broadened. Now we could pick up people from companies that wanted employees to return when they didn’t want to. We weren’t restricted to a single city either. We could attract quality candidates nationwide and hire, onboard, and train them quickly and efficiently. That’s a cost advantage that we can reinvest in the company.

As a result, our employees have also shared feedback that they are able to maintain a better work-life balance, while also feeling connected to the company mission.

Staying Connected While Apart: How We Cultivate a Company Culture

Admittedly, a formidable challenge to not having a physical workplace is missing out on what I would call ‘water cooler chatter’: those impromptu conversations. Sometimes they were about work, other times about our personal lives. These moments are crucial to helping teams feel connected to a shared experience.

However, company culture is so much more than incidental conversations around the office. It’s about people feeling like they are truly a part of something, and that kind of culture is cultivated thoughtfully and holistically.

First and foremost, understanding our cultural values was key to helping us build a remote culture – or any company culture. Then, our focus shifted to understanding how we help connect people to those values, help people develop 1-on-1 relationships, and foster interpersonal communication that builds the fabric of the company.

Let’s talk about some practical ways we foster and maintain company culture across time zones and locations.

Practical Ways we Manage Culture (and the tools we use!)

We still see the value of in-person interactions. We choose differently.

Our approach to communication is if it involves simply transferring knowledge or information, it can be accomplished virtually (through Slack, Zoom, or recorded video).

For example, we host monthly virtual town halls, which all employees and executives attend. Town halls are an important way to keep information flowing. We are open about our standing as a company, where we are going, and what’s coming next. Transparency is an even higher priority when you operate as a 100% remote company, and that’s why it’s one of our core values.

To set the tone for our time together, we usually kick off each meeting with a soundtrack. One time, after we closed a big customer in the telecommunications space, we played Lady Gaga’s “Telephone”. We take our work seriously, but we also like to have a little fun.

Since our town halls focus mainly on sharing information, they can be virtual. Meanwhile, we reserve in-person events for culture-building activities and interactions.

For example, we had our first ever company-wide meeting in-person in October 2022 in San Diego, an event we plan to host yearly. We had two to three hours of scheduled time during the day that involved sitting in a room pouring over information. The rest of each day was dedicated to team building exercises and common activities to foster lots of unstructured interactions. We also plan to meet up a second time each year for a go-to-market kickoff.

We use communication tools effectively and creatively

As you can expect, we use Slack for work-related communications, including weekly one-on-ones and asynchronous communications on important work matters.

We also use it as a way for everyone to connect. Lots of people check in with each other in the morning on the #casual-random Slack channel. We have a channel for foodies, movies, books, pets, kids,and many other channels to help employees connect who live in the same geographical area and sometimes get together in-person.

When you work remotely, almost every interaction is scheduled, and it can start to feel too structured. To help with this, we use Donut.com; it picks two random people within the company’s Slack that haven’t chatted in a while and pairs them up that month for a 30 minute one-on-one meeting. This meeting has no specific business purpose; it is simply there to mimic–to some degree–those casual water cooler conversations. This tool is a great way to make those types of conversations happen, and we have received positive feedback from employees who have built relationships this way.

Another tool we have used is called Gather.Town. You walk around a room that looks like an 8-bit game. As you wander, you can hear and see people standing near you (virtually), similar to a cocktail party. It’s a fun, gamified way to have a sort of happy hour with colleagues.

Our Head of People, Madison Smiser, has also been organizing company coffees (some virtual, some in-person where possible), show and tells, and breakout groups. We certainly don’t have it all figured out, but we are always listening to feedback and trying out new things. We know that socializing is an important part of building culture inside a company (remote or not).

Is going remote the right choice for you?

Truthfully, remote work is not for everyone, and that’s okay. Some people don’t have the physical workspace or environment to work remotely, while others work in service-based industries or manufacturing where it’s not a feasible option.

There are certainly challenges to running a remote company, but at the end of the day it can contribute positively to employee satisfaction and culture. There is something fascinating about the level of trust that binds a team together when everyone works remotely. It’s a benefit that comes from being in completely different places and, yet, still feeling connected.

If you’re interested in joining a fully remote workplace that’s building culture in creative ways, check out our Careers page.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Creating a culture of transparency

I once managed a product line when I didn’t even have access to revenue figures. Looking back now, that seems unthinkable. How was I supposed to manage a business when I didn’t even know how it was doing? I’m going to bet many others have a story like that too: where a culture of secrecy kept them from effectively doing their job.

In contrast, at runZero, we work at creating a culture of transparency: an environment where information flows between different levels of the organization and employees feel comfortable asking questions and sharing feedback.

When the executive team openly communicates with their employees, it builds trust and respect. In turn, employees are more likely to be productive and act in the best interest of the company. At tech companies, employees especially need access to accurate, up-to-date information to do their jobs well.

Ultimately, a culture of transparency leads to success because everyone is on the same page and working towards the same goals. Let’s dive into the specific values we’ve developed to promote and nurture transparency within our company.

Decentralize decision-making

Cultural value: “We provide transparency about decisions and the state of the business so everyone can make the right decisions autonomously.”

At runZero, transparency is a fundamental part of the way we do business. We focus on openness, so everyone knows the expectations, trusts each other, and feels confident in their role.

This level of transparency plays out in a variety of ways. At our monthly virtual town halls, for example, we are open about our standing as a company, where we are going, and what’s coming next. Our town halls deliver detailed information on financials, business performance, and even our cash position. We intend to be as honest if our cash position ever changes for the worse (though it hasn’t happened yet at the moment). By building trust and being transparent, everyone at runZero will feel like they are part of our successes and solutions.

When it comes to strategic planning, leaders provide context on the business to the team ahead of time, even if final decisions aren’t made yet. Leadership needs to be vulnerable in order to do this. They need to be able to admit that they don’t have all the answers yet, but are willing to share where they are in the process. This approach fosters collaboration and invites feedback. These are key elements to solving complex problems. We also take this approach in our one-on-one meetings.

We don’t pretend to have all the answers and understand that our employees may feel some degree of ambiguity in the face of such openness. This mindset allows for a free exchange of ideas between leadership and staff and promotes an environment where key players can work together to come to a consensus. The openness and directness of our leadership encourages employees to participate in the brainstorming process, ensuring that we make decisions based on collective wisdom instead of individual opinion.

When employees are confident in the knowledge they have, they can make the informed decisions independently, instead of expending time and resources asking for approvals internally. Transparency is essential for creating an environment where autonomous decision-making is not only accepted but encouraged.

The line between confidentiality and transparency

While transparency helps keep everyone in the loop, there are certain aspects of any business that must remain confidential, such as employee data and other human resources type information. In these cases, full transparency is not always the best solution.

In fact, during times of rebranding or restructuring, it’s better to wait until the new direction is clear before sharing any information widely, so it doesn’t create confusion. Information shared in confidence, for example about performance or health issues, should also not be shared widely.

However, our internal communication will always strive to be as honest and transparent as reasonably possible. We trust our employees to handle sensitive matters with utmost discretion and integrity.

Foster transparency through sharing

Cultural value: “We reward people who share information rather than hoard it.”

Information hoarding and siloed decision-making leads to inefficient processes and mistrust inside an organization.

Employees often hoard information to protect themselves from negative perceptions or to make themselves more valuable in the organization. However, when employees feel secure and comfortable in their environment, information hoarding becomes unnecessary.

That’s why we model and reward information sharing and transparency. For example, runZero’s Google Drive is fairly open—almost any employee has access to the files, except for those pertaining to sensitive information like human resources or finance. Generally speaking, however, employees can dig around for all kinds of data: company stats, dashboards, Hubspot data, and more. If employees can investigate, they can find solutions. In turn, we give them recognition for finding those solutions.

By providing tools like these and encouraging employees to use them openly and confidently, we avoid the issue of information hoarding altogether.

Help candidates grow through transparency

Cultural value: “If we turn a candidate down and we have helpful feedback, we offer to provide it.”

Sharing feedback with a candidate during the hiring process can be one of the most challenging tasks for any leader. Not only do we have to choose our words carefully, so that the message is constructive, but we also have to pick information that is truly valuable for the candidate’s growth. We also give the candidate the option to decline feedback, as we know sometimes that it can be a hard pill to swallow, depending on their circumstances.

The most difficult type of feedback is about someone’s potential. Oftentimes, this feedback may not consist of more than general comments about their capabilities or capacity for growth. It can be hard to deliver this type of feedback without it being demoralizing. So, we try to encourage candidates, while giving clear guidance on what specific improvements to help them understand what we are looking for at runZero. You never know what could happen: a few years down the line, the candidate could improve with feedback, timing shifts, and they end up being just the right fit for runZero.

We want the best fit for everyone involved. Anyone interviewing a candidate for runZero will be open and transparent, and we look for that to be reciprocated. We really listen for people with a growth mindset and who value transparency as much as we do.

Be honest with customers

Cultural value: We only take deals that are mutually beneficial partnerships. We take an honest, consultative approach to selling. We don’t pressure customers into sales if runZero is the wrong solution.

At runZero, we pride ourselves on our commitment to fair and transparent pricing. We are honest with our customers about what our product can do and if their requests exceed its capabilities, it’s best that everyone knows sooner rather than later. It saves everyone time in the long run. The sales team can disqualify the deal earlier and spend more time on deals with a higher likelihood to close. Disqualifying a deal builds trust and helps the customer understand the problems we can solve for them – and some return later when they are looking for a solution to those problems. The company experiences a higher renewal rate because customers weren’t oversold.

This approach benefits both parties in different ways: by being upfront about what our product can do, buyers benefit from a service that actually gives them what they need, while sellers don’t waste time trying to convince someone of a product that ultimately won’t work for them.

By committing to this type of customer service, we hope to help create an environment where buyers and sellers form trusting relationships.

The foundations of a great team and company

Open and honest dialogue is the cornerstone of any healthy team. Carrying out transparency in everything we do creates deeper connections between employees, leaders, and customers. We understand that fostering a supportive environment means that everyone should have access to information needed to be successful in their roles.

Creating a culture of transparency guides us at runZero every day. So if you’re looking for a role where transparency is in our DNA, we’d love for you to join us.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Why runZero is the best way to fulfill CISA BOD 23-01 requirements for asset visibility – Part 1

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently published the Binding Operational Directive 23-01 for Improving Asset Visibility and Vulnerability Detection on Federal Networks. CISA’s asset visibility requirements are doing a big part in moving the industry forward and evolving our approach to asset inventory while also highlighting the importance of asset inventory in relation to national or organizational security.

The directive covers both vulnerability management and asset inventory. This blog post only focuses on the relevant parts for asset inventory. However, there are some important areas where the two disciplines interact and asset inventory is better suited to fulfill the requirements.

CISA recommends unauthenticated scanning for asset discovery

Many organizations are using data sourced from authenticated vulnerability scans and installed EDR agents to derive asset inventory. CISA’s directive demonstrates that while this is a viable way to augment the data set, it is no longer sufficient:

“Asset discovery is non-intrusive and usually does not require special logical access privileges.”

“No special logical access privileges” translates to either unauthenticated active discovery or passive collection, which is confirmed in the following statement:

“Discovery of assets and vulnerabilities can be achieved through a variety of means, including active scanning, passive flow monitoring, querying logs, or in the case of software defined infrastructure, API query.”

API queries are only recommended for software defined infrastructure, such as cloud-hosting other virtualized environments, but not for your physical network.

Log files can be a helpful way to augment breadth of asset inventory but they do not yield depth. DHCP and DNS logs don’t yield much more information than IP addresses, hostname, and MAC addresses. This misses the essence of what a device is: you know it’s there but you don’t know what hardware and operating system it’s running or what ports and services are active.

CISA directive solves for unmanaged devices

When talking to security teams about challenges with their asset inventory, they frequently cite unmanaged devices as the biggest headache. The CISA directive seems to optimize for unmanaged devices since these are the hardest to cover.

Many asset inventory vendors, particularly those in the CAASM (Cyber Asset Attack Surface Management) space, claim that you can magically solve for unmanaged devices via integrations with existing tooling. That is a great pitch, but it ignores the fact that security teams have tried to use the data from vulnerability scanners and EDR agents for asset inventory for a long time and failed. They do not provide the right data–we’ll get to why in part two of this series.

CISA is well aware of this fact and recently published a binding directive that requires more than just integrations for solving asset inventory.

We’ll take a deeper look into why that is throughout this blog series. Stay tuned for more details and subscribe to our blog so you don’t miss out.

Follow the story

Part two of this story was published on Tuesday, January 18, so be sure to follow the story. Also, don’t forget to subscribe for regular blog notifications.

Try runZero for free

See how you can comply with CISA BOD 23-01 using runZero.

Get started
Learn more about runZero

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Fostering a culture of kindness at runZero

Our world today is so fast-paced that sometimes kindness can take a back seat. At runZero, kindness is in the front seat, guiding how we work together as a company.

For us, it was really important for kindness to be one of our core values–not only because it aligns with how we work–but because it makes all of us successful as a result of it. We really believe that a kind environment cultivates meaningful work experiences that help drive greater success for our customers, employees, and partners alike.

To really deliver on instilling kindness throughout our company, we really focus on:

  • Always assuming good intentions
  • Being kinder than necessary
  • Working at sustainable levels
  • Hiring based on attitude and aptitude and promote accordingly
  • Being fair and respectful of the candidate and employee experience

Always assume good intentions

When we talk about kindness, we start with a shared understanding that everyone has good intentions. Oftentimes, even when someone makes a decision that seems a bit miscalculated, they do it with good intentions. That’s why we strive to assume kindness before anything else.

Instead of going into a conversation on the defense, it’s more productive to come prepared to have an open discussion. Asking questions demonstrates that you truly want to understand someone. For example, if a teammate has taken a different approach on a project, rather than making a statement, ask, “Can you help me understand why you chose this approach?” This kind of communication helps to build trust and kindness, as well as communication, in the workplace.

Be kinder than necessary

It’s not always obvious what someone is going through, so we genuinely ask people how they are doing. Whenever I’ve gone into a situation with guns-a-blazing, I’ve always regretted it afterward. It’s better to keep in mind that there might be something more going on. After all, there may be other things going on in their lives, including family, personal, and medical issues.

Compassion has a profound impact on people and can help create a supportive environment for everyone to thrive. For leaders and managers, it’s important to be compassionate and ask questions when an employee is significantly underperforming compared to their baseline. Try something like this: “I’m getting the feeling that I’m not getting your best work lately. Is there something going on in your life that I should be aware of? Is there any way I can help?”

This kind of warmth not only creates goodwill between both parties, it also indicates you are a more attentive leader. One study, which tracked more than 50,000 leaders, found that those in the top-quartile of performance ranked high on levels of warmth. As it turns out, the nice ones do finish first.

Work at sustainable levels

Some people have trouble believing this, but taking time off makes you a good employee. As leaders, it’s important to set this example.

Having down time allows us to take care of ourselves, our loved ones, and our colleagues. I recognize that it can be difficult to do in startup environments when there’s not enough people to go around to handle all the tasks. However, it’s crucial to make rest a priority for all. Otherwise, you may end up with a different set of problems when conflict inevitably arises inside your teams due to stress.

If your company has a PTO policy of “take whatever you need,” it can be helpful to track your days off in a spreadsheet. Research shows people actually take less than they should, so this is a good way to hold yourself accountable. As a leader, check in with your teams and make sure they are taking the time off they need to be productive.

Hire based on attitude and aptitude and promote based on merit and company needs

When it comes to hiring, we focus on more than just experience. We place a high value on attitude and aptitude, so that everyone has an equal opportunity to join our team and grow their career.

Just because someone has been doing their job for a long time doesn’t mean they are the best at it. We are trying to encourage more diversity in the technology sector, and if we rely mainly on years of experience, then we are dipping into the same talent pool as everyone else. We focus more on demonstrable skills and an attitude that is in line with our cultural values as a company.

We also strongly believe in promoting from within where possible, based upon merit and what best aligns with the needs of the company. This helps minimize regrettable attrition and reduces the amount of time onboarding new employees.

In order for our culture to thrive, positivity is essential. Negativity can spread like wildfire, so we take it seriously.

Be honest about the job

As much as we’re screening a candidate, the candidate is screening us as an employer. We are both trying to discover if we’re the right fit, so it’s important for both of us to be honest.

As an employer, we strive to be transparent with our prospective candidates by publishing salary range data so they can make an informed decision. We are also candid about the challenges of the role and our company, which helps build trust in our relationship. We ask all our candidates to be honest in their assessment of their skills, values, and concerns they may have about the role. We want everyone to start off on the right foot.

Another way we demonstrate kindness to employees is by compensating fairly. We pull benchmark data and compensate at the 75th percentile, meaning we pay better than 75% of employers hiring for comparable roles.

Our employees form the backbone of our company and we want to show how much we value their contribution.

Be fair and respectful to candidates and employees

Rejection is tough, no matter the circumstances, but kindness goes a long way in alleviating the sting of rejection. We try to be as empathetic as possible when dealing with departures of any kind–whether they come from a job application or within the company.

When a prospect has been in the late-stages of interview rounds and we feel we have helpful feedback, we offer to share it. We let them know it’s honest, constructive feedback, but we also also give the candidate the option to decline, as we understand that feedback can be hard to receive, depending on what’s going on in their life at the moment.

For outgoing employees, our company culture works hard to ensure kindness and respect during these transitions. Even when legal best practices restrict our ability to share details, we always strive to uphold our reputation of kindness and understanding at all times. We understand that people sometimes just don’t fit into roles and don’t take it as an indication that someone is a bad person or employee.

Why kindness = success

Kindness isn’t just so people feel good about their work. It’s also for the success of your company. A kind, fair, and just culture sets a strong foundation for employees to feel secure in their environment which increases productivity. A healthy company culture reduces conflict amidst employees so they can focus their energy on collaboration and productivity. Hiring is easier because you screen for candidates that share the same values and you create a positive reputation with candidates and recruiters.

Frankly, it’s also just the right thing to do. Companies are made up of people who deserve kindness from others.

Want to join our team?

Explore our open positions and find the perfect fit for you. Discover why runZero is the best place to build your career.

View open roles
Join our team

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

CISA BOD 23-01: Why vulnerability scanners miss the mark on asset inventory

On October 3, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks. The directive requires that federal civilian executive branch (FCEB) departments and agencies perform automated discovery every 7 days and identify and report potential vulnerabilities every 14 days. Additionally, it requires the ability to initiate on-demand asset discovery to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA.

To meet these requirements, agencies will need to start with an accurate asset inventory. Most agencies will attempt to leverage existing solutions, like their vulnerability scanners, to build their asset inventories. It seems reasonable to do so, since most vulnerability scanners have built-in discovery capabilities and can build asset inventories. However, they will quickly learn that vulnerability scanners are not up for the task and cannot help them sufficiently and effectively meet the requirements laid out by CISA.

Let’s take a look at why agencies need a solution solely focused on asset inventory, in addition to their vulnerability scanner, if they want to tackle CISA BOD 23-01.

Asset inventory is a foundational building block

Every effective security and IT program starts with a solid asset inventory. CISA BOD 23-01 reinforces that imperative. Specifically, it states, “Asset discovery is a building block of operational visibility, and it is defined as an activity through which an organization identifies what network addressable IP-assets reside on their networks and identifies the associated IP addresses (hosts). Asset discovery is non-intrusive and usually does not require special logical access privileges.”

What does this mean? FCEB agencies looking to meet the requirements outlined by CISA BOD 23-01 must be able to discover managed and unmanaged devices connected to their networks. Internal and external internet-facing assets must be cataloged with full details and context. All within the timeframe outlined by CISA.

So now, the question is why vulnerability scanners can’t be used to meet the requirements laid out in the directive.

The challenges of asset inventory with vulnerability scanners

As the number of devices connecting to networks continues to grow exponentially, agencies need to stay on top of these devices; otherwise, they could provide potential footholds for attackers to exploit. However, common issues like shadow IT, rogue access, and oversight continue to make it difficult to keep up with unmanaged devices. BOD 23-01 highlights the importance of identifying unmanaged assets on the network. That’s why the need for a fully comprehensive asset inventory is the key to adequately addressing the directive.

So, why can’t vulnerability scanners deliver on asset inventory? Most vulnerability scanners combine discovery and assessment together, resulting in slower discovery times, delayed response to vulnerabilities, and limited asset details. As a result, most agencies are left wondering how they can do a better job building their asset inventories.

Combining discovery and assessment slows everything down

Vulnerability scanners typically combine asset discovery and assessment into one step. While on the surface, this appears to be efficient, it is actually quite the opposite. In regards to asset discovery, CISA BOD 23-01 specifically requires that FCEB agencies perform automated discovery every 7 days and identify and initiate on-demand discovery to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA.

Because vulnerability scanners leverage a lot of time-consuming checks, they’re not able to scan networks quickly enough. Add in the complexity of highly-segmented networks and maintenance windows, and it is nearly impossible to effectively utilize vulnerability scanners for discovery and meet the timing requirements outlined by CISA.

Under the new directive, assessing the potential impact of vulnerabilities becomes even more urgent. Agencies will need to perform on-demand discovery of assets that could be potentially impacted within 72 hours, if requested by CISA. When security news breaks, agencies need to respond as quickly as possible, but vulnerability scanners slow down the process. In a scenario like this, it would be more efficient to have a current asset inventory that agencies can search–without rescanning the network. This is particularly useful if agencies know there are specific assets they need to track down, they can query their existing asset inventory to identify them immediately.

For example, let’s say a new vulnerability is disclosed. Vendors will need some time to develop the vuln checks, and agencies will need to wait for the vuln checks to become available. Once they’ve been published, agencies can finally start rescanning their networks. Imagine waiting for the vuln check to be released, and then delaying the rescan due to scan windows. Without immediate insight into the potential impact of a vulnerability, agencies are playing the waiting game, instead of proactively being able to assess the risk.

How agencies can speed up discovery

So, what can agencies do? Let vulnerability scanners do what they do best: identify and report on vulnerabilities. Complement them with a dedicated solution that can automate and perform the discovery of assets within the timeframe set by the directive. In order to accomplish this, the asset inventory solution must be able to quickly and safely scan networks without a ton of overhead, be easy to deploy, and help security teams get ahead of new vulnerabilities.

Agencies need to have access to their full asset inventory, on-demand, so they can quickly zero in on any asset based on specific attributes. This information is invaluable for tracking down assets and investigating them, particularly when new zero-day vulnerabilities are uncovered. When the new zero-day is announced, agencies can find affected systems by searching across an existing asset inventory–without rescanning the network.

Meet CISA BOD 23-01 requirements with a dedicated asset inventory solution

It is increasingly evident that decoupling discovery and assessment is the most effective way to ensure that agencies have the data needed to accelerate vulnerability response and meet the requirements outlined in the directive. Because let’s face it: vulnerability scanners are really good at vulnerability enumeration–that’s what they’re designed to do. However, they really miss the mark when it comes to discovering assets and building comprehensive asset inventories. Because vulnerability scanners combine discovery and assessment, they aren’t able to scan entire networks quickly, and at times, they don’t fingerprint devices accurately.

As a result, many agencies are wondering how to meet the requirements outlined in CISA BOD 23-01 if they can’t depend on their vulnerability scanner for discovery. Agencies will need to start looking for a standalone asset inventory solution that is capable of performing unauthenticated, active discovery, while also enriching data from existing vulnerability management solutions.

How runZero can help agencies focus on asset discovery

runZero separates the discovery process from the vulnerability assessment stage, allowing agencies to perform discovery on-demand. Because runZero only performs discovery, it can deliver the data about assets and networks much faster than a vulnerability scanner. Customers have found that runZero performs scans about 10x faster than their vulnerability scanner, allowing them to:

  • Get a more immediate day one response to new vulnerabilities.
  • Gather as much information as possible about assets while waiting for vulnerability scan results.

That means, while waiting for vulnerability assessments to complete, agencies can already start digging into their asset inventory and identifying assets that may be impacted by a vulnerability. runZero regularly adds canned queries for assets impacted by newly disclosed vulnerabilities and highlights them via Rapid Response. Users can take advantage of these canned queries to instantly identify existing assets in the inventory that match specific identifiable attributes. For example, querying by hardware and device type can narrow down assets to a specific subset that may be affected by a vulnerability. All of the canned queries can be found in the Queries Library.

All in all, runZero is the only asset inventory solution that can truly help FCEB agencies stay on top of their ever-changing networks. By decoupling asset discovery from vulnerability assessment, agencies will gain visibility and efficiencies, while meeting the requirements set by CISA BOD 23-01.Learn more about runZero

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

runZero 3.4: Vulnerability import from CrowdStrike Spotlight (plus something for everyone)

What’s new with runZero 3.4?

  • Vulnerability import from CrowdStrike Spotlight
  • Integration performance improvements and enhancements
    • Automatic expiration of ephemeral AWS assets
    • Processing performance improvements
    • Enrichment-only integration support
  • OAuth Client Secret authentication
  • Simplified site import and export format
  • Rapid Response queries for MegaRAC and Cisco
  • User interface improvements

Vulnerability inventory from CrowdStrike

runZero Enterprise customers can now import vulnerabilities from CrowdStrike Spotlight. runZero 3.4 automatically imports vulnerabilities when a credential is supplied that has access to the “Spotlight” OAuth scope. CrowdStrike Spotlight vulnerability data can be viewed from the asset detail page as well as in the vulnerability inventory. CrowdStrike vulnerability attributes include the relevant CVE identifier, severity, exploitability status, vulnerability detail, and any recommended actions to remediate the issue. Use the filter source:crowdstrike in the asset or vulnerability inventory to see CrowdStrike-sourced data. Use the following queries to track down common concerns: Ready to complement your runZero inventory with vulnerability data from CrowdStrike? To get started, set up a connection to CrowdStrike using a credential with access to Spotlight vulnerabilities. Vulnerabilities from CrowdStrike Spotlight

Integration performance improvements and enhancements

The 3.4 release delivers new features and performance improvements to runZero integrations.

Automatic expiration of ephemeral AWS assets

You can now have your AWS integration automatically remove AWS assets from your inventory that weren’t seen in the latest sync. Many AWS resources are ephemeral, only being in use for a short period of time, and these temporary assets can lead to a slow increase of offline assets over time. If you don’t want to keep those decommissioned AWS assets in your runZero inventory, this feature can be used to automatically delete them. An alternative to this feature is to place your cloud assets in a separate Organization and configure a low stale asset expiration.

Processing performance improvements

The performance of all integration tasks has been improved and processing now completes much faster, with better use of resources, especially for self-hosted customers. This improvement is the most significant for processing data from vulnerability management products.

Enrichment-only integration support

You can now choose to exclude unknown assets from your integration imports. If enabled, runZero won’t import assets from an integration unless they can be merged with an existing asset in your inventory. This places the integration into an enrichment-only mode. This option is helpful when overlaying data from directory providers (Azure AD and Windows AD) as well as MDM and EDR systems that often include off-network assets that may be outside of your runZero scope.

OAuth Client Secret authentication

In addition to being able to access the runZero APIs using bearer tokens, you can now configure the use of OAuth2 client credentials. Simply register an API client and use the client ID and secret to obtain a temporary session token, which can then be using with the existing APIs as a bearer token.

Simplified site import and export format

The process and format for importing sites has been simplified so that you can more quickly add multiple sites based on subnets. The format of the imported CSV has been updated so that each registered subnet can be provided as a separate row, with the results merged automatically during import. Need to add a ton of new subnets to your sites? Export the current CSV, append the new subnets to the end with the same site name, and re-import the list to update your site configuration.

Rapid Response queries for MegaRAC and Cisco

In addition to letting you create queries to fit your needs, runZero includes pre-built queries for recent threats. During the 3.4 release, new queries were added to quickly track down assets running MegaRAC BMC firmware and to locate Cisco 7800/8800 series IP phone assets.

User interface improvements

The 3.4 release includes several changes to the user interface to improve the performance of the runZero console. The tables on the analysis reports, site comparison reports, and SSO groups pages now perform and load faster. This will let users query and sort the results in tables more efficiently, getting to the answers they need faster.

Release notes

The runZero 3.4 release includes a rollup of all the 3.3.x updates, which includes all of the following features, improvements, and updates.

New features

  • The AWS integration now includes an option to automatically remove assets no longer reported by AWS.
  • OAuth 2.0 client credentials can now be used to authenticate with runZero APIs.
  • The edr.name asset attribute is now updated to show when a runZero scan no longer detects the EDR.
  • Tasks can now be stopped during data gathering and processing phases.
  • The site import and export CSV format has been simplified.
  • The performance of connector task processing has been improved.
  • Tables for the Site comparison report, analysis report results, and SSO group mappings have been redesigned for improved performance.
  • Added a new canned query for finding Cisco 7800/8800 series IP phone assets.
  • Improved fingerprinting coverage of Google Workspace assets.
  • Additional fingerprint updates.

Security improvements

  • A bug that could show cross-tenant “no access” role users in the Your team > Current organization view was resolved. This issue only applied to the cloud-hosted version of the runZero platform. The affected build was live for slightly more than two hours. Any customers affected by this issue will receive a detailed notice to the email addresses associated with their superuser accounts.

Product improvements

  • The consistency in asset terminology has been improved.
  • The site import CSV format has been improved.
  • The CLI Scanner --api-url parameter handling has been improved.
  • The DELETE API method for bulk asset deletion has been deprecated.
  • A public API endpoint to check the platform health has been added.
  • OS EOL dates are now reported for Windows 11.
  • A new canned query for MegaRAC BMC firmware has been added.
  • Self-hosted customers can configure concurrent task processing with the RUNZERO_CRUNCHER_INSTANCES option.
  • VMware ESXi instances now display OS end-of-life dates based on version.
  • The scanner now supports a configurable ToS/Traffic Class field in the advanced configuration.
  • Additional operating system and hardware icons are available in the inventory view.
  • Explorer and CLI Scanner binaries are now approximately 5MB smaller.
  • The All Organizations view now more accurately handles limited user permissions.

Performance improvements

  • The performance of the task overview page load time has been improved.
  • The import time for third-party data sources was improved.
  • The scheduler will now delay recurring tasks if the previously completed task has not yet started processing.
  • The backend now processes concurrent tasks for separate sites within the same organization when possible.
  • Searching and sorting is faster when using the asset first seen and last seen columns.

Fingerprinting changes

  • Improved fingerprinting coverage of Apple HomeKit and HomeKit-connected devices.
  • Improved fingerprinting coverage of Google Workspace assets.
  • Improved fingerprinting coverage of Microsoft Intune and Azure Active Directory assets.
  • Additional support added-or-improved for products by by Advidia, APC, Apple, Ascom, Avaya, Cisco, Citrix, D-Link, Dahua, ecobee, Eve, Fortinet, First Peer, Google, Green Electronics, ICP DAS, ifm electronic, iXsystems, LG, Microsoft, Motorola, Nintendo, OnePlus, OpenWRT, Poly, QNAP, Raspberry Pi, Red Hat, Riverbed, Roku, Sagemcom, Samsung, Shelly, Schneider Electric, SolidCP, Sony, SUSE, SwitchBot, TCL, Technicolor, Twinkly, UPS Manufacturing, Vizio, and VMware.

Integration improvements

  • The CrowdStrike integration now imports vulnerabilities when CrowdStrike Spotlight is enabled for the API key.
  • An option to disable the creation of new assets from third-party integrations has been added.
  • Third-party integrations merge assets more consistently.
  • Third-party integrations now merge more accurately when using IP addresses as the match key.
  • Microsoft Intune and Azure Active Directory assets are now fingerprinted more accurately.
  • New LDAP credentials now auto-populate the discovered port.
  • The Microsoft Defender integration now merges assets more comprehensively.
  • The AWS EC2 integration now provides an option to include Stopped instances.

Bug fixes

  • A bug that could prevent an Explorer from running scans with specific network configurations has been resolved.
  • A bug that could cause recurring tasks to backup has been resolved.
  • A bug in the Organization asset export API has been resolved.
  • A bug that caused the License information page to display an incorrect project asset count was resolved.
  • A bug that could delay concurrent task processing has been resolved.
  • An issue that could cause the command-line scanner to skip LDAP enumeration has been resolved with the --ldap-thumbprints flag.
  • A bug that could prevent tag searches from completing when thousands of tags are in use has been resolved.
  • A bug that could result in partial import of GCP CloudSQL assets was resolved.
  • A bug that could lead to duplicate vulnerabilities when an import was restarted has been resolved.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Finding Cisco 7800 and 8800 series IP phone assets on your network

Cisco recently published vulnerability details which affect their 7800 and 8800 series of IP (VoIP) phones. These phones are sold across many different model numbers and can be found in businesses and organizations of varying sizes. Originally reported to Cisco by Qian Chen of the Codesafe Team of Legendsec at QI-ANXIN Group, this vulnerability does not require authentication for successful exploitation and can provide attackers remote code execution and/or denial-of-service (DoS) capabilities.

What is the impact?

Cisco assigned a CVSS “high” rating to this vulnerability (tracked as CVE-2022-20968) and has acknowledged that proof-of-concept exploitation code exists. Firmware for all 7800 and 8800 series IP phones (with the lone exception of Cisco Wireless IP Phone 8821) contains this vulnerability, which resides in the input validation logic of received Cisco Discovery Protocol packets. Attackers who have presence in the same VLAN or network segment as vulnerable devices can send specially-crafted Cisco Discovery Protocol packets to trigger a stack overflow, resulting in a denial-of-service condition or potential code execution.

Are updates available?

All firmware versions (14.2 and prior) for these 7800 and 8800 series IP phones contain this vulnerability (CVE-2022-20968), and Cisco is not planning on releasing patched firmware –which is currently expected to be version 14.2(1)– until next month (January 2023).

In the meantime, Cisco does offer the following mitigation for vulnerable IP phones:

Administrators may disable Cisco Discovery Protocol on affected IP Phone 7800 and 8800 Series devices. Devices will then use LLDP for discovery of configuration data such as voice VLAN, power negotiation, and so on. This is not a trivial change and will require diligence on behalf of the enterprise to evaluate any potential impact to devices as well as the best approach to deploy this change in their enterprise.

You can find the full details around this mitigation in the associated Cisco Security Advisory (see “Workarounds” section).

How do I find potentially vulnerable Cisco 7800 and 8800 series IP phone assets with runZero?

From the Asset Inventory, use the following pre-built query to locate Cisco 7800 and 8800 series IP phone assets which may need remediation:

type:"IP Phone" and (hw:"Cisco CP-78" or hw:"Cisco CP-88")

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Finding MegaRAC BMC assets on your network

Earlier this week, researchers with Eclypsium shared findings on three vulnerabilities present in American Megatrends (AMI) MegaRAC firmware. MegaRAC can be found in many server manufacturers’ Baseboard Management Controllers (BMCs), including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, HPE, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan. Successful exploitation of these vulnerabilities can provide an attacker with remote code execution, an administrative shell, and user enumeration. Given American Megatrend’s broad reach across server manufacturers and models the number of systems with vulnerable MegaRAC BMC firmware could be quite large.

What is the impact?

These vulnerabilities are scored as CVSS “critical” and “high” severities, and the reported vulnerability details include:

  • CVE-2022-40259 (CVSS “critical” score of 9.9) – Remote code execution via Redfish API; requires initial access to an account with callback privileges or higher
  • CVE-2022-40242 (CVSS “high” score of 8.3) – Administrative shell via default credentials
  • CVE-2022-2827 (CVSS “high” score of 7.5) – User enumeration via API request manipulation

The Eclypsium report does mention that public exposure of vulnerable BMCs appears to be “relatively low compared to recent high-profile vulnerabilities in other infrastructure products.” That said, data centers where many similar servers exist -–including data centers providing cloud-based resources-– could yield many opportunities for an attacker who has attained access, and detection of BMC exploitation can be “complex” and is likely to be missed with traditional EDR/AV.

Are updates available?

While American Megatrends has not made a security advisory available at the time of this publication, owners and administrators of systems with MegaRAC BMC firmware should check with their server manufacturers for patched firmware updates.

Mitigations are offered in the Eclypsium report (see the “Mitigations” section), including (but not limited to) the following suggestions:

  • Ensure that all remote server management interfaces (e.g. Redfish, IPMI) and BMC subsystems in their environments are on their dedicated management networks and are not exposed externally, and ensure internal BMC interface access is restricted to administrative users with ACLs or firewalls.
  • Review vendor default configurations of device firmware to identify and disable built-in administrative accounts and/or use remote authentication where available.

How do I find potentially vulnerable MegaRAC BMC assets with runZero?

From the Asset Inventory, use the following pre-built query to locate BMC assets running MegaRAC firmware which may need remediation:

type:"BMC" and (hw:"MegaRAC" or os:"MegaRAC")

The prebuilt query is available in the Queries Library

You can also locate all BMC assets in your environment by searching your Asset inventory for type:"BMC", which can then be triaged further.

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

CISA BOD 23-01 requires asset visibility and vulnerability detection as foundational requirements

On October 3, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released the Binding Operational Directive (BOD) 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks. This directive requires all Federal Civilian Executive Branch (FCEB) departments and agencies to comply with a set of cybersecurity requirements by April 3, 2023. Under the directive, asset visibility and vulnerability detection capabilities must be improved to meet the requirements outlined by CISA.

The BOD 23-01 strives to improve visibility and vulnerability detection on federal networks. However, the issues addressed by this directive are not exclusive to federal agencies. Asset inventory and vulnerability management are encouraged as best practices for all organizations, even though only FCEB agencies are legally required to comply by the April 3, 2023 deadline. In fact, CISA Director Jen Easterly told reporters, “Knowing what’s on your network is the first step for any organization to reduce risks.”

Asset visibility is foundational to cyber security

Cyber security is a universal challenge where asset inventory plays a major role. In other words, knowing your asset inventory is necessary for effective cyber security practices to be implemented. Easterly also said, “While this Directive applies to federal civilian agencies, we urge all organizations to adopt the guidance in the directive to gain a complete understanding of vulnerabilities that may exist on their network. We all have a role to play in building a more cyber resilient nation.” Regardless of whether or not an organization is a federal civilian agency, asset inventory should be the first step in reaching meaningful risk mitigation.

Modern cyber security practices require multi-part defensive measures. As technology has evolved, so have the threats to our security. More recently, the diversification of network environments in the civilian workplace has made network security and tracking more difficult. What had been a gradual transition to hybrid networks as the norm escalated rapidly during the pandemic, forcing security teams to suddenly manage on-premise, hybrid, and cloud networks more quickly than they were prepared to do. Network visibility now faces new challenges as networking environments have shifted.

There are too many assets to be tracked via manual methods, like spreadsheets. Not to mention unknown assets that may have been missed by traditional discovery methods. If you don’t know about an asset, how can you scan it for vulnerabilities?

Asset visibility is a critical building block for security measures, allowing you to have context around every asset connected to your network. You can leverage this data to assess endpoint detection and response (EDR) and vulnerability scan gaps in your network security. Thus ensuring you have strong, comprehensive network security coverage.

BOD 23-01 requires asset inventory and vulnerability enumeration

The number of assets has only continued to increase over time and CISA says “continuous and comprehensive asset visibility is a basic precondition for any organization to effectively manage cybersecurity risk.” In a 2021 US Senate report, federal agencies highlighted common asset and vulnerability challenges regarding their cyber security posture. That’s where CISA BOD 23-01 comes into play.

government cyber security diagram

BOD 23-01 focuses specifically on asset discovery and vulnerability enumeration which, as indicated in the diagram above, are critical pieces of any cyber security program. By April 3, 2023, federal civilian agencies need to have taken steps to comply with the following requirements:

  • Perform automated asset discovery every 7 days, covering a minimum of the organization’s IPv4 space.
  • Ingest on-demand vulnerability scan reports within 72 hours of a CISA request and be able to present findings to CISA within 7 days.
  • Perform vulnerability enumerations every 14 days with detection signatures that are no more than 24 hours old.

This criteria demands automated, on-demand, and rapid asset discovery capabilities. For many organizations, the volume of assets is too large for manual processing. BOD 23-01 aims to ensure federal agencies can keep up with their asset visibility and tracking. Automation must be able to report vulnerability data into a CDM dashboard to comply with BOD 23-01. CISA BOD 23-01 implementation guidelines specify what assets types fall within the scope of this directive, such as bring-your-own-device (BYOD) assets, communication devices, and more.

Asset discovery and vulnerability enumeration

The CISA BOD 23-01 requires that asset discovery capabilities must be able to capture high-fidelity data for managed and unmanaged devices. This data must be readily available, and presented in a digestible format to be considered compliant with the new directive. But asset discovery is only half the battle. There are several agencies that use vulnerability scanners to conduct discovery in addition to the traditional use of conducting vulnerability assessments. Vulnerability scanners are not an effective way to meet the new CISA requirements for asset inventory because they have limitations in terms of when they can run and how long the scans can take. FCEB agencies, and other organizations are encouraged, need a discovery solution that enables same-day response.

Asset discovery and vulnerability enumeration are the focal points of BOD 23-01. These two aspects of cyber security empower organizations to “better account” for assets and risks that have previously been unknown, and therefore unprotected, within their networks. While the CISA BOD 23-01 aspires to discover and protect the critical infrastructure and networks of the government, the same values can be applied to networks at large, no matter how the network is structured.

Asset discovery is a foundational security measure

The BOD 23-01 states, “Asset visibility is the building block for operational visibility.” Organizations must be able to identify IP addresses directly in the network as well as associated IP addresses. BYOD, cloud, and other assets are included in this identification requirement. IPv4 addresses need to be accounted for in their entirety at a minimum, though full visibility of other IP addressable assets are highly encouraged.

There are several ways to perform asset discovery, including active, passive, and external scanning. Each method will bring certain assets to light, but these methods also come with their own challenges.

  • Active: An active scan transmits network packets or queries local hosts and then analyzes responses. In other words, active scanning creates traffic for the network. If you are scanning a network with fragile devices, ensure that you pick a scanner that has been designed to safely scan these devices.
  • Passive: These scans observe traffic that traverses the network adapter the scanner is configured to listen in on. Passive scanning collects data about the assets actively talking on a limited section of the network, limiting visibility to a singular “choke point” and active assets. Passive collection is difficult to deploy across a sprawling organization. Encrypted protocols have made passive asset inventory increasingly harder.
  • External: External attack surface management (EASM) tools provide a perimeter view of IP addresses outside your network. Scanning external attack surfaces helps with gaining visibility to external hosts or exposed services, reconnaissance in penetration testing, and more. However, network owners can opt to hide their IP ranges, preventing those assets from showing up on your scan. Additionally, these are conducted without direct access to the network so visibility may be limited even further.

Effective asset discovery capabilities will deliver visibility into both internally and externally facing assets. As a result, you’ll have a more comprehensive asset inventory, allowing you to quickly identify and track when assets come online or go offline.

Critical vulnerabilities must be enumerated within 72 hours

Cyber security programs must be able to identify asset-specific vulnerabilities on-demand to comply with BOD 23-01 requirements. This applies to any information technology or operational technology asset that is accessible via IPv4 or IPv6 networks. BOD 23-01 mandates that agencies enumerate vulnerabilities across all discovered assets, such as operating systems, software and versions, potential misconfigurations, and missing updates. However, vulnerability enumeration has its own challenges and limitations with fingerprinting.

On top of struggling to meet data requirements, vulnerability management solutions lack the ability to meet the requirements outlined in CISA BOD 23-01, particularly, the 72 hour response timeline. Vulnerability scan times can vary greatly, depending on the business restrictions in place. Oftentimes, teams need to wait until the new vulnerability checks are available in order to scan for the newest security flaw. The solutions then need to scan the network again, which often requires waiting for the next maintenance window. This makes the required 72 hour response time extremely challenging to meet.

A modern approach to identifying potentially vulnerable systems much faster is to decouple the network scan from the vulnerability analysis. A modern asset discovery solution will be able to scan the hardware and software assets on the network with enough detail that it already contains enough information to identify potentially vulnerable systems. As a result, security teams can identify potentially impacted systems in minutes by querying the database. This approach is much faster than the traditional path of waiting for updated vulnerability checks, updating the scanners, scanning the network, and running reports on the new vulnerability.

Reducing the network security threat surface through asset inventory and vulnerability management solutions is critical to one’s overall security posture. One tool without the other is not enough to comply with the recent directive. Asset inventory and vulnerability management solutions work together to provide a clearer picture of an organization’s security posture.

How runZero helps comply with BOD 23-01

runZero is a comprehensive asset inventory solution that uses active, unauthenticated scanning capabilities as well as the ability to pull in third-party data, for example from vulnerability scanners, for a full picture of your network. runZero was founded by HD Moore, the creator of Metasploit, with cyber security fundamentals in mind. The runZero scan engine was designed from scratch to safely scan fragile devices.

runZero can help with administering asset discovery and inventory management in several ways including:

  • Discover the entire IPv4 space in less than 7 days: BOD 23-01 requires that the entire RFC 1918 space is scanned every 7 days for asset inventory. Most scanning technologies, especially vulnerability scanners, will struggle to cover an entire agency in this amount of time. runZero can cover the entire internally addressable RFC 1918 space overnight. runZero can also scan the agency’s external perimeter.
  • No credentials required: BOD 23-01 states that “asset discovery is non-intrusive and usually does not require special logical access privileges.” runZero features a proprietary unauthenticated active scanner that was designed with asset inventory in mind. Many other solutions require credentials to obtain enough information about systems
  • Respond rapidly to imminent threats: BOD 23-01 requires agencies to “develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA and provide the available results to CISA within 7 days of request.” After a new vulnerability story breaks, vulnerability scanners often take 1-2 weeks to create a vulnerability check for new vulnerabilities before agencies can even start testing. In most cases, you can use runZero’ existing scan data to find affected systems in a matter of seconds without having to rescan.
  • Get asset context on enumerated vulnerabilities: runZero integrates with Tenable, Rapid7 and Qualys to import vulnerability data into the asset inventory to provide contextual information on what assets a vulnerability was found on as well as the network context of the asset. In addition, runZero makes it easy to check that your vulnerability scanners are covering all of your subnets, highlighting any security control coverage gaps.
  • Import asset inventory data to the CMDB or Agency Data Lake: According to the CISA CDM architecture diagram, active scanners should push their data into the CMDB, which publishes data to the agency data lake that feeds the CDM. runZero integrates with CMDBs (e.g. ServiceNow). Some agencies that do not have an existing CMDB may even choose to aggregate data in runZero directly and feed the Agency Data Lake from there. runZero integrates with vulnerability scanners, endpoint detection and response (EDR) solutions, mobile device management (MDM) software, Microsoft Active Directory / Azure AD, attack surface management vendors, and cloud hosting providers to aggregate and consolidate all asset data in a single platform. It then offers a simple JSON export API to pull the asset inventory into a data lake.

Discover internal and external assets

runZero discovers internal and external assets, providing the high-fidelity context needed to fulfill BOD 23-01 requirements. Set up recurring unauthenticated scans to keep your asset inventory awareness up. Alerts for new asset connections or existing asset changes can be easily added to your scans. You can also conduct on-demand scans as needed and get the asset contextualization you need in minutes, complete with downloadable, digestible reports that you can present to your team (or CISA).

To meet the requirements outlined in BOD 23-01, your asset discovery solution needs to be able to quickly capture high-fidelity asset data on everything within your firewall as well as exposed services to properly assess your asset vulnerabilities. runZero can give you a strong picture of your external attack surface. Through active scanning and integrations, runZero augments data found by taking inputs from internal IPs that have been discovered and identifying public-facing hosts. Additionally, our unauthenticated scans can discover assets on a network without requiring a username/password. This approach is unobtrusive, because it doesn’t require credentials and agent deployment is time consuming and only covers managed assets.

Build a comprehensive asset inventory

A complete asset inventory includes unmanaged devices, internal and external assets, and having relevant data available on all of these assets. This level of visibility is essential both for strengthening your security posture and for meeting BOD 23-01 requirements. Unauthenticated scanning is the best way to quickly capture this information without having to worry about system fragility or resource-intensive setup like with agent-based solutions.

runZero creates a comprehensive picture of your asset inventory through on-demand unauthenticated scans and integrations, giving you more accurate fingerprinting of your assets, including those you don’t know about. You can find unmanaged devices and see when assets come on or offline in your network. Additionally, runZero gives you full control of your scans and queries, including the ability to create custom queries, generating alerts for specific assets in your scan results.

Enrich assets with vulnerability data

runZero leverages asset data from multiple sources, as well as its own unauthenticated scanner, to deliver full visibility into assets across any environment. Integrations with vulnerability scanners, like Tenable, Qualys, and Rapid7, will help you:

  • Add additional asset context to your vulnerability data
  • Find gaps in your vulnerability scan coverage
  • Respond to emerging vulnerabilities faster

Search web screenshots for oddities, identify outliers, and see assets that may need to be patched with on-demand custom queries. For example, let’s assume developers were aware of Log4Shell on the first day. They weren’t able to immediately go into their systems to find and fix the vulnerability because no one had checks available on day one. As a result, teams typically had to wait for their vuln scanner to have the checks available and then wait for a maintenance window to scan their targets resulting in delays in their ability to assess and remediate issues.

During one of our case studies, a customer that had been using ServiceNow ITOM (IT Operation Management) realized they struggled with getting all of the asset data they needed. This was especially true for their unmanaged assets, but they didn’t have the desired data for their managed assets either. The customer said, “The team looked at Qualys as an alternative data source for ServiceNow Discovery, but the system (scanned through appliances) was too slow.”

Log4Shell highlighted the importance of having the ability to quickly search an existing inventory to find assets that may be impacted by a new vulnerability without having to run a new vulnerability scan. runZero was able to provide prebuilt queries to help customers find potentially affected assets before vulnerability scanners had checks available for products and services using the Log4J.

runZero exceeds the asset visibility requirements of BOD 23-01

CISA BOD 23-01 was created to strengthen the overall cyber security posture of federal civilian agencies by requiring improvements around asset inventory and vulnerability management. With several tools and methods being used to conduct these practices, the new timeline requirements will force agencies to evaluate existing processes to comply with BOD 23-01 runZero will unify and enrich asset data from your existing security tools to deliver visibility across your internally and externally facing assets. You can take runZero for a test run with our free 21-day Enterprise trial or get a demo to learn how runZero can help your business. Contact us if you’d like to test our self-hosted version.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

runZero 3.3: Unmatched visibility into your Google ecosystem

What’s new with runZero 3.3?

  • Extended visibility into Google Workspace
  • Queries for Google Workspace users and groups
  • Fingerprinting for Google assets
  • Identification of OpenSSL services
  • Improvements to the runZero Console

Extended visibility into Google Workspace

runZero 3.3 furthers the visibility into your Google ecosystem through a new integration with Google Workspace. runZero Professional+ users will be able to sync Google Workspace asset details from mobile devices, endpoints, and managed Chrome systems, while runZero Enterprise users will also be able to sync Users and Groups. Once the integrations are configured, users can view, search, analyze, export, and alert on attributes from both Google Workspace and Google Cloud Platform.

One of the key reasons to leverage the runZero integrations is to get better insight into the scope of your environment and completeness of coverage since MDM and IAM platforms can’t provide any insights into devices that haven’t been onboarded. To identify assets on your network that aren’t onboarded to Google Workspace, use the query source:runZero AND NOT source:googleworkspace. Conversely, use this query to find assets from Google Cloud Platform or Google Workspace that have not been scanned by runZero yet: (source:gcp OR source:googleworkspace) AND NOT source:runzero. These queries can help you keep pace with unmanaged and disconnected assets.

The integration also pulls in many Google Workspace attributes to give you comprehensive asset visibility. This could include attributes like when a device was last synced, whether a device has a password enabled or is encrypted, or whether it supports the use of a work profile. The Recent Users list in the asset details can also provide insight into device ownership and usage. You can filter for a specific user by using the @googleworkspace.mobile.email attribute for mobile devices or the @googleworkspace.chromeos.recentUsers attribute for ChromeOS devices. To find mobile devices that aren’t locked with a password try the query @googleworkspace.mobile.devicePasswordStatus:="Off", or use @googleworkspace.mobile.encryptionStatus:="Not Encrypted" to find ones without encryption enabled. The wildcard operator also lets you find results with a range of OS versions, such as using @googleworkspace.endpoint.osVersion:="MacOS 12.% to find Google Workspace assets running macOS Monterey.

runZero offers unmatched active network scanning, while also integrating with an ever-growing list of data sources so that you have a complete asset inventory at your fingertips. To get started, set up a connection to Google Workspace or Google Cloud Platform.

Google Workspace integration

Queries for Google Workspace users and groups

runZero Enterprise users can leverage the new queries tailored for the Google Workspace integration to quickly find and alert on accounts that match particular parameters, in addition to being able to run searches in the Users and Groups inventories. Identify administrator accounts, suspended accounts, and accounts without MFA to improve IAM efforts and better protect your environment. These queries are included in the Query Library and can also be used to create alerts.

Run queries about Google Workspace users or create an alert rule to find assets of interest.

Query and Alert on Google Workspace Results

Fingerprinting for Google assets

runZero includes fingerprints for the metadata returned by the Google integrations, including Google Cloud Platform and Google Workspace. This will help provide the most accurate operating system and hardware data about the assets in your inventory.

In addition to Google fingerprints, runZero has also improved fingerprinting coverage of Microsoft 365 Defender assets and SNMP devices. Additional support was added or improved for products by Apache, Aruba, Avaya, Axon, Cisco, CyberPower, Debian, Eaton, Epson, Fortinet, Fujifilm, Geist, Hikvision, Lexmark, Oracle, Sato, Sony, Vivi, and VMware.

Identification of OpenSSL services

In preparation for the OpenSSL vulnerability announcement, runZero released remote, unauthenticated fingerprinting for OpenSSL 3 services, allowing our users to get ahead of the mitigation process prior to the vulnerability details becoming public. This capability has since expanded to detect even more TLS implementations and track the TLS stacks in use on each asset. runZero users can find OpenSSL endpoints using the query product:openssl, in the assets, services, and software inventories.

The server-side exposure only applies to services that process client certificates. runZero already performs checks for this, even though it is not a common configuration. To identify services running OpenSSL 3.0.x variants that may be vulnerable to exploitation, use the following query in the service inventory search: _service.product:"OpenSSL:OpenSSL:3" AND tls.requiresClientCertificate:"true".

Improvements to the runZero Console

The 3.3 release includes several changes to the user interface to improve the performance of the runZero console. The tables on the Explorers, Sites, Organizations, and Your team pages now perform and load faster. This will let users query and sort the results in tables more efficiently, getting to the answers they need faster.

The release also extends the availability of the All Organizations view. All users now have a view that will show them the results from all of the organizations that they have access to. The available permissions in that view reflect their per-organization permissions so that they can manage resources just like they would when viewing a single organization.

Release notes

The runZero 3.3 release includes a rollup of all the 3.2.x updates, which includes all of the following features, improvements, and updates.

New features

  • runZero Professional and Enterprise customers can now sync assets from Google Workspace.
  • runZero Enterprise customers can now sync users and groups from Google Workspace.
  • The “All Organizations” view is now available to restricted users with a filtered scope.
  • User interface tables were revamped for Organizations, Sites, Explorers, and Teams.
  • Live validation is no longer required for Qualys VMDR and InsightVM credentials.
  • Fingerprint updates.

Product improvements

  • The subnet utilization report now supports filtering by site.
  • CSV export of assets now includes the same hostname information as the inventory view.
  • Up-to-date ARM64 builds of the standalone scanner are now available.
  • The account API endpoint for creating organizations now accepts the argument types documented.
  • Merging two assets now correctly updates the date of the newest MAC address for the resulting asset.
  • Disabling all scan probes now disables the SNMP probe.
  • Service Provider information is now displayed with a default domain before SSO settings are configured.
  • Explorers are now ordered alphabetically on the scan configuration and connector configuration pages.
  • runZero users logging in via SSO are now presented with the terms and conditions acceptance dialogue.
  • A new tls.stack attribute that tracks the TLS software provider and version has been added for assets and services.
  • A new canned query for OpenSSL 3.0.x with client certificate authentication has been added.
  • The scanner now reports OpenSSL versions via TLS fingerprinting.
  • The scanner now reports Tanium agent instances on the network.
  • The scanner now reports additional detail for SSLv3 services.
  • The search keywords has_os_eol and has_os_eol_extended are now supported on the Assets and Vulnerabilities inventory pages.
  • The “last seen” link to the most recent scan details has been restored on the asset details page.

Performance improvements

  • Improved performance when scanning from macOS hosts that have certain EDR solutions installed.
  • Improved performance of Intune integration when importing a large number of users and devices.
  • Scan task processing speed has been improved for SaaS and self-hosted customers.
  • The baseline memory usage of Explorers has been reduced.
  • Error handling of misconfigured fingerprints has been improved to reduce Explorer and scanner crashes.

Fingerprinting changes

  • Improved fingerprinting coverage of Microsoft 365 Defender for Endpoints assets.
  • Improved fingerprinting coverage of SNMP devices.
  • Tanium agent detection now sets the edr.name attribute.
  • Added fingerprinting of OpenSSL, GnuTLS, and Windows TLS stacks, including version when possible.
  • Apple ecosystem OS fingerprint updates.
  • Additional support added-or-improved for products by Apache, Aruba, Avaya, Axon, Cisco, CyberPower, Debian, Eaton, Epson, Fortinet, Fujifilm, Geist, Hikvision, Lexmark, Oracle, Sato, Sony, Vivi, and VMware.

Integration improvements

  • The AWS integration now includes an option to delete AWS-only assets that were not seen in the most recent import.
  • The Qualys integration now includes an option to import unscanned assets and is disabled by default.
  • Processing speed for large Qualys imports has been improved.
  • GCP credentials can now be configured to import assets from multiple projects.
  • The error message indicating that an AWS integration credential has insufficient permissions has been improved.

Bug fixes

  • A bug that could prevent the use of third-party credentials when using TLS thumbprints or the insecure connection option with a public URL has been resolved.
  • A bug which sometimes prevented GCP imports from completing has been fixed.
  • A bug in how Service Inventory searches were launched from the Asset details page had been resolved.
  • A bug that could prevent TLS probes from completing has been resolved.
  • A bug that could prevent updating site metrics has been resolved.
  • A bug that could prevent the Intune integration from completing long-running tasks has been resolved.
  • A bug that could prevent the GCP integration from returning all assets has been resolved.
  • A bug that could result in a recurring integration running again before the previous task finished has been resolved.
  • A bug that could prevent importing assets from Microsoft Intune has been resolved.
  • A bug that could prevent importing assets from Microsoft 365 Defender has been resolved.
  • A bug that could prevent importing assets from Microsoft 365 Defender has been resolved.
  • A bug that could cause broken asset links has been resolved.
  • A bug that could cause missing service data for services with conflicting virtual hosts has been resolved.
  • A bug that could cause inaccurate user counts for imported directory groups has been resolved.
  • A bug that affected tooltip display has been resolved.
  • A bug that prevented “open in new tab” navigation using middle/right click has been resolved.
  • A bug that could prevent Azure AD imports has been resolved.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.