Using traffic sampling for passive asset discovery

Community Platform

The traffic sampling capability available on runZero Explorers enables users to passively discover assets on the network during the time between active scans.

Who is this playbook for and why?

The traffic sampling feature may be useful to any runZero user, but it is of particular interest to organizations that want to understand the scope of their asset inventory before beginning active scans.

Traffic sampling will also be useful to teams across the OT security space, including those just getting started with asset inventory efforts, struggling to deploy a full passive solution, wanting to sample remote sites, or responsible for assets across IT, IoT, and OT.

How will runZero help?

By enabling traffic sampling on one or more Explorers in your environment, you can start gathering asset details before you implement active scans. Additionally, when active scan tasks aren’t happening, the Explorers will continue passively discovering assets by performing traffic sampling tasks.

What will I need to do?

To use traffic sampling, runZero recommends taking the following steps:

  1. Create an organization, project, or site to contain the traffic sampling results (optional).
  2. Configure traffic sampling on Explorer(s).

Prerequisites

Implementation steps

The following instructions will show you how to configure the traffic sampling capability on your Explorers.

Step 1: Create an organization, project, or site to contain the traffic sampling results (optional)

To get a sense of how many additional assets traffic sampling may add to your inventory, use a dedicated organization, project, or site to hold the results. If you are concerned about a spike in asset count, a project may be the right option while you test traffic sampling in your environment.

Step 2: Configure traffic sampling on Explorer(s)

Traffic sampling is configured from the Explorer details page.

  1. From the Registered Explorers page, select the Explorer you wish to configure to perform traffic sampling.
  2. In the traffic sampling card, configure the following options:
    • Site: Specify the site the assets discovered through traffic sampling will be added to.
    • Discovery scope: List the IP addresses or CIDR networks that traffic sampling will observe on this Explorer.
    • Asset tags (optional): List the tags you want applied to assets discovered through traffic sampling.
    • Excluded hosts (optional): List the IP addresses or CIDR networks that traffic sampling will exclude from the results.
    • Interfaces: Toggle the switches for the interfaces you want this Explorer to listen on.
  3. Click Save to save your configuration and initiate the traffic sampling task.

Once configured, traffic sampling can be disabled by returning to this page and toggling off the selected interfaces. Upon saving, the traffic sampling tasks will automatically stop.
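To make the interaction between the Site, Discovery scope, Excluded hosts, and Asset tags settings concrete, here is an added illustration (not runZero's code) that models how passively observed traffic is narrowed to in-scope assets. The flows, addresses, site name, and tags are constructed sample values, and the `SamplingConfig` and `discover_assets` names are assumptions for this example.

```python
"""Model of how a traffic-sampling configuration narrows passive
discovery: only endpoints inside the discovery scope and outside the
excluded hosts become assets. Constructed data; not runZero's code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SamplingConfig:
    site: str                          # site that discovered assets join
    discovery_scope: list[str]         # IPs or CIDRs to observe
    excluded_hosts: list[str] = field(default_factory=list)
    asset_tags: list[str] = field(default_factory=list)

    @staticmethod
    def _nets(entries):
        # A bare IP becomes a /32 (or /128) so scope and exclusions
        # can be compared uniformly against an observed address.
        return [ipaddress.ip_network(e, strict=False) for e in entries]

    def in_scope(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self._nets(self.excluded_hosts)):
            return False               # exclusions win over scope
        return any(addr in n for n in self._nets(self.discovery_scope))


def discover_assets(config, samples):
    """Return {ip: {"site", "tags"}} for every endpoint in the sampled
    (src, dst) flows that passes the scope/exclusion check."""
    assets = {}
    for src, dst in samples:
        for ip in (src, dst):
            if config.in_scope(ip) and ip not in assets:
                assets[ip] = {"site": config.site,
                              "tags": list(config.asset_tags)}
    return assets


# Constructed sample of observed flows (not real capture data).
SAMPLES = [
    ("10.10.1.5", "10.10.1.20"),
    ("10.10.1.20", "192.168.50.7"),   # 192.168.50.7 is out of scope
    ("10.10.1.99", "10.10.1.5"),      # 10.10.1.99 is an excluded host
    ("10.10.2.3", "10.10.1.5"),       # single-IP scope entry
]
CONFIG = SamplingConfig(
    site="OT Plant Floor",
    discovery_scope=["10.10.1.0/24", "10.10.2.3"],
    excluded_hosts=["10.10.1.99"],
    asset_tags=["passive", "traffic-sampling"],
)

if __name__ == "__main__":
    for ip, meta in sorted(discover_assets(CONFIG, SAMPLES).items()):
        print(ip, meta)
```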

Getting help

If you need assistance in building out this process, you can book a session with a runZero Customer Success Engineer to discuss further.
