What are we going to talk about today?

Transcription

1 For those of you who haven t worked with me over the past 6 years, I m Bryan Senter. I ve been in Wiesbaden in a different role for 5 years. I followed the crowd from Heidelberg before that. EPMSaaS stands for Endpoint Management Solution as a Service. I am the local member of a globally deployed follow the sun team provided by NETCOM. This is the fastest moving NETCOM project I have ever seen. It is actually here! As an (ISC)2 member, I welcome the chance to contribute. I thank you, Mike for the opportunity to share some information. I encourage you as members to make your own contribution. We are all better when we know who knows what we don t know. 1

2 What are we going to talk about today? Number one question since I got here: What is Tanium doing on my machine? OK. Nobody asks me how Tanium is going to help make our environment more secure. But I do get questions about how Tanium can help me at my job. Not applicable for 99% of the enterprise. In this room, it is relevant. If that is your question You can request Tanium access. Send MAJ Hanson or me an and we ll get you started. There is a short training video and 2875 required to get Standard User access. This will enable you to use dashboards and ask pre packaged questions. There is a 3 day training required for Question Author. More info at end. 2

3 Before we talk about Tanium, let s talk about why we re interested in Tanium. Beyond the CPE. When you get a chance, I recommend you review Verizon s Data Breach Report (play link) [Page down once] Are you gambling with your future? Good news this is the busiest slide I have. Bad news is that I ll be presenting, not her. I think we do a better job than many commercial organizations training, awareness, dedicated teams, tools. *** Banks, ISPs, Telecoms all think the same. I believe we could improve our posture toward insider threats. Cyber espionage is a long game. The initial compromise is often followed by tactics aimed at blending in, giving the attacker time to collect data. Almost all phishing attacks that lead to a breach were followed by some sort of software install. How quickly will you know about it? Perimeter security is very important and has long been a focus. Tanium is adding to the security of our endpoints. 3

4 Common questions for new Tanium users 4

5 Surprising answers! These figures are based on actual Tanium Security Hygiene tests. 5

6 What s Tanium got? Response from one million endpoints in less than a minute (usually 15 seconds). Not yesterday s snapshot, not last week s snapshot, but right now! Neighborhoods: think of subnet as default, but boundaries are determined by Tanium Server. Self forming, self repairing and elastic. *** they identify missing clients in their neighborhood. Neighborhoods share responsibility, data is pushed in chunks to the neighborhood; Response data is collated and returned as a neighborhood response. (T/F) 6

7 I have been working with SCCM, ACAS and HBSS views of the EUR network. None of them agree. Our network changes every day by more than 100 endpoints How fresh is your data? Does remediation team see the same thing that the assessment team sees? They can, if they use Tanium. Tanium doesn t add a whole lot of new tools to our set. But it does put them together in one place. 7

8 Now, the reason you are here Title is not a typo. The number one question I am asked is What s Tanium doing TO my machine? The first thing a Tanium client does is index the computer: file system, installed applications, running applications, AD info and more. This is stored locally on each endpoint. This is how sensors can provide sub second response to a question. Index is the busiest time for a Tanium Agent at least until some knucklehead asks a resource intensive question. (next slide) 8

9 This is real data from the same lab machine after the initial index. Tanium is using less than 100MB of RAM and is pretty much zero impact to other resources. Uses disk journal events to identify changed files and updates the index; Rehash those changes periodically. Tanium cannot use more than 50% of the processor. Sensors are also stored on each endpoint. We can write and deploy our own sensors: WMI, VB Script, Shell, PowerShell and Python 9

10 The most used parts of Tanium come down to Questions and sensors, Actions and Packages. Sensors are scripts that live on the endpoint, that includes your workstation. Questions retrieve information from those sensors. Response data is collated into buckets and returned as a neighborhood response. (T/F) 10

11 11

12 EPMSaaS includes some, but not all of the Tanium Modules. Some have not been purchased, probably due to functional overlap with legacy tools. The Core Module includes Interact and the Tanium solutions. Interact provides the platform for asking questions. Connect allows those questions to be scheduled and results sent to a SEIM, to a user via , etc. Discover identifies Unmanaged Assets within the neighborhood. We currently employ both PING script and CONNECTION list. Army does not use ARP Cache or NMAP, which are also supported. IOC Detect provides IOC detection and YARA rule matching for real time responses to intrusions. IOC Detect also provides a REST API for integration to other parts of the security network. Trace provides a live and historical view of critical events including process execution, logon history, network connections, and file and registry changes. Incident Response Module is made up of dozens of sensors and packages. You end up using them together with other tools. More on that later. 12

13 Let s look at a question. Notice that I ve horribly misspelled the name of the sensor, but not unlike Google, Tanium natural language processor knows what I want or gives it s best shot. The Index Query File sensors provide parameters. The gray numbers on the right tell you how many. Expand with the arrows on the left. Index Query File sensors support economical searching because they rely on the index. Searching for a file with this sensor does not crawl the file system. 13

14 Who can tell me what a file header magic number starting with 4d5a is? That s a Windows executable. This question is going to identify windows executable files that are named something.txt. 14

15 Why would there be an executable file on a computer named something.txt? Trying to sneak something past an filter perhaps? How about a safe looking payload in a phishing ? This query is executed in a lab environment. Anybody want to guess what this query returned on EUR? Nearly 7000 rows. Does that make you nervous? It should make you feel protected. If you can see it, you can address it! Are they dangerous? Most are benign, maybe all of them. But from here we can check known malware lists for the MD5 Hash. Tanium can deploy an action to delete it. Or list all workstations that have it. Let s drill down into this workstation. Selecting a row will activate a context menu. 15

16 This slide got pretty crowded. Sorry about that. But the point is I m a few clicks away from more information. I m developing an interest in this guy s workstation. Select the suspect row and a context menu displays where I can add information to the current query. I select Computer Name and Drill down for instant results. What is scarier than an executable named.txt? 16

17 How about the same file named innocentlamb.pdf in a user s download folder? If we had been searching for MD5 of known malware, we can find it on the Army s 1 million endpoints in a minute or less no matter what the file name is! Do you feel safer yet? Well, do ya? 17

18 18

19 Maybe not. This isn t exactly endpoint security, although crashing applications can be the result of a compromise. What if there are complaints ever since that new version got deployed? Could something like this help you? 19

20 How about memory use across the network? Or network use? Or Disk? 20

21 Why do I say this is lighter? I want to point out the count column reporting how many endpoints in each state. Remember when I talked about bucketed results earlier? Information buckets helps keep the result string length low. This query only returned 4 values representing 10 machines. Ask this across Army s 1 million endpoints and you still get 40 rows of data, and you get it when you want it which is right now. 21

22 Start with an ad hoc question or an IOC Detect question. Use connect to push this data to IR Response team, or to Splunk. But realtime data is ephemeral. You may want to look at Trace to take advantage of cached data. The EPMSaaS trace window is 30 days. Finally, you use IR Gatherer to obtain additional forensic evidence. 22

23 We can add to IOC as desired. IOC DB, individual MD5 Hash, Yara rules With OpenIOC: Match metadata from endpoint forensic artifacts: File system, Registry, Network, Memory, Logs Yara: Match contents of files, memory against patterns 23

24 IR Gatherer is a package of tools to collect comprehensive forensic triage / live response evidence Volatile (in memory) artifacts Non volatile (on disk) artifacts Deployed as an action, implemented for: Windows Linux Mac OS X 24

25 Trace gives you the ability to search historical data not just real time. You can create and save searches for ad hoc use or use CONNECT to periodically send results to or Splunk. 25

26 Trace Tree View provides interface to walk program execution backwards and forwards complete with the command that executes next/prev in sequence. Trace Records: Process execution File & directory Registry Network connection information Security Based on current audit policy Driver loads 26

27 You can save the trace file for offline forensic review. Load them up and get the same tree view functionality. 27

28 Why are we talking about Tanium? Tanium s speed, scale, and coverage are unprecedented in the industry: A single server can communicate with a million+ endpoints in seconds. Tanium provides the ability to ask natural language questions to retrieve and visualize data, take actions, and integrate endpoint data into external systems. With a single server Tanium supports multiple use cases: Security Hygiene and Compliance, Endpoint Detection and Response, IT Asset Visibility, and IT Operations Management. 12 of the top 15 banks, and 6 of the top 10 retailers use Tanium. How is Tanium protecting me? Can Tanium help me do my job better? 28