Tanium For Endpoint Security


UC-TES

CONTENTS

Introduction
Enforce: Maintain Security Hygiene To Minimize Attack Surface
  Use Case: Continuous Endpoint Configuration Compliance
  Use Case: Up-to-Date Patching For Windows Operating Systems
  Use Case: Proactive Endpoint Protection
Detect: Root Out Known And Unknown Threats
  Use Case: Automated Indicators Of Compromise (IOCs) Scanning
  Use Case: Proactive Hunting For APTs, Data Leakage And Insider Threats
Investigate: Properly Scope Incidents Quickly And Completely
  Use Case: Rapidly Triage And Investigate A Potentially Compromised System
  Use Case: Use Newly-Discovered Leads To Scope A Compromise In Seconds
Remediate: Eliminate Attackers And Security Weaknesses With Precision And Efficiency
  Use Case: Eliminate Malware And Restore Control Over Compromised Endpoints
  Use Case: Deploy Emergency Security Updates For Critical Vulnerabilities
  Use Case: Adjust Endpoint Protections To Block An In-Process Attack
About Tanium
  Tanium Endpoint Platform
  Tanium Modules

INTRODUCTION

Many organizations now prepare with the understanding that cyber attacks will occur, and that relying on prevention alone, without the means to combat successful intrusions, will ultimately lead to breaches and the loss of intellectual property or sensitive data. A popular metric for the effectiveness of a security program is therefore the time that elapses between the initial compromise and the remediation that expels the attackers from the network, also known as an incident's dwell time. Minimizing this timeframe is critical to reducing the potential impact of attacks on the business and its infrastructure, yet research consistently shows that compromises often remain unnoticed for months. This status quo persists because security teams are burdened by point solutions that are too slow, too limited in capability, and too difficult to use, and that often degrade rapidly in reliability and accuracy when required to scale across large, distributed environments. As a result, already overextended security personnel spend even more time responding to alerts, and neglect threats and proper coordination across teams.

[Figure: 15-second visibility and remediation at scale. Security: triage with context; fast, accurate, complete hunting at scale; inputs from third-party help desk, SIEM and IOC feeds; quickly answer what, where and how it happened, and whether it is still happening. IT Operations: build security hygiene into asset management, configuration management, patch management, and risk and compliance; cost-effective, reliable security across the enterprise; fix issues quickly and completely.]

Tanium is the only platform that enables a closed-loop process for endpoint security, spanning threat detection, investigation, remediation and ongoing enforcement of IT security hygiene across the organization, with unprecedented speed and scale. This holistic approach to endpoint security is truly transformational, as it breaks down the barriers between teams that stall security and introduce business risk. In the pages that follow, we present use cases that show how the Tanium Endpoint Platform™ can help defend your enterprise from rapidly growing security threats. As you read, consider your organization's current and planned IT security projects. Are the tools currently in place serving all of your needs and priorities? Can they scale along with the increase in endpoints in your environment, and if so, at what cost? And can your team detect threats in seconds, then quickly remediate them?

"Tanium has enhanced our approach to endpoint security, enabling our security team to execute actions and queries efficiently over hundreds of thousands of endpoints firm-wide. Tanium's unique architecture and platform approach provides us with the speed, scale and flexibility we require, with the opportunity to expand our use cases and further enhance its value to us over time." Rohan Amin, Global Chief Information Security Officer, JPMorgan Chase.

Enforce: Maintain Security Hygiene To Minimize Attack Surface

The first step to effective threat and breach protection is to proactively reduce the attack vectors available to adversaries seeking to infiltrate the network. This begins with properly securing and hardening the endpoints, which present the widest attack surface available for attackers to target. Enforcing good security hygiene enterprise-wide continues to elude virtually every IT security organization: even though strict policies and security standards are often established, maintaining them over time across every endpoint on a global scale is impractical without complete endpoint visibility and control in seconds.

WITH TANIUM
1. Locate endpoints that are out of compliance and take the corrective actions necessary to restore them to the desired state and configuration in seconds.
2. Complete patch cycles reliably, from distribution to deployment, at speeds 10,000 times faster than legacy solutions, and create effective breach-prevention patch strategies.
3. Proactively secure endpoints against common malware and known threats using operating system and common third-party controls at enterprise scale.

Use Case: Continuous Endpoint Configuration Compliance

To truly enforce continuous adherence to security policies on the endpoint, IT security administrators must be able to query and take action across every endpoint enterprise-wide in seconds. Visibility and control at this speed and scale is essential because it enables an organization to maintain universal compliance for its endpoints by automatically making corrective changes as violations occur. Only with Tanium can you properly enforce good security hygiene throughout the environment and ensure that critical services are enabled and desired security controls remain in place at all times, across different operating systems and for endpoints both on and off the enterprise network.

Consider these examples of endpoint configurations and security controls for which adherence to a desired standard or policy is often difficult to enforce over time across every endpoint:
- Patch requirements for software such as Java, Adobe Flash and web browsers.
- AV agents running and updated with the latest definitions.
- Policies restricting open public network shares.
- Policies for establishing connections to external locations.
- Policies for applications that are not permitted on endpoints.
- Policies for connecting USB storage devices to machines that contain sensitive data, either currently or at any point in the past.
- Naming, permission and password policies for administrator-level accounts.

Customer Spotlight
A public sector customer needed to audit over 150,000 endpoints spread across 26 remote sites over WAN links for compliance with a departmental security protocol. Using its existing tooling and processes, the task took 2-3 days per location, saturated the WAN, and produced 26 separate, immediately out-of-date reports totaling roughly 700 pages detailing outstanding areas of non-compliance. Using Tanium, this customer conducted the same audit across all 150,000+ endpoints in minutes and has turned it into a routine daily review rather than an annual scramble.

Use Case: Up-to-Date Patching For Windows Operating Systems

Proactive patching of operating system security updates is perhaps the single most valuable enforcement activity an organization can perform to prevent future attacks. Unfortunately, the overwhelming majority of attacks exploit a weakness for which a patch was already available, often for months. This strongly indicates that most organizations still do not have a consistent patch deployment strategy or process. Unlike typical patch solutions, Tanium can distribute and complete patch cycles in minutes rather than hours or days, even across the largest global networks. In addition, Tanium provides the flexibility to customize alerting, scheduling, and rules that automatically include or exclude Windows patches based on their nature. Tanium's hallmark speed, scalability and flexibility minimize disruption to end users and provide the means to implement an ongoing patch strategy that enforces good security hygiene enterprise-wide.

Customer Spotlight
By deploying Tanium enterprise-wide on over 200,000 endpoints, a leading U.S. healthcare provider quickly discovered that its environment was missing over 5 million aggregate Windows OS patches, despite having a legacy patch management solution dedicated to this task. Using Tanium, the customer distributed and deployed the necessary patches to close this significant gap, verified success, and confidently established an effective patching strategy to meet the challenging requirements at its scale.

Use Case: Proactive Endpoint Protection

Effective patching is critical, but specific endpoint protections are often desired (or mandated by compliance regulations) to prevent commodity and other known threats from breaching the environment. With all endpoint technologies, and particularly endpoint protections (e.g. anti-virus, firewall, anti-exploit), deployment and management of agent health is a key concern: virus definitions must be up to date, endpoint network and port firewall settings must be adjusted centrally, and software policies adapted to block known-bad software. Tanium provides capabilities that help manage many third-party and operating system protection controls such as anti-virus. Beyond managing deployment, Tanium can centrally configure native operating system controls such as Windows Firewall and Software Restriction Policy through a policy-based workbench. With this level of enterprise-wide control, coupled with Tanium's speed and scale, organizations can maximize coverage for endpoint protections and move quickly to block attacks when speed matters most.

Detect: Root Out Known And Unknown Threats

Threat detection ultimately fails when there are too many siloed point solutions, or threat intelligence feeds that are not actionable (because of speed and/or scale challenges), so that serious issues are missed and teams are deluged by so many alerts that they cannot respond to incidents in a timely fashion.

WITH TANIUM
1. Automate IOC detection by scheduling regular scans at customizable intervals.
2. Accurately search for threats, vulnerabilities and anomalies in seconds across millions of endpoints via saved or ad-hoc queries.

Use Case: Automated Indicators Of Compromise (IOCs) Scanning

Organizations are spending more and more time and money gathering threat intelligence, expanding in-house threat analysis capabilities, and collaborating with industry peers through information-sharing exchanges. Despite the wealth of information available to them, however, security teams still lack the means to act on the intelligence and indicators of compromise (IOCs) obtained through these efforts. In many cases organizations can consume only network-based IOCs, while accurate endpoint indicators and intelligence go unused because their existing IOC scanning tools suffer from one or more of the following common shortcomings:
- Too slow: take hours to search for IOCs on a single system, and days or weeks to search an entire environment.
- Too inflexible: lack broad indicator support or rely on proprietary schemas, forcing users to translate or discard IOCs.
- Too unreliable: can search only a limited set of artifacts, reducing the likelihood of detecting compromises.

The Tanium platform can automatically scan for IOCs, simple or complex, with the same speed and scale as any other Tanium search. As a result, organizations can more effectively leverage their significant investments in threat intelligence and dramatically reduce the time between compromise and detection.

Consider these differentiating factors that make Tanium an optimal platform for automated IOC scanning:
- Supports all of the major indicator formats: OpenIOC, YARA, and STIX.
- Automatically ingests indicators from TAXII feeds, third-party providers, or internal repositories.
- Matches against dozens of artifact and attribute types, including file metadata, network activity, processes in memory, and the contents of the registry.
- Evaluates IOCs within seconds, including complex indicators that use Boolean logic.
- Searches for IOCs against both current-state endpoint activity and historical data, such as short-lived network connections that are no longer active.
- Applies simple hash whitelists and blacklists for additional flexibility when searching for or alerting on running processes across an environment.
- Performs on-demand IOC scans or scheduled scans at customizable intervals.
- Constrains scans with dynamic groups to target specific segments of the environment, for example high-criticality servers (e.g. domain controllers or databases), end-user systems owned by privileged administrators, or virtual machines.
- Generates tickets whenever an IOC hit occurs.
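The two IOC features above that are easiest to get wrong when building a scanner are Boolean composition (an indicator that is "file hash A, OR svchost.exe talking to address B") and the interaction with hash allow/deny lists. The following added example, written for this page and not code from Tanium or its products, shows both against a constructed fleet. The snapshot schema, the nested-tuple indicator format standing in for OpenIOC's AND/OR terms, and every host name, hash and IP address are assumptions for illustration only.

```python
"""Evaluate Boolean-logic indicators of compromise against endpoint snapshots.

Added example, not Tanium code. The snapshot schema, the nested-tuple
indicator format, and every host name, hash and IP address below are
constructed for illustration only.
"""
from typing import Dict, List, Tuple, Union

# Leaf: ("artifact_type", "value").  Node: ("and" | "or", [child, ...]).
# This mirrors how OpenIOC composes terms with AND/OR, minus the XML.
Indicator = Union[Tuple[str, str], Tuple[str, list]]

# Assumed hash lists: a deny-listed process hash is always a hit; an
# allow-listed one never is (e.g. a known-good build that matches an IOC).
DENY_HASHES = {"b" * 32}
ALLOW_HASHES = {"c" * 32}


def _leaf_matches(kind: str, value: str, snap: dict) -> bool:
    """Match one artifact term against a single endpoint snapshot."""
    if kind == "file_md5":
        return any(f["md5"] == value for f in snap.get("files", []))
    if kind == "process_name":
        return any(p["name"].lower() == value.lower() for p in snap.get("processes", []))
    if kind == "process_md5":
        return any(p["md5"] == value and p["md5"] not in ALLOW_HASHES
                   for p in snap.get("processes", []))
    if kind == "remote_ip":
        # Historical data: the collector may include connections already closed.
        return any(c["remote_ip"] == value for c in snap.get("connections", []))
    if kind == "registry_data":
        return any(value.lower() in r["data"].lower() for r in snap.get("registry", []))
    raise ValueError(f"unknown artifact type: {kind!r}")


def evaluate(indicator: Indicator, snap: dict) -> bool:
    """Recursively evaluate an AND/OR indicator tree against one snapshot."""
    op, arg = indicator
    if op == "and":
        return all(evaluate(child, snap) for child in arg)
    if op == "or":
        return any(evaluate(child, snap) for child in arg)
    return _leaf_matches(op, arg, snap)


def scan(fleet: Dict[str, dict], indicators: Dict[str, Indicator]) -> Dict[str, List[str]]:
    """Return {host: [names of indicators that matched]} for hosts with any hit."""
    hits: Dict[str, List[str]] = {}
    for host, snap in fleet.items():
        matched = [name for name, ind in indicators.items() if evaluate(ind, snap)]
        if any(p["md5"] in DENY_HASHES for p in snap.get("processes", [])):
            matched.append("denylisted-process-hash")
        if matched:
            hits[host] = matched
    return hits


# Constructed indicators: a dropper known either by file hash OR by a
# svchost.exe process beaconing to a C2 address; and a persistence entry
# that only counts when its payload is actually running.
INDICATORS: Dict[str, Indicator] = {
    "dropper": ("or", [
        ("file_md5", "a" * 32),
        ("and", [("process_name", "svchost.exe"), ("remote_ip", "203.0.113.7")]),
    ]),
    "persistence": ("and", [
        ("registry_data", r"C:\ProgramData\updater.exe"),
        ("process_name", "updater.exe"),
    ]),
}

# Constructed fleet snapshots (what an endpoint agent would report).
FLEET: Dict[str, dict] = {
    "ws-001": {"files": [{"path": r"C:\Users\Public\x.dll", "md5": "a" * 32}],
               "processes": [{"name": "explorer.exe", "md5": "1" * 32}],
               "connections": []},
    "srv-002": {"files": [],
                "processes": [{"name": "svchost.exe", "md5": "c" * 32}],
                "connections": [{"remote_ip": "203.0.113.7", "remote_port": 443}],
                "registry": [{"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\upd",
                              "data": r"C:\ProgramData\updater.exe"}]},
    "ws-003": {"files": [],
               "processes": [{"name": "svchost.exe", "md5": "c" * 32},
                             {"name": "helper.exe", "md5": "b" * 32}],
               "connections": [{"remote_ip": "198.51.100.5", "remote_port": 443}]},
    "ws-004": {"files": [],
               "processes": [{"name": "svchost.exe", "md5": "c" * 32}],
               "connections": []},
}


def run_scan() -> Dict[str, List[str]]:
    return scan(FLEET, INDICATORS)


if __name__ == "__main__":
    for host, names in run_scan().items():
        print(f"{host}: {', '.join(names)}")
```

Note that srv-002 matches "dropper" through the AND branch even though its svchost.exe hash is allow-listed: the allow list only suppresses hash-based terms, which is the right behaviour, since a legitimate binary can still be the one beaconing. srv-002 does not match "persistence" because the Run key is present but updater.exe is not running; whether a dormant persistence entry should alert on its own is a policy choice the indicator author makes with OR versus AND.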

Customer Spotlight
A state justice department was able to search for and detect indicators of compromise (IOCs) in less than 15 seconds, a job that previously took the agency days or weeks.

Use Case: Proactive Hunting For APTs, Data Leakage And Insider Threats

While automated IOC scanning with speed at scale is a tremendous asset for security teams, organizations must also consider their ability to uncover the unknown threats that codified threat intelligence fails to detect, such as targeted attacks, insider threats and data leakage. The most challenging aspect of proactive threat detection across large, globally distributed networks is knowing where to begin, what to look for, and how to efficiently collect enough of the right data to spot anomalies in seconds. Tanium allows users to conduct stacking and frequency analysis of search results in real time to quickly identify outliers. Users can drill down on systems of interest to gather more information and contextualize results. In addition to ad-hoc searches, users can construct dashboards that continuously and automatically collect filtered data for incident hunting and detection. The same data can be sent to a SIEM for archiving or additional correlation and analytics.

The following examples illustrate just a few of the ways Tanium can help proactively identify previously unknown threats and evidence of compromise across an environment:
- Identify the most and least common running processes, loaded libraries (DLLs), and drivers across the environment by stacking and comparing hash values, command lines, and file paths.
- Discover unknown, persistent malware via stack analysis of autoruns (applications that start automatically at user logon or boot time) across all systems.
- Detect sequences of process execution and file creation consistent with common exploit techniques, such as those that target web browsers, plug-ins, and document files.
- Identify anomalous server services listening for inbound connections on systems exposed to the Internet.
- Detect atypical network traffic initiated by legitimate operating system processes, which may indicate process injection or other tampering.
- Track the usage of privileged accounts across workstations and servers, including local accounts that are often omitted from centralized monitoring and log aggregation.
- Identify malicious use of Windows script interpreters such as PowerShell, CScript, and WScript, which attackers often abuse to run malicious code and evade detection.
- Detect the use of scheduled tasks or Windows Management Instrumentation (WMI) to remotely execute commands or launch malware.

Customer Spotlight
During a 10,000-endpoint Tanium pilot, the security administrators of a major defense contractor discovered a number of unexpected outbound processes initiating encrypted HTTPS connections that were leaking protected data.
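Stacking is the core technique behind the first two hunting examples above (least-common processes, and autoruns that appear on only a handful of machines). The added example below, written for this page and not Tanium code, runs the analysis over a constructed (host, image path, hash) inventory such as an enterprise-wide process or autoruns query would return. It surfaces three kinds of outlier a hunter looks for: pairs seen on very few hosts, a path whose hash differs across hosts (patch drift or a replaced binary), and a system binary name running from outside the Windows directory. All rows, paths and hashes are assumptions.

```python
"""Stacking (frequency) analysis of a process inventory across endpoints.

Added example, not Tanium code. The inventory rows, paths and hashes are
constructed; a real run would feed the (host, path, hash) rows returned
by an enterprise-wide query of running processes or autorun entries.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Row = Tuple[str, str, str]  # (host, image path, md5)

SYSTEM32_SVCHOST = r"C:\Windows\System32\svchost.exe"
EXPLORER = r"C:\Windows\explorer.exe"
INVENTORY: List[Row] = [
    ("ws-01", SYSTEM32_SVCHOST, "1" * 32), ("ws-01", EXPLORER, "2" * 32),
    ("ws-02", SYSTEM32_SVCHOST, "1" * 32), ("ws-02", EXPLORER, "2" * 32),
    ("ws-03", SYSTEM32_SVCHOST, "1" * 32), ("ws-03", EXPLORER, "2" * 32),
    ("ws-03", r"C:\Users\Public\svchost.exe", "f" * 32),  # masquerading copy, one host only
    ("ws-04", SYSTEM32_SVCHOST, "1" * 32), ("ws-04", EXPLORER, "2" * 32),
    ("ws-05", SYSTEM32_SVCHOST, "9" * 32),                # same path, different binary
    ("ws-05", EXPLORER, "2" * 32),
]


def stack(inventory: List[Row]) -> Dict[Tuple[str, str], int]:
    """Number of distinct hosts on which each (path, md5) pair was seen."""
    hosts: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for host, path, md5 in inventory:
        hosts[(path.lower(), md5)].add(host)   # distinct hosts, not raw rows
    return {key: len(h) for key, h in hosts.items()}


def rare_items(inventory: List[Row], max_hosts: int = 1) -> List[Tuple[str, str, int]]:
    """Least-common (path, md5) pairs: candidates for unknown or targeted malware."""
    return sorted((path, md5, n) for (path, md5), n in stack(inventory).items()
                  if n <= max_hosts)


def hash_variants(inventory: List[Row]) -> Dict[str, Dict[str, int]]:
    """Paths whose binary hash differs across hosts: patch drift or a replaced binary."""
    by_path: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for host, path, md5 in inventory:
        by_path[path.lower()][md5].add(host)
    return {path: {md5: len(h) for md5, h in hashes.items()}
            for path, hashes in by_path.items() if len(hashes) > 1}


def masquerading(inventory: List[Row],
                 system_names=("svchost.exe", "lsass.exe", "csrss.exe")) -> List[Row]:
    """System binary names running from outside the Windows directory."""
    return [row for row in inventory
            if row[1].lower().rsplit("\\", 1)[-1] in system_names
            and not row[1].lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    print("rare:", rare_items(INVENTORY))
    print("hash variants:", hash_variants(INVENTORY))
    print("masquerading:", masquerading(INVENTORY))
```

Counting distinct hosts rather than rows matters: a single machine with many instances of one binary would otherwise make it look common. In a large fleet the `max_hosts` threshold is raised, and the rare list is then triaged by whether the binary is signed and where it lives.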

Investigate: Properly Scope Incidents Quickly And Completely

As soon as suspicious activity or threats are detected, security teams must be able to assess what is at risk, identify the root cause, and formulate a remediation strategy. Many organizations still rely on endpoint forensic analysis tools that are slow and cumbersome, require a high degree of skill, and do not scale to large, distributed networks. As a result, many investigations fail to adequately scope the impact of an incident, or take weeks or months to do so, which reduces the likelihood of successful and timely remediation, prolongs the period of compromise, and exposes the organization to continued risk.

Many organizations currently rely on one or more of the following technologies for endpoint investigations and analysis:
- Centralized analysis of anti-virus or HIPS event logs, which are limited to signature-based, malware-centric detection of known threats.
- Event monitoring and correlation in a SIEM, which often contains abundant data from network devices but minimal data from endpoints. For example, many organizations ingest security event logs only from a limited set of servers because of the difficulty and overhead cost of event forwarding from all systems.
- Traditional remote forensic analysis tools that capture full disk and memory images. These may be suitable for single-host analysis, but they are time consuming, require a high degree of analysis skill, and are not effective for rapid hunting and searches for evidence across all systems in an environment.
- Incident response tools that focus on centralizing a narrow window of historical forensic activity. While this capability is a useful addition to other investigative tools, it may not provide the ability to quickly search for latent artifacts (such as files at rest) or for events that fall outside the period of preserved history. Such solutions also often require significant hardware infrastructure and network resources to transmit, store, and search this data.

WITH TANIUM
1. Instantly connect to and conduct live forensic investigations on any endpoint.
2. Use kernel-level monitoring to preserve evidence of process execution, file system and registry changes, network connections, driver loads, and security events, all with detailed metadata for timeline analysis, search, and filtering.
3. Acquire additional evidence, such as memory images, event logs, contents of the registry, and file system metadata, for deep-dive analysis of suspicious systems.
4. Pivot to 15-second enterprise-wide searches across historical, current-state, and latent evidence from all systems using the leads found during deep-dive analysis.

Use Case: Rapidly Triage And Investigate A Potentially Compromised System

Tanium provides direct access to both current and historical endpoint data suitable for incident response investigations. As a key part of these capabilities, Tanium records a variety of forensic artifacts that are not typically preserved by the operating system, such as:
- Executed process paths, command lines, parent command lines, hashes, and user context.
- File creation, deletion, write, and rename events with user and process context.
- Registry key/value creation, write, and deletion events with user and process context.
- Network connections, including local and remote addresses and ports, with user and process context.
- Loaded driver paths, hashes, and digital signature information.
- Security events stored independently of the native event log, including logons, logoffs, and changes to credentials, group membership and policies.

Users can connect to a remote system and immediately search across this evidence, conduct timeline analysis, or take a snapshot of recent activity for offline review. No time-consuming evidence collection or post-processing is required. In addition to traditional search and timeline analysis, Tanium provides interactive visualizations to further enhance evidence analysis: a process tree for examining parent-child process relationships, and an interactive timeline that depicts clusters of file, registry, network, and process events. If an analyst requires additional evidence, Tanium can connect to Windows, Mac, or Linux endpoints and acquire low-level forensic artifacts such as file system metadata, memory images, event logs, and auto-run mechanisms, to name a few.

With Tanium, analysts can take an existing lead, whether a timeframe of interest, a network address, a file name, or a hash, and quickly triage a system. Tanium thereby simplifies the steps needed to solve common investigative scenarios, such as:
- Identify the root cause, such as an exploit or other form of illicit access, that led to the installation of malicious software on a system.
- Determine why and what caused a system to communicate with a network address included in a security alert.
- Review the sequence of commands executed during attacker reconnaissance, lateral movement, or command and control.
- Detect evidence of credential theft and misuse, such as network or remote desktop logons initiated with stolen accounts.
- Identify the creation or transfer of temporary files, such as stolen data staged for exfiltration.
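The process-tree visualization described above, and the "root cause" and "script interpreter abuse" scenarios in this section and in the hunting use case, all rest on one data structure: recorded process-start events with parent pids. The added example below, written for this page and not Tanium code, builds that tree from constructed events, walks a suspicious process back to its earliest recorded ancestor, and flags two patterns: a script interpreter with an Office application anywhere in its ancestry (the malicious-document chain), and PowerShell started with an encoded command. The events, pids, user names and command lines are assumptions; note also that keying by pid assumes no pid reuse inside the captured window, which a real recorder avoids by keying on pid plus start time.

```python
"""Reconstruct a process tree from recorded process-start events and walk
a suspicious process back to its root cause.

Added example, not Tanium code. The events, pids, user names and command
lines below are constructed. Events are keyed by pid, which assumes no pid
reuse inside the captured window; a recorder keys on pid plus start time.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Dict[str, object]

EVENTS: List[Event] = [
    {"ts": "09:00:00", "pid": 1200, "ppid": 800, "name": "explorer.exe",
     "user": "CORP\\alice", "cmd": "explorer.exe"},
    {"ts": "09:05:00", "pid": 2200, "ppid": 1200, "name": "chrome.exe",
     "user": "CORP\\alice", "cmd": "chrome.exe"},
    {"ts": "09:10:00", "pid": 3500, "ppid": 1200, "name": "powershell.exe",
     "user": "CORP\\alice", "cmd": "powershell Get-Date"},          # benign, from explorer
    {"ts": "09:12:10", "pid": 3012, "ppid": 1200, "name": "WINWORD.EXE",
     "user": "CORP\\alice", "cmd": "WINWORD.EXE /n invoice.docm"},
    {"ts": "09:12:31", "pid": 3900, "ppid": 3012, "name": "cmd.exe",
     "user": "CORP\\alice", "cmd": "cmd /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"ts": "09:12:32", "pid": 4100, "ppid": 3900, "name": "powershell.exe",
     "user": "CORP\\alice", "cmd": "powershell -nop -w hidden -enc SQBFAFgA"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_tree(events: List[Event]):
    """Index events by pid and build the parent -> children map."""
    by_pid = {e["pid"]: e for e in events}
    children: Dict[int, List[int]] = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def roots(by_pid) -> List[int]:
    """Processes whose parent was not recorded (started before monitoring began)."""
    return sorted(pid for pid, e in by_pid.items() if e["ppid"] not in by_pid)


def lineage(by_pid, pid: int) -> List[str]:
    """Process names from the earliest recorded ancestor down to pid."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def interpreters_with_office_ancestor(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Script interpreters anywhere beneath an Office application, i.e. the
    document -> cmd -> PowerShell chain, not just direct children."""
    by_pid, _ = build_tree(events)
    hits = []
    for e in events:
        if e["name"].lower() not in INTERPRETERS:
            continue
        office = [a for a in lineage(by_pid, e["ppid"]) if a.lower() in OFFICE]
        if office:
            hits.append((e["pid"], e["name"], office[-1]))
    return hits


def encoded_powershell(events: List[Event]) -> List[int]:
    """PowerShell launched with an encoded command line, a common evasion technique."""
    return [e["pid"] for e in events
            if e["name"].lower() == "powershell.exe"
            and any(tok in ("-enc", "-encodedcommand") for tok in e["cmd"].lower().split())]


def render(by_pid, children, pid: int, depth: int = 0) -> List[str]:
    """Indented text rendering of the subtree under pid, children in start order."""
    e = by_pid[pid]
    lines = [f"{'  ' * depth}{e['name']} (pid {pid}, {e['user']}) {e['cmd']}"]
    for child in sorted(children.get(pid, []), key=lambda p: by_pid[p]["ts"]):
        lines.extend(render(by_pid, children, child, depth + 1))
    return lines


if __name__ == "__main__":
    by_pid, children = build_tree(EVENTS)
    for root in roots(by_pid):
        print("\n".join(render(by_pid, children, root)))
    for pid in encoded_powershell(EVENTS):
        print("encoded PowerShell", pid, "lineage:", " -> ".join(lineage(by_pid, pid)))
```

The benign `powershell Get-Date` launched from explorer.exe is not flagged, while both cmd.exe and the encoded PowerShell under WINWORD.EXE are; checking the whole ancestry rather than the immediate parent is what catches the intermediate cmd.exe hop. The lineage of the encoded PowerShell (explorer.exe, WINWORD.EXE, cmd.exe, powershell.exe) is the root-cause answer the triage scenario asks for: a document opened by the user, not a remote exploit.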

Use Case: Use Newly-Discovered Leads To Scope A Compromise In Seconds

Once incident investigators have successfully unraveled the extent of compromise on an individual system, they must leverage their findings to assess the impact across the entire enterprise. This is a common point of failure for many organizations, since most endpoint detection and response solutions lack the speed, scalability, or ease of use required to efficiently scope an intrusion, or are designed to search only a limited set of collected data. Tanium is the only platform that can search across the historical, current-state, and latent data of all systems in an environment within seconds. In addition to ad-hoc and IOC hunting, Tanium can automatically link investigators to enterprise-wide searches generated from forensic artifacts and findings. This greatly accelerates the triage of complex incidents and ensures comprehensive remediation, even across millions of endpoints.

The following are just a few examples of typical findings on compromised systems that Tanium can query for and answer in seconds:
- Which computers have run a known-malicious process with a specific file name, directory, command line arguments, or hash?
- Which computers contain registry keys and values configured to load a malicious executable or DLL?
- Which computers contain active, recently created, or recently deleted files matching an attacker's preferred naming convention or path?
- Which systems and processes have communicated with a known-malicious IP address?
- What process, registry, or file system activity has been performed on any system during a specific timeframe of interest by a known-compromised account?
- Where has a known-compromised local or domain account previously logged in? On what systems is the user currently active?

Customer Story
Following news of a major breach, a public sector customer received a mandate to check every computer against a list of 120 MD5 hashes of malicious files within 30 days. The customer completed the entire process across over 100,000 endpoints and met the mandate in 4 hours.

Remediate: Eliminate Attackers And Security Weaknesses With Precision And Efficiency

Often, when security teams have completed their incident investigations and are ready to remediate issues and compromises, they are forced to hand off responsibility to different administrators using a patchwork of tools to execute the task. This fragmentation of the remediation process results in overworked administrators, bottlenecks, and fixes that often require days to complete.

WITH TANIUM
1. A single user can immediately issue any corrective action as necessary across millions of endpoints.
2. Teams have shared visibility, ensuring every fix is properly executed and that successful completion is verifiable in seconds, so that endpoints are not re-compromised over time.
3. Incident responders can adjust endpoint protections to block known in-process attacks from spreading in seconds.

Use Case: Eliminate Malware And Restore Control Over Compromised Endpoints

Once an incident has been fully scoped, remediation must be executed swiftly and precisely to limit the time adversaries have to counteract corrective measures. Existing tools are either too slow or do not provide the range of controls necessary to adapt to the rapidly evolving threat landscape and the sophisticated techniques at attackers' disposal. Using Tanium, incident responders can systematically quarantine every infected system, restricting its communication to the Tanium server only and preventing further attempts at lateral movement or data exfiltration. Unlike every other security solution, Tanium also allows administrators to take direct corrective measures on the endpoint, either on demand or on a routine basis, to kill viruses, worms, Trojans, bots, backdoors, and other malware, and to recover from incidents of any scale across distributed environments.

Consider these examples of malware remediation actions the Tanium platform can perform and complete in seconds on one or more endpoints on the network:
- Kill malicious running processes.
- Repair autorun registry keys.
- Demote or delete local accounts with elevated permissions.
- Reset compromised user credentials.
- Uninstall rogue applications.
- Close unauthorized connections or open ports.

Use Case: Deploy Emergency Security Updates For Critical Vulnerabilities

Accurately identifying machines that are susceptible to critical vulnerabilities, or affected by faulty software updates, on a global scale, and then deploying the necessary emergency patches, often takes days or even weeks with conventional patch management solutions. Prolonged exposure to critical vulnerabilities such as Heartbleed and Shellshock, which were actively exploited within hours of their disclosure, greatly heightens the risk of a devastating breach. Tanium empowers IT security teams to quickly assess patch levels across operating systems and applications, including but not limited to Windows, Java and Adobe Flash, and to fully deploy the necessary security updates enterprise-wide in minutes rather than weeks.

Customer Spotlight
In a severely bandwidth-constrained environment, a Tanium public sector customer deployed 1.2 million aggregate security patches during a 4-hour patch window while capping aggregate bandwidth at the server (the highest congestion point) at 250 Mbps.

Use Case: Adjust Endpoint Protections To Block An In-Process Attack

Effective remediation entails more than playing whack-a-mole with malware. Incident responders must move quickly (within seconds) to update endpoint protections (anti-virus, application control, and firewall) so that known attacks are blocked from spreading further. Tanium enables incident responders to move quickly from detection and investigation to action that proactively blocks an attack from spreading. With cloud adoption and the proliferation of mobile employees, the endpoint is the ultimate perimeter, and network-based technologies have limited effectiveness. With Tanium, operating system network controls such as Windows Firewall can be updated to block a particular port or IP address, such as a command-and-control site being used by an attacker. Tanium can also be used to update operating system application control such as Windows Software Restriction Policy (SRP) to block malware or other prohibited software known to be used as part of the attack.

About Tanium

TANIUM ENDPOINT PLATFORM
Serving as the central nervous system for enterprises and government organizations, the Tanium Endpoint Platform is the first and only platform that provides 15-second visibility and control to secure and manage every endpoint, even across the largest global networks. Tanium empowers security and IT operations teams to ask questions about the state of every endpoint across the enterprise in plain English, retrieve current and historical endpoint data, and execute change as necessary, all within seconds.

TANIUM MODULES
Purpose-built modules leverage the Tanium platform's patented linear-chaining architecture to deliver advanced features, workflows and reporting capabilities unique to the Tanium Endpoint Platform.

Tanium Incident Response™
Tanium Incident Response provides a broad set of capabilities to hunt, contain and remediate threats and vulnerabilities across every endpoint with unparalleled speed and scalability.

Tanium IOC Detect™
Tanium IOC Detect evaluates complex indicators of compromise (IOCs), which may contain dozens of artifact and attribute types such as file metadata, network activity, processes in memory and registry content, on endpoints across networks of any size in seconds. Tanium IOC Detect also lets security teams perform on-demand IOC scans or schedule automated scans at customizable intervals, and easily consolidate threat intelligence data from multiple TAXII feeds, third-party providers, or internal repositories.

Tanium Patch™
Tanium Patch automates patch management for Windows operating systems with speed, reliability, and ease of use, without requiring an expensive and complex supporting infrastructure to scale. Tanium Patch gives administrators patch status visibility and reporting across every endpoint in their enterprise, and facilitates automated workflows tailored to specific needs through customizable rules, views and dynamic groups.

Tanium Protect™
Tanium Protect enables organizations to more effectively leverage commonly deployed native operating system controls (e.g. anti-virus, firewall, application control) by simplifying and improving the effectiveness of their management. Tanium Protect lets customers move seamlessly from investigating their environment to taking proactive action to protect against threats, instantly.

Tanium Trace™
Tanium Trace helps incident response teams take an initial lead, quickly search, filter and visualize forensic data, and piece together the story of what happened on an endpoint at a given point in time. By monitoring the Windows kernel for system activity and continuously recording forensic evidence, Tanium Trace not only expedites analysis of a single endpoint, but also leverages the same data to identify compromised systems enterprise-wide in seconds.

To learn more, contact Tanium today: sales@tanium.com


More information

Carbon Black PCI Compliance Mapping Checklist

Carbon Black PCI Compliance Mapping Checklist Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and

More information

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance. Real-time Visibility Network Access Control Endpoint Compliance Mobile Security ForeScout CounterACT Continuous Monitoring and Mitigation Rapid Threat Response Benefits Rethink IT Security Security Do

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking

More information

SentinelOne Technical Brief

SentinelOne Technical Brief SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by behavior-based threat detection and intelligent automation.

More information

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that

More information

DATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE.

DATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE. RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE. KEY CUSTOMER BENEFITS: Gain complete visibility into all endpoints, regardless of whether they are on or off the

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

CyberArk Privileged Threat Analytics

CyberArk Privileged Threat Analytics CyberArk Privileged Threat Analytics Table of Contents The New Security Battleground: Inside Your Network 3 Privileged account security 3 Collect the right data 4 Detect critical threats 5 Alert on critical

More information

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS 10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND

More information

esendpoint Next-gen endpoint threat detection and response

esendpoint Next-gen endpoint threat detection and response DATA SHEET esendpoint Next-gen endpoint threat detection and response esendpoint powered by Carbon Black eliminates endpoint blind-spots that traditional technologies miss. Operating on a philosophy that

More information

SIEM Solutions from McAfee

SIEM Solutions from McAfee SIEM Solutions from McAfee Monitor. Prioritize. Investigate. Respond. Today s security information and event management (SIEM) solutions need to be able to identify and defend against attacks within an

More information

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com Protect Your Endpoint, Keep Your Business Safe. White Paper Exosphere, Inc. getexosphere.com White Paper Today s Threat Landscape Cyber attacks today are increasingly sophisticated and widespread, rendering

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Enhancing the Cybersecurity of Federal Information and Assets through CSIP TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3

More information

Reducing the Cost of Incident Response

Reducing the Cost of Incident Response Reducing the Cost of Incident Response Introduction Cb Response is the most complete endpoint detection and response solution available to security teams who want a single platform for hunting threats,

More information

RSA NetWitness Suite Respond in Minutes, Not Months

RSA NetWitness Suite Respond in Minutes, Not Months RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations

More information

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response Advanced Threat Hunting with Carbon Black Enterprise Response TABLE OF CONTENTS Overview Threat Hunting Defined Existing Challenges and Solutions Prioritize Endpoint Data Collection Over Detection Leverage

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

Building Resilience in a Digital Enterprise

Building Resilience in a Digital Enterprise Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain.

More information

Resolving Security s Biggest Productivity Killer

Resolving Security s Biggest Productivity Killer cybereason Resolving Security s Biggest Productivity Killer How Automated Detection Reduces Alert Fatigue and Cuts Response Time 2016 Cybereason. All rights reserved. 1 In today s security environment,

More information

CloudSOC and Security.cloud for Microsoft Office 365

CloudSOC and  Security.cloud for Microsoft Office 365 Solution Brief CloudSOC and Email Security.cloud for Microsoft Office 365 DID YOU KNOW? Email is the #1 delivery mechanism for malware. 1 Over 40% of compliance related data in Office 365 is overexposed

More information

ISO27001 Preparing your business with Snare

ISO27001 Preparing your business with Snare WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security

More information

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved. Key Technologies for Security Operations 2 Traditional Security Is Not Working 97% of breaches led to compromise within days or less with 72% leading to data exfiltration in the same time Source: Verizon

More information

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION BREACH & ATTACK SIMULATION THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION Cymulate s cyber simulation platform allows you to test your security assumptions, identify possible security gaps and receive

More information

Managed Endpoint Defense

Managed Endpoint Defense DATA SHEET Managed Endpoint Defense Powered by CB Defense Next-gen endpoint threat detection and response DEPLOY AND HARDEN. Rapidly deploy and optimize endpoint prevention with dedicated security experts

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR C R O W D S T R I K E P U B L I C S E C T O R S O L U T I O N S CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR SECURE YOUR ENTERPRISE WITH A THAT PROVIDES UNRIVALED PROTECTION, SECURITY EXPERTISE, AND OPTIMAL

More information

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE Vectra Cognito HIGHLIGHTS Finds active attackers inside your network Automates security investigations with conclusive

More information

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Critical Security Control Solution Brief Version 6 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable,

More information

Un SOC avanzato per una efficace risposta al cybercrime

Un SOC avanzato per una efficace risposta al cybercrime Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat

More information

Speed Up Incident Response with Actionable Forensic Analytics

Speed Up Incident Response with Actionable Forensic Analytics WHITEPAPER DATA SHEET Speed Up Incident Response with Actionable Forensic Analytics Close the Gap between Threat Detection and Effective Response with Continuous Monitoring January 15, 2015 Table of Contents

More information

CA Security Management

CA Security Management CA Security CA Security CA Security In today s business environment, security remains one of the most pressing IT concerns. Most organizations are struggling to protect an increasing amount of disparate

More information

Novetta Cyber Analytics

Novetta Cyber Analytics Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

SentryWire Next generation packet capture and network security.

SentryWire Next generation packet capture and network security. Next generation packet capture and network security. 1 The data landscape 5 big cyber security trends for 2018 More data, more danger. Data proliferation brings many new opportunities but also many downsides:

More information

SentryWire Next generation packet capture and network security.

SentryWire Next generation packet capture and network security. Next generation packet capture and network security. 1 The data landscape More data, more danger. Data proliferation brings many new opportunities but also many downsides: more data breaches, more sophisticated

More information

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

THE ACCENTURE CYBER DEFENSE SOLUTION

THE ACCENTURE CYBER DEFENSE SOLUTION THE ACCENTURE CYBER DEFENSE SOLUTION A MANAGED SERVICE FOR CYBER DEFENSE FROM ACCENTURE AND SPLUNK. YOUR CURRENT APPROACHES TO CYBER DEFENSE COULD BE PUTTING YOU AT RISK Cyber-attacks are increasingly

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Privileged Account Security: A Balanced Approach to Securing Unix Environments Privileged Account Security: A Balanced Approach to Securing Unix Environments Table of Contents Introduction 3 Every User is a Privileged User 3 Privileged Account Security: A Balanced Approach 3 Privileged

More information

Client Health Key Features Datasheet. Client Health Key Features Datasheet

Client Health Key Features Datasheet. Client Health Key Features Datasheet Client Health Key Features Datasheet Client Health Key Features Datasheet Introducing the fastest way to manage endpoint health and security at scale Are you spending countless hours trying to find and

More information

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave EFFECTIVELY TARGETING ADVANCED THREATS Terry Sangha Sales Engineer at Trustwave THE CHALLENGE PROTECTING YOUR ENVIRONMENT IS NOT GETTING EASIER ENDPOINT POINT OF SALE MOBILE VULNERABILITY MANAGEMENT CYBER

More information

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE 1 EXECUTIVE SUMMARY Attackers have repeatedly demonstrated they can bypass an organization s conventional defenses. To remain effective,

More information

Fast Incident Investigation and Response with CylanceOPTICS

Fast Incident Investigation and Response with CylanceOPTICS Fast Incident Investigation and Response with CylanceOPTICS Feature Focus Incident Investigation and Response Identifying a potential security issue in any environment is important, however, to protect

More information

Automating the Top 20 CIS Critical Security Controls

Automating the Top 20 CIS Critical Security Controls 20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises

More information

SIEM: Five Requirements that Solve the Bigger Business Issues

SIEM: Five Requirements that Solve the Bigger Business Issues SIEM: Five Requirements that Solve the Bigger Business Issues After more than a decade functioning in production environments, security information and event management (SIEM) solutions are now considered

More information

Sustainable Security Operations

Sustainable Security Operations Sustainable Security Operations Optimize processes and tools to make the most of your team s time and talent The number and types of security incidents organizations face daily are steadily increasing,

More information

MEETING ISO STANDARDS

MEETING ISO STANDARDS WHITE PAPER MEETING ISO 27002 STANDARDS September 2018 SECURITY GUIDELINE COMPLIANCE Organizations have seen a rapid increase in malicious insider threats, sensitive data exfiltration, and other advanced

More information

CA Host-Based Intrusion Prevention System r8

CA Host-Based Intrusion Prevention System r8 PRODUCT BRIEF: CA HOST-BASED INTRUSION PREVENTION SYSTEM CA Host-Based Intrusion Prevention System r8 CA HOST-BASED INTRUSION PREVENTION SYSTEM (CA HIPS) BLENDS A STAND-ALONE FIREWALL WITH INTRUSION DETECTION

More information

The Cognito automated threat detection and response platform

The Cognito automated threat detection and response platform Overview The Cognito automated threat detection and response platform HIGHLIGHTS Finds active cyberattackers inside cloud, data center and enterprise environments Automates security investigations with

More information

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments Today s PCI compliance landscape is one of continuing change and scrutiny. Given the number

More information

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC

More information

McAfee Total Protection for Data Loss Prevention

McAfee Total Protection for Data Loss Prevention McAfee Total Protection for Data Loss Prevention Protect data leaks. Stay ahead of threats. Manage with ease. Key Advantages As regulations and corporate standards place increasing demands on IT to ensure

More information

10x Increase Your Team s Effectiveness by Automating the Boring Stuff

10x Increase Your Team s Effectiveness by Automating the Boring Stuff SESSION ID: TTA-R02 10x Increase Your Team s Effectiveness by Automating the Boring Stuff Jonathan Trull Chief Cybersecurity Advisor Microsoft @jonathantrull Vidhi Agarwal Senior Program Manager Microsoft

More information

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO INFORMATION SECURITY PAINS CISO RESPONSIBILITY WITHOUT AUTHORITY INVENTORY TO MANAGE ALERTS WITHOUT MEANING ASSETS SPREAD ACROSS

More information

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection Zero Trust on the Endpoint Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection March 2015 Executive Summary The Forrester Zero Trust Model (Zero Trust) of information

More information

Vectra Cognito. Brochure HIGHLIGHTS. Security analyst in software

Vectra Cognito. Brochure HIGHLIGHTS. Security analyst in software Brochure Vectra Cognito HIGHLIGHTS Finds active attackers inside your network Automates security investigations with conclusive answers Persistently tracks threats across all phases of attack Monitors

More information

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER HOW TO ADDRESS GARTNER S FIVE CHARACTERISTICS OF AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER 1 POWERING ACTIONABLE

More information

Building a Threat-Based Cyber Team

Building a Threat-Based Cyber Team Building a Threat-Based Cyber Team Anthony Talamantes Manager, Defensive Cyber Operations Todd Kight Lead Cyber Threat Analyst Sep 26, 2017 Washington, DC Forward-Looking Statements During the course of

More information

RSA ADVANCED SOC SERVICES

RSA ADVANCED SOC SERVICES RSA ADVANCED SOC SERVICES Consulting services to improve threat detection and response EXECUTIVE SUMMARY A holistic approach to enhanced cybersecurity operations This service is for organizations needing

More information

TRUE SECURITY-AS-A-SERVICE

TRUE SECURITY-AS-A-SERVICE TRUE SECURITY-AS-A-SERVICE To effectively defend against today s cybercriminals, organizations must look at ways to expand their ability to secure and maintain compliance across their evolving IT infrastructure.

More information

Arbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA

Arbor Networks Spectrum. Wim De Niel Consulting Engineer EMEA Arbor Networks Spectrum Wim De Niel Consulting Engineer EMEA wdeniel@arbor.net Arbor Spectrum for Advanced Threats Spectrum Finds Advanced Threats with Network Traffic Unlocks Efficiency to Detect, Investigate,

More information

the SWIFT Customer Security

the SWIFT Customer Security TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This

More information

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

ForeScout Extended Module for Splunk

ForeScout Extended Module for Splunk Enterprise Strategy Group Getting to the bigger truth. ESG Lab Review ForeScout Extended Module for Splunk Date: May 2017 Author: Tony Palmer, Senior Lab Analyst Abstract This report provides a first look

More information

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis White paper How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis AhnLab, Inc. Table of Contents Introduction... 1 Multidimensional Analysis... 1 Cloud-based Analysis...

More information

Incident Response Agility: Leverage the Past and Present into the Future

Incident Response Agility: Leverage the Past and Present into the Future SESSION ID: SPO1-W03 Incident Response Agility: Leverage the Past and Present into the Future Torry Campbell CTO, Endpoint and Management Technologies Intel Security The Reality we Face Reconnaissance

More information

Advanced Endpoint Protection

Advanced Endpoint Protection Advanced Endpoint Protection Protecting Endpoints and Servers Nick Levay, Chief Security Officer, Bit9 @rattle1337 2014 Bit9. All Rights Reserved About Me Chief Security Officer, Bit9

More information

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS Digital Forensics Readiness: PREPARE BEFORE AN INCIDENT HAPPENS 2 Digital Forensics Readiness The idea that all networks can be compromised

More information

Aligning with the Critical Security Controls to Achieve Quick Security Wins

Aligning with the Critical Security Controls to Achieve Quick Security Wins Aligning with the Critical Security Controls to Achieve Quick Security Wins Background The Council on CyberSecurity s Critical Security Controls for Effective Cyber Defense provide guidance on easy wins

More information

Office 365 Buyers Guide: Best Practices for Securing Office 365

Office 365 Buyers Guide: Best Practices for Securing Office 365 Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.

More information

locuz.com SOC Services

locuz.com SOC Services locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security

More information

BUFFERZONE Advanced Endpoint Security

BUFFERZONE Advanced Endpoint Security BUFFERZONE Advanced Endpoint Security Enterprise-grade Containment, Bridging and Intelligence BUFFERZONE defends endpoints against a wide range of advanced and targeted threats with patented containment,

More information

ADVANCED THREAT HUNTING

ADVANCED THREAT HUNTING ERADICATE CONCEALED THREATS: ADVANCED THREAT HUNTING WITH CARBON BLACK OVERVIEW OVERVIEW In a SANS survey, 56% of incident responders claim they assume their enterprise is already compromised i. By preparing

More information

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX 1 INTRODUCTION The MITRE Corporation Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK ) Matrix provides a model

More information

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter WHITEPAPER Enterprise Cyber Risk Management Protecting IT Assets that Matter Contents Protecting IT Assets That Matter... 3 Today s Cyber Security and Risk Management: Isolated, Fragmented and Broken...4

More information

SIEMLESS THREAT MANAGEMENT

SIEMLESS THREAT MANAGEMENT SOLUTION BRIEF: SIEMLESS THREAT MANAGEMENT SECURITY AND COMPLIANCE COVERAGE FOR APPLICATIONS IN ANY ENVIRONMENT Evolving threats, expanding compliance risks, and resource constraints require a new approach.

More information

How CyberArk can help mitigate security vulnerabilities in Industrial Control Systems

How CyberArk can help mitigate security vulnerabilities in Industrial Control Systems How CyberArk can help mitigate security vulnerabilities in Industrial Control Systems Table of Contents Introduction 3 Industrial Control Systems Security Vulnerabilities 3 Prolific Use of Administrative

More information

MEMORY AND BEHAVIORAL PROTECTION ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

MEMORY AND BEHAVIORAL PROTECTION ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY MEMORY AND BEHAVIORAL PROTECTION ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY FACT: COMPUTERS AND SERVERS ARE STILL AT RISK CONVENTIONAL TOOLS NO LONGER MEASURE UP Despite pouring

More information
