Data-driven cyber risk management using Tanium

By Paul Bottomley, Endpoint Hunt Lead, and
Wietze Beukema, Endpoint Hunt Senior Analyst

Data-driven cyber risk management

A new approach to cyber risk management is needed. Our data-driven solution to identify, validate, measure and track risk over time assembles a set of powerful interactive dashboards that enrich endpoint data collected using Tanium. This single visualisation layer presents broad sets of telemetry in the form of impactful metrics and data points, that can be cut, sliced, and filtered in a number of ways, and tracked over time in a repeatable way.

Our solution is underpinned by the following five features:

1. Asset identification: Asset qualification is the foundation of this model. Organisations need to understand what assets are connected to their network, both known (“managed”) and unknown (“unmanaged”), and at a deeper level, attributes of these endpoints such as operating system (including vendor support status), business functionality, domain, and geographic location. But more importantly, augmenting this data with asset criticality and business impact information to provide focus.
2. Threat actor tracking: Understanding threat actors known to target your sector. This includes understanding their Tactics, Techniques and Procedures (TTPs) and how they manifest on the endpoint and network. It also involves understanding the methods (and subsequent indicators of compromise) that can be used to detect the attacker breaching the network, moving laterally across systems, finding their targets, and acquiring and exfiltrating data.
3. Security and hygiene (risk) indicators: This concept consists of a range of different things, but at its core, involves identifying operating system and application vulnerabilities, configuration drift away from a standard (for example Center for Internet Security), critical applications that are not installed and operational, out-of-date antivirus definitions, etc.
4. Remediation: Applying controls to address risk indicators. An important concept is prioritisation – how do you address issues and in what order? For example, it would be of high importance to address a critical vulnerability (Common Vulnerability Scoring System (CVSS) v3.0 score 9.0-10.0) that has a known public exploit available that exists on a web-facing endpoint.
5. Measure, report and track: A consistent set of metrics, tracked over time, for management teams to report upwards to articulate an organisation’s risk position, how it is changing over time, and where further investment is required.

Asset identification

An example of the first concept, asset identification, can be seen on our Managed Endpoints dashboard, one of twelve dashboards our IT and Cyber Risk Visualisation service offers.

By combining asset data collected using Tanium with Configuration Management Database (CMDB) data, it is possible to establish what ‘role’ each endpoint has within your IT estate, and how critical it is to your business. This allows you to prioritise the assets most important to your organisation, rather than looking at all your assets as though they were equal.

You may also want to look at your data based on tags you have assigned to endpoints within Tanium. Some organisations use these tags to distinguish endpoints based on their criticality, geographic location, whether they are development or production machines, applications running on the endpoint, and so on. Being able to get the latest tag mapping and filter all other Tanium output using this datapoint provides a quick and flexible way to slice your data. Once again, this filter is available on every dashboard.

Threat actor tracking

As well as internal enrichment sources, ‘external’ information is just as important. An example of this is taking a closer look at Common Vulnerabilities and Exposures (CVEs) and TTPs used by attackers targeting your sector. These actors are more likely to target your organisation too, so at a minimum you should consider what methods they have used in the past and take preventative measures.

An example of this can be seen on our Signals dashboard, which shows the behavioural rules (Tanium Signals) that have generated alerts. We implemented a MITRE ATT&CK® visualisation to show how these alerts and TTPs align. If we correlate this with data from our Threat Intelligence team for your sector, we get a subset of alerts that should probably be prioritised. Combine this with your internal role/criticality mapping, and you get a much richer understanding of the risk such alerts impose.

Tanium Signals provide important real-time insights on actual, observable threats within your estate, as we have previously written about in the Signal the ATT&CK blog series.

Security and hygiene (risk) factors

An example of the third concept, security and hygiene (risk) indicators, can be seen on our Vulnerabilities dashboard, which is all about CVEs identified on your estate.

A key factor in determining the impact a CVE might have is the CVSS score, which plays a prominent role on this dashboard. Because all dashboards are fully interactive, it is possible to search for specific CVEs, highlight multiple vulnerabilities on the scatter plot or filter on CVSS score. A breakdown of CVSS severity versus endpoint role and criticality, as can be seen in the top right corner, helps focus your attention on the vulnerabilities that matter most.

Other helpful ways of looking at your data, for example considering CVE year to distinguish old and new vulnerabilities, or CVE vendor to identify where you need to improve patching, can give unique insights that are hard or impossible to get by looking at the raw data.

Another example of enriching your data with external data points is the Public Exploit angle, for which we automatically look up CVEs against a database of publicly available exploits. These vulnerabilities have the highest potential of being abused by attackers, and are therefore something you may want to consider when comparing the real risk a vulnerability poses.

Once you combine all these tools together, you can really see the most serious vulnerabilities posing the biggest threat to your environment. Perhaps you want to filter CVEs that are present on your most valuable assets, have a CVSS score of 8.0 and above, have a public exploit available and are internet facing. Using your current tooling and methods, would you be able to find these CVEs with the same ease?

Remediation

To remediate the CVE issues found, as per the fourth concept, we have a dedicated Patching dashboard focusing on fixing Microsoft vulnerabilities. Once again, public data sources are leveraged to provide more context. By using real-time information from the Microsoft Security Updates API, it is possible to see which patches should be installed to resolve the highest number of vulnerabilities.

If you are familiar with Microsoft patches (‘KBs’), you will be aware that sometimes there are multiple patches available to fix the same vulnerability. By looking at all available patches across your entire estate, it is possible to work out which patches will address the most vulnerabilities.

The green tree map in the bottom left corner contains a rectangle for each eligible patch: the bigger the rectangle, the more vulnerabilities it will fix. For example, in the animation above, after filtering on Microsoft CVEs with the highest severity level, we see that over 5,500 of the 17,000 vulnerabilities can be addressed by installing just 7 patches.

Similar to all other pages, further drilling this down will give even more environment-specific insights, e.g. by filtering on endpoint criticality, business unit, region, and so on.

Measure, report and track

The only way to tell your board you’re making progressis by tracking your risk, our fifth concept. Every dashboard has a time filter that looks at the same page in the past, which makes comparing results easier. A good example of this is the Patching Efficacy dashboard, which shows detailed charts and metrics reflecting the ‘real’ state of your patching efforts. Once again, through filtering and drilling down, it is possible to see, for example, if you are meeting your service level agreements (SLAs) for resolving critical vulnerabilities on your most important assets, to determine how well you’re doing at resolving a specific CVE, or to compare how well different business units are doing at patching.

In summary, having dedicated tooling that allows you to identify and assess the risk of the real cyber threats your organisation is facing, by being able to quantify this in a way that reflects the nuances of your IT estate, as well as measuring, reporting and tracking this over time, is instrumental when getting a handle on your cyber security risk.

Combining Tanium’s rich data sets with our powerful models, methodology and dashboards, it is possible to achieve all of the above in a simple and accessible dashboard.

If you want to see more, we’re more than happy to give you a full demonstration or provide you access to our demo environment. Please reach out to us to learn more.