Benchmark overview

Use Tanium™ Benchmark to understand the state of your security program, compared to other Tanium Cloud customers. You can use the reports to communicate key trends, improvements, and industry benchmarks for executive and board-level reporting. By using Benchmark to continuously monitor endpoints, you can improve your compliance and risk posture.

Benchmarks

Use benchmark metrics to compare your environment to other Tanium customers. Benchmark data is collected from Tanium Cloud customers, where contractually allowed. This data is stored in aggregate and anonymized.

For each metric, the data is presented over time as a percentile value and by detailed data. You can compare your data to the benchmark values.

On the Benchmark home page, you can view the metrics as a Percentile Distribution or Percentile Over Time chart.

Percentile Distribution

The Percentile Distribution chart for each metric is a bell chart distribution of values across all Tanium customers, and shows the target benchmark percentile you selected, along with your current percentile for the metric. The 50% indicator is the median for this data set. The center of the curve in the chart shows the mean of the data set. In the following example, the target benchmark percentile is 50, and your value is in the 51st percentile.

Percentile Over Time

The Percentile Over Time chart is a time series representation of the data. In the following example, the straight line represents the target benchmark, and the data points show this metric in your environment for the selected time period.

For more information about Benchmark metrics, see Reviewing benchmark data.

Risk score

The risk score is a numerical score that represents the overall risk of the enterprise based on data from every managed endpoint. The possible range for a risk score is 1-1000. A lower score indicates a lower risk for the enterprise or endpoint. Scores are categorized into low, medium, high, or critical:

  • Low: 1-250
  • Medium: 251-500
  • High: 501-750
  • Critical: 751-1000

The following formula is used to calculate the risk score for each managed endpoint:

(Risk Vectors x Endpoint Criticality) x (100% - Compensating Control %) = Endpoint Score

The results from all reporting managed endpoints are averaged, which results in the total score for the enterprise.

Benchmark uses Tanium Data Service to include results for offline endpoints. For more information on Tanium Data Service, see Tanium Interact User Guide: Managing Tanium Data Service.

By default, data for the risk score is gathered from endpoints and stored every 2 hours throughout the day. The total score for the enterprise is calculated several times per day to update the charts on the Benchmark Overview page. The total score for the enterprise and the risk vector scores are stored as a data point once every 24 hours to preserve a daily record, which allows you to monitor changes over time.

The Risk Metrics section on the Tanium Risk Score page breaks down the score for endpoints into specific categories and use cases so that you can quickly identify high risk endpoints. Click the title of a chart in the Risk Metrics section to open the Risk Detail page for that metric.


Factors that influence the risk score

Use data from Benchmark to determine actions that can decrease the overall risk score for your enterprise. Several factors influence the risk score for your environment. Some factors increase the score and others decrease it.

Risk vectors

Risk vectors assess the risk for your enterprise in specific categories by using data provided by Tanium solutions. These data points are used as part of the formula to calculate the risk score:

  • System Vulnerability
  • System Compliance
  • Administrative Access
  • Password Identification
  • Expired Certificates
  • Insecure SSL/TLS

For more information about each of these vectors, see Investigating risk vectors.

Endpoint criticality

Endpoint criticality is a level on an individual endpoint that is used to add context about the endpoint in the organization. Possible levels are Critical, High, Medium, and Low. These levels indicate the endpoint's importance in your environment.

The score for an endpoint is adjusted based on the criticality level:

  • Low: No adjustment to the score for the endpoint
  • Medium: (Default) Multiplies the score for the endpoint by 1.33
  • High: Multiplies the score for the endpoint by 1.67
  • Critical: Multiplies the score for the endpoint by 2

For example, if an endpoint has a score of 200, but the endpoint is flagged as critical, the score reported for that endpoint is 400.

Benchmark uses Tanium Criticality to manage criticality levels for endpoints. For more information, see Tanium Criticality User Guide: Criticality overview.

Compensating controls

Compensating controls are security best practices or configurations for hardware, operating systems, and storage that you can apply to endpoints to reduce the risk score for those endpoints.

For example, if the firewall is enabled for an endpoint, the score for that endpoint decreases by 6%. For more information, see Applying compensating controls.
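
The following Python sketch works through the endpoint score formula with the criticality multipliers and score categories listed above. It is an added example, not Tanium code. It assumes that the risk vectors are already combined into one base value, that multiple compensating control percentages add together (capped at 100%), and that results are clamped to the 1-1000 range; the fleet data is constructed.

```python
# Added illustration of the Endpoint Score formula; not Tanium code.
# Multipliers and category bands are the values listed on this page.
CRITICALITY_MULTIPLIER = {"Low": 1.0, "Medium": 1.33, "High": 1.67, "Critical": 2.0}
BANDS = [(250, "Low"), (500, "Medium"), (750, "High"), (1000, "Critical")]


def endpoint_score(risk_vectors, criticality="Medium", control_pcts=()):
    """(Risk Vectors x Endpoint Criticality) x (100% - Compensating Control %)."""
    if criticality not in CRITICALITY_MULTIPLIER:
        raise ValueError(f"unknown criticality level: {criticality!r}")
    # Assumption: percentages from several controls add up, capped at 100%.
    reduction = min(sum(control_pcts), 100.0)
    raw = risk_vectors * CRITICALITY_MULTIPLIER[criticality] * (1 - reduction / 100)
    # Assumption: the result is clamped to the documented 1-1000 range.
    return max(1, min(1000, round(raw)))


def category(score):
    """Map a score to Low / Medium / High / Critical."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")


def enterprise_score(endpoints):
    """Average the scores of all reporting endpoints."""
    scores = [endpoint_score(**e) for e in endpoints]
    return round(sum(scores) / len(scores))


# Constructed sample fleet. The base values are hypothetical; 6 is the
# firewall reduction given in the text.
FLEET = [
    {"risk_vectors": 200, "criticality": "Critical"},
    {"risk_vectors": 300, "criticality": "Medium", "control_pcts": [6]},
    {"risk_vectors": 400, "criticality": "High"},
]

if __name__ == "__main__":
    for e in FLEET:
        s = endpoint_score(**e)
        print(e, "->", s, category(s))
    total = enterprise_score(FLEET)
    print("enterprise:", total, category(total))
```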

Interoperability with other Tanium products

Benchmark works with Tanium™ Comply, Tanium™ Criticality, Tanium™ Impact, Tanium™ Patch, and Tanium™ Reveal. Other Tanium products provide benchmark metrics.

Comply

Comply provides data about endpoint vulnerabilities and compliance to Benchmark. To investigate the vulnerability or configuration compliance issues in Comply, open the Comply Findings page for specific endpoints, Common Vulnerabilities and Exposures (CVEs), or compliance check IDs from the System Vulnerability and System Compliance risk vector pages. For more information, see System Vulnerability and System Compliance.

Comply provides data for the High Severity Vulnerabilities benchmark.

Criticality

Assign and manage criticality levels for endpoints. Benchmark uses the criticality levels in endpoint risk score calculations. For more information, see Tanium Criticality User Guide: Assigning criticality to endpoints.

Deploy

If you have a license for the Deploy solution, Deploy provides data for the Software Update Compliance and Mean Time to Update metrics.

Enforce

If you have a license for the Enforce solution, Enforce provides the data for the Missing Antivirus, Out of Date Antivirus, Missing Disk Encryption, and Firewall Disabled metrics.

Impact

Impact provides data about administrative access for endpoints, users, and groups to Benchmark. You can open Impact from the Administrative Access risk vector page to analyze potential lateral movement for users, groups, and endpoints. For more information, see Administrative Access.

Impact provides the data for the Endpoint Impact Score and Impact Rating of Machines with Alerts metrics.

Patch

You can pivot to Patch to investigate specific Common Vulnerabilities and Exposures (CVEs) identified in the Highest Vulnerability Count by Highest CVE chart on the System Vulnerability risk vector page. For more information, see System Vulnerability.

Patch provides the data for the Patch Compliance and Mean Time to Patch metrics.

Reporting

Reporting provides detailed data for Benchmark metrics. For more information, see Tanium Reporting User Guide: Overview.

Reveal

Reveal provides data about unencrypted saved passwords or sensitive data on endpoints to Benchmark. From the Password Identification risk vector page, you can open the associated Rules page in Reveal, where you can connect to one or more endpoints and investigate the finding. For more information, see Password Identification.

Threat Response

If you have a license for the Threat Response solution, Threat Response provides the data for the Average Alerts per Day and Impact Rating of Machines with Alerts metrics.