Gaining organizational effectiveness

The four key organizational governance steps to maximizing the value that is delivered by Deploy are as follows:

Change management

Develop a tailored, dedicated change management process for software management, taking into account the new capabilities provided by Tanium.

  • Update SLAs with elevated expectations, from software identification through software deployment.
  • Identify the key resources in your organization that review and approve software, so that deployments are effective (for example, aligned to an organization-specific RACI chart).
  • Align Tanium software management activities to key resources across the IT Security, IT Operations, and IT Risk/Compliance teams.
  • Designate change or maintenance windows for every software management scenario (for example, emergency upgrades versus general software upgrades) so that software management stays effective.
  • Create a Tanium steering group (TSG) for software management activities, to expedite reviews and approvals of processes that align with SLAs.

RACI chart

A RACI chart identifies the team or resource that is Responsible, Accountable, Consulted, and Informed, and serves as a guideline for describing the key activities across the security, risk/compliance, and operations teams. Every organization has its own business processes and IT organization demands. The following table represents Tanium's point of view on how organizations should align functional resources to software management. Use it as a baseline example.

Key: R = Responsible, A = Accountable, C = Consulted, I = Informed, - = not involved.

Task: Deploy new or update existing corporate software (see Standard Deploy install/update workflow)
  IT Security: I | IT Operations: A/R | IT Risk/Compliance: I | Executive: -
  Rationale: Deployment of existing, approved corporate software and updating software versions is owned by the operations team. Include predefined notifications so that the security and risk/compliance teams are informed.

Task: Deploy newly introduced corporate software (see Standard Deploy install/update workflow)
  IT Security: C | IT Operations: A/R | IT Risk/Compliance: I | Executive: -
  Rationale: Deployment of newly introduced corporate software is owned by the operations team. Include predefined notifications so that the security team is consulted and the risk/compliance team is informed.

Task: Update or remove software due to threat intel/vulnerability (see Standard threat intel/vulnerability update/remove workflow)
  IT Security: A | IT Operations: R | IT Risk/Compliance: C | Executive: I
  Rationale: Updating or removing corporate software that could be a threat to the environment is executed by the operations team, while the security team is ultimately accountable because the threat is deemed a risk to the environment. The risk/compliance team is consulted to ensure the update or removal is complete. The executive team is informed of progress.

Task: Testing of new or updated software
  IT Security: I | IT Operations: A/R | IT Risk/Compliance: C | Executive: -
  Rationale: New corporate software should be tested to ensure compliance with current standards. The operations team owns the execution and responsibility for testing, with consultation from the risk/compliance team. The security team is informed that the new software can be deployed.

Task: User acceptance testing (UAT) and deployment to production
  IT Security: I | IT Operations: A/R | IT Risk/Compliance: C | Executive: -
  Rationale: New corporate software should be tested to ensure compliance with current standards before deployment to production. The operations team owns the execution and responsibility for testing, with consultation from the risk/compliance team. The security team is informed that the new software is being deployed.

Task: Publish optional software to the Self Service application
  IT Security: I | IT Operations: A/R | IT Risk/Compliance: I | Executive: -
  Rationale: The operations team is responsible and accountable for offering users the Self Service application, with the ability to add or remove software as the user chooses. The risk/compliance and security teams are informed of the options that are presented to the user.

Task: Reporting metrics/dashboard of deployment or removal
  IT Security: C | IT Operations: A/R | IT Risk/Compliance: C | Executive: I
  Rationale: The operations team is responsible and accountable for the deployment or removal process, consulting the security and risk/compliance teams on any questions or concerns. The executive team is informed of key metrics that affect the environment.
Figure  1:  Standard Deploy install/update workflow
Figure  2:  Standard threat intel/vulnerability update/remove workflow

Organizational alignment

Successful organizations use Tanium across functional silos as a common platform for high-fidelity endpoint data and unified endpoint management. Tanium provides a common data schema that lets the security, operations, and risk/compliance teams ensure that they are acting on a common set of facts delivered by a unified platform.

In the absence of cross-functional alignment, functional silos often spend time and effort in litigating data quality instead of making decisions to improve software management.

Operational metrics

Deploy maturity

Running a software management program successfully means operationalizing the technology and measuring success through key benchmark metrics. The four key processes for measuring and guiding the operational maturity of your Tanium Deploy program are as follows:

Usage: how and when Tanium Deploy is used in your organization
Automation: how automated Tanium Deploy is, across endpoints
Functional integration: how integrated Tanium Deploy is across the IT security, IT operations, and IT risk/compliance teams
Reporting: how automated Tanium Deploy reporting is, and who the audience of software management reporting is

Benchmark metrics

In addition to the four key processes, the four key benchmark metrics that track the operational maturity of the Tanium Deploy program, and that you use to achieve maximum value from it, are as follows:

Executive metric: Deploy Coverage
  Description: Number of endpoints in each of these categories:
    • Optimal: Endpoints where Deploy is operational
    • Needs Attention: Endpoints that do not have the Deploy tools installed, are not targeted by a profile, or do not have a supported version of the Tanium Client installed
    • Unsupported: Endpoints with an operating system version that is not supported by Deploy
  Instrumentation: Uses the Deploy - Coverage Status sensor to determine the endpoints where Deploy is optimal, needs attention, or is unsupported.
  Why this metric matters: A low percentage of Optimal endpoints against the total manageable endpoints indicates that Deploy is not being used to its full potential and that maximum ROI is not being achieved, because you are covering only part of the environment. You cannot deploy software or update third-party applications on devices that are not under management (members of the Deploy action group), and you cannot get full visibility of your environment without the tools being installed.

Executive metric: Endpoints Missing Software Updates Released Over 30 Days
  Description: Percentage of endpoints that require an update.
  Instrumentation: Number of endpoints reporting at least one software application that has been eligible for an update for more than 30 days, divided by the number of endpoints managed by Deploy.
  Why this metric matters: A high percentage indicates that there is no third-party update process or that the current process is not working. It also indicates configuration drift and could point to a wider issue (for example, all users having admin rights). The Package Gallery can also provide insight into the overall state of the environment before import.

Executive metric: Mean Time to Deploy Software
  Description: Average number of days it takes to install or upgrade software on workstations.
  Instrumentation: The time from the software availability date to the software installation date, averaged by system, over the last three months.
  Why this metric matters: If it takes too long to deploy software and validate that it was applied, you remain exposed to the vulnerabilities that the software addresses. Tanium is effective at distributing the software catalog and deployments and at providing visibility across the enterprise. Package building is simple and quick with Deploy, and more so when you start from a pre-built template in the Package Gallery to edit or test directly.

Executive metric: Software Installed by Self Service User Request
  Description: Percentage of software that is installed through the Self Service Client application.
  Instrumentation: Number of successful deployments through Self Service, divided by the total number of successful deployments on an endpoint, over the last three months.
  Why this metric matters: A moderate percentage means that users are installing software on their own without using IT resources such as a help desk. A high percentage indicates too much dependency on user-installed applications and implies that administrative software installations are down, which can show a lack of control over software installations. A low or zero number indicates that the feature is underused or not used at all.

Use the following table to determine the maturity level for Tanium Deploy in your organization.

Levels: Level 1 (Needs improvement), Level 2 (Below average), Level 3 (Average), Level 4 (Above average), Level 5 (Optimized).

Process: Usage
  Level 1: Deploy configured; known common software imported from the Tanium Package Gallery
  Level 2: Piloting deployment of new software; creating packages and bundles; Deploy is used by exception
  Level 3: Deploy is used for software updates, new software, and removal of software to audit legacy tooling
  Level 4: Deploy is used as the default tooling for software updates, new software deployment, and removal of software; legacy tooling is used for audit
  Level 5: Deploy is used as the default tooling for software updates, new software deployment, and removal of software; legacy tooling is sunset

Process: Automation
  Level 1: Manual
  Level 2: Manual
  Level 3: Partially automated (>50% of the software deployment process automated)
  Level 4: Partially automated (>75% of the software deployment process automated); software available on the endpoint for end user self service
  Level 5: Fully automated (>90% of the software deployment process automated); software available on the endpoint for end user self service

Process: Functional integration
  Level 1: Consult with software packaging or deployment teams and application owners
  Level 2: Consult with software packaging or deployment teams and application owners
  Level 3: Consult with help desk or support and IT leadership or peers in enterprise vulnerability management and threat management
  Level 4: Deploy, Connect, and Trends integrated into enterprise vulnerability management, threat management, and asset management tools, such as Flexera and ServiceNow
  Level 5: Deploy, Connect, and Trends integrated into enterprise vulnerability management, threat management, and asset management tools, such as Flexera and ServiceNow; approval workflow integration for tracking of licensed applications

Process: Reporting
  Level 1: Manual; reporting for Operators only
  Level 2: Manual; reporting for Operators and peer group only
  Level 3: Automated; reporting for Operators and peer group only
  Level 4: Automated; reporting tailored to stakeholders ranging from Operator to Executive
  Level 5: Automated; reporting tailored to stakeholders ranging from Operator to Executive

Metric: Deploy Coverage
  Level 1: 0-92% | Level 2: 93-94% | Level 3: 95-96% | Level 4: 97-98% | Level 5: 99-100%

Metric: Endpoints Missing Software Updates Released Over 30 Days
  Level 1: >15% | Level 2: 11-15% | Level 3: 6-10% | Level 4: 2-5% | Level 5: 0-1%

Metric: Mean Time to Deploy Software
  Level 1: >30 days | Level 2: 26-30 days | Level 3: 21-25 days | Level 4: 15-20 days | Level 5: 1-14 days

Metric: Software Installed by Self Service User Request
  Level 1: 0-19% | Level 2: 76-100% | Level 3: 51-75% | Level 4: 36-50% | Level 5: 20-35%
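As an added example (not Tanium code or documentation), the following Python computes the four benchmark metrics from the instrumentation definitions above over a set of endpoint records and maps each result onto the maturity bands in the table. The endpoint records are constructed for the example. The record field names, treating endpoints with an Optimal coverage status as the endpoints "managed by Deploy", excluding Unsupported endpoints from the coverage denominator, and rounding a metric to the table's whole-percent or whole-day bands before looking up its level are all assumptions made here, not definitions from the page.

```python
"""Compute Tanium Deploy benchmark metrics and maturity levels from endpoint records.

Added example, not Tanium code. The records below are constructed; the field
names and the interpretations noted in the comments are assumptions.
"""
from datetime import date, timedelta
from statistics import mean

TODAY = date(2024, 6, 30)        # fixed "as of" date so the example is reproducible
WINDOW = timedelta(days=90)      # "last three months" window used by two of the metrics

# Constructed sample, one record per endpoint (assumed schema):
#   status         -> value of the Deploy - Coverage Status sensor
#   eligible_since -> earliest date an installed application became eligible
#                     for an update that is still pending (None if nothing pending)
#   deployments    -> (software availability date, install date, installed via Self Service)
ENDPOINTS = [
    {"name": "ws-01", "status": "Optimal", "eligible_since": None,
     "deployments": [(date(2024, 5, 1), date(2024, 5, 8), False),
                     (date(2024, 6, 1), date(2024, 6, 3), True)]},
    {"name": "ws-02", "status": "Optimal", "eligible_since": date(2024, 4, 15),
     "deployments": [(date(2024, 3, 1), date(2024, 3, 20), False)]},   # older than 90 days
    {"name": "ws-03", "status": "Optimal", "eligible_since": date(2024, 6, 20),
     "deployments": [(date(2024, 5, 10), date(2024, 5, 30), False),
                     (date(2024, 6, 10), date(2024, 6, 15), True)]},
    {"name": "ws-04", "status": "Needs Attention", "eligible_since": None, "deployments": []},
    {"name": "srv-01", "status": "Unsupported", "eligible_since": None, "deployments": []},
    {"name": "ws-05", "status": "Optimal", "eligible_since": date(2024, 5, 20),
     "deployments": [(date(2024, 6, 1), date(2024, 6, 25), False)]},
]


def deploy_coverage(endpoints):
    """Percent of manageable endpoints where Deploy is Optimal.
    Assumption: Unsupported endpoints are not 'manageable' and leave the denominator."""
    manageable = [e for e in endpoints if e["status"] != "Unsupported"]
    optimal = sum(1 for e in manageable if e["status"] == "Optimal")
    return 100.0 * optimal / len(manageable)


def missing_updates_over_30_days(endpoints, today=TODAY):
    """Percent of Deploy-managed endpoints with an update pending for more than 30 days.
    Assumption: 'managed by Deploy' means coverage status Optimal."""
    managed = [e for e in endpoints if e["status"] == "Optimal"]
    stale = sum(1 for e in managed
                if e["eligible_since"] and (today - e["eligible_since"]).days > 30)
    return 100.0 * stale / len(managed)


def _recent(endpoint, today):
    """Deployments whose install date falls inside the three-month window."""
    return [d for d in endpoint["deployments"] if today - d[1] <= WINDOW]


def mean_time_to_deploy(endpoints, today=TODAY):
    """Days from availability to installation, averaged per system, then across systems."""
    per_system = []
    for e in endpoints:
        days = [(installed - available).days for available, installed, _ in _recent(e, today)]
        if days:
            per_system.append(mean(days))
    return mean(per_system)


def self_service_share(endpoints, today=TODAY):
    """Percent of successful deployments in the window that came through Self Service."""
    recent = [d for e in endpoints for d in _recent(e, today)]
    via_self_service = sum(1 for _, _, ss in recent if ss)
    return 100.0 * via_self_service / len(recent)


# Maturity bands from the table: (low, high, level), inclusive, on whole units.
# Self Service is deliberately non-monotonic: a moderate share is the optimized state.
MATURITY_BANDS = {
    "deploy_coverage":     ((0, 92, 1), (93, 94, 2), (95, 96, 3), (97, 98, 4), (99, 100, 5)),
    "missing_updates_30d": ((16, 100, 1), (11, 15, 2), (6, 10, 3), (2, 5, 4), (0, 1, 5)),
    "mean_time_to_deploy": ((31, 10**6, 1), (26, 30, 2), (21, 25, 3), (15, 20, 4), (0, 14, 5)),
    "self_service_share":  ((0, 19, 1), (76, 100, 2), (51, 75, 3), (36, 50, 4), (20, 35, 5)),
}


def _level(value, bands):
    """Map a metric to a level. Assumption: round to the table's whole-unit bands."""
    v = round(value)
    for low, high, level in bands:
        if low <= v <= high:
            return level
    raise ValueError(f"{value} is outside every band")


def maturity_levels(endpoints, today=TODAY):
    """Return {metric: (value rounded to 0.1, maturity level)} for all four metrics."""
    metrics = {
        "deploy_coverage": deploy_coverage(endpoints),
        "missing_updates_30d": missing_updates_over_30_days(endpoints, today),
        "mean_time_to_deploy": mean_time_to_deploy(endpoints, today),
        "self_service_share": self_service_share(endpoints, today),
    }
    return {k: (round(v, 1), _level(v, MATURITY_BANDS[k])) for k, v in metrics.items()}


if __name__ == "__main__":
    for name, (value, level) in maturity_levels(ENDPOINTS).items():
        print(f"{name:22s} {value:7.1f}  level {level}")
```

With the constructed records, coverage lands at 80% (level 1) because one Needs Attention endpoint sits in a pool of five, half of the managed endpoints have an update pending for more than 30 days (level 1), mean time to deploy is just under 14 days (level 5), and 40% of the recent installs came through Self Service (level 4). The point of keeping the band table separate from the metric functions is that the thresholds are the part most likely to be tuned per organization, while the ratio definitions should stay as the page states them.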