Gaining organizational effectiveness
The five key organizational governance steps to maximizing the value that is delivered by Discover are as follows:
- Develop a dedicated change management process. See Change management.
- Define distinct roles and responsibilities. See RACI chart.
- Validate cross-functional alignment. See Organizational alignment.
- Develop a deployment plan. See Develop a deployment plan.
- Track operational maturity. See Operational metrics.
Develop a tailored, dedicated change management process for asset discovery, taking into account the new capabilities provided by Tanium.
Update SLAs and align activities to key resources for Tanium Discover activities across IT Security, IT Operations, and IT Risk / Compliance.
Designate change or maintenance windows for various asset discovery scenarios. Scanning activities, such as ARP, Ping, or Nmap scanning of the network, require planning and testing.
Identify internal and external dependencies to your asset discovery process, such as required network controls.
Create a Tanium Steering Group (TSG) for discovery activities to expedite reviews, and approvals of processes that align with SLAs.
A RACI chart identifies the team or resource who is Responsible, Accountable, Consulted, and Informed, and serves as a guideline to describe the key activities across the security, risk/compliance, and operations teams. Every organization has specific business processes and IT organization demands. The following table represents Tanium’s point of view for how organizations should align functional resources against finding unmanaged interfaces. Use the following table as a baseline example.
|Task||IT Security||IT Operations||IT Risk/Compliance||Executive||Rationale|
Determine Discover scanning types
|C||R/A||-||-||When you configure scanning activity, use careful planning, change control, and testing to measure the potential network impact.|
Analyze unmanaged interfaces
|C||R/A||-||-||After a scan runs, all interfaces across the network are reported as managed (Tanium Client installed) or unmanaged interfaces. This list is a baseline to review and start the labeling process.|
Identify manageable interfaces or create custom labels / ongoing label assessment
|C||R/A||-||-||The Discover Label Gallery contains pre-defined labels that you can import to apply to discovered interfaces. You can also create custom labels and apply to discovered interfaces.|
|Apply Client Deployment Services label / Identify unmanageable interfaces||C||R/A||-||-||Use Discover labels to target installation of the Tanium Client by Tanium Client Management. Labels can be applied automatically or manually by the administrator as needed.|
|Report status||C||R/A||C/I||C/I||Automate reporting with Trends boards, or integrate with other tools such as a SIEM or CMDB. Share reports that require action or remediation with executives or other owners.|
|Determine target interfaces for quarantine, deploy quarantine package, and manage||C||R/A||C/I||C/I||Plan and set up quarantine activity as applicable with a plan to manage, using the quarantined device report.|
|Ongoing review of quarantined device report||C||R/A||C/I||C/I||Set up a report and review the report as an ongoing activity.|
Successful organizations use Tanium across functional silos as a common platform for high-fidelity endpoint data and unified endpoint management. Tanium provides a common data schema that enables security, operations, and risk/compliance teams to assure that they are acting on a common set of facts that are delivered by a unified platform.
In the absence of cross-functional alignment, functional silos often spend time and effort in litigating data quality instead of making decisions to improve discovery of unmanaged interfaces.
Because Discover introduces some minimal network traffic, it is important to work with the correct stakeholders to understand how Discover is used in the environment.
- Evaluate discovery method options. See Running distributed scans
, Running centralized scans,and Reference: Data returned by profile type for all of the discovery method options and the data that gets returned by each discovery method.
- Define network exceptions and exclusions. Determine sensitive ports that should not be scanned and VPN networks to exclude. The list of VPN networks is often the same list as isolated subnets.
- Gather a list of subnets in the environment. This list is required to create a rollout plan
and configure centralized scanning. You also must have this list to define locations in Discover.
- Create a network rollout plan.
The simplest option is to select All Networks when you create a profile, and scan all networks at the same time.You can also scan by subnet. Get a listing of all client subnets in the environment and build a deployment plan for each subnet.
- Create an Amazon Web Services (AWS) rollout plan. Collect or create credentials in AWS to query the Discover API.
- Determine any networks that have no Tanium Clients installed, for centralized Nmap scanning.
- Determine the schedule for scanning and network tolerance.
- Determine if any servers require specific scan windows.
Managing an asset discovery program successfully includes operationalization of the technology and measuring success through key benchmarking metrics. The four key processes to measure and guide operational maturity of your Tanium Discover program are as follows:
|Usage||How and when Tanium Discover is used in your organization (example: is Discover supplemental for another legacy tool)|
|Automation||How Tanium Discover is automated across endpoints|
|Functional Integration||How Tanium Discover is integrated across IT security, IT operations, and IT risk/compliance teams (examples: automated client deployments, data sent to external destinations)|
|Reporting||How Tanium Discover is automated, and the audience of Discover reporting|
The key benchmark metrics that align to the operational maturity of the Tanium Discover program to achieve maximum value and success follow:
|Executive Metrics||Interfaces Managed||Mean Time to Managed|
|Description||Percentage of interfaces that are currently being managed by the Tanium platform, divided by the total number of discovered interfaces (not counting ignored interfaces).||Average number of days or hours to bring an endpoint under management, or to mark the interface as unmanaged or unmanageable.|
|Instrumentation||Managed / (Unmanaged + Managed)||For a managed client, calculate the time elapsed between when an endpoint was First Seen until it was First Managed.|
|Why this metric matters||If a given device is not managed by Tanium, the device cannot be secured and managed.||If a new device takes a long time to become managed, efficacy of Tanium tooling is limited and potential exposure to bad actors increases.|
Use the following table to determine the maturity level for Tanium Discover in your organization.
|Process||Usage||Discover is configured, initial unmanaged interfaces visible||Baseline visibility of unmanaged interfaces with Tanium Client||Discover used to audit and target installation of Tanium Client on unmanaged interfaces||Discover used to audit and take action on unmanaged interfaces||Discover used to audit and take action on unmanaged interfaces|
One or more profiles configured:
|Define and configure customized Level 3 or 4 Nmap profile||Base labels configured, Discover label gallery imported
||Custom locations configured for tracking and visual representation for responsible teams||Custom labels built based on an understanding of the network and client environment for tracking devices and interfaces in the environment that are unauthorized, built alerting workflow with Tanium Connect|
|Functional integration||N/A||Verification of settings to not cause false security alerts, tune settings for Nmap configuration||Trends boards imported, scanning gaps conducted of subnets||Automated installation of Tanium Client on unmanaged interfaces or previously managed interfaces based on labels||Real-time alerting configured to ticketing system, SIEM for data correlation and intelligence, and integration of Discover and Tanium Network Quarantine services to allow isolation of unauthorized interfaces|
|Reporting||Manual; Discover workbench dashboard for operators only||Manual; Discover workbench dashboard for operators and peer group only||Automated; Trends boards for operators and peer group only||Automated; Trends boards tailored to stakeholders ranging from operator to executive||Automated; Trends boards tailored to stakeholders ranging from operator to executive|
|Mean Time to Manage||> 30 days||8-30 days||1-7 days||1-24 hours||0-3 hours|
Last updated: 1/28/2021 8:31 AM | Feedback