Gaining organizational effectiveness

The five key organizational governance steps to maximizing the value that is delivered by Discover are as follows:

Change management

Develop a tailored, dedicated change management process for asset discovery, taking into account the new capabilities provided by Tanium.

  • Update SLAs and align activities to key resources for Tanium Discover activities across IT Security, IT Operations, and IT Risk / Compliance.

  • Designate change or maintenance windows for various asset discovery scenarios. Scanning activities, such as ARP, Ping, or Nmap scanning of the network, require planning and testing.

  • Identify internal and external dependencies to your asset discovery process, such as required network controls.

  • Create a Tanium Steering Group (TSG) for discovery activities to expedite reviews, and approvals of processes that align with SLAs.

RACI chart

A RACI chart identifies the team or resource who is Responsible, Accountable, Consulted, and Informed, and serves as a guideline to describe the key activities across the security, risk/compliance, and operations teams. Every organization has specific business processes and IT organization demands. The following table represents Tanium’s point of view for how organizations should align functional resources against finding unmanaged interfaces. Use the following table as a baseline example.

Task IT Security IT Operations IT Risk/Compliance Executive Rationale

Determine Discover scanning types

C R/A - - When you configure scanning activity, use careful planning, change control, and testing to measure the potential network impact.

Analyze unmanaged interfaces

C R/A - - After a scan runs, all interfaces across the network are reported as managed (Tanium Client installed) or unmanaged interfaces. This list is a baseline to review and start the labeling process.

Identify manageable interfaces or create custom labels / ongoing label assessment

C R/A - - The Discover Label Gallery contains pre-defined labels that you can import to apply to discovered interfaces. You can also create custom labels and apply to discovered interfaces.
Apply Client Deployment Services label / Identify unmanageable interfaces C R/A - - Use Discover labels to target installation of the Tanium Client by Tanium Client Management. Labels can be applied automatically or manually by the administrator as needed.
Report status C R/A C/I C/I Automate reporting with Trends boards, or integrate with other tools such as a SIEM or CMDB. Share reports that require action or remediation with executives or other owners.
Determine target interfaces for quarantine, deploy quarantine package, and manage C R/A C/I C/I Plan and set up quarantine activity as applicable with a plan to manage, using the quarantined device report.
Ongoing review of quarantined device report C R/A C/I C/I Set up a report and review the report as an ongoing activity.
Figure  1:  Standard Discover workflow
Figure  2:  Discover Quarantine Workflow

Organizational alignment

Successful organizations use Tanium across functional silos as a common platform for high-fidelity endpoint data and unified endpoint management. Tanium provides a common data schema that enables security, operations, and risk/compliance teams to assure that they are acting on a common set of facts that are delivered by a unified platform.

In the absence of cross-functional alignment, functional silos often spend time and effort in litigating data quality instead of making decisions to improve discovery of unmanaged interfaces.

Develop a deployment plan

Because Discover introduces some minimal network traffic, it is important to work with the correct stakeholders to understand how Discover is used in the environment.

  • Evaluate discovery method options. See Running distributed scans, Running centralized scans, and Reference: Data returned by profile type for all of the discovery method options and the data that gets returned by each discovery method.
  • The default settings for discovery methods, including both level 3 and 4 Nmap scans, have never caused a problem in a known Tanium customer network.
  • Define network exceptions and exclusions. Determine sensitive ports that should not be scanned and VPN networks to exclude. The list of VPN networks is often the same list as isolated subnets.
  • Gather a list of subnets in the environment. This list is required to create a rollout plan and configure centralized scanning. You also must have this list to define locations in Discover.
  • Create a network rollout plan. The simplest option is to select All Networks when you create a profile, and scan all networks at the same time. You can also scan by subnet. Get a listing of all client subnets in the environment and build a deployment plan for each subnet.
  • Create an Amazon Web Services (AWS) rollout plan. Collect or create credentials in AWS to query the Discover API.
  • Determine any networks that have no Tanium Clients installed, for centralized Nmap scanning.
  • Determine the schedule for scanning and network tolerance.
  • Determine if any servers require specific scan windows.

Operational metrics

Discover maturity

Managing an asset discovery program successfully includes operationalization of the technology and measuring success through key benchmarking metrics. The four key processes to measure and guide operational maturity of your Tanium Discover program are as follows:

Process Description
Usage How and when Tanium Discover is used in your organization (example: is Discover supplemental for another legacy tool)
Automation How Tanium Discover is automated across endpoints
Functional Integration How Tanium Discover is integrated across IT security, IT operations, and IT risk/compliance teams (examples: automated client deployments, data sent to external destinations)
Reporting How Tanium Discover is automated, and the audience of Discover reporting

Benchmark metrics

The key benchmark metrics that align to the operational maturity of the Tanium Discover program to achieve maximum value and success follow:

Executive Metrics Endpoints Managed (%) Mean Time to Managed (hours)
Description Percentage of interfaces that are currently being managed by the Tanium platform, divided by the total number of discovered interfaces (not counting ignored interfaces). Average number of hours to bring an endpoint under management, or to mark the interface as unmanaged or unmanageable.
Instrumentation Managed / (Unmanaged + Managed) For a managed client, calculate the time elapsed between when an endpoint was First Seen until it was First Managed.
Why this metric matters If a given device is not managed by Tanium, the device cannot be secured and managed. If a new device takes a long time to become managed, efficacy of Tanium tooling is limited and potential exposure to bad actors increases.

Use the following table to determine the maturity level for Tanium Discover in your organization.

    Level 1
(Needs improvement)
Level 2
(Below average)
Level 3
(Average)
Level 4
(Above average)
Level 5
(Optimized)
Process Usage Discover is configured, initial unmanaged interfaces visible Baseline visibility of unmanaged interfaces with Tanium Client Discover used to audit and target installation of Tanium Client on unmanaged interfaces Discover used to audit and take action on unmanaged interfaces Discover used to audit and take action on unmanaged interfaces
Automation

One or more profiles configured: 

  • Level 1 passive scan: Address Resolution Protocol (ARP)
  • Level 2 scan: Ping
Define and configure customized Level 3 or 4 Nmap profile Base labels configured, Discover label gallery imported

Set up centralized Nmap scanning profiles for any gaps in network
Custom locations configured for tracking and visual representation for responsible teams Custom labels built based on an understanding of the network and client environment for tracking devices and interfaces in the environment that are unauthorized, built alerting workflow with Tanium Connect
Functional integration N/A Verification of settings to not cause false security alerts, tune settings for Nmap configuration Trends boards imported, scanning gaps conducted of subnets Automated installation of Tanium Client on unmanaged interfaces or previously managed interfaces based on labels Real-time alerting configured to ticketing system, SIEM for data correlation and intelligence, and integration of Discover and Tanium Network Quarantine services to allow isolation of unauthorized interfaces
Reporting Manual; Discover workbench dashboard for operators only Manual; Discover workbench dashboard for operators and peer group only Automated; Trends boards for operators and peer group only Automated; Trends boards tailored to stakeholders ranging from operator to executive Automated; Trends boards tailored to stakeholders ranging from operator to executive
Metrics Endpoints Managed < 50% 50-65% 65-85% 85-95% 95-100%
Mean Time to Manage > 30 days 30 days 1-7 days 1-24 hours 0-3 hours