Gaining organizational effectiveness

The four key organizational governance steps to maximize the value that Impact delivers are as follows:

Change management

Develop a tailored, dedicated change management process to monitor and remediate possible lateral movement activities and overly permissive administrative privileges, taking into account the new capabilities provided by Tanium.

  • Update SLAs with elevated expectations for Tanium Impact activities across IT Security, IT Operations, and IT Risk/Compliance.
  • Identify key resources in the organization to monitor asset privileges, reduce the attack surface, and achieve the desired mean impact rating.
  • Align activities to key resources for risk monitoring of endpoints, users and Active Directory (AD) groups across IT Security, IT Operations, and IT Risk/Compliance.
  • Identify business critical assets for risk monitoring prioritization.
  • Create a Tanium steering group (TSG) to expedite reviews and approvals of processes that align with SLAs that are associated with risk.

RACI chart

A RACI chart identifies the team or resource who is Responsible, Accountable, Consulted, and Informed, and serves as a guideline to describe the key activities across the IT Security, IT Risk/Compliance, and IT Operations teams. Every organization has specific business processes and IT organization demands. The following table represents Tanium's point of view for how organizations should align functional resources against risk mitigation. Use the following table as a baseline example.

Columns: Task | IT Security | IT Operations | IT Risk/Compliance | Executive | Rationale

Task: Impact coverage of domain-joined endpoints (see Asset monitoring workflow)
  IT Security: C | IT Operations: A/R | IT Risk/Compliance: C | Executive: -
  Rationale: The IT Operations team owns the Tanium platform and is accountable and responsible for the deployment of the Tanium agent, including the Impact module. Tanium agent coverage is essential to understand potential lateral movement across the environment. IT Operations consults with the IT Security and IT Compliance teams on the coverage to identify gaps.

Task: Identify and monitor business critical endpoints
  IT Security: A | IT Operations: R | IT Risk/Compliance: C | Executive: I
  Rationale: The IT Security team monitors business critical endpoints to ensure actions can be taken to reduce risk before they are compromised. The IT Operations team identifies business critical assets and consults with the IT Compliance team to ensure accurate identification of those business critical endpoints. The Executive team is informed to monitor risk.

Task: Identify and monitor users and AD groups with administrative rights to critical endpoints
  IT Security: A/R | IT Operations: C | IT Risk/Compliance: C | Executive: I
  Rationale: The IT Security team identifies and monitors users with administrative rights to critical endpoints to analyze and remediate associated risks. The IT Security team consults with the IT Operations and IT Compliance teams to verify the criticality of endpoints, the privileges of users, and the coverage of Impact. The Executive team is informed of the assessment of potential lateral movement for assets.

Task: Monitor the mean impact rating for endpoints, users, and groups
  IT Security: A/R | IT Operations: R | IT Risk/Compliance: R | Executive: C
  Rationale: The IT Security team monitors the mean impact rating for all endpoints, users, and groups so action can be taken if risk levels are too high. The IT Operations and IT Compliance teams verify asset criticality, ensure Impact coverage, and take necessary actions to reduce the mean impact rating over time. The Executive team is consulted on acceptable risk levels and the actions taken to reduce risk.

Task: Assess lateral movement from a compromised asset (see Compromised asset workflow)
  IT Security: A/R | IT Operations: R | IT Risk/Compliance: C | Executive: I
  Rationale: The IT Security team is accountable and responsible for discovering the indicator of compromise, assessing lateral movement paths, scoping the incident, and mitigating the threat. The IT Operations team is responsible for remediation actions, such as patching vulnerabilities, with direction from the IT Security team. The IT Compliance team is consulted throughout the process to monitor risk and remediation efforts. The Executive team is informed of the discovery and remediation of the threat.

Figure 1: Asset monitoring workflow
Figure 2: Compromised asset workflow

Operational metrics

Impact maturity

Managing enterprise risk successfully includes operationalization of the technology and measuring success through key benchmarking metrics. The four key processes to measure and guide operational maturity of your Impact program for lateral movement are as follows:

Process: Description
  Usage: How and when Impact is used in your organization; whether Impact is the only tool used to provide an overview of administrative access rights on domain-joined Windows endpoints.
  Automation: How automated Impact is across endpoints.
  Functional Integration: How integrated Impact is across the IT Security, IT Operations, and IT Risk/Compliance teams.
  Reporting: How automated Impact-related reporting is; how frequently it is produced and who its audience is.

Benchmark metrics

In addition to the key Impact processes, the two key benchmark metrics that align to the operational maturity of the Impact program to achieve maximum value and success are as follows:

Executive Metric: Impact Coverage

Description: Returns the number of endpoints in each of these categories:
  • Initializing: Endpoints where Impact tools are installing
  • Optimal: Endpoints where Impact is operational
  • Needs attention: Endpoints that do not have the Python tools installed or do not have a supported version of the Tanium Client installed
  • Unsupported: Endpoints with an operating system version that is not supported by Impact

For steps to investigate endpoints that are categorized as Needs Attention or Unsupported, see Monitor and troubleshoot Impact Coverage.

For operating system and Tanium Client versions supported by Impact, see Requirements.

Instrumentation: Uses the Impact - Coverage Status sensor to determine the endpoints where Impact is optimal, needs attention, or is unsupported.

Why this metric matters: If Impact is not running on all of your endpoints, you do not have insight into the administrative rights in your organization's Active Directory environment and their potential impact if compromised.

Use the following maturity levels to determine the maturity level for Impact in your organization. Each level lists the state of the four processes (Usage, Automation, Functional integration, Reporting) and the Impact Coverage metric (1).

Level 1 (Needs improvement)
  Usage: Impact is not fully or correctly configured and not active
  Automation: Manual
  Functional integration: Impact is functionally siloed within the IT Security team
  Reporting: Unused
  Impact Coverage (1): 0-49%

Level 2 (Below average)
  Usage: Impact is configured and active, but lacks enough coverage (<70%) for sensors to correctly execute
  Automation: Manual
  Functional integration: Impact is functionally siloed within the IT Security team and only used to assess a breach
  Reporting: Ad hoc; reporting tailored to stakeholders on request
  Impact Coverage (1): 50-69%

Level 3 (Average)
  Usage: Impact is configured and active, but lacks enough coverage (<70%) for sensors to correctly execute
  Automation: Manual
  Functional integration: The IT Security team uses Impact to monitor the potential for lateral movement
  Reporting: Consistent; reporting tailored to stakeholders on a cadence
  Impact Coverage (1): 70-94%

Level 4 (Above average)
  Usage: Impact is configured, active, and coverage >95%
  Automation: Manual
  Functional integration: Impact is integrated between the IT Security, IT Compliance, and IT Operations teams to assess the potential for lateral movement
  Reporting: Automated; reporting tailored to stakeholders ranging from Operator to Executive
  Impact Coverage (1): 95-99%

Level 5 (Optimized)
  Usage: Impact is configured, active, and 100% of endpoints are covered
  Automation: Manual
  Functional integration: Impact is fully integrated across the IT Security, IT Compliance, and IT Operations teams to assess the potential for lateral movement and take actions to proactively reduce risk
  Reporting: Automated; reporting tailored to stakeholders ranging from Operator to Executive
  Impact Coverage (1): 100%

(1) Coverage refers to the percentage of endpoints with the Tanium Client installed.

Organizational alignment

Successful organizations use Tanium across functional silos as a common platform for high-fidelity endpoint data and unified endpoint management. Tanium provides a common data schema that enables security, operations, and risk/compliance teams to assure that they are acting on a common set of facts that are delivered by a unified platform.

In the absence of cross-functional alignment, functional silos often spend time and effort in litigating data quality instead of making decisions to reduce the attack surface.