Gaining organizational effectiveness
The four key organizational governance steps to maximizing the value that is delivered by Impact are as follows:
- Develop a dedicated change management process. See Change management.
- Define distinct roles and responsibilities. See RACI chart.
- Track operational maturity. See Operational metrics.
- Validate cross-functional alignment. See Organizational alignment.
Change management
Develop a tailored, dedicated change management process to monitor and remediate possible lateral movement paths and overly permissive administrative privileges, taking into account the new capabilities that Tanium Impact provides.
- Update SLAs with elevated expectations for Tanium Impact activities across IT Security, IT Operations, and IT Risk/Compliance.
- Identify key resources in the organization to monitor asset privileges, reduce the attack surface, and achieve the desired mean impact rating.
- Align activities to key resources for risk monitoring of endpoints, users, and Active Directory (AD) groups across IT Security, IT Operations, and IT Risk/Compliance.
- Identify business critical assets for risk monitoring prioritization.
- Create a Tanium steering group (TSG) to expedite reviews and approvals of processes that align with SLAs that are associated with risk.
RACI chart
A RACI chart identifies the team or resource that is Responsible, Accountable, Consulted, and Informed for each activity, and serves as a guideline for describing the key activities across the IT Security, IT Risk/Compliance, and IT Operations teams. Every organization has its own business processes and IT organization demands. The following table represents Tanium's point of view on how organizations should align functional resources against risk mitigation. Use it as a baseline example.
| Task | IT Security | IT Operations | IT Risk/Compliance | Executive | Rationale |
|---|---|---|---|---|---|
| Impact coverage of domain-joined endpoints | C | A/R | C | - | The IT Operations team owns the Tanium platform and is accountable and responsible for the deployment of the Tanium agent, including the Impact module. Tanium agent coverage is essential to understand potential lateral movement across the environment. IT Operations consults with the IT Security and IT Compliance teams on the coverage to identify gaps. |
| Identify and monitor business critical endpoints | A | R | C | I | The IT Security team monitors business critical endpoints to ensure actions can be taken to reduce risk before they are compromised. The IT Operations team identifies business critical assets and consults with the IT Compliance team to ensure accurate identification of those business critical endpoints. The Executive team is informed to monitor risk. |
| Identify and monitor users and AD groups with administrative rights to critical endpoints | A/R | C | C | I | The IT Security team identifies and monitors users with administrative rights to critical endpoints to analyze and remediate associated risks. The IT Security team consults with the IT Operations and IT Compliance teams to verify the criticality of endpoints, the privileges of users, and the coverage of Impact. The Executive team is informed of the assessment of potential lateral movement for assets. |
| Monitor the mean impact rating for endpoints, users, and groups | A/R | R | R | C | The IT Security team monitors the mean impact rating for all endpoints, users, and groups so action can be taken if risk levels are too high. The IT Operations and IT Compliance teams verify asset criticality, ensure Impact coverage, and take necessary actions to reduce the mean impact rating over time. The Executive team is consulted on acceptable risk levels and the actions taken to reduce risk. |
| Assess lateral movement from a compromised asset | A/R | R | C | I | The IT Security team is accountable and responsible for discovering the indicator of compromise, assessing lateral movement paths, scoping the incident, and mitigating the threat. The IT Operations team is responsible for remediation actions, such as patching vulnerabilities, with direction from the IT Security team. The IT Compliance team is consulted throughout the process to monitor risk and remediation efforts. The Executive team is informed of the discovery and remediation of the threat. |
Operational metrics
Managing enterprise risk successfully includes operationalizing the technology and measuring success through key benchmarking metrics. The four key processes that measure and guide the operational maturity of your Impact program for lateral movement are as follows:
| Process | Description |
|---|---|
| Usage | How and when Impact is used in your organization, and whether Impact is the only tool used to provide an overview of administrative access rights on domain-joined Windows endpoints |
| Automation | How automated Impact is across endpoints |
| Functional integration | How integrated Impact is across the IT Security, IT Operations, and IT Risk/Compliance teams |
| Reporting | How automated Impact reporting is, how frequently it is produced, and who its audience is |
In addition to the key Impact processes, the key benchmark metrics that align to the operational maturity of the Impact program to achieve maximum value and success are as follows:
| Executive Metrics | Impact Coverage |
|---|---|
| Description | Returns the number of endpoints in each of these categories: Optimal, Needs Attention, and Unsupported. For steps to investigate endpoints that are categorized as Needs Attention or Unsupported, see Monitor and troubleshoot Impact Coverage. For operating system and Tanium Client versions supported by Impact, see Requirements. |
| Instrumentation | Uses the Impact - Coverage Status sensor to determine the endpoints where Impact is optimal, needs attention, or is unsupported. |
| Why this metric matters | If Impact is not running on all of your endpoints, you do not have complete insight into the administrative rights in your organization's Active Directory environment or into their potential impact if those accounts are compromised. |
Use the following table to determine the maturity level for Impact in your organization.
| Process | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|
| Usage | Impact is not fully or correctly configured and not active | Impact is configured and active, but lacks enough coverage¹ (<70%) for sensors to correctly execute | Impact is configured and active, but lacks enough coverage¹ (<70%) for sensors to correctly execute | Impact is configured, active, and coverage¹ >95% | Impact is configured, active, and 100% of endpoints are covered¹ |
| Functional integration | Impact is functionally siloed within the IT Security team | Impact is functionally siloed within the IT Security team and only used to assess a breach | The IT Security team uses Impact to monitor the potential for lateral movement | Impact is integrated between the IT Security, IT Compliance and IT Operations teams to assess the potential for lateral movement | Impact is fully integrated across the IT Security, IT Compliance and IT Operations teams to assess the potential for lateral movement and take actions to proactively reduce risk |
| Reporting | Unused | Ad hoc; reporting tailored to stakeholders on request | Consistent; reporting tailored to stakeholders on a cadence | Automated; reporting tailored to stakeholders ranging from Operator to Executive | Automated; reporting tailored to stakeholders ranging from Operator to Executive |
¹ Coverage refers to the percentage of endpoints with the Tanium Client installed.
Organizational alignment
Successful organizations use Tanium across functional silos as a common platform for high-fidelity endpoint data and unified endpoint management. Tanium provides a common data schema that lets the security, operations, and risk/compliance teams act on a common set of facts delivered by a unified platform.
In the absence of cross-functional alignment, functional silos often spend time and effort disputing data quality instead of making decisions that reduce the attack surface.
Last updated: 10/29/2020 1:11 PM