Gaining organizational effectiveness

The four key organizational governance steps to maximizing the value that is delivered by Impact are as follows:

Develop a dedicated change management process. See Change management.
Define distinct roles and responsibilities. See RACI chart.
Track operational maturity. See Operational metrics.
Validate cross-functional alignment. See Organizational alignment.

Change management

Develop a tailored, dedicated change management process to monitor and remediate possible lateral movement activities and overly permissive administrative privileges, taking into account the new capabilities provided by Tanium.

Update SLAs with elevated expectations for Tanium Impact activities across IT Security, IT Operations, and IT Risk/Compliance.
Identify key resources in the organization to monitor asset privileges to reduce the attack surface and achieve the desirable Mean Impact Rating.
Align activities to key resources for risk monitoring of endpoints, users and Active Directory (AD) groups across IT Security, IT Operations, and IT Risk/Compliance.
Identify business critical assets for risk monitoring prioritization.
Create a Tanium steering group (TSG) to expedite reviews and approvals of processes that align with SLAs that are associated with risk.

RACI chart

A RACI chart identifies the team or resource who is Responsible, Accountable, Consulted, and Informed, and serves as a guideline to describe the key activities across the IT Security, IT Risk/Compliance, and IT Operations teams. Every organization has specific business processes and IT organization demands. The following table represents Tanium's point of view for how organizations should align functional resources against risk mitigation. Use the following table as a baseline example.

Task	IT Security	IT Operations	IT Risk/Compliance	Executive	Rationale
Impact coverage of domain-joined endpoints See Asset monitoring workflow (click image to enlarge).	C	A/R	C	-	The IT Operations team owns the Tanium platform and is accountable and responsible for the deployment of the Tanium agent, including the Impact module. Tanium agent coverage is essential to understand potential lateral movement across the environment. IT Operations consults with the IT Security and IT Compliance teams on the coverage to identify gaps.
Identify and monitor business critical endpoints	A	R	C	I	The IT Security team monitors business critical endpoints to ensure actions can be taken to reduce risk prior to being compromised. The IT Operations team identifies business critical assets and consults with the IT Compliance team to ensure accurate identification of those business critical endpoints. The Executive team is informed to monitor risk.
Identify and monitor users and AD groups with administrative rights to critical endpoints	A/R	C	C	I	The IT Security team identifies and monitors users with administrative rights to critical endpoints to analyze and remediate associated risks. The IT Security team consults with the IT Operations and IT Compliance teams to verify the criticality of endpoints, the privileges of users, and the coverage of Impact. The Executive team is informed in the assessment of potential lateral movement for assets.
Monitor the mean impact rating for endpoints, users, and groups	A/R	R	R	C	The IT Security team monitors the mean impact rating for all endpoints, users, and groups so action can be taken if risk levels are too high. The IT Operations and IT Compliance teams verify asset criticality, ensure Impact coverage, and take necessary actions to reduce the mean impact rating over time. The Executive team is consulted on acceptable risk levels and the actions taken to reduce risk.
Assess lateral movement from a compromised asset See Compromised asset workflow (click image to enlarge).	A/R	R	C	I	The IT Security team is accountable and responsible for discovering the indicator of compromise, assessing lateral movement paths, scoping the incident, and mitigating the threat. The IT Operations team is responsible for remediation actions, such as patching vulnerabilities, with direction from the IT Security team. The IT Compliance team is consulted throughout the process to monitor risk and remediation efforts. The Executive team is informed of the discovery and remediation of the threat.

Asset monitoring workflow (click image to enlarge)

Compromised asset workflow (click image to enlarge)

Operational metrics

Impact maturity

Managing enterprise risk successfully includes operationalization of the technology and measuring success through key benchmarking metrics. The four key processes to measure and guide operational maturity of your Impact program for lateral movement are as follows:

Process	Description
Usage	how and when Impact is used in your organization; is Impact the only tool used to provide an overview of administrative access rights with domain-joined Windows endpoints
Automation	how automated Impact is, across endpoints
Functional Integration	how integrated Impact is, across IT Security, IT Operations, and IT Risk/Compliance teams
Reporting	how automated Impact is; what is the frequency and who is the audience of Impact-related reporting

Benchmark metrics

In addition to the key Impact processes, the two key benchmark metrics that align to the operational maturity of the Impact program to achieve maximum value and success are as follows:

Executive Metrics	Impact Coverage
Description	Returns the number of endpoints in each of these categories: Initializing: Endpoints where Impact tools are installing Optimal: Endpoints where Impact is operational Needs attention: Endpoints that do not have the Python tools installed or do not have a supported version of the Tanium Client installed Unsupported: Endpoints with an operating system version that is not supported by Impact For steps to investigate endpoints that are categorized as Needs Attention or Unsupported, see Monitor and troubleshoot Impact Coverage. For operating system and Tanium Client versions supported by Impact, see Requirements.
Instrumentation	Uses the Impact - Coverage Status sensor to determine the endpoints where Impact is optimal, needs attention, and is unsupported.
Why this metric matters	If you do not have Impact running on all of your endpoints, you do not have insight into the administrative rights in your organization's Active Directory environment and their potential impact if compromised.

Executive Metrics

Impact Coverage

Description

Returns the number of endpoints in each of these categories:

Initializing: Endpoints where Impact tools are installing
Optimal: Endpoints where Impact is operational
Needs attention: Endpoints that do not have the Python tools installed or do not have a supported version of the Tanium Client installed
Unsupported: Endpoints with an operating system version that is not supported by Impact

For steps to investigate endpoints that are categorized as Needs Attention or Unsupported, see Monitor and troubleshoot Impact Coverage.

For operating system and Tanium Client versions supported by Impact, see Requirements.

Instrumentation

Uses the Impact - Coverage Status sensor to determine the endpoints where Impact is optimal, needs attention, and is unsupported.

Why this metric matters

If you do not have Impact running on all of your endpoints, you do not have insight into the administrative rights in your organization's Active Directory environment and their potential impact if compromised.

Use the following table to determine the maturity level for Impact in your organization.

		Level 1 (Initializing)	Level 2 (Progressing)	Level 3 (Intermediate)	Level 4 (Mature)	Level 5 (Optimized)
Process	Usage	Impact is not fully or correctly configured and not active	Impact is configured and active, but lacks enough coverage (<70%) for sensors to correctly execute. Leverage default Tanium Criticality levels for prioritization of investigation.	Impact is configured and active, but lacks enough coverage (<70%) for sensors to correctly execute. Create custom rules for Tanium Criticality levels of prioritization.	Impact is configured, active, and coverage >95%. Create rules for low, medium, high, and critical Tanium Criticality levels for prioritization.	Impact is configured, active, and 100% of endpoints are covered. Create rules for all Tanium Criticality levels for endpoints, users, and groups in the environment.
	Automation	Manual	Manual	Manual	Manual	Manual
	Functional integration	Impact is functionally siloed within the IT Security team	Impact is functionally siloed within the IT Security team and only used to assess a breach	The IT Security team uses Impact to monitor the potential for lateral movement	Impact is integrated between the IT Security, IT Compliance and IT Operations teams to assess the potential for lateral movement	Impact is fully integrated across the IT Security, IT Compliance and IT Operations teams to assess the potential for lateral movement and take actions to proactively reduce risk
	Reporting	Unused	Ad hoc; Reporting tailored to stakeholders on request	Consistent; Reporting tailored to stakeholders on cadence	Automated; Reporting tailored to stakeholders ranging from Operator to Executive	Automated; Reporting tailored to stakeholders ranging from Operator to Executive
Metrics	Impact Coverage¹	0-49%	50-69%	70-94%	95-99%	100%
¹ Coverage refers to the percentage of endpoints with the Tanium Client installed.

Organizational alignment

Successful organizations use Tanium across functional silos as a common platform for high-fidelity endpoint data and unified endpoint management. Tanium provides a common data schema that enables security, operations, and risk/compliance teams to assure that they are acting on a common set of facts that are delivered by a unified platform.

In the absence of cross-functional alignment, functional silos often spend time and effort in litigating data quality instead of making decisions to reduce the attack surface.