Gaining organizational effectiveness
The four key organizational governance steps to maximizing the value that is delivered by Reveal are as follows:
- Develop a dedicated change management process. See Change management.
- Define distinct roles and responsibilities. See RACI chart.
- Track operational maturity. See Operational metrics.
- Validate cross-functional alignment. See Organizational alignment.
Develop a tailored, dedicated change management process for discovering sensitive data on endpoints, taking into account the new capabilities provided by Tanium.
- Update SLAs and align activities to key resources for Tanium Reveal activities across IT Security, IT Operations, and IT Risk and Compliance.
- Designate change or maintenance windows for various data identification scenarios; for example, implementing rules for CCPA, GDPR, PCI, PII, custom content, investigating alerts, and validating rules.
- Identify internal and external dependencies to your data identification process; for example, to support eDiscovery, or investigate insider threats and policy violations.
Create a Tanium Steering Group (TSG) for data identification activities to expedite reviews and approvals of processes that align with SLAs.
A RACI chart identifies the team or resource who is Responsible, Accountable, Consulted, and Informed, and serves as a guideline to describe the key activities across the security, risk/compliance, and operations teams. Every organization has specific business processes and IT organization demands. The following table represents Tanium’s point of view for how organizations should align functional resources against discovery of sensitive data. Use the following table as a baseline example.
|Task||IT Security||IT Operations||IT Risk/Compliance||Executive||Rationale|
Determine which default rules to use or which custom rules to create
|C||I||R/A||C||When Reveal is originally installed, there are default rules for PCI, HIPAA, GDPR, and CCPA. The Risk/Compliance team might have other items they need to track and will be accountable for defining those rules and labels. The security team will be consulted along with the CIO/CRO/CPO to ensure proper policy coverage.|
Investigate rule matches using direct endpoint connections
|R/A||I||R/A||-||Both the security and risk/compliance teams will investigate rule matches and are accountable for acting on the alert. The security team is more likely to connect to the endpoint for further investigation.|
Validate rule pattern matches
|R/A||I||R/A||-||Both the security and risk/compliance teams will validate rule pattern matches to confirm the matches or reject false positives and reduce noise to more accurately represent the alert.|
|Search for sensitive information that matches a search string in real-time||R/A||R||R/A||-||The security and risk/compliance teams will be accountable to define what data is sensitive; however, operations and the other two teams should have access to search for said data in real time.|
|Reporting through Tanium Trends or external systems; for example, a SIEM.||R/A||I||C/I||C/I||Reporting can be automated via Tanium Trends boards and/or integrated with other tools such as a SIEM via Tanium Connect for ease to digest, share with executives, or other owners that require action or remediation.|
Successful organizations use Tanium across functional silos as a common platform for high-fidelity endpoint data and unified endpoint management. Tanium provides a common data schema that enables security, operations, and risk/compliance teams to assure that they are acting on a common set of facts that are delivered by a unified platform.
In the absence of cross-functional alignment, functional silos often spend time and effort in litigating data quality instead of making decisions to improve sensitive data discovery.
Managing a data identification program successfully includes operationalization of the technology and measuring success through key benchmarking metrics. The four key processes to measure and guide operational maturity of your Tanium Reveal program are as follows:
|Usage||how and when Reveal is used in your organization|
|Automation||how automated Reveal is in your environment|
|Functional Integration||how integrated Reveal is, across IT security, IT operations, and IT risk/compliance teams|
|Reporting||how automated Reveal is and who the audience of Reveal reporting is|
In addition to the key Reveal processes, the four key benchmark metrics that align to the operational maturity of the Reveal program to achieve maximum value and success are as follows:
|Executive Metrics||Reveal Coverage||Endpoints with findings per rule||Validation needed|
|Description||Percentage of managed endpoints with Reveal installed. Without Reveal, there is no way to know if sensitive or prohibited information is present in files at rest.||Number of endpoints with hits/findings per rule. Rules are based on CCPA, GDPR, HIPAA, PII, PCI, and other custom criteria.||Shows the numbers of unvalidated hits/findings. Over time, as validations are created, this number should trend down.|
|Instrumentation||Trends panel showing where Reveal is installed.||Trends panel showing matches on endpoints.||Trends panel showing the trend - should trend down.|
|Why this metric matters||Without Reveal, there is no way to know if sensitive or prohibited information is present in files at rest.||There are many laws and regulations around the world a company must follow to protect personal data. These laws and regulations include CCPA, GDPR, HIPAA, PII, PCI, PHI, and several others. Failure to follow and/or enforce these standards can cost thousands to millions of dollars. There are also similar concerns about PCI, PII, and other sensitive information.||When rule hits are found, they are initially unconfirmed. The Reveal workflow includes an analysts reviewing those hits and creating validations - confirmed or rejected. Over time, this amount of work should go down as proper validations are created.|
Use the following table to determine the maturity level for Tanium Reveal in your organization.
|Process||Usage||Reveal module and action group configured, Tanium default rule sets deployed||Target rule sets by Computer Group based on what information is acceptable vs not acceptable on those endpoints||Custom rules created with provided patterns based on governance policies, e.g. customer specific account number. Rule matches investigated and data validated, Include filters and / or pattern / pattern proximity group to reduce false positives||Create rules based on custom patterns. Support for eDiscovery for use in legal proceedings||Taking action based on hits or label results, Identifying and investigating insider threats and policy violations|
|Automation||Manual||Manual||Email alert results with Tanium Connect||Email generic alert results with Tanium Connect||Email specific alert results with Tanium Connect tailored to type of data discovered|
|Functional integration||Direct Connect for direct endpoint connections||Tanium Enforce for device control / removable media, Tanium Threat Response||Tanium Connect, Reports on numbers of hits by endpoint or total aggregate to SIEM, Google Chronicle||Tanium Impact, Tanium Data Service||ITSM workflow|
|Reporting||Manual; via Reveal workbench / dashboard for operators only||Manual; Reveal workbench / dashboard for operators / peer group only||Automated; Trends Boards tailored to stakeholders ranging from Operator to Executive||Automated; Trends Boards tailored to stakeholders ranging from Operator to Executive and Legal||Automated; Trends Boards tailored to stakeholders ranging from Operator to Executive, Legal, and HR|
|Endpoints with findings||>50%||25-50%||15-24%||10-14%||0-9%|
|Validations needed||>= 60%||40-59%||20-39%||10-19%||0-9%|
Last updated: 1/20/2023 2:37 PM | Feedback