Gaining organizational effectiveness

The four key organizational governance steps to maximizing the value that is delivered by Reveal are as follows:

Change management

Develop a tailored, dedicated change management process for discovering sensitive data on endpoints, taking into account the new capabilities provided by Tanium.

  • Update SLAs and align activities to key resources for Tanium Reveal activities across IT Security, IT Operations, and IT Risk and Compliance.
  • Designate change or maintenance windows for various data identification scenarios; for example, implementing rules for CCPA, GDPR, PCI, PII, custom content, investigating alerts, and validating rules.
  • Identify internal and external dependencies to your data identification process; for example, to support eDiscovery, or investigate insider threats and policy violations.
  • Create a Tanium Steering Group (TSG) for data identification activities to expedite reviews and approvals of processes that align with SLAs.

RACI chart

A RACI chart identifies the team or resource who is Responsible, Accountable, Consulted, and Informed, and serves as a guideline to describe the key activities across the security, risk/compliance, and operations teams. Every organization has specific business processes and IT organization demands. The following table represents Tanium’s point of view for how organizations should align functional resources against discovery of sensitive data. Use the following table as a baseline example.

Task IT Security IT Operations IT Risk/Compliance Executive Rationale

Determine which default rules to use or which custom rules to create

C I R/A C When Reveal is originally installed, there are default rules for PCI, HIPAA, GDPR, and CCPA. The Risk/Compliance team might have other items they need to track and will be accountable for defining those rules and labels. The security team will be consulted along with the CIO/CRO/CPO to ensure proper policy coverage.

Investigate rule matches using direct endpoint connections

R/A I R/A - Both the security and risk/compliance teams will investigate rule matches and are accountable for acting on the alert. The security team is more likely to connect to the endpoint for further investigation.

Validate rule pattern matches

R/A I R/A - Both the security and risk/compliance teams will validate rule pattern matches to confirm the matches or reject false positives and reduce noise to more accurately represent the alert.
Search for sensitive information that matches a search string in real-time R/A R R/A - The security and risk/compliance teams will be accountable to define what data is sensitive; however, operations and the other two teams should have access to search for said data in real time.
Reporting through Tanium Trends or external systems; for example, a SIEM. R/A I C/I C/I Reporting can be automated via Tanium Trends boards and/or integrated with other tools such as a SIEM via Tanium Connect for ease to digest, share with executives, or other owners that require action or remediation.
Tanium Reveal alert workflow (click image to enlarge)
Tanium Reveal real time search workflow (click image to enlarge)

Organizational alignment

Successful organizations use Tanium across functional silos as a common platform for high-fidelity endpoint data and unified endpoint management. Tanium provides a common data schema that enables security, operations, and risk/compliance teams to assure that they are acting on a common set of facts that are delivered by a unified platform.

In the absence of cross-functional alignment, functional silos often spend time and effort in litigating data quality instead of making decisions to improve sensitive data discovery.

Operational metrics

Reveal maturity

Managing a data identification program successfully includes operationalization of the technology and measuring success through key benchmarking metrics. The four key processes to measure and guide operational maturity of your Tanium Reveal program are as follows:

Process Description
Usage how and when Reveal is used in your organization
Automation how automated Reveal is in your environment
Functional Integration how integrated Reveal is, across IT security, IT operations, and IT risk/compliance teams
Reporting how automated Reveal is and who the audience of Reveal reporting is

Benchmark metrics

In addition to the key Reveal processes, the four key benchmark metrics that align to the operational maturity of the Reveal program to achieve maximum value and success are as follows:

Executive Metrics Reveal Coverage Endpoints with findings per rule Validation needed
Description Percentage of managed endpoints with Reveal installed. Without Reveal, there is no way to know if sensitive or prohibited information is present in files at rest. Number of endpoints with hits/findings per rule. Rules are based on CCPA, GDPR, HIPAA, PII, PCI, and other custom criteria. Shows the numbers of unvalidated hits/findings. Over time, as validations are created, this number should trend down.
Instrumentation Trends panel showing where Reveal is installed. Trends panel showing matches on endpoints. Trends panel showing the trend - should trend down.
Why this metric matters Without Reveal, there is no way to know if sensitive or prohibited information is present in files at rest. There are many laws and regulations around the world a company must follow to protect personal data. These laws and regulations include CCPA, GDPR, HIPAA, PII, PCI, PHI, and several others. Failure to follow and/or enforce these standards can cost thousands to millions of dollars. There are also similar concerns about PCI, PII, and other sensitive information. When rule hits are found, they are initially unconfirmed. The Reveal workflow includes an analysts reviewing those hits and creating validations - valid or invalid. Over time, this amount of work should go down as proper validations are created.

Use the following table to determine the maturity level for Tanium Reveal in your organization.

    Level 1
Level 2
Level 3
Level 4
Level 5
Process Usage Reveal module and action group configured, Tanium default rule sets deployed Target rule sets by Computer Group based on what information is acceptable vs not acceptable on those endpoints Custom rules created with provided patterns based on governance policies, e.g. customer specific account number. Rule matches investigated and data validated, Include filters and / or pattern / pattern proximity group to reduce false positives Create rules based on custom patterns. Support for eDiscovery for use in legal proceedings Taking action based on hits or label results, Identifying and investigating insider threats and policy violations
Automation Manual Manual Email alert results with Tanium Connect Email generic alert results with Tanium Connect Email specific alert results with Tanium Connect tailored to type of data discovered
Functional integration Direct Connect for direct endpoint connections Tanium Enforce for device control / removable media, Tanium Threat Response Tanium Connect, Reports on numbers of hits by endpoint or total aggregate to SIEM Tanium Impact, Tanium Data Service ITSM workflow
Reporting Manual; via Reveal workbench / dashboard for operators only Manual; Reveal workbench / dashboard for operators / peer group only Automated; Reports/Trends Boards tailored to stakeholders ranging from Operator to Executive Automated; Reports/Trends Boards tailored to stakeholders ranging from Operator to Executive and Legal Automated; Reports/Trends Boards tailored to stakeholders ranging from Operator to Executive, Legal, and HR
Metrics Endpoints managed 0-49% 50-65% 65-85% 85-95% 95-100%
Endpoints with findings >50% 25-50% 15-24% 10-14% 0-9%
Validations needed >= 60% 40-59% 20-39% 10-19% 0-9%