Risk overview
Tanium Risk provides real-time data, automation and intelligence so that you can make informed decisions faster with a comprehensive assessment of endpoint risk. Use this data to prioritize actions with intelligent risk scoring based on operational and security metrics. Risk provides reports to communicate key trends, improvements and industry benchmarks for executive and board-level reporting. By using Risk to continuously monitor endpoints, you can improve your compliance and risk posture.
Risk score
The risk score is a numerical score that represents the overall risk of the enterprise based on data from every managed endpoint. The possible range for a risk score is 1-1000. A lower score indicates a lower risk for the enterprise or endpoint. Scores are categorized into low, medium, high, or critical:
- Low: 1-250
- Medium: 251-500
- High: 501-750
- Critical: 751-1000
The following formula is used to calculate the risk score for each managed endpoint:
(Risk Vectors x Endpoint Criticality) x (100% - Compensating Control %) = Endpoint Score
The results from all reporting managed endpoints are averaged, which results in the total score for the enterprise.
Risk uses the Tanium Data Service to include results for offline endpoints. For more information on the Tanium Data Service, see Tanium Console User Guide: Manage sensor results collection.
By default, data for the risk score is gathered from endpoints and stored every 2 hours throughout the day. The total score for the enterprise is calculated several times per day to update the charts on the Risk Overview page. The total score for the enterprise and the risk vector scores are stored as a data point once every 24 hours to preserve a daily record, which allows you to monitor changes over time. The Risk Metrics section of the Risk Overview page breaks down the score for endpoints into specific categories and use cases so that you can quickly identify high-risk endpoints. Click the title of a chart in the Risk Metrics section to open the Risk Detail page for that metric.
Factors that influence the risk score
Use data from Risk to determine actions that can decrease the overall risk score for your enterprise. Several factors influence the risk score for your environment. Some factors increase the score and others decrease it.
Risk vectors
Risk vectors assess the risk for your enterprise in specific categories by using data provided by Tanium solutions. These data points are used as part of the formula to calculate the risk score:
- System Vulnerability
- System Compliance
- Administrative Access
- Password Identification
- Expired Certificates
- Insecure SSL/TLS
For more information about each of these vectors, see Investigating risk vectors.
Endpoint criticality
Endpoint criticality is a level assigned to an individual endpoint to add context about that endpoint in the organization. Possible levels are Critical, High, Medium, and Low. These levels indicate the endpoint's importance in your environment.
The score for an endpoint is adjusted based on the criticality level:
- Low: No adjustment to the score for the endpoint
- Medium: (Default) Multiplies the score for the endpoint by 1.33
- High: Multiplies the score for the endpoint by 1.67
- Critical: Multiplies the score for the endpoint by 2
For example, if an endpoint has a score of 200, but the endpoint is flagged as critical, the score reported for that endpoint is 400.
Risk uses Tanium Criticality to manage criticality levels for endpoints. For more information, see Tanium Criticality User Guide: Criticality overview.
Compensating controls
Compensating controls are security best practices or configurations for hardware, operating systems, and storage that you can apply to endpoints to reduce the risk score for those endpoints.
For example, if the firewall is enabled for an endpoint, the score for that endpoint decreases by 6%. For more information, see Applying compensating controls.
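The following Python sketch is an added example, not Tanium code. It applies the endpoint score formula above with the criticality multipliers and score categories listed on this page, then averages a small constructed fleet into an enterprise score and orders the endpoints for triage. Assumptions: the risk vectors are already combined into one number per endpoint (this page does not say how they combine), results are rounded and clamped to the 1-1000 range, and the endpoint names are made up.

```python
from statistics import mean

# Multipliers and score bands as listed on this page.
CRITICALITY = {"Low": 1.0, "Medium": 1.33, "High": 1.67, "Critical": 2.0}
BANDS = [(250, "Low"), (500, "Medium"), (750, "High"), (1000, "Critical")]


def endpoint_score(vector_score, criticality="Medium", control_pct=0.0):
    """(Risk Vectors x Endpoint Criticality) x (100% - Compensating Control %)."""
    if criticality not in CRITICALITY:
        raise ValueError(f"unknown criticality level: {criticality!r}")
    if not 0 <= control_pct <= 100:
        raise ValueError("compensating control reduction must be 0-100 percent")
    raw = vector_score * CRITICALITY[criticality] * (100 - control_pct) / 100
    # Assumption: round and clamp into the documented 1-1000 range.
    return max(1, min(1000, round(raw)))


def category(score):
    """Map a score to the Low/Medium/High/Critical band."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError("score above 1000")


def enterprise_score(fleet):
    """Average of all endpoint scores, as described for the enterprise total."""
    return round(mean(endpoint_score(*e[1:]) for e in fleet))


def triage(fleet):
    """Endpoints ordered highest score first, with their band."""
    scored = [(name, endpoint_score(*rest)) for name, *rest in fleet]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, score, category(score)) for name, score in scored]


# Constructed sample fleet: (name, combined risk vector score, criticality, control %).
FLEET = [
    ("db-01", 200, "Critical", 6),    # firewall enabled: 6% reduction
    ("app-02", 300, "High", 0),
    ("kiosk-03", 120, "Low", 0),
    ("laptop-04", 300, "Medium", 6),
]

if __name__ == "__main__":
    for row in triage(FLEET):
        print(row)
    print("enterprise:", enterprise_score(FLEET), category(enterprise_score(FLEET)))
```

With the same combined vector score of 300, the endpoint at High criticality lands in the High category while the one at Medium criticality stays in Medium, which is why criticality assignments change the triage order.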
Integration with other Tanium products
Risk has built-in integration with Tanium™ Comply, Tanium™ Criticality, Tanium™ Impact, Tanium™ Patch, and Tanium™ Reveal.
Comply
Comply provides data about endpoint vulnerabilities and compliance to Risk. To investigate the vulnerability or configuration compliance issues in Comply, open the Comply Findings page for specific endpoints, Common Vulnerabilities and Exposures (CVEs), or compliance check IDs from the System Vulnerability and System Compliance risk vector pages. For more information, see System Vulnerability and System Compliance.
Criticality
Assign and manage criticality levels for endpoints. Risk uses the criticality levels in endpoint score calculations. For more information, see Tanium Criticality User Guide: Assigning criticality to endpoints.
Impact
Impact provides data about administrative access for endpoints, users, and groups to Risk. You can open Impact from the Administrative Access risk vector page to analyze potential lateral movement for users, groups, and endpoints. For more information, see Administrative Access.
Patch
You can pivot to Patch to investigate specific Common Vulnerabilities and Exposures (CVEs) identified in the Highest Vulnerability Count by Highest CVE chart on the System Vulnerability risk vector page. For more information, see System Vulnerability.
Reveal
Reveal provides data about unencrypted saved passwords or sensitive data on endpoints to Risk. From the Password Identification risk vector page, you can open the associated Rules page in Reveal, where you can connect to one or more endpoints and investigate the finding. For more information, see Password Identification.
Last updated: 2/3/2023 3:18 PM