Risk overview

Tanium Risk provides real-time data, automation and intelligence so that you can make informed decisions faster with a comprehensive assessment of endpoint risk. Use this data to prioritize actions with intelligent risk scoring based on operational and security metrics. Risk provides reports to communicate key trends, improvements and industry benchmarks for executive and board-level reporting. By using Risk to continuously monitor endpoints, you can improve your compliance and risk posture.

Risk score

The risk score is a numerical score that represents the overall risk of the enterprise based on data from every endpoint. The possible range for a risk score is 1-1000. A lower score indicates a lower risk for the enterprise or endpoint. Scores are categorized into low, medium, high, or critical:

  • Low: 1-250
  • Medium: 251-500
  • High: 501-750
  • Critical: 751-1000

This formula is used to calculate the risk score for each endpoint:

(Risk Vectors x Asset Criticality) x (100% - Compensating Control %) = Endpoint Score

The results from all reporting endpoints are averaged, which results in the total score for the enterprise.

Risk uses the Tanium Data Service to include results for offline endpoints. For more information on the Tanium Data Service, see Tanium Console User Guide: Manage sensor results collection.

Data for the risk score is gathered from endpoints and stored every 2 hours throughout the day. The total score for the enterprise is calculated several times per day to update the charts on the Risk Overview page. The total score for the enterprise and the risk vector scores are stored as a data point once every 24 hours to preserve a daily record, which allows you to monitor changes over time. The Risk Metrics section of the Risk Overview page breaks down the score for endpoints into specific categories and use cases so that you can quickly identify high-risk endpoints. Click the title of a chart in the Risk Metrics section to open the Risk Detail page for that metric.


Factors that influence the risk score

Use data from Risk to determine actions that can decrease the overall risk score for your enterprise. Several factors influence the risk score for your environment. Some factors increase the score and others decrease it.

Risk vectors

Risk vectors assess the risk for your enterprise in specific categories by using data provided by Tanium solutions. These factors are used as part of the formula to calculate the risk score:

  • System Vulnerability
  • System Compliance
  • Administrative Access
  • Password Identification
  • Expired Certificates
  • Insecure SSL/TLS

For more information about each of these vectors, see Investigating risk vectors.

Asset criticality

Asset criticality is a rating on individual endpoints used to assess an endpoint’s impact on the overall risk score. Higher criticality ratings for a particular endpoint increase the risk score if vulnerabilities are found. Possible values are critical, high, medium, and low. These values indicate the endpoint's importance in your environment. For example, a mission-critical Domain Controller server should be assigned a critical value.

By default, all endpoints are assigned a medium criticality. As a best practice, adjust the criticality values for specific endpoints. For more information, see Assign asset criticality.

Compensating controls

Compensating controls are security best practices or configurations for hardware, operating systems, and storage that you can apply to endpoints to reduce the risk score for those endpoints.

For example, if the firewall is enabled for an endpoint, the score for that endpoint decreases by 6%. For more information, see Applying compensating controls.
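
The endpoint formula, category ranges and enterprise average from the Risk score section, worked through together with asset criticality and the 6% firewall control. This is an added example, not Tanium code: the criticality multipliers, the single combined risk-vector value per endpoint and the sample inventory are assumptions made for illustration.

```python
from statistics import mean

# ASSUMPTION: the page names the four criticality ratings but not their
# numeric weights; these multipliers are illustrative only.
CRITICALITY = {"low": 0.5, "medium": 1.0, "high": 1.5, "critical": 2.0}

# Upper bound of each category, from the ranges listed on the page.
BANDS = [(250, "Low"), (500, "Medium"), (750, "High"), (1000, "Critical")]


def endpoint_score(risk_vectors, criticality, compensating_pct):
    """(Risk Vectors x Asset Criticality) x (100% - Compensating Control %)."""
    return risk_vectors * CRITICALITY[criticality] * (100 - compensating_pct) / 100


def category(score):
    """Map a score in the 1-1000 range to its category name."""
    if not 1 <= score <= 1000:
        raise ValueError(f"score {score} is outside 1-1000")
    return next(name for upper, name in BANDS if score <= upper)


def enterprise_score(endpoints):
    """Average of the endpoint scores of all reporting endpoints."""
    return mean(endpoint_score(rv, crit, cc) for _, rv, crit, cc in endpoints)


def report(endpoints):
    """Per-endpoint (name, score, category), highest score first."""
    rows = [(n, endpoint_score(rv, c, cc)) for n, rv, c, cc in endpoints]
    return [(n, s, category(s)) for n, s in sorted(rows, key=lambda r: -r[1])]


# Constructed sample inventory: (name, combined risk-vector value,
# asset criticality, compensating control %). The 6% is the page's
# firewall example; every other number is made up.
INVENTORY = [
    ("dc01", 390, "critical", 0),
    ("web01", 300, "high", 6),
    ("lap01", 200, "medium", 0),
    ("kiosk01", 120, "low", 0),
]

if __name__ == "__main__":
    for name, score, cat in report(INVENTORY):
        print(f"{name:8} {score:7.1f} {cat}")
    total = enterprise_score(INVENTORY)
    print(f"enterprise {total:.2f} {category(total)}")
    # Same domain controller with the firewall control applied (6%).
    print(category(endpoint_score(390, "critical", 6)))
```

Under these assumed weights, leaving the domain controller at the default medium criticality would report it as Medium rather than Critical, which is why the page recommends adjusting criticality for specific endpoints.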

Integration with other Tanium products

Risk has built-in integration with Tanium™ Comply, Tanium™ Impact, Tanium™ Patch, and Tanium™ Reveal.

Comply

Comply provides data about endpoint vulnerabilities and compliance to Risk. You can open the Comply Findings page for specific endpoints, CVEs or compliance check IDs from the System Vulnerability and System Compliance risk vector pages to investigate the vulnerability or configuration compliance issues in Comply. For more information, see System Vulnerability and System Compliance.

Impact

Impact provides data about administrative access for endpoints, users, and groups to Risk. You can open Impact from the Administrative Access risk vector page to analyze potential lateral movement for users, groups, and endpoints. For more information, see Administrative Access.

Patch

You can pivot to Patch to investigate specific CVEs identified in the Highest Vulnerability Count by Highest CVE chart on the System Vulnerability risk vector page. For more information, see System Vulnerability.

Reveal

Reveal provides data about unencrypted saved passwords or sensitive data on endpoints to Risk. From the Password Identification risk vector page, you can open the associated Rules page in Reveal, where you can connect to one or more endpoints and investigate the finding. For more information, see Password Identification.