Investigating risk vectors

Risk vectors, which assess the risk for your enterprise in specific categories, determine part of the overall risk score. To review the formula for the risk score, see Risk score.

Risk continuously monitors endpoints for changes and updates the reports, tables, and charts to reflect those changes. Once every 24 hours a snapshot is taken to preserve a daily record of the score at that time, which allows you to monitor changes over time.

If an endpoint does not have the necessary tools to calculate the score for a vector, the score for that vector on the endpoint defaults to 0. For more information, see Risk Vector Calculation Issues.

View risk vector overview

  1. View the contribution to the total risk score from each risk vector. On the Risk Overview page, click Help and then click Risk Score.
  2. View the score for each risk vector. From the Risk Overview page, go to the Risk Vectors section.
  3. Click a category to open the page for that vector for further investigation. The page for each vector has charts to show detailed information about the riskiest managed endpoints for that vector.
  4. From the Risk Vector page, you can switch between vector pages with the dropdown menu. Select a computer group to refine the data on the page to that group. When you select a computer group, all scores for that group are calculated on demand. The available computer groups are those that are configured in the Reporting service.

    Only managed endpoints contribute to the risk score.

Review System Vulnerability

The System Vulnerability vector uses data from Tanium Comply to determine which endpoints are not patched against documented Common Vulnerabilities and Exposures (CVEs) and the severity of the vulnerabilities on the endpoint. The maximum score for this vector is 40% of the total score.

  1. From the Risk Overview page, go to the Risk Vectors section. Click System Vulnerability.
  2. Review system vulnerability over time. The System Vulnerability Over Time chart shows the change in the average system vulnerability score for your enterprise over the past 90 days. Monitor this chart to determine how the system vulnerability score changes as you patch CVEs or new vulnerabilities are announced.
  3. View the endpoints with the highest number of detected vulnerabilities. Click the Endpoints tab to show the Endpoints by Endpoint Criticality and Vulnerability chart. This chart shows the endpoints that have the highest number of detected vulnerabilities. Remediate the vulnerabilities on these endpoints to reduce the risk that they present.

  4. Click the CVEs tab to show the Highest Vulnerability Count by Highest CVE chart. This chart shows the endpoints with the highest CVE ratings, grouped by CVE.

  5. You can use Comply to explore the vulnerabilities on endpoints, and then use Patch to remediate the vulnerabilities. On the Endpoints or CVEs tab, select one or more endpoints or CVEs and click Explore in Comply to investigate the vulnerability findings for those endpoints or specific CVEs. On the CVEs tab, select one or more CVEs and click Remediate in Patch to open the Patches page for that CVE.


For more information, see Comply User Guide: Filter vulnerability findings and Patch User Guide: Create lists from the Patches view.

Review System Compliance

The System Compliance vector uses data from Tanium Comply to assess the compliance state of endpoints:

  • Of all the compliance checks that have been run against the endpoint, what is the ratio of pass to fail?
  • How compliant is the endpoint when measured against the defined compliance policy for the organization?

To reduce risk, establish and preserve secure configurations for endpoints and software (operating systems and applications) to meet organizational security policies and standards. The maximum score for this vector is 20% of the total score.

  1. From the Risk Overview page, go to the Risk Vectors section. Click System Compliance.
  2. Review system compliance over time. The System Compliance Over Time chart shows the change in the average system compliance score for your enterprise over the past 90 days. Monitor this chart to determine how the compliance score changes as you secure configurations on endpoints.
  3. View the endpoints with the highest number of compliance failures. Click the Summary tab to show the Endpoints by Compliance Rule Failures chart. This chart shows the endpoints that have the highest number of compliance failures.

  4. Click the Total Failures tab to show the Endpoints by Compliance Rule Failures chart. This chart shows the endpoints that have the highest number of compliance failures.

  5. Click the Rule Failures tab to show the Compliance Rule Failures by Failed Endpoint Count chart. This chart shows the compliance rules that have the highest number of failed endpoints.

  6. You can use Comply to explore the compliance failures on endpoints, and then use Enforce to update the configuration for endpoints. On any tab, select one or more endpoints or compliance check IDs and click Explore in Comply to investigate the compliance findings for those endpoints or specific compliance checks.

For more information, see Comply User Guide: Filter compliance findings and Enforce User Guide: Creating policies.

Review Administrative Access

The Administrative Access vector uses data from Tanium Impact to analyze the potential lateral movement for an endpoint if it is compromised, including outbound impact, inbound impact, direct control, and indirect control. For more information, see Impact User Guide: Credential dumping and lateral movement.

To reduce risk, implement the least-privilege model on endpoints and limit administrative access whenever possible to prevent attackers from obtaining elevated privileges and limit potential lateral movement. For more information, see Impact User Guide: Reference: Remediation resources. The Administrative Access vector gathers data only from domain-joined managed Windows endpoints. The maximum score for this vector is 20% of the total score.

  1. From the Risk Overview page, go to the Risk Vectors section. Click Administrative Access.
  2. Review administrative access over time. The Administrative Access Over Time chart shows the change in the average administrative access score for your enterprise over the past 90 days. Monitor this chart to determine how the administrative access score changes as you secure endpoints.
  3. Click the Summary tab to show the Endpoints by Impact Rating chart. This chart shows the endpoints that have the highest impact rating.

  4. Click the Endpoints tab to show the Endpoints by Impact Rating and Endpoint Criticality chart. This chart shows the endpoints that have the highest impact and criticality ratings.

  5. Click the Groups tab to show the Top 20 Groups by Impact Rating, Direct and Indirect Control chart. This chart shows the groups that have the highest impact and criticality ratings.

  6. Click the Users tab to show the Top 20 Users by Impact Rating, Direct and Indirect Control chart. This chart shows the users that have the highest impact and criticality ratings.

  7. Click Explore in Impact to open Impact, where you can analyze potential lateral movement for users, groups, and endpoints.

For more information, see Impact User Guide: Identifying high impact users, endpoints, and groups.

Review Password Identification

The Password Identification vector uses data from Tanium Reveal to check for unencrypted saved passwords or sensitive data on the endpoint.

To reduce risk, limit access to sensitive data such as authentication credentials, and ensure that passwords are not stored in plain text. These measures prevent attackers and insider threats from accessing those credentials and gaining unauthorized access to endpoints and data. The maximum score for this vector is 10% of the total score.

  1. From the Risk Overview page, go to the Risk Vectors section. Click Password Identification.
  2. Review the endpoints where unencrypted files with saved passwords were found. The Password Identification section of this page shows the number of endpoints with such files. The Endpoints by Confirmed Visible Passwords chart shows the endpoints on which visible passwords were found.

    Only validated matches impact the risk score. For more information, see Validating pattern matches.

  3. Click Explore in Reveal to open the associated Rules page in Reveal, where you can connect to one or more endpoints and investigate the finding.

For more information on investigating rule matches using Reveal, see Reveal User Guide: Investigating rule matches.

Review Expired Certificates

The Expired Certificates vector uses data from Tanium Core Content sensors to check for expired SSL or TLS certificates in use on the endpoint.

Expired Transport Layer Security (TLS) and Secure Sockets Layer (SSL) certificates are a security issue because organizations cannot validate the revocation status of an expired certificate and therefore cannot confirm that it can be trusted. The maximum score for this vector is 5% of the total score.

  1. From the Risk Overview page, go to the Risk Vectors section. Click Expired Certificates.
  2. Review expired certificates over time. The Expired Certificates Over Time chart shows the change in the average expired certificates score for your enterprise over the past 90 days. Monitor this chart to determine how the expired certificates score changes as you update certificates on endpoints.
  3. Click the Summary tab to show the Endpoints with Expired Certificates by Endpoint Criticality and Score chart. This chart shows the endpoints that have the highest number of expired certificates, weighted by endpoint criticality.

  4. Click the Certificates by Ports tab to show the Endpoints with Expired Certificates by Port chart. This chart shows the endpoints that have the highest risk score and the detected TCP ports on the endpoint.

Review Insecure SSL/TLS

The Insecure SSL/TLS vector uses data from Tanium Core Content sensors to check for insecure SSL or TLS certificates in use on the endpoint.

To reduce risk, update any insecure or outdated transport layer security protocols (SSLv3, TLSv1) in use on endpoints; these protocols can expose enterprise assets to man-in-the-middle attacks and expose sensitive data to attackers through browser exploitation. The maximum score for this vector is 5% of the total score.

  1. From the Risk Overview page, go to the Risk Vectors section. Click Insecure SSL/TLS.
  2. Review insecure TLS/SSL over time. The Insecure TLS/SSL Over Time chart shows the change in the average insecure certificates score for your enterprise over the past 90 days. Monitor this chart to determine how the insecure TLS/SSL score changes as you update certificates and protocols on endpoints.
  3. Click the Summary tab to show the Endpoints with Insecure Transport Security Protocols by Endpoint Criticality and Score chart. This chart shows the endpoints that have the highest number of insecure certificates, weighted by endpoint criticality.

  4. Click the Protocol/Port tab to show the Endpoints with Detected Protocols chart. This chart shows the endpoints that have the highest overall risk scores and are currently using insecure and outdated transport layer security protocols (SSLv3, TLSv1) to secure communications.
