Gaining organizational effectiveness
There are four key organizational governance steps to maximizing the value delivered by Threat Response to enable time to value:
- Develop a dedicated change management process. See Change management.
- Define distinct roles and responsibilities. See RACI chart.
- Track operational maturity. See Operational metrics.
- Validate cross-functional alignment. See Organizational alignment.
Develop a tailored, dedicated change management process to set up any Endpoint Detection & Response (EDR) tools for a streamlined process using Tanium Threat Response.
- Update service level agreements and align activities to key resources for Tanium Threat Response where applicable. For example, see Maturity / Metrics and RACI
Designate change or maintenance windows for various scenarios, where applicable. For example, setting up a Reputation source, integration with a SIEM, Log Solution, or SOAR solution.
Identify internal and external dependencies to EDR process. For example, to achieve effective integrations with a SIEM, Log Solution, or SOAR Solution.
Create a Tanium Steering Group (TSG) for discovery activities to expedite reviews and approvals of processes that align with SLAs / EDR processes, as applicable.
A RACI chart identifies the team or resource who is Responsible, Accountable, Consulted, and Informed, and serves as a guideline to describe the key activities across the security, risk/compliance, and operations teams. Every organization has specific business processes and IT organization demands. The following table represents Tanium’s point of view for how organizations should align functional resources against patch management. Use the following table as a baseline example.
|Task||SOC (Detection & Alerts) / L1||Hunting Team / L2||Incident Response (IR)||CISO||C-Level||Rationale|
Unstructured Threat Investigation
|C/I||R/A||C/I||-||-||One of three starts to an investigation. For example, you have a hypothesis or are not sure of specific indicators to look for. You have not yet identified a problem and use Enterprise Hunting or other tools to investigate and understand a problem.|
|R/A||C/I||C/I||I||-||One of three starts to an investigation wherein a known target has been identified; for example, malware X or attacker Y uses this capability or technique for malicious intent in the environment. Use one of four techniques (Index, Incident Response Sensors, Live Connection, or Tanium Questions) to understand this known target. For example, use Tanium questions to show malware and what is relevant to that technique. You might not have a specific indicator or file you are looking for, but you know the attacker will put unusual things in outruns such as a technique - but not an indicator - and use for known target for questions.|
Enterprise Hunting: Index, Incident Response Sensors, Tanium Questions, Live Connections
|CI||R/A||R/A||-||-||Using Tanium questions to gather enterprise-wide data to establish a hypothesis and establish what is normal activity.|
|Establish what is normal activity||R/A||R/A||R/A||-||-||Use autoruns to establish normal activity from abnormal activity. For example, if a network has 10 devices that all demonstrate the same conditions, or establish that 9 out of 10 are normal. Something might only be available on one endpoint demonstrating a need for investigation. If you have identified what is normal or abnormal, go to establishing the hypothesis of the activity; for example, an attacker created an autorun.|
|Establish hypothesis of activity||C/I||R/A||R/A||I||-||When you have established what is normal versus abnormal, you can establish a hypothesis of the activity and conduct additional hunting for more information or establish suspicious activity to take action or remediation.|
|Additional hunting required||I||R/A||R/A||-||-||While working through what is normal versus abnormal activity, and establishing a hypothesis to perform actions or remediate, you might conduct additional hunting to understand the behavior.|
|Reputation and third-party validation||R/A||C/I||C/I||-||-||The reputation services provide the capability to compare information from the enterprise against lists of known bad at scale. The reputation service and Threat Response integrate to automatically search for relevant artifacts and then create IOCs from any malicious reputations discovered in the environment and then scan them to establish exposure.|
|Establish suspicious activity||R/A||R/A||R/A||I||I||When the suspicious activity has been established, decide on a course of action that might require further monitoring or investigation, or remediate the suspicious activity using Tanium and/or external tools.|
|Further Investigation: Live Connection||C/I||R/A||R/A||-||-||Further investigations might be required to establish the real cause of any activity discovered in the previous steps. This might be performed entirely in the Tanium platform or by gathering information for analysis in 3rd party applications.|
|Further Investigation: Live Response||C/I||R/A||R/A||-||-||Further investigations might be required to establish the real cause of any activity discovered on the previous steps. This might be performed entirely in the Tanium platform or by gathering information for analysis in 3rd party applications.|
|Further Investigation: Questions||R/A||R/A||R/A||-||-||Further investigations might be required to establish the real cause of any activity discovered on the previous steps. This might be performed entirely in the Tanium platform or by gathering information for analysis in 3rd party applications.|
|Select Action/Actions||R/A||R/A||R/A||I||-||Apply established process for further action or discuss and establish new course of action for previously undocumented activity.|
|Remediation: Operational Modules||C/I||C/I||C/I||-||-||When a suspicions activity has been established, and an action identified, remediation can be conducted using Tanium Operational Modules. This may often be outside of the realm of responsibility of the security organization who needs to hand off the requirement to the operations team or might involve some level of security team involvement in actions such as quarantining while further action is performed.|
|Remediation: Security/Risk Modules||R/A||C/I||C/I||-||-||When suspicious activity has been established, and an action identified, remediation can be conducted using Tanium Security Modules through Threat Response. For example, use built-in actions to kill processes, quarantine endpoints, delete files and folders, delete registry keys, or use Tanium Protect for application whitelisting, firewall configuration, or security policy management.|
|Remediation: External Tools||C/I||C/I||C/I||I/R/A||I||When suspicious activity has been established, and an action identified, remediation can be conducted using third-party capabilities and/or external organizations. This might often be outside the realm of responsibility of the security organization who need to hand off the requirement to the operations team or might involve some level of security team involvement in actions like quarantining while further action is performed.|
|Previously established suspicious activity||R/A||C/I||C/I||-||-||One of three starts to detection activity; for example, use Tanium Signals, YARA rules, and or IOC/STIX to validate alerts and identify true positives to further investigate and identify false positives to modify or remove intelligence and redeploy alerts.|
|Threat Intelligence: Tanium Signals||R/A||C/I||C/I||-||-||Install and deploy threat intelligence and then monitor systems for alerts from the environment.|
|Threat Intelligence: YARA Rules||R/A||C/I||C/I||-||-||Install and deploy threat intelligence and then monitor systems for alerts from the environment.|
|Threat Intelligence: IOC/STIX||R/A||C/I||C/I||-||-||Install and deploy threat intelligence and then monitor systems for alerts from the environment.|
|Validate Alerts: True Positive > Investigate||R/A||R/A||R/A||-||-||Activity that results as part of Threat Intelligence activities to validate an alert as a true positive and further investigate. This can result in escalation to higher levels.|
|Validate Alerts: False Positive > Modify/Remove Intelligence and Redeploy||R/A||R/A||R/A||-||-||SOC/L1 activity to analyze alert data and validate an alert as a false positive. This results in an action to modify or remove intelligence or to redeploy threat intelligence. Control of Threat Intelligence is often the responsibility of hunting or incident response teams.|
|Action on Results: Create Enterprise Hunting Question or Intelligence||C/I||R/A||R/A||I||-||Create alerts based on intelligence, hunting, or detection activities for automation. For example, Saved questions, alerts, or signals. Use the enterprise hunting dashboard to ask a saved question and have the results sent to SIEM or reputation tool.|
Successful organizations use Tanium across functional silos as a common platform for high-fidelity endpoint data and unified endpoint management. Tanium provides a common data schema that enables security, operations, and risk / compliance teams to assure that they are acting on a common set of facts that are delivered by a unified platform.
In the absence of cross-functional alignment, functional silos often spend time and effort in litigating data quality instead of making decisions on how to manage software and hardware assets.
Managing an Enterprise Detection Response (EDR) program successfully includes operationalization of the technology and measuring success through key benchmarking metrics. The four key processes to measure and guide operational maturity of your Tanium Threat Response program are as follows:
|Usage||how and when Tanium Threat Response is used in your organization|
|Automation||how automated Tanium Threat Response is, across endpoints|
|Functional Integration||how integrated Tanium Threat Response is, across IT security, IT operations, and IT risk or compliance teams|
|Reporting||how automated Tanium Threat Response is and who the audience of Threat Response reporting is|
In addition to the key EDR processes, the three key benchmark metrics that align to the operational maturity of the Tanium Threat Response program to achieve maximum value and success are as follows:
|Executive Metrics||Threat Response Coverage||Mean Time to Investigate Threats||Mean Time to Remediate Threats|
|Description||The percentage of endpoints that are running Threat Response tools.||The average number of days to perform analysis of threats.||The average number of days to remediate threats.|
The number of endpoints with an active Threat Response profile.
The time it takes from an Alert was received, to when remediation work on the detected alert begins.
|The time it takes to author an Action or Protect Remediation Policy status to resolve applicable Alerts.|
|Why this metric matters||If you are not including the entirety of your estate when searching for specific activity, then you are at risk.||The more quickly you can evaluate the risk associated with a given activity, the more quickly you can begin remediating a threat.||The more quickly you can remediate a threat, the more you can contain the associated damage.|
Use the following table to determine the maturity level for Tanium Threat Response in your organization.
|Process||Usage||Threat Response installed and basic profile configurations applied.
Enables use of Threat Response questions and investigations.
|Multiple profiles configured and Live Response Destinations configured and tested. Users understand Signals syntax basics.
Enables forensics data collection and tailoring of Signals to the environment.
|Multiple configurations created & reused between profiles. Recorder filters created. Index exclusions created. and threat intelligence testing process created. Multiple custom Live Response configurations created and regularly tested.
Enables specific forensic data collection for different needs.
|Tuned deployment strategy for profiles and intel documents and sources.
Recorder filters created for specific profiles or devices. Index exclusions created for specific profiles and devices.
Enables better performance of Threat Response on endpoints.
|Generating YARA rules, IOCs, Signals and sharing through the Threat Response community.
Enables development and application of customized intel for given industry vertical and industry specific information sharing and analysis centers (ISACs).
|Automation||Some intelligence applied||Additional threat intelligence applied and intel sources added, for example, a subscription to a TAXII source has been configured.||Enterprise hunting questions have been set up and used. A reputation provider source has been set up and used with blacklists and whitelists configured. A history of making live connections and saving evidence has been established.||Process for reviewing and removing or modifying intel and saved questions has been set up and used for Reputation and custom signals have been created. Using snapshots and saved evidence for indicator generation and Response Actions being used.||Linking intel documents to MITRE ATT&CK framework or SOAR solution.|
|Functional integration||N/A||Trends Boards imported and / or integration with Reputation provider.||3rd Party Reputation source set up and Incident Response content imported.||Tanium Connect, SIEM / Log Solution integrated. For example, Splunk and Yara rules set up or Splunk integration set up.||Creating remediation policies through Tanium Protect and integration with a SOAR solution to automate data collection and performing actions.|
|Reporting||Manual; through Threat Response workbench or dashboard for operators only.||Manual; Threat Response integration with Tanium Trends||Automated; exporting data through file, email, or SQL to feed reports.||Automated; using SIEM / Log Solution; for example, Splunk including the Tanium Splunk application.||Automated; using a SOAR solution for a holistic view of activity|
|Metrics||Threat Response Coverage (% of Total)||0-30%||31-60%||61-80%||81-90%||>90%|
|Mean Time to Investigate Threat (time)||>45 days||31-45 days||15-30 days||8-14 days||0-7 days|
|Mean Time to Remediate Threat (time)||>45 days||31-45 days||15-30 days||8-14 days||0-7 days|
Last updated: 10/16/2020 2:08 PM | Feedback