Gaining organizational effectiveness
There are four key organizational governance steps to maximizing the value delivered by Threat Response to enable time to value:
- Develop a dedicated change management process. See Change management.
- Define distinct roles and responsibilities. See RACI chart.
- Track operational maturity. See Operational metrics.
- Validate cross-functional alignment. See Organizational alignment.
Change management
Develop a tailored, dedicated change management process to set up any incident response tools for a streamlined process using Tanium Threat Response.
- Update service level agreements and align activities to key resources for Tanium Threat Response where applicable. For example, see Maturity / Metrics and RACI
-
Designate change or maintenance windows for various scenarios, where applicable. For example, setting up a Reputation source, integration with a SIEM, Log Solution, or SOAR solution.
-
Identify internal and external dependencies to incident response process. For example, to achieve effective integrations with a SIEM, Log Solution, or SOAR Solution.
-
Create a Tanium Steering Group (TSG) for discovery activities to expedite reviews and approvals of processes that align with SLAs / incident response processes, as applicable.
RACI chart
A RACI chart identifies the team or resource who is Responsible, Accountable, Consulted, and Informed, and serves as a guideline to describe the key activities across the security, risk/compliance, and operations teams. Every organization has specific business processes and IT organization demands. The following table represents Tanium’s point of view for how organizations should align functional resources against patch management. Use the following table as a baseline example.
| Task | SOC (Detection & Alerts) / L1 | Hunting Team / L2 | Incident Response (IR) | CISO | C-Level | Rationale |
|---|---|---|---|---|---|---|
|
Unstructured Threat Investigation |
C/I | R/A | C/I | - | - | One of three starts to an investigation. For example, you have a hypothesis or are not sure of specific indicators to look for. You have not yet identified a problem and use Enterprise Hunting or other tools to investigate and understand a problem. |
|
Known Target/Hypothesis |
R/A | C/I | C/I | I | - | One of three starts to an investigation wherein a known target has been identified; for example, malware X or attacker Y uses this capability or technique for malicious intent in the environment. Use one of four techniques (Index, Incident Response Sensors, Live Connection, or Tanium Questions) to understand this known target. For example, use Tanium questions to show malware and what is relevant to that technique. You might not have a specific indicator or file you are looking for, but you know the attacker will put unusual things in outruns such as a technique - but not an indicator - and use for known target for questions. |
|
Enterprise Hunting: Index, Incident Response Sensors, Tanium Questions, Live Connections |
CI | R/A | R/A | - | - | Using Tanium questions to gather enterprise-wide data to establish a hypothesis and establish what is normal activity. |
| Establish what is normal activity | R/A | R/A | R/A | - | - | Use autoruns to establish normal activity from abnormal activity. For example, if a network has 10 devices that all demonstrate the same conditions, or establish that 9 out of 10 are normal. Something might only be available on one endpoint demonstrating a need for investigation. If you have identified what is normal or abnormal, go to establishing the hypothesis of the activity; for example, an attacker created an autorun. |
| Establish hypothesis of activity | C/I | R/A | R/A | I | - | When you have established what is normal versus abnormal, you can establish a hypothesis of the activity and conduct additional hunting for more information or establish suspicious activity to take action or remediation. |
| Additional hunting required | I | R/A | R/A | - | - | While working through what is normal versus abnormal activity, and establishing a hypothesis to perform actions or remediate, you might conduct additional hunting to understand the behavior. |
| Reputation and third-party validation | R/A | C/I | C/I | - | - | The reputation services provide the capability to compare information from the enterprise against lists of known bad at scale. The reputation service and Threat Response integrate to automatically search for relevant artifacts and then create IOCs from any malicious reputations discovered in the environment and then scan them to establish exposure. |
| Establish suspicious activity | R/A | R/A | R/A | I | I | When the suspicious activity has been established, decide on a course of action that might require further monitoring or investigation, or remediate the suspicious activity using Tanium and/or external tools. |
| Further Investigation: Live Connection | C/I | R/A | R/A | - | - | Further investigations might be required to establish the real cause of any activity discovered in the previous steps. This might be performed entirely in the Tanium platform or by gathering information for analysis in 3rd party applications. |
| Further Investigation: Live Response | C/I | R/A | R/A | - | - | Further investigations might be required to establish the real cause of any activity discovered on the previous steps. This might be performed entirely in the Tanium platform or by gathering information for analysis in 3rd party applications. |
| Further Investigation: Questions | R/A | R/A | R/A | - | - | Further investigations might be required to establish the real cause of any activity discovered on the previous steps. This might be performed entirely in the Tanium platform or by gathering information for analysis in 3rd party applications. |
| Select Action/Actions | R/A | R/A | R/A | I | - | Apply established process for further action or discuss and establish new course of action for previously undocumented activity. |
| Remediation: Operational Modules | C/I | C/I | C/I | - | - | When a suspicions activity has been established, and an action identified, remediation can be conducted using Tanium Operational Modules. This may often be outside of the realm of responsibility of the security organization who needs to hand off the requirement to the operations team or might involve some level of security team involvement in actions such as quarantining while further action is performed. |
| Remediation: Security/Risk Modules | R/A | C/I | C/I | - | - | When suspicious activity has been established, and an action identified, remediation can be conducted using Tanium Security Modules through Threat Response. For example, use built-in actions to kill processes, quarantine endpoints, delete files and folders, delete registry keys, or use Tanium Enforce for application allowlisting, firewall configuration, or security policy management. |
| Remediation: External Tools | C/I | C/I | C/I | I/R/A | I | When suspicious activity has been established, and an action identified, remediation can be conducted using third-party capabilities and/or external organizations. This might often be outside the realm of responsibility of the security organization who need to hand off the requirement to the operations team or might involve some level of security team involvement in actions like quarantining while further action is performed. |
| Previously established suspicious activity | R/A | C/I | C/I | - | - | One of three starts to detection activity; for example, use Tanium Signals, YARA rules, and or IOC/STIX to validate alerts and identify true positives to further investigate and identify false positives to modify or remove intelligence and redeploy alerts. |
| Threat Intelligence: Tanium Signals | R/A | C/I | C/I | - | - | Install and deploy threat intelligence and then monitor systems for alerts from the environment. |
| Threat Intelligence: YARA Rules | R/A | C/I | C/I | - | - | Install and deploy threat intelligence and then monitor systems for alerts from the environment. |
| Threat Intelligence: IOC/STIX | R/A | C/I | C/I | - | - | Install and deploy threat intelligence and then monitor systems for alerts from the environment. |
| Validate Alerts: True Positive > Investigate | R/A | R/A | R/A | - | - | Activity that results as part of Threat Intelligence activities to validate an alert as a true positive and further investigate. This can result in escalation to higher levels. |
| Validate Alerts: False Positive > Modify/Remove Intelligence and Redeploy | R/A | R/A | R/A | - | - | SOC/L1 activity to analyze alert data and validate an alert as a false positive. This results in an action to modify or remove intelligence or to redeploy threat intelligence. Control of Threat Intelligence is often the responsibility of hunting or incident response teams. |
| Action on Results: Create Enterprise Hunting Question or Intelligence | C/I | R/A | R/A | I | - | Create alerts based on intelligence, hunting, or detection activities for automation. For example, Saved questions, alerts, or signals. Use the enterprise hunting dashboard to ask a saved question and have the results sent to SIEM or reputation tool. |
Organizational alignment
Successful organizations use Tanium across functional silos as a common platform for high-fidelity endpoint data and unified endpoint management. Tanium provides a common data schema that enables security, operations, and risk / compliance teams to assure that they are acting on a common set of facts that are delivered by a unified platform.
In the absence of cross-functional alignment, functional silos often spend time and effort in litigating data quality instead of making decisions on how to manage software and hardware assets.
Operational metrics
Threat Response maturity
Managing an incident response program successfully includes operationalization of the technology and measuring success through key benchmarking metrics. The four key processes to measure and guide operational maturity of your Tanium Threat Response program are as follows:
| Process | Description |
|---|---|
| Usage | how and when Tanium Threat Response is used in your organization |
| Automation | how automated Tanium Threat Response is, across endpoints |
| Functional Integration | how integrated Tanium Threat Response is, across IT security, IT operations, and IT risk or compliance teams |
| Reporting | how automated Tanium Threat Response is and who the audience of Threat Response reporting is |
Benchmark metrics
In addition to the key incident response processes, the three key benchmark metrics that align to the operational maturity of the Tanium Threat Response program to achieve maximum value and success are as follows:
| Executive Metrics | Threat Response Coverage | Mean Time to Investigate Threats | Mean Time to Remediate Threats |
|---|---|---|---|
| Description | The percentage of endpoints that are running Threat Response tools. | The average number of days to perform analysis of threats. | The average number of days to remediate threats. |
| Instrumentation |
The number of endpoints with an active Threat Response profile. |
The time it takes from an Alert was received, to when remediation work on the detected alert begins. |
The time it takes to author an Action or Enforce Remediation Policy status to resolve applicable Alerts. |
| Why this metric matters | If you are not including the entirety of your estate when searching for specific activity, then you are at risk. | The more quickly you can evaluate the risk associated with a given activity, the more quickly you can begin remediating a threat. | The more quickly you can remediate a threat, the more you can contain the associated damage. |
Use the following table to determine the maturity level for Tanium Threat Response in your organization.
| Level 1 (Initializing) |
Level 2 (Progressing) |
Level 3 (Intermediate) |
Level 4 (Mature) |
Level 5 (Optimized) |
||
|---|---|---|---|---|---|---|
| Process | Usage |
Threat Response installed; deployment profiles applied. Use of Threat Response questions and investigations. Components configured or in use: Index, Recorder, Detect. |
Some Tanium Signals deployed; understanding of Tanium Signals syntax basics. Live Response Destinations configured and tested. Tanium IR Quarantine tested with default configuration. Components in use: Index, Recorder, Detect, Live Response, Trends. |
Threat intelligence testing process created; tailoring Tanium Signals to the environment. Process injection alerting enabled. Multiple custom Live Response forensic data collection configurations created. Tanium IR Quarantine custom configuration setup and tested. Default Recorder filters implemented. Using Quick Scans and Background Scanning for Threat Response Intel. Components in use: Index, Recorder, Detect, Live Response, Trends, IR Content, Reputation. |
Tuned deployment strategy for profiles and intel documents, including intel testing and promotion. Process injection alerting enabled and tuned. Creation of suppression rules for Tanium Signals to reduce false positives. Threat Response Alert triage and remediation using Response Actions Custom Recorder filters. Enables longer data retention, less noise when investigating events, and better performance of THR on endpoints. Components in use: Index, Recorder, Detect, Live Response, Trends, IR Content, Reputation, Connect, SIEM / Log Solution Integration, Tanium Impact |
Proactive hunting for malicious activity (through Enterprise Hunting or Incident Response Sensors). Process injection alerting enabled and tuned. Generating custom YARA rules, IOCs, and Tanium Signals and sharing through the Threat Response community. Enables development and application of customized intel for given industry vertical and industry specific information sharing and analysis centers (ISACs). Components in use: Index, Recorder, Detect, Live Response, Trends, IR Content, Reputation, Connect, SIEM / Log Solution Integration, Tanium Enforce. |
| Automation | Some intelligence applied and imported (For example, a few Tanium Signals, OpenIOC Intel, etc.) | Additional threat intelligence applied, and intel sources added. Ex: out of the box Tanium Signals, OpenIOCs, and a subscription to a TAXII source has been configured to automate searching for malicious behavior. | Tanium Reputation and Tanium Connect saved question configured to automatically feed hashes to Reputation Providers. |
Automated Threat Response scanning of malicious hashes found via Reputation providers.
Using the Threat Response API to automate tasks. |
Integration with a SOAR Solution to automate evidence gathering, response actions, intel management (adding/removing/scanning), remediation, etc.) | |
| Functional integration | N/A | Trends Boards imported and / or integration with Reputation provider. | Threat Response is configured to surface alerts from Windows Defender and/or Deep Instinct. | Tanium Connect, SIEM / Log Solution integrated. Ex: Splunk and Yara rules set up or Splunk integration set up. | Creating remediation policies through Tanium Enforce and integration with a SOAR solution to automate data collection and performing actions. | |
| Reporting | Manual; through Threat Response workbench or dashboard for operators only. | Manual; Threat Response integration with Tanium Trends. | Automated; exporting data through file, email, or SQL to feed reports. | Automated; using SIEM / Log Solution; Ex: Splunk including the Tanium Splunk application. | Automated; using a SOAR solution for a holistic view of activity. | |
| Metrics | Threat Response Coverage (% of Total) | 0-60% | 61-70% | 71-85% | 86-94% | >95% |
| Mean Time to Investigate Threat (time) | >45 days | 31-45 days | 15-30 days | 8-14 days | 0-7 days | |
| Mean Time to Remediate Threat (time) | >45 days | 31-45 days | 15-30 days | 8-14 days | 0-7 days | |
| Historical Lookback Time | 0 - 7 days | 8 - 14 days | 15 - 30 days | 31 - 45 days | >45 days |
Last updated: 9/25/2023 11:30 AM | Feedback