Succeeding with Threat Response

Follow these best practices to achieve maximum value and success with Tanium Threat Response. These steps align with the key benchmark metrics: increasing the Threat Response coverage across endpoints and reducing the mean times to investigate and remediate threats.

Step 1: Gain organizational effectiveness

Develop a dedicated change management process.

Define distinct roles and responsibilities in a RACI chart.

Validate cross-functional organizational alignment.

Track operational metrics.

Step 2: Install Tanium modules

Install Tanium Threat Response. See Installing Threat Response.

Install Tanium Trends. See Tanium Trends User Guide: Installing Trends.

Install Tanium Reputation. See Tanium Reputation User Guide: Installing Reputation.

Install Tanium Protect. See Tanium Protect User Guide: Installing Protect.

Install Tanium Connect. See Tanium Connect User Guide: Installing Connect.

Install Tanium Direct Connect. See Tanium Direct Connect User Guide: Installing Direct Connect.

Install Tanium Impact. See Tanium Direct Connect User Guide: Installing Direct Connect.

Step 3: Configure Threat Response

Create computer groups for use in Threat Response profiles. See Tanium Console User Guide: Create computer groups.

Set the service account credentials.

Import and configure Threat Response with custom settings.

Modify module configurations to suit deployment schedules and requirements. See Creating configurations.

Configure Threat Intelligence sources. See Adding intel.

Import Intel documents. See Create intel documents.

Label Intel documents for inclusion in Threat Response configurations. See Label intel.

Create Intel configurations. See Create intel configurations.

Configure filters and exclusions. See Create indexing and hashing exclusions.

Create Engine configurations. See Create engine configurations.

Create Recorder configurations. See Create recorder configurations.

Create Index configurations. See Create index configurations.

Create profiles. See Creating profiles.

Step 4: Deploy Profiles

Threat Response Tools and intel deploy automatically on a schedule when you deploy profiles to endpoints. See Deploy a profile.

Step 5: Configure Live Response

Create Live Response destinations. See Collecting data from endpoints.

Create Live Response collections. See Collecting files from endpoints: Collections.

Generate Live Response packages. See Collecting files from endpoints: Collect data from endpoints.

Step 6: Configure Direct Connect for live connections

Connect to live endpoints. See Connecting to live endpoints and exploring data.

Browse the file system on endpoints. See Connecting to live endpoints and exploring data.

Collect snapshots and download saved evidence. See Manage snapshots.

Step 7: Configure Connect for reputation questions

Configure reputation data in Connect. See Set up the reputation service.

Step 8: Monitor Threat Response Metrics

Review recorded data for tuning and performance improvements. For more information, see Create filters.

Step 9: Review Operational Metrics from alerts and intel and tune settings as required

Modify signals for performance. See Reference: Authoring Signals.

Create suppression rules to minimize false positives. See Managing alerts.

Step 10: Review Trends Metrics

From the Trends menu, click Boards and then click Threat Response to view the Threat Response - Alerts and Threat Response - Deployment boards.

The remaining steps are cyclical: the advised actions are either hunting for indicators of compromise or responding to existing events.

Step 11: Use the Enterprise Hunting dashboard or Interact questions to search across the environment

Identify outliers or events of interest. See Searching across the enterprise.

Use live connections or Live Response to gather evidence and verify suspicious activity and possible interaction with other systems. See Connecting to live endpoints and exploring data and Collecting data from endpoints.

Remediate endpoints to either resolve issues entirely, or preserve data for further investigation. See Remediate alerts in Tanium Protect and Initiate a Response Action from an alert.

Review findings from threat hunting exercises.

Step 12: Review generated alerts from deployed intelligence

Confirm the validity of an alert.

Use live connections or Live Response to gather evidence and verify suspicious activity and possible interaction with other systems. See Connecting to live endpoints and exploring data and Collecting data from endpoints.

Remediate endpoints to either resolve issues entirely, or preserve data for further investigation. See Remediate alerts in Tanium Protect and Initiate a Response Action from an alert.

Review findings from alert-based investigation. Modify existing intel to increase detection fidelity, codify findings into new intelligence to allow ongoing automated detections, generate saved questions to enable future searches, and configure Connect to output relevant data to SIEM for ongoing analysis.

Last updated: 8/12/2020 2:46 PM