On the Hunt with Modern Cyber Hunters

Posted on 07.27.15 by Team Tanium

Q&A with David Damato and Kris McConkey

Tanium Chief Security Officer David Damato and PwC UK Cyber Security Partner Kris McConkey have spent their careers on the front lines of the fight against cyber criminals within the networks of the world’s largest companies and institutions. With Tanium and PwC partnering to revolutionize how security and IT operations teams detect and respond to intrusions, we sat down with Dave and Kris to talk shop…and how their new partnership will change the game.

Why Tanium? What do PwC customers gain from Tanium’s capabilities?

Kris McConkey: We regularly get called into client environments to deal with breaches, and whenever we ask for specific data we are often told that our client doesn’t have the visibility or any method to actually go in and glean specific artifacts from their endpoints. Where they do, it can often take hours or days to gather the digital breadcrumbs that help us pinpoint where intruders are lurking in an environment. We were dealing with multi-continent espionage intrusions, amongst other incidents, and generally finding that we needed to move away from the concept of having fly-to-site teams to deal with every issue. We needed something that helped us deal with incident analysis at scale because we are dealing with some of the world’s largest organizations. We wanted something that enables much more remote investigation and real time analysis of corporate environments.

So, we started looking for solutions in the endpoint threat detection space. We looked at quite a few and found that Tanium is really the only one that is flexible enough to let us do all of what we wanted in an environment: being able to extract all the telemetry from an environment for analysis in other solutions we have developed and watch what’s actually happening on the endpoints; and also push all of the threat intelligence and signatures that we generate into an IT estate and actually have the endpoints go and do some of that analysis and searching for us.

We immediately latched on to the flexibility of the Tanium platform. We generally consider ourselves “power users” and are able to design a lot of custom stuff. A lot of the other solutions were too closed for our liking.

David Damato: Having performed and led consulting services during the past decade, I understand that each consulting engagement is unique. As a result, consultants need to be armed with tools that allow tremendous flexibility in order to address each customer’s unique set of challenges. Tanium provides such flexibility: it supports a wide range of standards, development of custom content, and integration with other tools via a well documented API. Kris and his team at PwC are already taking advantage of this flexibility and architecture to provide tailored solutions for their clients.

I relate to the challenges faced by PwC and their clients. Organizations are asking for help with investigating complex incidents and looking for ways to gain better visibility into the risks within their environments. The Tanium platform allows PwC’s experts to quickly unlock endpoint artifacts, which weren’t previously available. This new visibility and speed at which critical data can be obtained provides Kris and his team with a competitive advantage over other consultancies relying on the previous generation of endpoint technology.

How have you seen the threat landscape change during your career? What keeps you up at night?

Dave: Honestly, the threat landscape hasn’t changed significantly — that’s the problem. Despite attacker tactics remaining relatively similar to breaches observed five or ten years ago, we’re seeing more breaches today than three or four years ago.

What is most concerning is the speed at which attackers operate today. Most attackers understand how to quickly gain a foothold in an environment and move laterally in a very short period of time. What now takes hours used to take days or weeks. As a result, organizations have to be able to detect and resolve attacks very quickly — one of the reasons why Tanium’s speed and ability to take action on an endpoint speaks to our customers.

Kris: If you think about the timeline of APT intrusions, it’s really been a problem for both the US and UK now for over 10 years, with the scale of the issue increasing significantly and affecting many other countries during that timeframe. The bit that has been very interesting, and perhaps surprising, is seeing more and more players getting in on the game. In November 2014, we were tracking groups distributed between 12 countries. In the last 9 months alone, that list has grown by an additional 8 countries.

It’s interesting watching more and more of this activity actually happening by new players entering the market. There’s a lot of the old players and they’re still successful with the old tricks, just as Dave says, but some of the really advanced stuff is quite scary whenever you realize the extent of it.

What surprises you the most when working on the front line of data breaches?

Kris: Well, one of the most exciting aspects of our job is the thrill of the chase. When a client knows they have an intruder in their network but don’t know where — when perhaps they’ve been tipped off by a government agency — those first few hours or days of hunting, in an unfamiliar network, finding evidence of where the bad guys are hiding and determining which threat actor it is, are fast-paced and intense.

What’s surprising is how some of these guys react whenever you find them. We’ve seen a comprehensive shift in some threat actors’ behaviour once they’ve realised that we found them. Dave will have seen it as well on multiple cases: instances of them trying to work out how the heck we are finding them so they can take some sort of evasive action. It’s a bit of a reminder that what we’re doing is the digital equivalent of hand-to-hand combat. It literally is human versus human.

Dave: I’m still surprised by the ease with which attackers are able to breach networks without detection. Most organizations are relying on solutions like antivirus or network sensors to detect attacks. I think we all realize antivirus is not very effective. But, I also think organizations fail to realize network sensors can’t determine what actually happened on an endpoint and are not designed to examine encrypted traffic, which can be anywhere from 20% to 50% of your Internet traffic.

Organizations need to focus on the endpoint. It’s the source of all the information you need. If you can obtain that information quickly and at scale, you can answer virtually any question. How many hosts do I have on my network? Are they patched? What is the state of their security controls? Do we see any suspicious activity on an endpoint? If so what happened and what action do we need to take? That’s why we see a lot of organizations realizing the value of Tanium.

Orion (Tanium co-founder and CTO) recently said: “The idea of a perimeter around your network has completely dissolved.” Do you agree?

Kris: Completely agree. That’s one of the most significant things that’s changed, even in the last 5 years, when it comes to organizations. Looking at how they defend their assets, there was a clear perimeter 5 years ago. Everything was nicely inside an organization’s four walls and that’s what they had to protect to keep the bad guys outside and let those with appropriate access inside. But with remote working, mobile workforces, bring your own device, etc. it genuinely means it’s difficult for organizations to have full visibility of where things are.

Dave: Absolutely, five or ten years ago every asset would be company owned and stationary, making it easy to define networks and perimeters. Today, we have mobile phones, tablets, cloud services, and cheap and portable storage. Devices and data are no longer bound to the confines of a well defined network, surrounded by walls. This is why we see organizations struggle with answering simple questions about the number, type, or security of devices on their networks. They just don’t know because everything is changing so quickly. This is certainly an area that we continue to help our customers solve using our unique architecture.

What does the IT organization need to do to have a better resilience towards cybersecurity?

Dave: Being resilient towards cyber security means having the ability to react to an incident and quickly adapt. In response to most incidents, IT will be responsible for completing a remediation — a series of actions designed to quickly remove an attacker or security weaknesses from an environment. This could mean patching a vulnerability, securing local administrative accounts, modifying host-based firewalls, or removing malware. Using the Tanium platform, these actions can be expedited allowing for a more resilient response to adverse security events.

Proactively, IT should be focused on what is often referred to as security hygiene. This includes installing the latest patches, identifying unauthorized changes to secure configurations, and tracking assets. Many breaches are the result of misconfigurations, unmanaged assets, or unpatched systems — IT can have a huge impact on preventing incidents if they have the right visibility into these areas, which are critical for improved security resilience. We certainly see many of our customers’ IT organizations using Tanium to address these areas, in cooperation with their security team.

Kris: IT generally — whenever it comes to security — needs the ability to do a few things very well. There are a lot of things that can get by with being done in a sort of ad hoc way, but there’s some stuff that is absolutely core. That is primarily the ability to instrument in real time what’s happening in their organization, the ability to understand historically what has happened in their organization (i.e. Tanium Trace), and the ability to take remedial action and enforce things in real time as well. So, if you identify the specific threat actor, for example, and it is exploiting a vulnerability in a specific program, being able to determine in near real time which programs are vulnerable to that and then actually apply the patch.

Most organizations across those three or four different areas probably take days or weeks in each of them. Having a program like Tanium in place that can help you bring all of those down to minutes is something most IT operations would be crying out for.

How do customers react when you deliver news of an intrusion?

Kris: Some of them deal with it as a technical issue and consider that once they’ve got rid of the malware and reset some user accounts, that’s the end of the story. We’re seeing more and more organizations actually treat this like the business issue that it is, which is: what data did we lose, how does that affect our future business plans, who do we need to tell about that, and what are our legal, regulatory and ethical obligations of telling people what we’ve lost, if we’ve lost anything.

I think the more mature clients, particularly whenever we’re helping them deal with a fresh intrusion, are realizing that there is a bit of a difference between where we view an attacker as having success and where the attacker views themselves as having success. So at the point that an attacker gets into a network, they actually haven’t got what they came for. They were probably tasked with getting some specific data. So we have a period of opportunity between when they get in and when they get what they came for where organizations have the ability to find and kick them out of the network. That timeframe is when the visibility Tanium provides is incredibly useful. Once these guys get in, they try to be as stealthy as possible as they move around the network. When you take away that ability to be stealthy, you start lighting up their movements a lot better. That means a greatly reduced ‘dwell time’ for intrusions.

Dave: Each client responds differently to an incident. You hope that the reaction is planned — the organization has an IR plan in place and is able to quickly assemble all relevant stakeholders. Prepared organizations also have ready access to information about endpoints, networks, logs, and other information that may be required during the investigation. Organizations who aren’t prepared often do not have a very good understanding of their environment, log data, or key stakeholders. As a result, unprepared organizations often experience protracted incidents. We see Tanium helping clients prepare for incidents with unparalleled visibility into all endpoints — ensuring organizations aren’t searching for answers after an incident is declared.

What does Tanium do better than competitors to secure a company?

Dave: Many security vendors focus on solving a single challenge — maybe it’s finding malware or patching systems. The challenge with security is that there isn’t one fix. There are a number of tasks that need to be performed by a limited supply of smart people and controlled by mature processes.

Unlike these point solutions, Tanium is a platform. It provides 15 second visibility across all endpoints, even in the largest organizations. This speed and flexibility allows organizations to solve many security challenges, not just one. The platform can be used to search for varying IOC formats, monitor for anomalous behavior, patch endpoints, monitor configurations, discover unmanaged assets, or investigate and respond to an incident.

The speed and simplicity of the platform also enables small teams to be more efficient, by more quickly gaining access to required information, automating key tasks, and spending less time supporting the complex infrastructure associated with a typical hub-and-spoke architecture. The available API and ability to develop new content also allow organizations to integrate the platform with existing processes and other point solutions.

We’re already seeing ways in which PwC is using the platform to differentiate themselves from their competitors. Kris and his team use our IR tools and Trace module to collect evidence and monitor attacker activity, faster than was previously possible. Searching for a file or collecting all running processes now takes seconds, as opposed to days. Likewise, PwC also has instant visibility into vulnerabilities, misconfigurations, and user permissions, which enables them to quickly remediate an attack.

If you had one piece of advice for the CEO of a major multinational regarding cybersecurity what would it be?

Kris: Understand what data your organization fundamentally relies on, how that data flows around the organization, what systems are involved and where they are. At that point, you can start developing a comprehensive picture of what threat actors might want access to those systems or data and how they would be likely to gain it, so that you can tailor your defences and security investment appropriately.

Dave: Nearly all CEOs I speak with are concerned about security but don’t always have the subject matter expertise to ask their reports the right questions about the state of security in their organization. I always recommend CEOs and board members ask the following basic questions in order to gauge the state of security in their organization:

  1. What is the most important data retained by the organization and where does it reside?
  2. Provide at least three different scenarios in which an attacker could steal previously described, important data.
  3. What safeguards have you implemented in order to prevent attackers from stealing important data, in the previous scenarios?
  4. When was the last internal penetration test performed? What were the findings from the last internal penetration test performed in the network and how were these addressed?
  5. When was the last time a tabletop incident response exercise was performed? What were the findings and how were these addressed?

Can you tell us more about PwC’s “Tanium Accelerators”?

Kris: For the most part, the Tanium Accelerators program is designed and very much aligned to how we [PwC] use Tanium ourselves on client engagements.

The first accelerator is effectively a threat intelligence feed. We are able to take all of the research that we do, all of the new intel that we glean from incident response engagements, and use that in a way so that Tanium is automatically able to use it and deploy it.

The second is effective access to the content that PwC has written for Tanium. Our primary use is on threat detection and investigations. We’ve written a lot of custom packages for Tanium that let us pull back practically every forensics artifact that they would want to access during an investigation. Then users have the ability to write custom content for customer requests, as well.

The third allows remote hunting team services on incident response. If organizations don’t have mature threat hunting teams or incident response teams and they want to outsource that function, we can effectively sit on top of Tanium and sweep their environment to identify stuff that their existing security technology is missing.

Fourth, things that are slightly more traditional consulting services — process design, workflow management, integration with different teams and systems, whether that’s a CMDB system, vulnerability management system, or a SIEM solution.

Lastly, where PwC actually has quite a unique capability in the market, is PwC’s own law firm. Some of the world’s leading data privacy and protection experts have used this service: we have the ability to provide legal advice to clients and effectively do data privacy impact assessments to help them get the most out of their Tanium license. They can use Tanium without tripping over any privacy and protection regulations in their countries.