How Tanium Customers Mitigated The Risks Of Recent Ransomware Attacks

Tanium has been used across some of the largest networks in the world to mitigate the risks of several recent vulnerabilities, including WannaCry, Intel AMT, and the HP Audio Driver Keylogger. For each vulnerability, we offered customers the freedom of choice to determine the best mitigation strategy for their business. Patching was an option, but...

“WannaCry” / “wcry” Ransomware Outbreak: How Tanium Can Help

At the first signs of what was to become a global ransomware attack on May 12, the endpoint detection and response (EDR) team at Tanium sprang into action to help our customers. Here, we provide guidance on how to use Tanium to quickly discover and mitigate the issues. Corporations worldwide are being affected by a widespread ransomware attack which...

Intel AMT Vulnerability: How Tanium Can Help

When Intel revealed a critical security advisory May 1 addressing a flaw in its remote management system affecting millions of chipsets, the Technical Account Management team at Tanium sprang into action to help our customers. Here, TAM director Chris Kachigian reveals what this vulnerability means to your business and how to use Tanium to quickly...

How We Track Mean Time To Respond (4-part blog series)

This is the last in our four-part blog series illustrating how we track critical metrics. In this installment, Tanium SecOps Engineer Greg Pothier discusses how we respond to incidents, offers guidelines on mean time to respond, and explains why rapid response times are key for every business. We routinely use Tanium in our security hygiene...

How We Track Mean Time to Patch (4-part blog series)

This is the third of our four-part blog series exploring how we use the Tanium platform in our own organization. In this installment, SecOps Engineer Greg Pothier shares how to use Tanium and Splunk together to deliver patch management data, which CSOs and other security leaders can tap to assess risk potential. How useful would...

How We Track Critical Compliance Metrics (4-part blog series)

This is part two in our four-part blog series exploring how we use the Tanium platform in our own organization. In part one, we revealed how we track critical vulnerabilities. In this installment, SecOps Engineer Greg Pothier shares his story about how a routine compliance check revealed six new servers which had previously been un-assessed....

How We Track Critical Vulnerabilities (4-part blog series)

This is the first of a four-part blog series exploring how we use the Tanium platform in our own organization. In this installment, SecOps Engineer Greg Pothier shares his story about how a Mac patching issue was resolved for 376 machines, all before the morning coffee had...

5 Ways to Make Your Day in IT Operations Brighter

Your week is anything but routine. Monday starts early with an SEV1 outage. Tuesday, a critical patch is released addressing vulnerabilities to your network. On Wednesday, the CIO needs a security compliance report. Your mail server has degraded performance on Thursday. Friday is a security incident. Saturday is spent dealing with backup failures. Sunday always...

Empowering the Makers & Builders

I joined Tanium in 2012 as one of our first two Technical Account Managers (TAMs). Like so many working in tech, I’ve worn a bunch of IT hats over the years – from helpdesk to ops to security to software. As a security guy, I saw Tanium in its early stages of development, and I...

Who’s Sending My E-Mail?

Earlier this year, as part of our company-wide effort to conform to the Center for Internet Security (CIS) 20 Critical Security Controls, Tanium implemented a more restrictive configuration using Domain Based Message Authentication, Reporting, and Conformance (DMARC) for company emails. As expected, it significantly reduced the number of spam and phishing emails. But we also...

Behind the Hack: Mr. Robot Season 2 Finale

Check out more on the tech advisors to the Mr. Robot show. {Warning to readers: Contains major spoilers for the final episode of Mr. Robot season 2.} Show writer and technical producer Kor Adana came to me with a challenging request: to help craft the “Stage 2” hack that finally comes to light in the...

Stealing E-mails, Let Me Count the Ways

The recently publicized hack of the Democratic National Committee has brought an incredibly common form of data theft back into the spotlight: intrusions that target e-mails. The knee-jerk response to such breaches often advocates controls like message encryption and two-factor authentication. In reality, preventing, detecting, and responding to these attacks is much more complicated. An...

An Integrated Workflow: Investigating and Remediating a Mass-Malware Infection

I recently had the opportunity to help a customer use Tanium to investigate and respond to an outbreak of the “Ponik” malware. Ponik is a downloader that can retrieve and install additional malware, as well as steal credentials, from an infected system. Though Ponik is an example of commodity mass-malware, it presented a good opportunity...

Integrating Tanium & SCCM: Client Health

In my role at Tanium, I’m frequently confronted with complex IT environments. Every client situation is truly unique; however, one of the amazing things about Tanium is how well it adapts and actually thrives in chaotic enterprise networks. One aspect of this type of complexity is in the diversity of existing security and management solutions...

Introducing the PwC Threat Intelligence Stream Integration

Paul Bottomley, Cyber Threat Detection & Response Manager at PwC and Matt MacKinnon, Senior Director, Product Management at Tanium discuss the new PwC Threat Intelligence stream integration with the release of Tanium IOC Detect 2.4. One of Tanium’s core missions is to transform cumbersome manual processes into automated tasks that empower IT Security teams with more time,...

Hunting for Rogue PowerShell Profiles

During the earliest phases of an intrusion, attackers typically move to establish persistence on at least a subset of compromised systems. This might be to ensure that they can easily regain access to the victim environment, such as via a backdoor, or to keep other forms of malicious code running, such as a keystroke logger....

What’s Old is New: Detecting Office Macro Malware with Tanium

Years of InfoSec experience will tell you that security threats are cyclical. What is old will become new and what is new will eventually become old. We’ve seen proof of this from the re-emergence of devastating distributed denial of service attacks, massive malvertising campaigns, and more recently, macro-based malware attacks. For example, several of the...

Back to the Basics: Detecting Malicious Windows Services with Tanium

“The theme I really want you to take away [from this presentation] is: if you really want to protect your network, you really have to know your network.” (TAO Chief, NSA, USENIX Enigma 2016) An essential part of “knowing your network” is tracking endpoint persistence mechanisms – the myriad of ways in which an operating...

Avoiding Incident Response Groundhog Day

Ever since I began my information security career, February 2nd has held a special place in my heart. When that date arrives I can’t help but think of the movie “Groundhog Day” with Bill Murray, and if you’ve spent any reasonable stretch of time doing incident response, then that reference has caused a grim smile to...

Don’t Get Hijacked! Searching for DLL Load Order Attacks with Tanium

DLL Hijacking, commonly referred to as load order or search order hijacking, is a well-documented malware persistence technique that continues to elude detection and pose a significant challenge for investigators. For anyone unfamiliar with this technique, have no fear! In this post we will discuss a brief background of load order hijacking and introduce a...

Assessing What Matters in an EDR Solution

Looking back at 2015, it’s hard to dispute that the security industry has been flooded with Endpoint Detection and Response (EDR) products. Walk the sponsor floor at any conference or sample the white papers and marketing pitches from any vendor web site, and you’ll see the same claims repeated ad nauseam: “Prevent, Detect, and Respond”...

How to Rapidly Remedy the OpenSSH Vulnerability

Last week, Qualys published a security advisory exposing vulnerabilities (CVE-2016-0777 and CVE-2016-0778) in OpenSSH client versions 5.4 to 7.1. When exploited, these vulnerabilities can result in the theft of private key material. To eliminate the vulnerability, administrators can either patch OpenSSH with version 7.1p2 or configure existing SSH clients to disable the exploitable feature. Discovering...

How to Get to the Root of Certificate Security Risks

News recently broke about Dell shipping a self-signed root Certificate Authority (CA) certificate and its private key on a wide range of Windows-based systems. This provided an opportunity for attackers to use the CA to generate bogus certificates for popular websites, and subsequently intercept traffic to and from those sites on open networks (like a...

Tanium Incident Response Updates: WMI, Scheduled Tasks and Enhanced File Search

On Friday, October 30, Tanium released an updated version of our Incident Response module. I’m excited about several of the new capabilities introduced by this point update, including the ability to hunt for malicious WMI event consumers, conduct at-scale analysis of scheduled tasks and search for files at rest within seconds. In this post, I’ll...

Helping Communities Stay Protected While Connected

Smart government is truly the name of the game when it comes to cybersecurity. Though most media coverage focuses on Federal government issues, state and local governments have also been struggling with how to protect their citizens’ data while dealing with their own cyber attacks — sometimes in the face of severe budget constraints. The latest challenge...

Rethinking the Investigation Phase of the Endpoint Security Lifecycle: A Closer Look at Tanium Trace

A frequently-cited metric when examining the current state of incident detection and response is “dwell time.” Research consistently highlights a significant gap — often measured in months — between the time at which a compromise occurs and when the victim ultimately detects the intrusion. We can all agree this gap serves as a useful barometer for measuring the success...