Windows 10 Migration: Uncovering Hidden ROI

Egon Rinderer Posted on 08.02.17 — by Egon Rinderer

In the last of our three-part series on Windows 10 migration, Egon Rinderer, Senior Director of Technical Account Management at Tanium, explores the many ways to achieve ROI by using Tanium in your Windows 10 migration.

ROI isn’t typically the first thing you think of during an operating system migration. Let’s face it, in most circumstances, the migration team is concerned with simply succeeding on time and on budget. Yet, in our experience helping Tanium customers through the Windows 10 migration process, we’ve uncovered four key areas of hidden ROI. These results make your Windows 10 migration not only a smart technology decision, but a smart business move as well.

To date, Tanium has been used to migrate hundreds of thousands of endpoints to Windows 10.  This work has given us hundreds of thousands of opportunities to fine-tune our content and make it ever more valuable to users. We have learned a great deal during these endeavors about the biggest roadblocks customers face during a mass migration event, and how Tanium can be leveraged to overcome them. Using Tanium in your migration process gives you the opportunity to:

  1. Minimize early hardware attrition, which can save millions of dollars in the near term.
  2. Reclaim and reuse software licenses after making accurate utilization assessments.
  3. Identify unauthorized, high-cost platform software so it can be removed.
  4. Enable and centrally manage all the OS-native security point capabilities in Windows 10, so you can save money by reducing your third-party security point product stack.

In Part 1 of this series, we shared our learnings about how to reduce the time and effort required to complete Phase 1 – the pre-migration phase. In Part 2, we revealed the ways Tanium can help during Phase 2, the migration phase, and Phase 3, the post-migration phase. The the real fun for us, though, comes in sharing with users all the hidden sources of ROI we can help uncover. 

Minimizing Early Hardware Attrition

Early hardware attrition as a result of Windows 10 migration was quickly identified by our clients as a major money waster. Customers would run a system inventory/rationalization/compatibility check and find an average of 20% of their enterprise endpoints failed to meet minimum hardware specs for one reason: insufficient free disk space. We found this to be driven primarily by two factors:

  1. Customers are creating ever larger Windows Imaging File Format (WIM) files for OS distribution. The bigger the file, the more disk space needed.
  2. Customers had enormous amounts of wasted disk space on endpoints, reducing the overall free space available for said WIM.

What we have observed in working with customers is that many are taking the “Everything AND the kitchen sink” approach to creating their WIM. They want the WIM to work on every single endpoint in the enterprise and have everything necessary built right in. This creates the need to include drivers for each and every make/model/version of hardware. It means including every application that could possibly be needed for any machine. You name it, it gets thrown into the mix.

The practice is understandable. It makes life easier to have everything on the endpoint you might need, because there’s no easy way to surgically target and deliver only what is actually needed. The result? We’ve seen WIM files in excess of 30 GB, 40 GB, even 50 GB. Think about the impact to the network in a large enterprise when files of this size are to be distributed to each and every endpoint. It simply isn’t feasible.

As for wasted space, this is one of my favorite problems we are able to solve, because it’s a simple one. There are a finite number of things (about 20, in fact) representing the most common causes of wasted disk space. Things like System Center Configuration Manager (SCCM) cache bloat and stale user profiles are incredibly common. These things collectively waste gigs and gigs of space on end-user endpoints, and the data involved is of essentially zero value. Profile data has the double-whammy effect of having negative impact during actual migration. If you migrate a machine with 20 user profiles on it, do you migrate all 20 of those profiles, along with all of their data, to the newly provisioned operating system? If a profile — and related user data — on an endpoint hasn’t been accessed in two years, why migrate it? There is zero reason to do so.

For all 20 or so of those “space waster” checks, Tanium has the ability to remediate the issues (clean out caches, ignore-do not migrate, etc.) in seconds. We have found, in practice, we can generally reduce the early hardware attrition number from the 20% range to very low single digits. In a large enterprise, this represents millions of dollars in real savings.

Software Reclamation And Reuse

In Part 1, we explored how Tanium can help you monitor real-world application usage so you can determine whether or not to invest time migrating a particularly difficult piece of software. You can apply this same capability to determine how pay-per-play software is actually being used across your enterprise.

We find substantial ROI in license reclamation for our customers using this method. Let’s pick on Microsoft Visio for this example.Visio is a fine piece of software. It just happens to top the list of underutilized software we find during audits. Here’s how this plays out in most enterprises, based on our experience. A user, let’s call him Bob, gets an email with a Visio attachment. Unaware that he can access a free Visio Viewer, Bob installs the corporate copy of Visio using the enterprise license key. Bob downloads the email attachment, opens it, and replies, “Looks great!” Bob never touches Visio again. Nevertheless, at the end of each year, you pay for his license during true-up. When this process repeats itself in large enterprises, license creep eats away at limited budget.

Think about the number of licensed applications across a large enterprise. It’s nice to imagine it as a well-controlled software distribution workflow with a storefront, automated approval process, license tracking, and so on. The reality is usually more akin to the Wild West.

Enter Tanium. The same capability used to determine true utilization of software tagged for mapping and migration can cast its gaze upon Visio, Project, or any other target of cost-reduction you fancy. You’ll quickly find out that, even though you have tens of thousands of copies installed under your corporate license, 85% are used once a year or less. This is a real-world average we’ve observed while working with our customers.

If you’re a Tanium customer, perform the following exercise:

  1. Find out how many copies of Microsoft SQL Server you have licensed in your enterprise.
  2. Run the following query: “Get SQL Server Edition from all machines.”

Is there a delta? If Microsoft audits you, will you be writing a check?

This same question applies to the utilization of extremely expensive platform software products. Perhaps you have 80 copies of SQL installed and legitimately licensed, but 20% of them sit idle. It’s easy to find the answer with Tanium, using data which is not only valuable during a migration but can save you considerable dollars in the long run.

Reduce Third-Party Security Point Products

In the past, point security products such as antivirus (AV), host-intrusion prevention systems (HIPS), execution control, and firewall were sold as individual point products. In the past decade, vendors recognized a need for central management add-ons, and began producing and selling these. Vendors would call this cobbled-together mess of kernel hooking terribleness a “platform,” and bill it as necessary due to a lack of similar capabilities native to the operating system.

Enter Windows 10. While not a cure-all for point-tool chaos, it marks a major shift for Microsoft. The company has started over with its point products. While some (AV, firewall, basic execution control) have been around a good while, the latest revisions — and, in some cases, complete rewrites — are world class.

Windows native antivirus has been rewritten from the ground up. AppLocker takes the rudimentary capabilities found in Software Restriction Policies (SRP) to an entirely new level of maturity. Future capabilities, such as Windows Information Protection, will bring a full-blown HIPS tool to Windows, natively integrated into the OS — complete with data tagging for the purposes of process communication limiting, copy/paste control, and more.

Centralized management and policy deployment has always hampered Microsoft’s ability to drive adoption of advanced security of capabilities. There is a very short list of vendors who want to manage Enhanced Mitigation Experience Toolkit (EMET), SRP, AppLocker, AV, and firewall rules and policies via Active Directory Group Policy Objects (AD GPOs).

Tanium’s Protect module addresses the need for centralized management by acting as a centralized management point for these OS-native point security capabilities. Remember, as we develop new content for Tanium, we don’t need an additional agent. The very same Tanium agent you use to track application usage and inventory systems for Windows 10 migration readiness can also be used to manage the native security capabilities, patch your endpoints, and conduct a forensic investigation. As an added benefit to this, you get robust integration across modules in Tanium.

Here’s an example. Let’s say you’ve migrated half of your enterprise to Windows 10 when the next version of WannaCry hits. You’ve got a mixed environment of Windows 7, 8, and 10. You download a standard Indicator of Compromise (IOC), load it into Tanium’s IOC Detect, and scan your enterprise for the ransomware in real time. Go ahead and schedule rescans on that. After all, it only takes about a minute to run on all 450,000 of your endpoints. For this example, let’s suppose there is no patch available for this new iteration of malware, so you’re left with few options for mitigation. You are armed with some simple knowledge: you have some command-and-control (C2) IP addresses, and some information about the executables (file hash, etc.) in the exploit.

Using Tanium Protect, you can quickly (in less than a minute) create a new policy to deliver the following rules to all of your Windows endpoints, as well as validate enforcement on an ongoing basis. You can:

  1. Block TCP communication to the known C2 addresses.
  2. Establish preemptive execution blocking on the known binaries based on hash/size of the file using SRP or AppLocker respectively (to cover Windows 7 through 10)

Total time to complete and distribute and validate enforcement of this new policy? Less than five minutes. Should you find new evidence in the future via IOC detect, or perhaps some new IOC elements via Tanium Trace on a box that is exploited in some other manner, you can act on it.  Simply select the relevant finding in Trace and deploy a new Protect rule on the spot.

While this may not seem at first like an ROI-related example, it is when you consider it in the context of your third-party point solution stack. How much are you paying annually for those point solutions? Does a combination of Windows point capabilities offer sufficient coverage to allow you to displace your third-party solutions if you had a central management framework through which to control the MS stack? How about once you move to Windows 10 and you have the new best-of-breed hardware security integrated capabilities, such as SecureBoot, TPM, etc.?

At some point there is a threshold at which that third-party stack becomes passé. With the adoption of Windows 10, you will see that shift take place in terms of raw capabilities. What’s required to tip the scales? Centralized management and integration across incident response, IOC detection, and forensic toolsets. Tanium is that catalyst, and the ROI is inarguable. You’re paying an annual bill to someone right now for a point security stack you likely feel locked into. Delete that bill, and you have your hard ROI.

Windows 10 Migration: The Bottom Line

The first three examples above are based on data that is there, waiting for you to tap for the purposes of ROI when Tanium is installed. It requires zero additional effort on the part of the Windows 10 migration team. It is collected by Tanium for the purposes of information amplification in support thereof. It would be silly not to make use of it to drive ROI if you, in fact, have it at the ready.

The fourth example requires a bit more consideration, but the rewards are clear. Reducing the size of your security point-tool stack, and maximizing the capabilities of the new Windows 10 security features, is a clear business benefit with implications far beyond your initial migration.

Thanks for reading. This wraps up our three-part series on Windows 10 migration.

Learn More:

Like what you see? Click here and sign up to receive the latest Tanium news and learn about our upcoming events.