The Dragon’s Dilemma

Several years ago I was asked by Tanium to present at a couple of their regional user conferences. My topic was open ended and I chose to talk about my then favorite module, and still very high on the list, Tanium Asset. To help present the idea of why I loved Tanium Asset so much I started talking about Smaug the Destroyer from The Hobbit and a major problem he and other dragons have, other than being evil flying fire breathing lizards. The dilemma he faced was what to do with all his amassed wealth. Does he simply hoard it or does he find a way to put it to use? Does he sleep on it like a bed, swim in it like Scrooge McDuck, constantly count it? Or does he take it to a bank where it can be invested to generate more wealth, donate it to charity to relieve suffering, maybe start a business employing many workers and generating more income for not only himself but others around him, like the citizens of Lake Town? If he keeps it he never really grows or learns, he becomes too obsessed with it, but learning to let go could allow him to become a better and much improved dragon.

We all know the answer, he hoarded it and then added to it. He was not happy unless he had all the treasures, it was never enough, he always needed more, and heaven forbid someone ask for any of it. Even a simple little thing like the Arkenstone. And we all know how it ended for him, being raided by a bunch of dwarves, having multiple armies gather around his mountain, and eventually being shot and killed by Bard. The most tragic part, ignoring the fact that he is still an evil flying fire breathing dragon, is that if he simply shared some of his wealth none of the events would have unfolded like they did.

Years ago, I found that I was acting like Smaug, without being an evil flying fire breathing lizard, in regards to the data that Tanium generated. In the early release of Tanium, the historical data was stored in a database table called the Archive Database. Working with this data was difficult and time consuming. The act of turning on data gathering into this table was easy, a simple checkbox that said archive the results of this report. But it took time to build the table and then retrieving the data was absolutely awful. This led to me hoarding as much data as possible; of course the end result was that I was causing more issues due to the sheer size the table was growing to.

Picture this – reports are due the evening of the first Wednesday of the month for the previous month’s statistics. I have turned on the archiving of specific data for these reports. On Tuesday morning I kiss my wife goodbye and go to work, reminding her it’s reporting time so I will be non-communicative for the next two days while at work. I get settled into my desk and open Excel and launch the Tanium plug-in. I tell Excel to start pulling the data for report 1 from the Tanium Archive Database and cross my fingers it doesn’t lock up, wait up to 10 minutes, SUCCESS, no lockups and I have data, I save the spreadsheet, open a new tab, pull data for report 2. FAILURE, Excel freezes, I close it, reopen it, and try again. Attempt 2 is success, move on to tab 3, FAILURE, but crap, I forgot to save after report 2, so pull report 2 again and pray it doesn’t lock up, success, save, report 3, save, report 4, failure, report 4, failure, report 4, success, save, report 5, and so on. By the time I am done pulling data it is about time to go home and see my family. Day 2, I now have all the data but management wants it in easy to read pivot tables, not 35,000+ rows of data per sheet. So I open a new spreadsheet and start doing v-lookups, I have data from report 1 but I need to combine it with data from report 3 to make a whole report. About lunch time I have completed combining the data and it is now in large spreadsheets that only an accountant or data scientist could love. After lunch I start creating the pivot tables and charts that will end up being the actual report. The report is done. End of the day hits and I email the report off. I can now talk to my wife and kids again.

Thursday, the bosses are happy with the report but want one more column of data – crap – back to the spreadsheets to add in that one more column. Done, report sent, they are happy, until lunch time… We need a report that covers this entirely new area, please send it by end of day. I go look, it is not data we have ever gathered before. Tanium is great at pulling live data, but not historic data; no system can go back in time to find out what Suzie’s computer was like when she went on maternity leave 2 weeks ago and won’t be back for 2 months. They want historic data, I cry. I start the new data gathering and click the button to send it to the archive database. I send them the report with live data we have gathered since lunch time and explain we will have global data overnight and hit 90% of the machines by Monday morning but won’t have 100% for some time.

Due to how reporting days go every time I get any request for data, I now click the button that says to send it to the archive database. The bad news is that this makes the system slower due to ever increasing data storage. But I can create the reports needed for management so whatever, I am not crying at the end of the day anymore. I turn into Smaug and whenever I see a piece of data I hoard it, the database becomes massive and overwhelming. I fear that it is too much data and may become tempting to armies and little dwarves but there is no such thing as too little data anymore. I want, no, I need it all.

Enter Bard from Lake Town, known as Jim and Allen, my TAMs from Tanium. They inform me that we need to update the platform from 6.0 to 6.5 but unfortunately the Archive Database (my Arkenstone or Precious) is not compatible with Tanium 6.5. I resisted the upgrade for months, there was always a reason (excuse) as to why it wasn’t time yet. They eventually figured out what my real reason was and assured me that they had an answer on the way. Enter Tanium Asset – a way to gather and store data without the need for a bulky 5 TB (yes, a single 5 terabyte archive database – no wonder our system was so slow) database. We performed the upgrade, and I went into Asset, I cried again, but this time tears of joy. I think I even saw beams of light over the datacenter where our servers were housed and heard angels singing on the conference call.

Now report days went from 2 days minimum to just a few hours, data could be manipulated to get exactly what I needed at a moment’s notice. However, we still had to kick start the data gathering and Suzie being on maternity leave again would still cause problems since her system is turned off for several months. Life is good.

All of this to say we are sometimes our own worst enemy, do we ever turn into Smaug the Destroyer and hoard our data, do we have projects we can’t turn over or let go, do we cherish a little too much that application that is aging out, I know one guy whose Arkenstone was a chair, when he left the company he took his chair with him, and prior to that it was bad news if someone ever sat in it to talk to his neighbor when he was away from his desk. It took 2 account managers a lot of time and effort to get me to realize that I was single handedly keeping us from moving forward and being able to bring in a much improved Tanium experience. Hopefully I don’t ever have to go through that again.
