Threat actors have unlimited time (and often extensive resources) to think of creative ways to infiltrate systems, so it takes equally creative thinking to build a suitable defense while staying within an organization's budget. Foresite Lead Tanium Engineer Thomas Mark explains how creative, flexible thinking can make the most of your cybersecurity investment in this Insider Insights blog.
It's Christmas morning and I am eagerly awaiting my turn to open my big gift. I rip apart the wrapping paper and there it is: Lego set 6987, Message Intercept Base, a masterpiece of 1980s Lego. I remember reading the instructions, building it to look just like the picture on the box, and then playing with it for a long while. At least 20-30 minutes, which for someone my age was a long, long time. Then I looked over at my other Lego, grabbed these pieces from the knights and dragons set, those pieces from the pirates sets and other random pieces to make the best thing ever: Moon Castle Base. An imposing edifice that could sit high atop the moon's craters and see the dreaded Space Boat Pirates as they made their attack from the dark side of the moon. Luckily Moon Castle Base was protected by the majestic and noble knights riding their fearsome dragons. Who would win, the dread pirates or the fearless knights? An epic battle oft repeated and enjoyed. Over the years the treasure chest changed rooms, the booby traps evolved, and the figurines slowly changed from pirates and knights to wizards and storm troopers. The castle changed with each tear-down and rebuild, but never again was it built back to the original picture on the box.
I imagine the designers of those Lego sets never pictured Moon Castle Base, the hordes of armies that would terrorize it, or its gallant defenders. I am positive they knew, and even planned on, those pieces being used to build so much more than what the picture on the box showed.
As a Tanium engineer I have seen this exact scenario play out countless times. A module is purchased, say the Deploy module, and a use case is developed for it. Tests are conducted and then it is time to put it into production. Applications are pushed out to endpoints and updates are scheduled. At the end of the day it is a great, effective tool, and it is built to look like the picture on the box: a piece of work used just like the designers built it to be used.
From building blocks to build-your-own security
But just like the Lego artists from days gone by, the Tanium developers want their user base to find other ways to use the platform. At one place the Deploy module was used to keep managed software titles installed and their versions up to date. However, it was also used to find and remove applications on the company's blacklist: software they did not manage and did not want on their computers because of security issues. In Tanium Comply they not only scanned for CVEs but also created custom benchmark scripts that tracked Windows Defender across 14 points of its configuration, including the last quick and full scan dates. This gave the Defender SME instant access to the status of each machine and a summary of enterprise Defender health. This was not "in the picture on the box" when they bought Tanium Comply, but it is certainly something that was encouraged. Likewise, Tanium Integrity Monitor is built to monitor and alert on changes to key files and registry keys, but you could also set a watchlist for security or configuration registry keys that tend to drift, or even verify that the Registry.pol file (the Group Policy registry settings file) that is supposed to change every day is actually changing.
Building flexibility with Tanium
Over the years I have found many use cases for Tanium that were not in the picture on the box; the use cases are not always found in the user documents or guides. But they are there, and they are meant to be found and developed on your own. Some of what we have found helpful is listed below. Often I will tell a new customer to go find their Windows desktop build guide documentation and start searching in Tanium to see whether anything has drifted from the original build. Is Adobe Reader still installed? Is that registry key still set to 2? Did someone turn off, or find a way to uninstall, Windows Defender? All of these can be found using Tanium core. After you have reviewed and audited your build guide, go into the change requests that came out after the build guide and check whether each change is still in effect on all your machines. Chances are you will find many systems that have drifted from the original build and need to be put back on course.
The great thing Tanium adds on top of that is ways to remediate the drift once it is found. If a registry key needs to be set back, hop into Tanium Enforce and create a new rule; if a service is not running, use Tanium Interact to set it to Running and Automatic. Tanium Enforce is a powerful tool for setting policy, but in its absence Tanium Interact can often double as a backup. Have applications that need to be updated? Tanium Deploy can help with that. Missing security patches? Slide into Tanium Patch.
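The remediation side of that loop, as an added example that is not from the original post or from Tanium itself: a PowerShell script in the shape of a package action that puts two of the drifted items above (a stopped Defender service and a registry value that must be 2) back to the build-guide state. The registry path and value name are placeholders, and the assumption that a non-zero exit code marks the action as failed in Tanium is mine.

```powershell
# Added example (not from the original post or from Tanium): a PowerShell script in the
# shape of a Tanium package action that returns two drifted items to the build-guide state.
# Registry path and value name are placeholders. The script checks before it changes, so it
# is safe to re-run, and exits non-zero on any failure so the action can be reported as
# failed (assumption: the platform treats a non-zero exit code as a failed action).
$ErrorActionPreference = 'Stop'
$failed = $false

try {
    # 1. Defender service must start automatically and be running
    $svc  = Get-Service -Name WinDefend
    $mode = (Get-CimInstance Win32_Service -Filter "Name='WinDefend'").StartMode
    if ($mode -ne 'Auto') {
        Set-Service -Name WinDefend -StartupType Automatic
        Write-Output "WinDefend start mode: $mode -> Automatic"
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name WinDefend
        Write-Output "WinDefend started"
    }
} catch {
    Write-Output "WinDefend remediation failed: $($_.Exception.Message)"
    $failed = $true
}

try {
    # 2. Build-guide registry value must be 2 (placeholder path and value name)
    $regPath  = 'HKLM:\SOFTWARE\Contoso\BuildGuide'
    $regName  = 'HardeningLevel'
    $expected = 2
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    $actual = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
    if ($actual -ne $expected) {
        Set-ItemProperty -Path $regPath -Name $regName -Value $expected -Type DWord
        Write-Output "$regName : '$actual' -> $expected"
    }
} catch {
    Write-Output "Registry remediation failed: $($_.Exception.Message)"
    $failed = $true
}

if ($failed) { exit 1 } else { exit 0 }
```

Two caveats a practitioner would want: on current Windows builds WinDefend is a protected service, so the service change may be denied even when the action runs as SYSTEM, and that failure is itself a useful signal rather than something to suppress. And because the script only changes what is actually out of line, the output tells you which machines needed fixing, which is the list you want to compare against your change requests.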
When I am working with a new Tanium customer, I don't hand them a definitive list of features; I don't want to put any limits on their thinking. We often want to organize our tools into different "boxes", but Tanium is a platform, and just because a task is not in the picture on the box doesn't mean Tanium cannot help. Tanium core is a powerful tool using only the sensors Tanium provides, and it is even more powerful when you create your own sensors and packages. The sky is the limit, or rather Moon Castle Base and your imagination are the limit.
Thinking outside the Tanium Box
When a company has Tanium in place to manage and report on its systems, I like to ask: now that you have Tanium, now what? You bought it with a handful of use cases in mind, you have your own picture on the box, but it can do so much more. Here are some other items that may not be in the picture you have in your mind:
- Antivirus service: is it configured, and is it running? One place ran a report on the service status and found that 25% of users had found a way to stop the Defender service and set its start mode to manual. AV no longer worked on 25% of their machines, a scary thought.
- Do you have DLP or Proxy software running on your machines? Is it there and working? Tanium can find out.
- Do you have a list of applications that are required for all machines? Are they there AND are they running the supported and managed version?
- Are there titles that are absolutely forbidden? Apple ended development of QuickTime for Windows in 2016, so any copy still installed receives no security fixes. It is amazing how many installations of it still turn up.
- Do you actively manage and control local administrator rights? Tanium can help find where someone has slipped through and is an admin when they shouldn’t be.
- Is someone using the Recycle Bin as a storage folder? Tanium can find out how large it is and help identify who needs to clear it out.
- Are your hard drives too full? Blocking new patches from downloading and installing? Tanium can find machines with low disk space.
- Does an employee leave their machine on overnight when they go home? Is it up to date on reboots? Many patches require a reboot to finish installing, so an un-rebooted machine may be an unpatched machine.
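The build-guide audit described earlier and the checklist above are the same kind of question asked of every endpoint, so here is one script that covers both. It is an added example, not code from the original post or from Tanium: a PowerShell script written in the style of a custom sensor, which reports by writing lines to standard output. The pipe delimiter, the Contoso registry path and value, the required-application list and the expected local administrator members are all placeholders standing in for a real build guide.

```powershell
# Added example (not from the original post or from Tanium): a PowerShell script in the
# style of a Tanium custom sensor that audits build-guide items on a Windows endpoint.
# Each check emits one "Item|Status|Detail" line on stdout (delimiter is an assumption;
# set it to whatever the sensor definition expects). Registry path/value, the required-app
# list and the expected admin members are placeholders for a real build guide.
$ErrorActionPreference = 'SilentlyContinue'
$results = New-Object System.Collections.Generic.List[string]
function Add-Result([string]$Item, [string]$Status, [string]$Detail) {
    $results.Add("$Item|$Status|$Detail")
}

# 1. Antivirus service: running AND set to start automatically (manual start mode is drift)
$svc = Get-Service -Name WinDefend
if ($null -eq $svc) {
    Add-Result 'Defender service' 'Missing' 'WinDefend service not present'
} else {
    $mode = (Get-CimInstance Win32_Service -Filter "Name='WinDefend'").StartMode
    if ($svc.Status -eq 'Running' -and $mode -eq 'Auto') { Add-Result 'Defender service' 'OK' "Running/$mode" }
    else { Add-Result 'Defender service' 'Drift' "$($svc.Status)/$mode" }
}

# 2. Defender scan recency (the "last quick scan date" benchmark from the post)
$mp = Get-MpComputerStatus
if ($mp) {
    $quickAge = (Get-Date) - $mp.QuickScanEndTime
    $status = if ($quickAge.TotalDays -le 1) { 'OK' } else { 'Stale' }
    Add-Result 'Defender last quick scan' $status ("{0:N1} days ago" -f $quickAge.TotalDays)
}

# 3. A registry value the build guide says must be 2 (placeholder path and value name)
$regPath  = 'HKLM:\SOFTWARE\Contoso\BuildGuide'
$regName  = 'HardeningLevel'
$expected = 2
$actual = (Get-ItemProperty -Path $regPath -Name $regName).$regName
if ($actual -eq $expected) { Add-Result "Registry $regName" 'OK' "$actual" }
else { Add-Result "Registry $regName" 'Drift' "expected $expected, found '$actual'" }

# 4. Required and forbidden titles, read from both Uninstall registry hives
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys | Where-Object DisplayName | Select-Object DisplayName, DisplayVersion
$required  = @('Adobe Acrobat Reader')   # placeholder list from the build guide
$forbidden = @('QuickTime')              # the post's example of a forbidden title
foreach ($r in $required) {
    $hit = $installed | Where-Object { $_.DisplayName -like "*$r*" } | Select-Object -First 1
    if ($hit) { Add-Result "Required: $r" 'OK' $hit.DisplayVersion } else { Add-Result "Required: $r" 'Missing' '' }
}
foreach ($f in $forbidden) {
    $hit = $installed | Where-Object { $_.DisplayName -like "*$f*" } | Select-Object -First 1
    if ($hit) { Add-Result "Forbidden: $f" 'Present' $hit.DisplayVersion } else { Add-Result "Forbidden: $f" 'OK' '' }
}

# 5. Local Administrators group: any member beyond the expected set is drift
$expectedAdmins = @('Administrator', 'Domain Admins')   # placeholder
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { ($_.Name -split '\\')[-1] }
$extra  = $admins | Where-Object { $expectedAdmins -notcontains $_ }
if ($extra) { Add-Result 'Local admins' 'Drift' ($extra -join ';') } else { Add-Result 'Local admins' 'OK' '' }

# 6. Recycle Bin size and system-drive free space (low space stalls patch downloads)
$binBytes = (Get-ChildItem "$env:SystemDrive\`$Recycle.Bin" -Recurse -Force | Measure-Object Length -Sum).Sum
$binStatus = if ($binBytes -gt 1GB) { 'Large' } else { 'OK' }
Add-Result 'Recycle Bin' $binStatus ("{0:N0} MB" -f ($binBytes / 1MB))
$sys    = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB = [math]::Round($sys.FreeSpace / 1GB, 1)
$diskStatus = if ($freeGB -lt 10) { 'Low' } else { 'OK' }
Add-Result 'System drive free' $diskStatus "$freeGB GB"

# 7. Pending reboot: an installed patch still waiting on a reboot is not yet protecting the host
$pendingKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$pending    = $pendingKeys | Where-Object { Test-Path $_ }
$uptimeDays = ((Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime).TotalDays
$rebootStatus = if ($pending) { 'Pending' } else { 'OK' }
Add-Result 'Reboot' $rebootStatus ("uptime {0:N1} days" -f $uptimeDays)

# The sensor's output is whatever reaches stdout, one value per line
$results | ForEach-Object { Write-Output $_ }
```

The point of the "Drift"/"Missing"/"Pending" status words is that they are what you ask Tanium for across the whole fleet ("Get ... from all machines with status containing Drift"), which turns a build guide into a standing question rather than a one-time audit. Check 1 deliberately treats a running service with a manual start mode as drift, since that is exactly the state the 25% in the Defender story ended up in after their next reboot.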
Foresite for Tanium Management
Foresite Cybersecurity has the knowledge, experience, and team to help you make the most out of your Tanium products. Contact us today to learn more.
Throughout his career, Thomas has bridged the gap between IT and the business through analyzing data to bring about positive ROI. His work has included supporting applications and software to enable a more successful business while becoming an experienced liaison for stakeholders, IT, business units, and business partners. Thomas is a certified Tanium Operator and Administrator and is currently the Lead Tanium Engineer for Foresite Cybersecurity.