The importance of response in endpoint security products

~ Tanium, which realizes real-time response ~

Macnica was awarded Most Dedicated Partner of the Year 2019 as the partner who contributed the most to Tanium business (sales, marketing, collaboration plans, etc.) in 2019.

Why is real-time response important?

The malware prevalent these days (Emotet, IcedID, etc.) spreads rapidly through the environment once a device is infected. After infection, the number of terminals that need to be dealt with tends to keep increasing, so it is extremely important to grasp which terminals are infected in real time. If infected terminals cannot be grasped in real time, appropriate countermeasures cannot be taken, and the response to the malware will never end. With limited resources, we live in an age where acquiring highly real-time information and responding quickly is essential in order to reliably protect the environment in use.

Recently, attention has focused on the EDR field as a countermeasure against malware, and a wide variety of EDR products are provided by various companies. Even though they are called EDR, the focus is often only on the detection part, and I get the impression that not much can be done about real-time handling of and response to incidents that actually occur. Let us think again about the response that should be implemented after an incident occurs.

[Figure: If you cannot respond in real time, you never get beyond the primary response and have to keep dealing with the incident forever. Completing the response takes time, effort, and money.]

3 Reasons to Choose Tanium

  • POINT 01: Achieving "real-time system management" even in a large-scale environment with a linear chain

    • Search and handle in real time even with hundreds of thousands of managed terminals
    • Regulation of unauthorized/vulnerable app usage
    • Reduced Windows 10 migration load (regular updates/patch distribution)
  • POINT 02: Real-time visualization/control of endpoints

    • Visualize unmanaged terminals hidden in the company
    • Find and fix violating devices
    • Windows patches and installers are automatically split and delivered reliably even with low bandwidth
    • Search for infected terminals in real time and deal with multiple terminals simultaneously
  • POINT 03: Anything you can do on the command line can be executed

    • Over 500 types of sensors (scripts that acquire information)
    • Collect and display the desired information from all online terminals
    • Customizable scripts
  • Half of Fortune 100 companies deploy Tanium's unified endpoint and security solutions
  • 12 of the top 15 US banks trust Tanium for endpoint management and security
  • 13 years of cybersecurity and IT management experience
  • 50% of Fortune 100 companies deploy Tanium solutions
  • 6 of the leading retailers use Tanium to protect cardholder data and enable compliance
  • All of the U.S. Armed Forces protect and manage endpoint security with Tanium
  • 27.6 million endpoints managed by Tanium globally
  • 2020: #4 in Fortune's High Tech Workplace Rankings

Tanium Endpoint Platform

Although it encompasses all categories as an "endpoint platform," the areas you have already invested in can be adjusted so that investments do not overlap.

Comparison with other companies

Response speed per alert

  Tanium response: Based on the detected alerts, Tanium can investigate the terminals where the same incident occurred. It can also deal with all of the relevant terminals collectively, so quick measures can be taken even when a malware infection spreads within the company.
  Typical EDR response: Many of the EDR products provided by each company deal with each detected alert individually. When a malware infection spreads within a company, it is difficult to immediately deal with all infected terminals. Example: when 100 cases are detected, 100 operations (responses) are required.

Responsiveness

  Tanium response: Tanium can handle multiple terminals simultaneously, for example isolating the incident terminals, deleting the file that caused the incident, stopping processes, and restoring the registry. Unlike EDR products that handle terminals one by one, it can respond quickly.
  Typical EDR response: Each EDR product currently being adopted can isolate the incident terminal, delete the file that caused the incident, stop the process, restore the registry, and so on. However, when dealing with multiple terminals at once, I hear that this is not easy to implement, because in many cases it has to be done with commands or with additional development against APIs instead of from the normal management screen.

Dealing with the root causes of the incident (prevention)

  Tanium response: Tanium provides a function to scan for the vulnerabilities that exist on each device, and it can distribute OS patches to address the target vulnerabilities. A single Tanium agent can carry out this response.
  Typical EDR response: Much malware and ransomware exploits known vulnerabilities. Many attacks can be prevented by addressing vulnerabilities (appropriate patching), but once patching is taken into account, a separate asset management tool has to be introduced.

Batch survey of the environment (containment)

  Tanium response: Tanium can investigate and confirm at once whether the file or application that caused the incident exists on other terminals, and delete the target file to prevent the incident from recurring.
  Typical EDR response: Many of the EDR products provided by various companies deal with detected alerts individually, and it is difficult to investigate whether the application or file that caused the problem exists on other devices.


Tanium functions that realize response

Introducing the Threat Response module
A module that realizes EDR functions such as behavior detection, investigation, and response

  • Detect

    • Detects attack-time behavior mapped to MITRE ATT&CK techniques with a rule base called Signals
    • Can import and create IOCs (OpenIOC, STIX, CybOX, YARA rules)
  • Response

    • Investigate all endpoints at once using the Question attached to the incident response function
    • Actions such as quarantine and process termination can be carried out on multiple endpoints
    • Saves endpoint activity, so suspicious behavior can be analyzed and the impact investigated from past history
  • Recorder

    • Records activity on endpoints, encrypts and stores the data on the endpoint, and can transmit it from endpoints to a SIEM in real time with the Stream function
    • Live Endpoint can connect directly to the recorded database to investigate the various operations of processes (file operations, network connections, registry operations, event log records, DNS name resolution, loaded DLLs and drivers, etc.) and check their status
    • Displays the process tree graphically, so parent-child relationships and related activities can be checked
    • The file browser function lets you check files on the local disk and download them to the Tanium console
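The "batch survey" row of the comparison and the Response bullet above describe the same model: ask one question of every endpoint, then act on all matches together instead of working through alerts one at a time. The following is an added illustration written for this page, not Tanium code and not the page author's. It constructs a small endpoint inventory and an indicator set (the hashes, hostnames and paths are made up), sweeps the whole fleet for matches, and compares the number of operator actions under a per-alert model with a batched plan of isolate / kill / delete actions.

```python
"""Fleet-wide IOC sweep with a batched response plan.

Constructed example (not Tanium code): it contrasts handling each
detection as its own operation with asking one question of every
endpoint and issuing one bulk action per action type.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample hashes; stand-ins for real IOC values.
H_DROPPER = hashlib.sha256(b"constructed sample dropper").hexdigest()
H_LOADER = hashlib.sha256(b"constructed sample loader").hexdigest()
H_UNKNOWN = hashlib.sha256(b"constructed sample unknown").hexdigest()
H_BENIGN = hashlib.sha256(b"constructed sample benign").hexdigest()


@dataclass(frozen=True)
class FileRecord:
    """One file as a fleet-wide 'which files exist' question would report it."""
    path: str
    sha256: str
    process: Optional[str] = None  # process running from this file, if any


# Constructed inventory: hostname -> files reported by that endpoint.
INVENTORY: dict[str, list[FileRecord]] = {
    "PC-001": [
        FileRecord(r"C:\Users\u1\AppData\Roaming\doc.exe", H_DROPPER, "doc.exe"),
        FileRecord(r"C:\Windows\System32\notepad.exe", H_BENIGN, None),
    ],
    "PC-002": [
        FileRecord(r"C:\Users\u2\Downloads\update.exe", H_DROPPER, None),    # renamed copy
        FileRecord(r"C:\Users\u2\AppData\Roaming\doc.exe", H_UNKNOWN, None),  # name match only
    ],
    "PC-003": [
        FileRecord(r"C:\Windows\System32\notepad.exe", H_BENIGN, None),
    ],
    "PC-004": [
        FileRecord(r"C:\ProgramData\invoice.dll", H_LOADER, "rundll32.exe"),
    ],
}

# Constructed indicator set: the shape an imported IOC file reduces to.
IOCS: dict[str, set[str]] = {
    "sha256": {H_DROPPER, H_LOADER},
    "filename": {"doc.exe"},
}


def sweep(inventory: dict[str, list[FileRecord]],
          iocs: dict[str, set[str]]) -> dict[str, list[FileRecord]]:
    """Ask one question of every endpoint: which reported files match any IOC?"""
    hits: dict[str, list[FileRecord]] = {}
    for host, files in inventory.items():
        matched = [
            f for f in files
            if f.sha256 in iocs["sha256"]
            or f.path.rsplit("\\", 1)[-1].lower() in iocs["filename"]
        ]
        if matched:
            hits[host] = matched
    return hits


def per_alert_operations(hits: dict[str, list[FileRecord]]) -> int:
    """Per-alert model: every detection is handled as its own operation."""
    return sum(len(files) for files in hits.values())


def plan_bulk_response(hits: dict[str, list[FileRecord]]) -> dict[str, set]:
    """Batched model: one action set covering all affected endpoints at once."""
    return {
        "isolate_hosts": set(hits),
        "kill_processes": {(h, f.process) for h, fs in hits.items() for f in fs if f.process},
        "delete_files": {(h, f.path) for h, fs in hits.items() for f in fs},
    }


def bulk_operations(plan: dict[str, set]) -> int:
    """Operator actions in the batched model: one per non-empty action type."""
    return sum(1 for targets in plan.values() if targets)


if __name__ == "__main__":
    hits = sweep(INVENTORY, IOCS)
    plan = plan_bulk_response(hits)
    print(f"affected endpoints: {sorted(hits)}")
    print(f"per-alert operations: {per_alert_operations(hits)}")
    print(f"batched operations: {bulk_operations(plan)}")
```

With the constructed data, four detections on three endpoints would need four separate operations in the per-alert model, while the batched plan needs three (one isolate, one kill, one delete, each covering every affected host). The filename indicator deliberately catches the copy of doc.exe whose hash is unknown, which is why the sweep matches on both hash and name.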

Example of operation in a large-scale environment

  • Financial industry

    Scale

    Hundreds of thousands of units, global deployment

    Issues

    • Visibility at scale and control of endpoints globally

    Benefits of adoption

    • Prompt application of patches and real-time situational awareness
    • Visibility and control of endpoints even in large-scale environments
    • Consolidation of agents, because one agent can do various things
  • Retail business

    Scale

    Hundreds of thousands of units, global deployment

    Issues

    • It takes time to collect endpoint information, and the data collected is also limited.
    • Patches were not applied; some cases were left unattended for years.
    • There were cases where 6 or more types of critical patches had not been applied.
    • It was not known whether the patch had been delivered to all devices.

    Benefits of adoption

    • Cost reduction through real-time visibility and shorter incident response time
    • Patch application success rate of 99%; patches can now be applied faster than before


Introduction support

  • Tanium utilization training by Macnica
  • Provision of original detection rules (YARA rules) as countermeasures against attacker groups targeting Japan
  • Advanced response support by Tanium Products Service Delivery Partners
