Tanium review: Endpoint security at the speed of now

Many security monitoring products gather information from computers over the network and store it in a centralized database, where it can then be analyzed and queried. The biggest problem with this approach: The data is only as fresh as the last collection, which might happen nightly at best. A better strategy would be to pull fresh data from the endpoints on the fly when it’s needed. The issue there is getting query results from a network of hundreds or thousands of computers in a reasonable time. This is a problem that Tanium solves.

I’ve been following the Tanium Endpoint Platform for a few years now. Early on I was a skeptic. I thought the endpoint querying solution was a one-trick pony that excelled at speed, but not at answers. I used to summarize Tanium as simply "a security query engine on steroids." I still have concerns about the Tanium product, but it has continued to mature, expand, and improve to the point where I think every company should review and consider it.

Tanium came out of BigFix eight years ago and was initially resold by McAfee. The functionality that started it all -- the security query engine -- is officially known as Tanium Core.

Tanium works by installing client software; it supports Windows, Mac OS X, Linux, and Unix but not mobile platforms. Information is collected on every managed client, where it can be queried on the fly or on a scheduled basis from the server. The path the data takes to the server is shortened by Tanium’s optimized peer-to-peer network architecture, which organizes clients in linear chains instead of hubs and spokes.

Simple queries, fast results

The Tanium peer-to-peer architecture makes it the fastest endpoint query engine I've seen. Previous endpoint query tools I've used either functioned like inventory/asset managers, which gathered a predefined set of data through a routine batch job and sent it to a central collection point, or they ran a specific query or script against every managed computer. The former approach has problems with data freshness, while the latter quickly bogs down under scale. In the Tanium demo environment, which contains a few hundred nodes, most queries were answered in a few seconds.

Tanium queries are based on natural language expressions. You simply type from a list of available questions and predefined verbs (Tanium autocompletes or suggests as you type). Or you can use the query GUI and click on the available verbs, subjects, and actions instead of typing. You will quickly learn the available query verbs and will probably use the GUI only rarely after the first few weeks with the product.

The information you can gather from your queries is constrained only by what the various "sensors" on the endpoints were designed to collect. Tanium has produced more than 1,000 sensors so far, but says the typical installation uses about 400. Tanium staff spend time with each new customer helping them deploy the right sensors. Custom sensors can be created -- by the customer, by Tanium support, or by the Tanium community at large -- using nearly any scripting engine that can be deployed on the client. Basically, any information that a script could conceivably access on a supported client could be queried in Tanium.

My testing was limited to Tanium's demo environments, but I have conducted multiple tests of those environments over nearly two years. I have tried to come up with a few dozen queries that would be relevant to any company facing multiple attack vectors and advanced persistent threats (APTs), which amounts to most environments today. In general, Tanium Core performed as well as advertised, especially when conducting very common queries (such as the number of unpatched Java clients or whether a particular registry key is present). A year or two ago, my queries sometimes resulted in very slow responses (one to two minutes) or no responses at all, where the query never seemed to finish. Those types of errors appear to be gone.

Many of my queries asked for information that the currently installed set of sensors could not deliver (for example, “show me all installed certificates signed by a SHA-1 hash signature” or “show me every logon done by a member of the Enterprise Admins group”). Tanium often responded that either a different type of sensor would need to be installed, an existing sensor would need a small edit, or a new sensor would need to be made. In my testing, this happened often enough that I recommend that all potential Tanium customers create lists of security information they are interested in. That way, when Tanium comes to demo or install the solution, they get the most benefit they can from the system. Don't merely let the Tanium folks demo what they know will work.

That said, I was very impressed with what Tanium delivers in a normal install. It brings a lot of information to your eyes very quickly. No product is perfect, and no security monitor can deliver every answer or piece of information you might want or need right out of the box. Fortunately, Tanium is easily extensible, so you can get what you need.

Additional capabilities and modules

Although Tanium is mainly about information queries, you can also instruct the Tanium client agent to perform actions such as patching software, changing registry keys, or retrieving files. Tanium even allows you to combine actions into workflows, so you can require multiple approvals before a particular task is performed. Nice!

Tanium also can do basic baselining. You can tell Tanium to monitor a specific client activity (executed processes, network connections, and so on) for X number of days and create an alert when thresholds are passed.

Tanium Core is now supplemented by Tanium IOC Detect, Tanium Trace, Tanium Patch, and Tanium Connect.

Tanium IOC Detect is a platform extension built around “indicators of compromise,” which is a term commonly used by security vendors and forensic guides. IOC Detect supports IOC subscription lists from other partners and sources, and it includes a predefined list of IOCs for various known attacks. IOC Detect also supports the YARA malware descriptions and REST API. In conjunction with Tanium Core and Tanium Trace, IOC Detect can serve as an early warning tool that can help minimize damage from a new threat, but it is not a complete threat intelligence solution.

Tanium Trace, released in June, helps with incident response analysis, allowing real-time and historical forensic snapshots of clients. Like Tanium Core, Tanium Trace works using predefined sensors, which can collect a variety of client information, including execution history, files, registry keys, event logs, and network connections. Information collected from one or more clients is aggregated into a “trace data set,” where it can be further analyzed. Traces can be conducted ad hoc or on a predefined schedule. Unfortunately, a complete system copy is not an available Trace default sensor.

Tanium Patch is another tool that can help you patch your computers. It currently works solely with Windows clients, using Microsoft's WSUS technologies, which means it only patches Microsoft Windows plus a handful of other products (Java, Adobe, popular browsers). Other third-party patching can be done with Tanium Core product, but I don't consider Tanium’s patching functionality to be anywhere near sophisticated enough to serve as a complete patch management solution.

Tanium Connect is a module that allows you to integrate Tanium (inputs or outputs) with popular SIEM solutions and other products, including ServiceNow, VirusTotal, Hadoop, and Splunk.

Take note

One last review note: I asked Tanium several times over the past several weeks for one or two customers to interview so that I could get a sense of how the Tanium Endpoint Platform performed in the real world and to learn what customers liked and disliked about the solution. Though Tanium claims the product is installed in more than half of the Fortune 500, I was never provided access to a single customer. This lack of customer references is unusual for a product reviewed by InfoWorld.

With that caveat, I recommend that any company looking for fresh answers to security questions take a close look at Tanium. The Tanium Endpoint Platform solves an age-old problem of how to collect fresh data in a timely manner. Its method and speed of data collection is equally as important, maybe even moreso, than the information it can collect (which is everything). The downside is that you'll probably end up writing a fair number of custom scripts to get the information you want. But that's all right. Script writing isn't so hard. The hard part has been handled by Tanium.