Tanium Endpoint Security (slide transcript, 2015/10/29)
Andre McGregor, Director of Security (@AndreOnCyber)
TANIUM VISION: To be the platform that every enterprise and government organization will use to communicate with every IT asset.
How Tanium Works
ASK a question in plain English
KNOW what is happening on your endpoints at all times
ACT by changing all of the impacted endpoints as needed
Deploy a Patch in 15 Seconds
What are the computer names of the machines with critical patches missing?
Kill a Process
Uninstall an Application
Google for IT Data
15-Second Visibility and Control
ACCURACY: 99%+ of data is current
Father And Son Become Billionaires With Tanium, The Hottest Cybersecurity Startup
A father-son duo came from out of nowhere with a more clever idea to protect networks from hackers—and now have a $3.5 billion startup with $160 million in the bank.
Tanium Endpoint Platform
CMDB
Help Desk
Asset Management
Monitoring
ENDPOINT SECURITY ENDPOINT MANAGEMENT
TANIUM CORE: Ask • Know • Act
SIEM
Big Data
Threat Intelligence
File Reputation
CONNECT
Vulnerability Assessment
Threat Detection
Incident Response
Configuration Compliance
Software Distribution
Patch Management
Asset Inventory
Asset Utilization
Copyright 2015 Tanium, Inc. All rights reserved.
Tanium Network Topology
Tanium Management Server
Tanium Client
Leverages a linear peer-to-peer agent communication model to provide responses in seconds to over 400k nodes
Tanium Management
Hundreds of users can collect data or change the environment simultaneously via a web browser
Workflow Integration
Tanium’s real-time data can be integrated with existing in-house systems such as your SIEM, CMDB or help-desk solution
Use Case: Display Top Running Processes
Get running processes from all machines; high-memory processes
Use Case: Detect and Display Real Time Malware Behavior
Get IP connections with location; data leakage
Use Case: Determine Rogue Devices
“Unmanaged assets” dashboard: view unknown systems
Use Case: Diagnose Outbreaks (Heartbleed or Cryptowall)
Heartbleed content search (MD5 Hash)
Use Case: Display Writes to USB Storage
Get USB Information
Use Case: Display Process IDs matching a (regex) string
Get Service Status with MD5 Hash from all machines
Note: Tanium Trace displays PID/user for all processes
Use Case: Detect the Sality IOC and trigger an alert in real time
Description: Sality is a family of file-infecting viruses that spread by infecting .exe and .scr files on Windows-based endpoints. The virus also includes an autorun worm that allows it to spread to any removable or discoverable drive. Sality includes a downloader Trojan component that installs additional malware via the Web.
Symptom: Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe file to the root of discoverable drives, along with an autorun.inf file that contains instructions to load the dropped file(s) when the drive is accessed.
Ingest Sality IOCs from iSIGHT Partners into IOC Detect
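The autorun symptom in the description above (a .cmd/.pif/.exe dropped at a drive root next to an autorun.inf that launches it) is simple enough to check host-side. The following is an added example, not Tanium's sensor code or an iSIGHT Partners indicator: it parses an autorun.inf for the keys Windows uses to launch a program, flags any launch target that is a dropped executable sitting at the same drive root, and runs against a constructed drive layout in a temporary directory so it works offline. The file names (xyz.pif, report.docx) and the directory layout are constructed for the demonstration.

```python
"""
Added example (not Tanium's code): flag an autorun.inf at a drive root
that launches a .cmd/.pif/.exe dropped beside it, the spreading symptom
described for Sality.  Runs over a constructed layout in a temp directory.
"""
from __future__ import annotations

import configparser
import os
import tempfile
from pathlib import Path

# Extensions the slide says are dropped at the root of discoverable drives.
DROPPED_EXTENSIONS = {".cmd", ".pif", ".exe"}
# autorun.inf keys that name a program to run when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun_targets(text: str) -> list[str]:
    """Return the (deduplicated, lower-cased) file names an autorun.inf launches."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower  # autorun keys are case-insensitive
    try:
        parser.read_string(text)
    except configparser.Error:  # not an INI-style file, nothing to launch
        return []
    targets: list[str] = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key in LAUNCH_KEYS:
            value = (parser[section].get(key) or "").strip()
            if not value:
                continue
            # Keep only the program, dropping arguments; honour a quoted path.
            if value.startswith('"'):
                program = value[1:].split('"', 1)[0]
            else:
                program = value.split()[0]
            # Normalise Windows separators so basename works on any host.
            targets.append(os.path.basename(program.replace("\\", "/")).lower())
    return list(dict.fromkeys(targets))


def scan_drive_root(root: Path) -> list[dict]:
    """Return one finding per autorun target that is a dropped executable at the root."""
    findings: list[dict] = []
    autorun = root / "autorun.inf"
    if not autorun.is_file():
        return findings
    root_files = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    for target in parse_autorun_targets(autorun.read_text(errors="replace")):
        if os.path.splitext(target)[1] in DROPPED_EXTENSIONS and target in root_files:
            findings.append({
                "drive": str(root),
                "autorun_target": target,
                "dropped_file": str(root_files[target]),
                "indicator": "autorun.inf launches dropped executable at drive root",
            })
    return findings


def build_constructed_drive(base: Path, infected: bool) -> Path:
    """Create a constructed drive layout (placeholder bytes, not a real binary)."""
    root = base / ("removable_infected" if infected else "removable_clean")
    root.mkdir()
    (root / "report.docx").write_bytes(b"constructed document")
    if infected:
        (root / "xyz.pif").write_bytes(b"constructed placeholder, not a real binary")
        (root / "autorun.inf").write_text(
            "[autorun]\r\nopen=xyz.pif\r\nshell\\open\\command=xyz.pif\r\nicon=xyz.pif\r\n"
        )
    return root


def demo() -> tuple[int, int]:
    """Scan a clean and an infected constructed drive; return (clean, infected) finding counts."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        clean = scan_drive_root(build_constructed_drive(base, infected=False))
        infected = scan_drive_root(build_constructed_drive(base, infected=True))
        for finding in infected:
            print(f"ALERT {finding['drive']}: {finding['indicator']} ({finding['autorun_target']})")
        return len(clean), len(infected)


if __name__ == "__main__":
    demo()
```

On a real endpoint the check would be pointed at each mounted drive root instead of a temporary directory; the `icon=` line in the constructed autorun.inf is deliberately ignored because it does not launch anything, and the two launch keys that name the same file produce a single finding.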
Use Case: Detect and Display Registry Modifications
Trace displays historical registry modifications
Andre McGregor, Director of Security
[email protected]
@AndreOnCyber