
One of the toughest challenges in any constructive endeavor is determining what tools should be used to accomplish a given objective. A simple stroll through your local hardware store is enough to realize that there's more than one way to drive a nail. So, how do we know when to pick up the hammer and when to plug in the nail-gun? How do we choose the right tool at the right time?

The answer is experience. Spend enough time swinging a hammer the old-fashioned way and you'll gain a huge appreciation for the speed of the nail-gun. Similarly, spend enough time wielding the pneumatic tool, and you're bound to learn when those tricky nails call for some old-fashioned manual effort. Learning when to deploy this tool or that tool is what ultimately leads a builder to complete his projects in the most efficient way possible.

While carpenters know their basic tools of choice, enterprise IT professionals must navigate an ever-expanding landscape of technology tools.

Two of the most powerful tools available for enterprise IT professionals today are Tanium and ServiceNow. At first glance, these two appear to have many overlapping functions, leading many customers to misunderstand where and how they fit together. Fortunately, WWT has experience and know-how to get your company effectively and efficiently wielding both tools to their maximum potential.

Start with the business function

The first step in properly using a given tool is to understand what that tool was created to do. Without this rudimentary step, it is very easy to overlook simple solutions. For example, if you ask people walking down the street what a hammer was created to do, they will likely answer "to drive nails." While a hammer is certainly used to drive nails, it also has a "claw" on one end, allowing the user to pull nails. This subtle distinction makes it dramatically more useful than the nail-gun when pulling nails is required.

Similarly, both Tanium and ServiceNow were created to do specific things within the enterprise.

Tanium is manifestly an endpoint management tool. It excels at managing endpoints with unparalleled speed and scale.

ServiceNow is a cloud-based service management platform. It is often used for asset and configuration management.

With these high-level business functions defined, we can now build a better picture of how each tool ought to be used.

Tanium: Unrivaled power, unparalleled speed

As the premier endpoint management tool on the market today, Tanium provides a specific, critical function to the enterprise. It is the gold standard when it comes to communicating with and controlling endpoints. This includes retrieving data from endpoints, such as configuration details or performance metrics, as well as sending instructions to endpoints for execution.

To return to our tool analogy, the proper use of Tanium as an enterprise tool is to communicate with and control all endpoints in the enterprise. Here are some common tasks that are good candidates for this tool:

  • Gathering hardware and software information from all endpoints.
  • Running compliance scans against all enterprise workstations.
  • Patching a critical vulnerability across all enterprise servers.
  • Enforcing standard anti-virus policies across the enterprise.
  • Looking for and alerting on common malware threats across the enterprise.

ServiceNow: Enabling the workforce

In the context of enterprise IT, ServiceNow is the leader in service management solutions such as help-desk functionality. The platform is used to build workflows around operational events in order to drive consistency, scalability and efficiency.

To return to our tool analogy, the proper use of ServiceNow as an enterprise tool is to create workflows that simplify and scale operations. The following common IT tasks are therefore good candidates for this tool:

  • Consolidating data into a configuration management database (CMDB).
  • Aligning IT operations to business priorities.
  • Automatically generating work tickets when a specific event occurs.
  • Streamlining change and release management to reduce risk.
  • Automating support for common requests.

Deciding which tool to use

Now that we have a good understanding of when Tanium and ServiceNow should be used, let's further compare and contrast them by evaluating a specific situation where either one can work: network discovery.

Network discovery describes activities that aim to answer the all-important question, "What's on my network?" Both Tanium and ServiceNow have dedicated solutions that perform network discovery, so how do we decide which one to use?

The Tanium Discover module performs network discovery by turning every agented endpoint into a sentry within its local network. Endpoints can either passively scan their own ARP and connection tables or they can actively scan their local network using Ping and Nmap. Nmap results can be used to further identify the type of endpoint, its operating system and other basic information.
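The passive approach described above can be illustrated with a short sketch. This is an added example, not Tanium's code and not part of the original article: it assumes each agented host reports its neighbor table in the Linux `ip neigh show` format, and the host names, addresses and inventory are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: `ip neigh show` output collected from two agented hosts.
SENTRY_ARP = {
    "ws-001": """\
10.20.1.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
10.20.1.15 dev eth0 lladdr 00:00:5E:00:53:0A STALE
10.20.1.44 dev eth0 lladdr 00:00:5e:00:53:2c DELAY
10.20.1.90 dev eth0  FAILED
""",
    "ws-002": """\
10.20.1.1 dev eth0 lladdr 00:00:5e:00:53:01 STALE
10.20.1.44 dev eth0 lladdr 00:00:5e:00:53:2c REACHABLE
10.20.1.77 dev eth0 lladdr 00:00:5e:00:53:4d STALE
10.20.1.91 dev eth0  INCOMPLETE
""",
}

# Constructed inventory: MACs of endpoints that are already managed.
MANAGED_MACS = {"00:00:5e:00:53:01", "00:00:5e:00:53:0a"}

NEIGH_RE = re.compile(r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9A-Fa-f:]{17})\b")

def parse_neighbors(text):
    """Yield (ip, mac) for neighbor entries that resolved to a hardware address."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        # Rows without lladdr, or in FAILED/INCOMPLETE state, did not resolve; skip them.
        if m and line.split()[-1] not in ("FAILED", "INCOMPLETE"):
            yield m["ip"], m["mac"].lower()

def unmanaged_endpoints(sentry_tables, managed_macs):
    """Return {mac: {"ips": [...], "seen_by": [...]}} for MACs not in the inventory."""
    seen = defaultdict(lambda: {"ips": set(), "seen_by": set()})
    for sentry, table in sentry_tables.items():
        for ip, mac in parse_neighbors(table):
            seen[mac]["ips"].add(ip)
            seen[mac]["seen_by"].add(sentry)
    managed = {m.lower() for m in managed_macs}
    return {
        mac: {"ips": sorted(v["ips"]), "seen_by": sorted(v["seen_by"])}
        for mac, v in sorted(seen.items()) if mac not in managed
    }

if __name__ == "__main__":
    for mac, info in unmanaged_endpoints(SENTRY_ARP, MANAGED_MACS).items():
        print(mac, info["ips"], "seen by", info["seen_by"])
```

Recording which hosts observed each unknown MAC gives the analyst a starting network segment for follow-up, and normalizing MAC case avoids false "unmanaged" hits when the inventory and the neighbor table format addresses differently.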

ServiceNow Discovery uses an agentless approach to discover endpoints. By combining the discovery function with the existing CMDB, ServiceNow can perform a wide range of discovery techniques such as SSH, SNMP, WMI, PowerShell, REST APIs and more. The resultant data can then be mapped for dependencies and correlated with the CMDB.

Just as the hammer and nail-gun can both drive a nail, we see that Tanium and ServiceNow can both perform network discovery. The choice of which tool to use depends on the details of the situation. The builder must understand the pros and cons of each in order to properly choose the right one. For example:

  • ServiceNow does not require cumbersome agents on every endpoint, but it does require distributed servers in every network segment. If a company already has Tanium agents deployed, it may make more sense to deputize those agents for network discovery rather than deploy the required ServiceNow architecture.
  • Tanium only uses Ping and Nmap for active scanning, whereas ServiceNow is able to use credentialed techniques such as SSH, SNMP, WMI, etc., due to having CMDB awareness of the endpoints. This makes Tanium very good for quickly finding unknown endpoints, while ServiceNow does a better job of profiling known endpoints.
  • Both Tanium and ServiceNow have automated options for bringing unmanaged endpoints into a managed state when they are discovered. Tanium does this via either the Discover module itself or via the Tanium Automatic Installation Module (TAIM). ServiceNow does this via automated workflows.

All of these considerations and more must go into the builder's decision to use one tool or the other. At the end of the day, it isn't fair to say that one is always better than the other — it comes down to matching the right tool with the right situation. This is where WWT's experience and breadth of knowledge can help.

The opportunity ahead

While it's unfeasible for builders to own every tool that they come across, it is important to understand that functional overlap does not necessarily imply redundancy.

Tanium and ServiceNow are both so uniquely powerful that owning both affords the enterprise architect an immense degree of flexibility in IT operations and management. For example, if ServiceNow becomes the tool of choice for network discovery, then maybe Tanium is chosen for threat hunting and remediation. Or maybe both tools are integrated together for common functions such as asset management, configuration compliance or software deployment.

At the end of the day, both Tanium and ServiceNow offer powerful business functions that, when used properly, yield massive return-on-investment. The trick is to know each tool inside and out and to grab the right tool at the right time.

Fortunately, WWT has vast experience integrating ServiceNow and Tanium with each other as well as with other tools such as Splunk, SIEM, ELK, Flexera, VMware vRealize, Ansible, Salesforce and more.

For help with better understanding the tools in your tool belt, check out our Security Tools Rationalization Workshop or connect with me about an executive briefing.
