In this case study

With today's ever-growing threat to organizational security, it has never been more crucial for leadership to focus on stopping current attacks, preventing future attacks and finding compromised systems before damage is done. 

Tanium's wide array of capability offerings enable operation teams to utilize a 'single pane of glass' to manage multiple operating systems and endpoints in segmented networks. Using the Tanium Threat Response (TR) module for endpoint detection and response (EDR) and the Protect module for endpoint protection platform (EPP), customers are able to proactively manage threat indicators and identify existing compromises. In conjunction with Tanium's powerful platform, WWT has developed solutions for improving organizational security posture and increasing adoption with current tool sets.

Engagement 1: Gap analysis assessment

Challenge

During an internal assessment, a customer found compromised endpoints had gone undetected for an extended period of time. It was determined that current threat response capabilities needed improvement and refinement if the organization was to address the growing and adapting threat landscape. The customer required a detailed report identifying which MITRE ATT&CK Tactics and Techniques were being utilized in their environment. Along with a detailed report, understanding their operational readiness for finding, tracing and preventing exploitation was needed.

Solution

An assessment of the customer's current Tanium Threat Response Signal coverage, cross-checked against the MITRE ATT&CK framework, revealed significant gaps in coverage. Adversarial activity being monitored and detected was out of date or lacking customization where necessary. 

The WWT consulting team conducted research into appropriate coverage areas and areas of weakness or vulnerability — developing a wide array of Signals within the Tanium Threat Response module. These developed Signals would alert threat analysts to attempted bad actor and nation states infiltration activity.

Outcome

Through analysis of controls and threat capabilities, accompanied by educational training sessions, the customer team was enabled with visibility and understanding of gaps in the environment. The Signals developed within the Tanium platform ultimately provided an extensive overview of target areas requiring further coverage and enabled the customer to identify behaviors on the network. This has led to an increase in security posture and has enhanced the diligence needed for adversarial prevention.

Engagement 2: Security posture improvement

Challenge

A large, segmented organization identified gaps in threat hunting activity and response time to security incidents — increasing the likelihood of infiltration and malicious activity. The delayed response time was in part due to analysts being required to analyze physical endpoints as part of incident investigation processes. An inability to remotely analyze compromised endpoints in a timely manner left the organization open to known threats for prolonged periods of time.

Solution

In addition to the purchase of the Threat Response module, WWT's solution provided in-person Threat Response training. These customer-catered capability sessions enabled threat analysts and incident response team members with the resources necessary to more quickly investigate endpoint activity, leaving the physical asset requirement behind. 

Additionally, stable Signals were imported to increase alerting of adversarial activity and intelligence was tailored to the customer's environment. Integrations with the customer's software information and event management (SIEM) system were conducted to provide detailed threat reporting to stakeholders and leadership.

Outcome

Armed with knowledge and developed tool customizations, the customer now performs EDR functions with greater speed and success. Physical assets are no longer required as part of the investigation process — allowing analysts more time to focus on prevention of adversarial activity. The SIEM reporting has allowed for condensed viewing of alerts and threat data captured from multiple sources, providing a comprehensive view of the threat lifecycle.

Engagement 3: Tool fatigue and adoption

Challenge

A SOC (Security Operations Center) and IR (incident response) team utilized a myriad of tools to achieve day-to-day cybersecurity operations. In an effort to drive tool consolidation organizationally, corporate proceeded with the purchase of Tanium's Threat Response and Protect modules. The SOC/IR team faced major hurdles — there was a lack of manpower to implement and a lack of expertise needed to deploy the capabilities and to train team members to effectively use the tool. Additionally, multiple and overlapping tools being used to achieve similar threat response tasks meant confusion and lack of adoption.

Solution

Through discovery sessions and assessment of SOC tool usage, a plan of action was developed to phase out unnecessary tool sets and train required team members to utilize the capabilities of Tanium's Threat Response and Protect modules. Daily visits with the teams and one-on-one enablement sessions were provided to ensure the adoption and success of the new tool sets being used.

Outcome

With a well-documented, customer-specific plan in place, the organization was able to consolidate cybersecurity tool sets used by the SOC and IR teams and work to permit license lapse for tools deemed as overlap or no longer necessary. This provided a quick monetary return on investment for the purchase of the Tanium platform and the Threat Response/Protect modules. With streamlined processes, uniformed tools and knowledge increase, the customer is now seeing reduced response times and overall improved security posture.

Our approach

WWT's Tanium-certified consultants work with customer teams to develop tailored Threat Response solutions. We have partnered with organizations with as little as 16k endpoints, to organizations with well over 500k endpoints. We work with a variety of asset types to include physical, virtual and Tanium-compatible OS platforms.

Our offered services target inefficiencies associated with threat management and organizational processes — ultimately enhancing the threat prevention, detection and remediation process.

Key activities include:

  • Gap analysis of current Threat Response procedures and deployed capabilities.
  • Rationalization of threat technologies (overlaps, gaps, etc.) and product/technology recommendations.
  • Gap analysis of MITRE ATT&CK Techniques with current alerting/Tanium Signal coverage.
  • Assistance determining whether current threat teams are aligned with industry standard roles and responsibilities (RACI).
  • Implementation and suppression of stable Signals and indicators of compromise (IOCs) for baseline protection.
WWT security engagement model

 

Make sure to follow our Endpoint Security topic to learn more about how our team of Global Security Consultants can assist you with Tanium Threat Response.

Technologies