SOCNET: The Special Operations Community Network > Areas of Expertise > Technology and Communications

#1
20 March 2017, 17:50
Fubar
Experience with Tanium Endpoint Security?

Hi. Any of our Security and IT experts have experience with Tanium's suite of products? Looking for thoughts and opinions. Is it decent?
__________________
"The nice thing about Twitter, in the old days when I got attacked it would take me years to get even with somebody, now when I'm attacked I can do it instantaneously, and it has a lot of power. You see some genius statements on Twitter. You see some statements coming out which are Ernest Hemingway times two." - The Trumpmeister

#2
20 March 2017, 21:21
BOFH
I use Tanium currently. It's...strange. It is insanely useful sometimes, and kinda worthless at other times. When I think of endpoint, I usually think of forensic-type tools, like ecat. Tanium does not do what these tools do. On the other hand, it can be used to remotely push an "ir gatherer" package, rekall analysis and/or memory image.

If you have an enterprise that has a lot of machines off network, where you have to waste time reconciling "vpnuser031415.myenterprise.com" with "corporateworkstation.myenterprise.com" then Tanium can make that process more efficient by orders of magnitude. It can also be used to quarantine infected workstations via IPsec tunnel.

The long and short of it is, Tanium can do anything you script it to do, including knock your DCs over. If you go with Tanium, I'd recommend getting a support contract, as their tech gurus have been invaluable in making a really cool toy into a useful tool. End of the day, it's just a rootkit. It does whatever you tell it to do.
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue

#3
20 March 2017, 22:39
Fubar
Quote (originally posted by BOFH):
I use Tanium currently. It's...strange. It is insanely useful sometimes, and kinda worthless at other times. When I think of endpoint, I usually think of forensic-type tools, like ecat. Tanium does not do what these tools do. On the other hand, it can be used to remotely push an "ir gatherer" package, rekall analysis and/or memory image.

If you have an enterprise that has a lot of machines off network, where you have to waste time reconciling "vpnuser031415.myenterprise.com" with "corporateworkstation.myenterprise.com" then Tanium can make that process more efficient by orders of magnitude. It can also be used to quarantine infected workstations via IPsec tunnel.

The long and short of it is, Tanium can do anything you script it to do, including knock your DCs over. If you go with Tanium, I'd recommend getting a support contract, as their tech gurus have been invaluable in making a really cool toy into a useful tool. End of the day, it's just a rootkit. It does whatever you tell it to do.

Thanks for the input and perspective BOFH. I asked because they are recruiting me... and had never heard of the product.

#4
21 March 2017, 05:26
HighDragLowSpeed
I am vaguely familiar with Tanium at least from early 2016 but not as a direct user. My information may be dated. Like many endpoint security solutions, Tanium started as an endpoint administration product that rebranded itself into a security product. Its schtick is that you ask a question of your endpoints in natural language and get an answer. The downside is that it takes an administration-focused rather than security/evidence-oriented approach.

Other than the language options having limits, my opinion is that Tanium's Achilles' heels are 1) that endpoint data is passed over what I recall to be essentially unencrypted P2P. They now say on their website "decentralized data aggregation and distribution primarily across low-latency LAN traffic" but IIRC it's P2P - and 2) if so, like any unencrypted P2P system, scalability and security issues can ensue.

A better question is "who would run that broadly in their network?" I would dig into the above issues during any interview. That said, they do have money based on friends that work for them (or did..would have to check LinkedIn which I hardly ever do).

HTH
__________________
"I know of no country in which there is so little independence of mind and real freedom of discussion as in America." - de Tocqueville, 19th century

God made machine language; all the rest is the work of man.

Last edited by HighDragLowSpeed; 21 March 2017 at 05:35.

#5
21 March 2017, 08:06
Fubar
Thank you HDLS.

#6
21 March 2017, 09:31
BOFH
Quote (originally posted by Fubar):
Thanks for the input and perspective BOFH. I asked because they are recruiting me... and had never heard of the product.

Fair enough! Yeah, they are a pretty new company. I think as the product matures, it will probably sweep the market. It's very VERY capable...the only real downside right now is that everything we want it to do is a 1-off that has to be scripted. As those capabilities become part of the base package, I think you'll see big things happening.

I've only worked with their tech guys, but they've all been top-notch. Friendly, courteous, and knowledgeable. I'd probably go to work for them, given the chance.

#7
21 March 2017, 09:38
CV
What kind of work (generally speaking) are you being recruited for?
__________________
It's a hipster filter. Keeps your kind out. -Jimbo


#8
21 March 2017, 12:16
Fubar
I'd rather not say publicly. I'm pretty sure you know my history and who I used to work for.

#9
21 March 2017, 12:30
CV
Quote (originally posted by Fubar):
I'd rather not say publicly. I'm pretty sure you know my history and who I used to work for.

Okay, cool. If it's in that vein, jump on the train and ride it to compensation-ville

I have not heard of them before, but that means nothing. There's so many firms popping up.

#10
21 March 2017, 13:55
MountainBum
As a disclaimer, I have no connection to these cats except friends of friends who work there.

Anecdotally, every data integration I do at large F500 firms - the inevitable question comes up - "can you ingest Tanium data?" Every major player I've dealt with either has it or is looking at piloting it for enterprise adoption. I've never used the tool but the NRT asset monitoring promises to solve a massive pain point for security teams.

From an institutional perspective, they're a major player in the endpoint security space ($3.5 bil valuation) and I'd expect them to IPO within 12-24 months. From what I know about their consulting-like model, not sure if that valuation is warranted because it's not a full product play but IMO employment there at this particular time is a solid option.

#11
21 March 2017, 14:24
usmc_3m
The leadership team hails from BigFix and Mandiant, so that says a lot.

Our company did a pseudo trade study with 3 vendors, including Tanium. Would be happy to discuss via PM if you think it would be valuable.
__________________
"He who does not punish evil commands that it be done." -- Leonardo Da Vinci

#12
21 March 2017, 15:09
HighDragLowSpeed
Quote (originally posted by MountainBum):
As a disclaimer, I have no connection to these cats except friends of friends who work there.

Anecdotally, every data integration I do at large F500 firms - the inevitable question comes up - "can you ingest Tanium data?" Every major player I've dealt with either has it or is looking at piloting it for enterprise adoption. I've never used the tool but the NRT asset monitoring promises to solve a massive pain point for security teams.

From an institutional perspective, they're a major player in the endpoint security space ($3.5 bil valuation) and I'd expect them to IPO within 12-24 months. From what I know about their consulting-like model, not sure if that valuation is warranted because it's not a full product play but IMO employment there at this particular time is a solid option.

That's interesting...explains their valuation. Except for a few trial deployments that I am aware of, they don't seem to have done much in my area of the world particularly in terms of event participation. CB has made much more effort.

Last edited by HighDragLowSpeed; 21 March 2017 at 15:16.

#13
21 March 2017, 18:30
Fubar
You guys are tops! (And I don't mean that in the KidA bottom sense of the word.)

All times are GMT -4.