Broken Cyber Hygiene: A Case Study

10.4.2016 | Charles Ross

No shortage of information security tools

With more than 200 different products from 125 vendors addressing the top 20 security controls (deep breath), there’s no shortage of information security tools in the market. Organizations are building defensive arsenals with these tools, but intruders are still slipping through the digital “doors and windows” that the organization itself has left open and unlocked.

Instead of looking at this problem from the outside-in (i.e. “Where and how will the attackers get into the network?”), we have long advocated for an inside-out approach. Why predict the next threat when you can confidently address the root cause of the problem? First, identify what needs to be managed and secured within an environment, then work to proactively secure every asset with the appropriate patches and security configuration controls. It’s the first thing we say to our customers: you can’t secure what you can’t manage, and you can’t manage what you don’t know about.

Leveraging Tanium with the security hygiene assessment

One of the first activities we do with prospective Tanium customers is a Security Hygiene Assessment. Leveraging Tanium, we provide visibility into the current security posture of an organization and establish a baseline of the “as-is” state. This process lets us measure how many machines an organization has, what software is running on them, where they are misconfigured and where the vulnerabilities lie; the sheer numbers routinely shock IT teams. Because of the Tanium platform’s speed and completeness of data at scale, we can collect this information cost-effectively within seconds. The time and cost of gathering it had been a key deterrent to taking this approach in the past.

Tanium ran such an assessment at retail and software companies with more than 2,000 remote locations, and the results mirror the experiences of many other companies. We’re sharing an insider’s view of the results of their Hygiene Assessment today.

When these companies first deployed Tanium through their existing software deployment process, Microsoft SCCM, they were only able to reach 40% of their endpoints. Any legacy software distribution tool will produce similar or worse results. It’s extremely rare that we encounter companies with greater than 75-80% coverage from their software deployment tools. What would only pass as a “C+” on a high school exam puts you on the “Principal’s Honor Roll” when it comes to deploying software!

Why does this matter?

Attackers know you can’t update your systems in a timely manner, which is why 99.9% of the vulnerabilities exploited in attacks had been publicly identified for more than a year, some of them as far back as 1999.

For these companies, this meant that any software they had been deploying, including security tools, anti-virus products and updates, was only reaching two out of every five machines on the network. A second wave using McAfee ePO (McAfee was then operating as Intel Security) reached an additional 20%.

In most organizations today, teams have multiple tools to get software to their endpoints; yet if you’re deploying software with the same historically unreliable tools and technology, you’ll likely miss areas of your network and end up with unmanaged and unprotected network segments across your enterprise. Ultimately, Tanium was able to deploy within a day to the remaining 40% of endpoints, reaching the full 100% of targeted endpoints.

Once we can assess an entire network, it is not uncommon to find another 12-20% of endpoints that are unmanaged and that the company simply didn’t know existed. Here we found that 23% of endpoints were unmanaged.

Now we can turn the lights on to see what’s really going on.

When we look at staying current on patches for widely deployed software from vendors like Adobe, Google, Microsoft, and Oracle, you’ll find commonalities: multiple, distinct, outdated versions, and a wide disparity of patch levels from computer to computer. The number of critical vulnerabilities can get out of control. CISOs have a general idea of the different types of software and the spread of versions across their environment, but they rarely know just how bad it really is.

Blissful ignorance is a state many CISOs are forced to live in when it comes to security because of outdated tools, which are the leading factor in poor security hygiene.

All in all, we found:

Adobe: 2,771 critical vulnerabilities (CVSS 5 or higher), with 98.9% of endpoints running a vulnerable version of Shockwave. 91% had vulnerable versions of Flash.

Java: 106 distinct versions of Java detected, with 97.8% of endpoints impacted by vulnerabilities.

Windows Patches: 77% of machines were missing six or more critical updates, with 1.6 million missing patches in all; the oldest reported missing critical patch dated from 2007, nearly 10 years old.

SCCM: 20% of machines with unhealthy SCCM clients.
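The arithmetic behind the coverage and version figures above, as an added example that is not Tanium’s code and does not use the companies’ real inventories: it reconciles what several management tools each report against the hosts actually seen on the network, so the gap (the unmanaged estate) becomes a number, and it compares product versions as integer tuples rather than as strings, which is where ad-hoc version checks usually go wrong. Tool names, hostnames and the patched baseline are constructed for the illustration.

```python
"""Reconcile endpoint inventories from several management tools and measure
software-version hygiene the way a baseline assessment would.

Added example with constructed data. Not Tanium's code; tool names, hostnames
and the "safe" Java version are illustrative assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed inventories: hostname -> Java version string as each tool reports
# it (None = agent healthy but no Java installed). A host absent from a tool's
# dictionary is a host that tool cannot reach at all.
INVENTORIES: Dict[str, Dict[str, Optional[str]]] = {
    "SCCM": {"ws-01": "1.8.0_77", "ws-02": "1.7.0_80", "ws-03": "1.8.0_91",
             "ws-04": "1.8.0_101"},
    "ePO": {"ws-01": "1.8.0_77", "ws-03": "1.8.0_91", "ws-05": "1.6.0_45",
            "ws-06": "1.8.0_101"},
    "Tanium": {"ws-01": "1.8.0_77", "ws-02": "1.7.0_80", "ws-03": "1.8.0_91",
               "ws-04": "1.8.0_101", "ws-05": "1.6.0_45", "ws-06": "1.8.0_101",
               "ws-07": "1.8.0_45", "ws-08": None},
}

# Constructed: every host seen on the network (e.g. from DHCP leases or an
# unmanaged-asset scan). ws-09 and ws-10 are known to no management tool.
DISCOVERED: Set[str] = {f"ws-{n:02d}" for n in range(1, 11)}

# Assumed patched baseline for the example: anything below 8u101 counts as vulnerable.
MIN_SAFE_JAVA = "1.8.0_101"


def coverage_pct(inventory: Dict[str, Optional[str]], universe: Set[str]) -> float:
    """Share of the discovered estate that a single tool can actually reach."""
    return round(100.0 * len(set(inventory) & universe) / len(universe), 1)


def cumulative_coverage(inventories: Dict[str, Dict[str, Optional[str]]],
                        universe: Set[str], order: Iterable[str]) -> List[float]:
    """Coverage after each successive deployment wave (tools applied in `order`)."""
    reached: Set[str] = set()
    out: List[float] = []
    for tool in order:
        reached |= set(inventories[tool]) & universe
        out.append(round(100.0 * len(reached) / len(universe), 1))
    return out


def unmanaged_hosts(inventories: Dict[str, Dict[str, Optional[str]]],
                    universe: Set[str]) -> Set[str]:
    """Hosts on the network that no management tool knows about."""
    managed: Set[str] = set()
    for inv in inventories.values():
        managed |= set(inv)
    return universe - managed


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.8.0_91' or '9.0.4' into a comparable tuple of integers.

    Plain string comparison gets this wrong: '1.8.0_101' < '1.8.0_91' as text.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_hygiene(inventory: Dict[str, Optional[str]], min_safe: str) -> Tuple[int, float]:
    """(number of distinct versions, % of installs below min_safe).

    Hosts without the product installed are excluded from the percentage; they
    still count toward the tool's coverage figure above.
    """
    installed = {h: v for h, v in inventory.items() if v is not None}
    if not installed:
        return 0, 0.0
    distinct = len(set(installed.values()))
    floor = version_key(min_safe)
    vulnerable = sum(1 for v in installed.values() if version_key(v) < floor)
    return distinct, round(100.0 * vulnerable / len(installed), 1)


if __name__ == "__main__":
    for tool, inv in INVENTORIES.items():
        print(f"{tool:7s} reaches {coverage_pct(inv, DISCOVERED):5.1f}% of discovered hosts")
    print("cumulative coverage by wave:",
          cumulative_coverage(INVENTORIES, DISCOVERED, ["SCCM", "ePO", "Tanium"]))
    print("unmanaged:", sorted(unmanaged_hosts(INVENTORIES, DISCOVERED)))
    distinct, pct = version_hygiene(INVENTORIES["Tanium"], MIN_SAFE_JAVA)
    print(f"Java: {distinct} distinct versions, {pct}% of installs below {MIN_SAFE_JAVA}")
```

The percentage denominator matters: coverage is measured against hosts discovered on the network, not against the count the deployment tool itself reports, because a tool can only report on what it already reaches. In the constructed data the first tool reaches 40%, the second wave lifts that to 60%, the third to 80%, and two hosts remain unknown to every tool.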

After an assessment, the end of the story isn’t just fixing your patches and closing your vulnerabilities. An assessment report is simply a snapshot of today; if it’s the end of your actions, you’ll find yourself in the exact same position soon enough, because the tools and workflows that produced the gaps haven’t been corrected. Therefore you must remediate both your environment and your tools: the tools are usually just as broken as the hygiene on your network. Addressing security hygiene isn’t sexy or easy to do, but when you address hygiene continuously, you will be able to close all those digital doors and windows.

You’ll never stop vigilantly hunting and investigating threats, but you will spend less time doing it. All the time you used to spend hunting the intrusion that came in through that missing 2007 critical patch can now be spent on something else.

Don’t waste time guessing where the next attack might occur, when you can fix the underlying problems.

Better hygiene equals a better security posture. There is a better way. See how Tanium for Security Hygiene can help you solve these challenges at

About the Author: In his role as Chief Customer Officer, Charles Ross leads the team responsible for delivering the Tanium vision to our customers: scalable endpoint management to operate and secure their business reliably and quickly. Prior to Tanium, Charles worked at McAfee, where he held a variety of leadership roles in pre-sales engineering, solution architecture, and IT security. Prior to McAfee, Charles worked as an Enterprise Risk Consultant for Deloitte & Touche. Charles holds a Bachelor of Science from the University of Florida.