Deployment Automation for Tanium Deploy – Tanium Tech Talks #120

Automated software deployment is a critical consideration for both IT operations and security teams. By integrating deployment automation with Tanium Deploy, a core capability of Tanium Autonomous Endpoint Management (AEM), organizations can achieve a more secure and efficient software deployment process while supporting user productivity by minimizing disruptions, maintaining operational stability, and upholding robust security controls.

Watch the video below for a comprehensive demonstration of how Tanium Deploy can be used to automate software deployment and efficiently roll out software updates across an organization’s endpoints.

Key takeaways

• Why deployment automation is important: Deployment automation enables phased software updates, which reduces the risk of disruptions. Instead of deploying updates to all endpoints at once, updates are rolled out in phases, starting with a small percentage of endpoints and gradually expanding based on success rates.
• Tanium AEM components used for deployment automation:
  
  • Understanding deployment plans: Deployment plans enable actions to be executed in phases or rings. For example, a standard plan might start with 1% of endpoints, evaluate success, and then expand to 15%, 40%, and eventually all endpoints. Jason shows how to set up deployment plans and rules. He also explains how to use the Ring Deployment Status page to monitor deployment activities and manage the process, including pausing or stopping it as needed.
  • Using Confidence Scores to anticipate deployment success: Confidence scores provide intelligent data on the success rate of software deployments derived from telemetry data collected across millions of managed endpoints in Tanium Cloud. These scores help determine the likelihood of a successful deployment in your environment, allowing administrators to make informed decisions about whether to proceed with an update based on its success rate and potential performance impact.
• Real-world use case: Jason shares a scenario where an organization would like to deploy a new version of Chrome. If the confidence score for the new Chrome version is high, it indicates a successful deployment on a large number of endpoints, allowing administrators to proceed with confidence. Once the organization is confident that the deployment will be successful, it can create a deployment plan that begins with a small percentage of endpoints, starting with a canary ring that targets 1% of endpoints and allows it to stabilize for 12 hours. If the success rate reaches 90%, the deployment automatically proceeds to the next ring, expanding to 15% of endpoints, and waits a day before reevaluating the success rate.
  
  The deployment plan also monitors performance degradation data, such as increases in application crashes, CPU spikes, or memory usage, to ensure that the new version does not negatively impact the endpoints. This process continues through additional phases, eventually reaching all computers, so that any issues are identified and addressed before they affect all users.
• Addressing zero-days: Jason explains how Tanium Deploy can also handle zero-day vulnerabilities by allowing for accelerated deployment when necessary. In such cases, a more aggressive deployment plan can be employed, which includes shorter waiting periods between phases and additional evaluation criteria to ensure that the update does not result in performance degradation or other issues.

I’m just thinking of all the customer feedback we’ve heard over the years on software deployment automation. I mean this is really what people have been asking for for a long time. The ability to control the versioning and automatically deploying the latest. This really checks a lot of boxes.

Additional resources

• Tanium Deploy automatic software deployment documentation
• Deployment automation for Tanium Deploy announcement
• How to establish a third-party update methodology
• What is software inventory?