I joined Tanium in 2012 as one of our first two Technical Account Managers (TAMs). Like so many working in tech, I’ve worn a bunch of IT hats over the years – from helpdesk to ops to security to software. As a security guy, I saw Tanium in its early stages of development and I was hooked on its capabilities – and its potential.
Over the years, it’s become clear to me that IT and security teams cannot rely on black-box solutions to keep pace with time-sensitive, unique and evolving challenges. When an organization adopts any vendor technology, that tech needs to be a complementary force multiplier to an essential core set of operations, security skills and capabilities.
In this post, I want to share some perspective on what this means and how it inspires what we build at Tanium. Please suspend your disbelief as I try to pretend that I don’t work for our company, but rather speak as a concerned citizen in your industry.
Flexibility to solve hard problems
Even at small scale, IT environments in most organizations are incredibly challenging to control and monitor. Each piece of unique software – each distinct system configuration – bolted onto the network adds significant complexity. As you add more users, endpoints and devices, that complexity grows logarithmically, not linearly. Understaffed teams fend against the chaos from bad software, misunderstood systems and threat actors alike. Security and risk go far beyond a simple malware problem.
It is for this very reason that I and other veterans of this industry are skeptical of silver-bullet point solutions that attempt to solve entire domains of security threats. There’s nothing we can buy, as tempting as the idea has always been, that absolves us of the need to do the unglamorous but critical work of security and IT management fundamentals.
Tanium has come a long way since I first joined more than four years ago. We’ve invested heavily in developing workflows that make it easier for our users to perform security and IT operations tasks at scale, without having to worry about how the underlying architecture or software makes it happen. Our product modules like Comply, Protect, IOC Detect, Trace, Patch and Trends are all built around that philosophy.
Beyond product modules, we always want Tanium to empower the “makers” and “builders” – not just provide a black-box of static features. From the start, Tanium was fundamentally designed to keep the platform scalable, the core client as simple as possible and the overarching platform infinitely extensible. That underlying flexibility is why I joined Tanium in its infancy. Today, our TAMs help quickly deliver customized content and solutions to meet the unique needs of every customer’s environment. Those same customers are self-sufficient as well, frequently building their own sensors, packages, dashboards, and integrations, all without having to resort to vendor-proprietary languages. We’ve highlighted many simple examples of how Tanium’s openness provided solutions to critical, time-sensitive problems in prior technical blog posts.
Building the ideal team
One of the most compelling aspects I’ve found in working at Tanium is getting a small look into the challenges faced by security teams across so many organizations, specifically the different ways these teams are staffed and structured. In addition to learning from our customers, I’ve also been fortunate to learn from peers in our own TAM organization, which draws a broad range of skills in threat detection and response, forensics, IT operations, system administration, software development, troubleshooting and integration.
These experiences have shaped my perspective on what comprises the “ideal” blueprint of a security team that I think would have the best chance in today’s environment. It goes without saying that domain expertise is critical: CIRT teams need strong IR practitioners versed in network and endpoint forensics; assessment teams benefit from seasoned red-teamers, and so on. But what’s often neglected in the hunt for highly specialized talent are team members with scripting / coding chops (even if applied to other disciplines), along with those that are seasoned in IT or security operations. That doesn’t just help broaden the capabilities of the group; it can also break down silos that often exist among security and IT organizations in many large companies.
An operations veteran – especially if they’ve been with the organization for a long time – will know a corporate network like a London cabbie, and know who to talk to for what. (If this person is well-liked throughout the company, that certainly helps!) Ensure they’ve been responsible for either blowing something major up years ago, or fixing someone else’s crisis, so they have the “fear” in them. They must not be afraid of scripting or automation. Their job is to know what you own, how it works, and make sure the right stuff is done, safely and quickly.
A good coder will act as a force multiplier for a security team’s tools and skill sets. They don’t need to have a strong infosec background, but can learn from team members while likewise sharing their own knowledge. They don’t need to be a kernel hacker, but they might need to work with at least one of the languages that are most commonly used for security or dev-ops: Python, Ruby, Golang or PowerShell. Maybe they once did Perl or shell scripting, and can at least read C++. They can help your specialists automate their processes, glue your existing systems together via APIs and platforms like Tanium, and scale and simplify core security tasks across the enterprise. Likewise, your operations-minded practitioners can help keep these efforts in check and ensure that they are tested and deployed in a safe manner.
There are so many specialized skills in the security industry; surprisingly, it’s one or both of these extremely broad skillsets which seem to be easy for teams to overlook. Teams that can produce and deploy code quickly and safely have a massive advantage.
A core part of Tanium’s mission is to empower organizations to manage and secure their own systems – to be truly self-sufficient and effective. That means building solutions that are easy to use and can help small teams achieve quick successes, yet can still remain flexible enough to allow more experienced users to rapidly adapt to new use-cases and workflows. So many “new” security problems can be solved with a handful of lines of code, as long as you can reliably test, run, and collect the results of said code at enterprise scale, quickly, safely and cross-platform. The Tanium Platform gives Sensor Authors the ability to detect, in seconds, conditions that traditional security products failed to find, and to deploy Actions to help remediate the problem of the day – whatever it may be.
Conversely, so many security products look amazing when running through canned proof-of-concept demos, but quickly unravel at the seams when they need to be adapted or extended to the broader use-cases at each unique environment – or when applied at massive scale. Tanium’s open platform was an original design goal, not an afterthought, built by people that intimately knew the limits of any vendor and what a world-class team with such a platform can do beyond the bullet point features.
About the Author: Rory Prendergast is a Senior Technical Account Manager in Tanium’s Emeryville office.