Announcing Tanium Comply
Today we’re announcing the latest Tanium product module, Tanium Comply™. Enabled by Tanium’s unmatched speed at scale, Comply transforms the lengthy and unreliable work of validating endpoint security configuration into an activity that can be done accurately in minutes, no matter how many endpoints you have.
Compliance is likely to rank high on any CIO’s list of headaches. Ensuring your company complies with the endpoint security configuration requirements of various industry and federal regulations is a tedious process. It can take days to scan just 10,000 endpoints using a single scan source. Additionally, the amount of sensitive data kept on data centers, not to mention the number of endpoints within an organization, has grown exponentially over the past decade, while security configuration management and other security hygiene tools have not kept pace with the scale of modern networks. And the risks of failure are high: even minor compliance issues may result in fines and a loss of trust from your customers and constituencies. More importantly, failure to comply with security best practices leaves companies exposed to a greater risk of being breached.
The root of the issue is that many organizations struggle with answering, “Are all of our endpoints in compliance with standard security configuration benchmarks?” Efforts to answer that question can take days with legacy tools, if not longer, and consume significant computing and staff resources. Take the financial services industry: in a 2015 report, only 37% of financial services companies said they were “confident in the ability of their compliance department’s IT systems to satisfy the organization’s compliance responsibilities and reporting requirements.” Banking is one of the most heavily regulated industries, and to have nearly two-thirds of those companies lacking faith in their IT compliance is staggering. If it takes days to answer a question, the data is likely out of date by the time you get the answer.
What does it solve?
Using Tanium’s patented architecture, Comply can run and retrieve configuration benchmark results across an entire enterprise – hundreds of thousands of endpoints – quickly, without saturating the network or requiring additional hardware.
By way of example, any company that handles credit cards must meet the security standards laid out in the Payment Card Industry Data Security Standard (PCI-DSS) Section 2.1, which requires that you “change all vendor-supplied defaults.” Using Comply, an organization can search and highlight all endpoints not meeting these standards within seconds. This is typically a manual task requiring a team working full-time for days at a time to complete.
Beyond just helping with regulatory compliance, Comply empowers our customers to improve their overall security hygiene by applying best practices enterprise-wide. Hardening security configurations is obviously not a new concept, but most organizations dealing with tens of thousands or even hundreds of thousands of endpoints have been fundamentally limited by the scale of tools available to them. In fact, a customer recently said to me, “I tell people not to talk to me about regulatory compliance. Talk to me about security. If we’re doing security right, we will meet regulatory compliance.” That’s exactly the way we approached Tanium Comply.
We’re very excited about the potential for the Tanium Comply module to provide clarity in the cluttered and complicated world of security hygiene and IT compliance standards. Click here to learn more. Better yet, schedule a demo to see Tanium Comply in action.
About the Author: As Chief Security Officer, David Damato provides strategic product direction over module development for the Tanium Platform and manages the company’s internal security program. David brings a wealth of security expertise to Tanium, spanning incident response and forensics, vulnerability assessments, security program development, security operations, and network and security architecture. Prior to Tanium, David most recently served as Managing Director at Mandiant, a FireEye company, where his team led incident response and post-breach remediation efforts at over 100 Fortune 500 companies. At Mandiant, David was also instrumental in developing new incident response services capabilities and establishing consulting offices both domestically and internationally. Prior to Mandiant, David led security consulting teams at PwC as part of its Washington Federal Practice and held IT roles at Raytheon focused on the management of internal and government networks. David frequently shares his expertise and insights at industry events and with the media.