Introducing Tanium Trace: Changing the Game for Incident Response

6.25.2015 | David Damato

For more than a decade, I’ve focused on a combination of designing secure networks, testing security controls and investigating complex breaches. In each of these roles, I struggled to find tools that provided the visibility and control of all endpoints required to better prevent, detect and resolve security incidents. That is why I was excited — and initially skeptical — when a former client introduced me to Tanium. After viewing the demo, I quickly realized the power of the platform and potential new applications, which were impossible with existing solutions. And since becoming Chief Security Officer at Tanium, I’ve seen up close the game-changing abilities Tanium provides its customers — and I’m thrilled to share our latest extension of the technology.

Tanium Trace (Trace) is our newest module, which takes the speed and scale of the Tanium platform even further. It provides the agility to conduct immediate, in-depth forensic investigations on a single endpoint, as well as to perform accurate enterprise-wide searches for captured artifacts across millions of endpoints in 15 seconds — work that previously took days or weeks. Organizations that continue to rely on outdated technologies that cannot achieve this level of speed and visibility will find themselves well behind attackers and at greater risk of becoming the latest headline.

How is this possible? Trace continuously records endpoint activity, including system artifacts not retained by normal logging mechanisms, such as short-lived network connection details, hashes of executed processes, and the creation, deletion or modification of files and registry keys. Trace also performs reliable kernel-level monitoring and can detect rootkits and other advanced counter-forensic techniques attackers use to hide their activity. With this information, security teams have direct access to a complete story of malicious activity that would not exist under normal circumstances.

How Tanium Trace benefits organizations

Taking into consideration my past experiences responding to large breaches, it’s clear my incident response teams would have benefited greatly from the capabilities Trace provides in three distinct ways.

Trace provides customers with the ability to detect malicious activity.

In my previous role leading incident response engagements, we continuously received new intelligence, often referred to as Indicators of Compromise (IOCs). Likewise, the majority of organizations receive IOCs from a variety of sources and search for them using varying tools. In most cases, IOCs are simple (e.g. an MD5 hash, an IP address or a filename), and searches can take hours or days, if the information needed to match them is available at all. Trace changes this model by allowing organizations to search recorded data across all endpoints in seconds. The module can also continuously monitor for any combination of indicators recorded by Trace. Using the Tanium platform, alerts produced by Tanium Trace can be used to automate specific actions, such as uploading a file to VirusTotal, forwarding information to a SIEM, or acquiring a snapshot of the Trace database for later analysis.
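As an added illustration of the search-and-monitor model just described (example code, not Tanium's), the Python below checks constructed endpoint event records against simple IOCs, both as a one-shot search and as a streaming monitor that alerts only when one host exhibits a required combination of indicators; the event schema, hostnames, hash and IP values are all assumptions.

```python
"""Match recorded endpoint artifacts against simple IOCs (md5, ip, filename)."""
from collections import defaultdict

# Constructed IOC set covering the three simple kinds named in the post.
IOCS = {
    "md5": {"0123456789abcdef0123456789abcdef"},  # placeholder hash, not a real sample
    "ip": {"203.0.113.7"},                         # documentation range address
    "filename": {"svch0st.exe"},
}

# Constructed recorded events: executed-process hashes, a short-lived
# connection and a file creation, as the kinds of artifact Trace retains.
EVENTS = [
    {"host": "ws-01", "ts": 10, "type": "process", "md5": "0123456789abcdef0123456789abcdef", "name": "svch0st.exe"},
    {"host": "ws-01", "ts": 12, "type": "connect", "ip": "203.0.113.7", "port": 443},
    {"host": "ws-02", "ts": 15, "type": "file_create", "name": "svch0st.exe"},
    {"host": "ws-03", "ts": 20, "type": "connect", "ip": "198.51.100.9", "port": 80},
]

def ioc_hits(event, iocs=IOCS):
    """Return the set of IOC kinds a single recorded event matches."""
    hits = set()
    if event.get("md5") in iocs["md5"]:
        hits.add("md5")
    if event.get("ip") in iocs["ip"]:
        hits.add("ip")
    if event.get("name") in iocs["filename"]:
        hits.add("filename")
    return hits

def search(events, iocs=IOCS):
    """One-shot search over recorded data: host -> IOC kinds seen on it."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= ioc_hits(ev, iocs)
    return dict(per_host)

class ComboMonitor:
    """Streaming check: alert once per host when every required kind is seen."""
    def __init__(self, required, iocs=IOCS):
        self.required, self.iocs = frozenset(required), iocs
        self.seen, self.alerted = defaultdict(set), set()
    def observe(self, event):
        host = event["host"]
        self.seen[host] |= ioc_hits(event, self.iocs)
        if self.required <= self.seen[host] and host not in self.alerted:
            self.alerted.add(host)
            return {"host": host, "ts": event["ts"], "matched": sorted(self.required)}
        return None

def run_monitor(events, required=("md5", "ip")):
    """Feed events through the monitor in order and collect the alerts raised."""
    mon = ComboMonitor(required)
    return [a for a in (mon.observe(e) for e in events) if a]
```

A single-indicator search lists every host touching any IOC, while the combination monitor surfaces only ws-01, where a matching hash ran and then connected to the listed address.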

Trace can help organizations more accurately and quickly scope incidents.

Organizations are often overwhelmed with security alerts. As a result, they must either expend a considerable amount of energy analyzing alerts or choose to simply rebuild every system with a potential compromise. Both are undesirable options. Scoping all incidents via traditional forensics can overburden already busy security teams and cannot capture the same level of detail that Trace records. Rebuilding systems without analysis commonly results in unnecessary costs where the initial alert was a false positive, or prevents analysts from detecting a much larger breach. Trace gives analysts access to a wealth of forensically significant events, so that organizations can properly scope every incident quickly and completely.

Trace can also assist organizations in remediating incidents with more precision and efficiency.

After an incident is properly scoped, analysts can utilize the core Tanium platform to initiate remediation actions that clean up impacted systems and eliminate artifacts of attacker activity. This integrates the investigative and remediation process, limiting the impact on your end users and the amount of time required to resolve an incident.

Trace adheres to the same core principles as the rest of the Tanium platform, including the ability to gain instant visibility into hundreds of thousands of systems at scale. As a result, there is no need to deploy additional hardware or storage, regardless of the number of endpoints. Likewise, users of Trace can still use the full power of the Tanium platform to access and search data recorded by the module in seconds.

Having access to such detailed recorded data, and the ability to search it quickly and at scale, could have saved me — and the teams I’ve led — thousands of investigative hours. During the coming weeks we’ll have more updates on this module as our customers continue to deploy and use Trace in exciting new ways.

If you’re interested in learning more about Trace or seeing a demo of the Tanium Endpoint Platform, click here.

David Damato, Chief Security Officer
