Oct 19, 2018
IT Operations Starts With Visibility to All Devices
By Tim Mintner
You can’t manage what you can’t see
Before software can be installed, compliance assessed, inventory gathered, or patches installed, a system has to be known and managed. When working with new Tanium customers, it’s all too frequent that we find a significant percentage of endpoints not known or managed by their legacy systems management tool. I once asked a CIO how many endpoints were on the network and he stated somewhere between 250,000 and 400,000 endpoints. That is a potential gap of 150,000 endpoints!
Existing tools have tunnel vision
So why do we continue to see gaps between the number of known endpoints and the actual number of endpoints? Tools such as System Center Configuration Manager (SCCM) typically discover systems through Active Directory or DHCP. This approach omits standalone application servers and workstations that are not joined to an Active Directory domain. Because site boundaries and network discovery are keyed to IP subnets and ranges, a change to the IP address scheme can also silently drop clients out of management. Too often AD-based discovery completely fails to identify lab systems, medical devices and "under the desk" systems that have been running for years without anyone realizing their existence.
A second approach is brute force: centrally scan every address on the network. Although this can be an effective way to identify devices, it produces a heavy network load over WAN links and can take days or weeks to complete. IT operations teams typically run these scans during off hours, when laptops and lab systems are powered off, so large parts of the estate are never seen. The result is an incomplete, inaccurate picture that does not account for anything that changes between scans.
I have worked with many customers who have gone through mergers, acquisitions and divestitures. They typically have a short amount of time to identify all devices on the network being acquired. Unfortunately, legacy systems management tools are often blind to the acquired networks. SCCM's AD-based discovery, for instance, only sees systems in the domains and forests it has been configured to query, which rarely include the acquired company's domain. In addition, overlapping IP ranges between the two networks often prevent traffic from routing back to a centralized scanning service at all.
There is a better way
With Tanium Discover we leverage the Tanium Architecture and existing managed endpoints to identify any device on the network. There are essentially two configurable discovery methods: active and passive. Passive discovery sends no scan traffic; it uses information the managed endpoints already hold locally, such as the neighbors they have seen and the connections that have been made to them. Active discovery uses mechanisms such as ping-based scripts or NMAP, run from the managed endpoints themselves rather than from a central scanner.
Because Tanium’s approach is much more efficient than traditional tools, it can discover the entire endpoint network multiple times per day. As a result, administrators have current and actionable data without congesting the network – unlike the traditional hub-and-spoke communications model used by legacy tools such as SCCM.
At a recent customer engagement, we used Tanium Discover to find 30K additional devices during a merger and acquisition. This was a prime example of how their legacy systems management tool, running in parallel, had failed to provide the same insight.
There are many examples where customers use unmanaged asset data in novel ways. One recent customer combined unmanaged asset data, auto-labeling (in Discover) and TCP connection data (from Tanium Core). As a result, they identified a "printer" making unexplained port 22 (SSH) connections to their Linux servers.
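The two ideas above, passive discovery from data managed endpoints already hold and label-based triage of the connections those endpoints see, can be shown in a few dozen lines. The following is an added example written for this post, not Tanium code. It works over constructed `ip neigh show` and `ss -tn` output as a managed Linux host would produce it, a constructed inventory with an assumed `agent_ok` flag standing in for the agent's health state, and an illustrative OUI-to-label table (a real deployment would use the IEEE registry or fingerprinting). It flags unmanaged neighbors, marks managed hosts that are still on the wire but no longer report as lost, and raises the "printer talking SSH" case.

```python
"""Passive discovery plus label-based connection triage on constructed data."""

# Constructed inventory from the management tool. agent_ok=False models an
# agent that was removed or firewalled off (assumption for this example).
MANAGED = {
    "10.0.1.5":  {"host": "lnx-web-01", "agent_ok": True},
    "10.0.1.6":  {"host": "lnx-db-01",  "agent_ok": True},
    "10.0.1.40": {"host": "wks-0412",   "agent_ok": False},
    "10.0.1.41": {"host": "wks-0413",   "agent_ok": False},
}

# Illustrative OUI prefixes only; not real vendor assignments.
OUI_LABELS = {"00:11:22": "printer", "aa:bb:cc": "workstation"}

# Constructed `ip neigh show` output collected from a managed endpoint.
# No packets are sent to build this: it is what the host already knows.
NEIGH_LINES = """\
10.0.1.5 dev eth0 lladdr aa:bb:cc:00:00:05 REACHABLE
10.0.1.40 dev eth0 lladdr aa:bb:cc:00:00:40 STALE
10.0.1.77 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.1.99 dev eth0 lladdr de:ad:be:ef:00:99 REACHABLE
10.0.1.120 dev eth0  FAILED
""".splitlines()

# Constructed `ss -tn` output from managed host 10.0.1.5.
SS_LINES = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB  0      0      10.0.1.5:22        10.0.1.40:50122
ESTAB  0      0      10.0.1.5:22        10.0.1.77:51234
ESTAB  0      0      10.0.1.5:443       10.0.1.99:60001
ESTAB  0      0      10.0.1.5:44020     10.0.1.77:9100
""".splitlines()

EPHEMERAL_START = 32768  # Linux default ip_local_port_range lower bound


def parse_neigh(lines):
    """Return {ip: mac} from `ip neigh show` output; entries without a
    link-layer address (FAILED/INCOMPLETE) carry no usable MAC and are skipped."""
    seen = {}
    for line in lines:
        parts = line.split()
        if "lladdr" in parts:
            seen[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return seen


def parse_ss(lines):
    """Return [(local_ip, local_port, peer_ip, peer_port)] for ESTAB sockets."""
    conns = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        lip, lport = parts[3].rsplit(":", 1)
        pip, pport = parts[4].rsplit(":", 1)
        conns.append((lip, int(lport), pip, int(pport)))
    return conns


def label_for(mac):
    """Auto-label a device from the first three octets of its MAC."""
    return OUI_LABELS.get(mac[:8], "unknown")


def classify(neighbors, managed):
    """Status per IP: managed, unmanaged, lost_interface (in inventory, agent
    not reporting, but still seen by its neighbors) or offline (not seen)."""
    status = {}
    for ip in set(neighbors) | set(managed):
        if ip not in managed:
            status[ip] = "unmanaged"
        elif managed[ip]["agent_ok"]:
            status[ip] = "managed"
        else:
            status[ip] = "lost_interface" if ip in neighbors else "offline"
    return status


def suspicious_connections(conns, neighbors, managed):
    """Flag inbound connections to managed hosts from devices labelled printer.
    Direction is inferred heuristically: local port below the ephemeral range
    and peer port inside it means the peer initiated the connection. Print
    jobs the server sends to the printer (peer port 9100) are not flagged."""
    findings = []
    for lip, lport, pip, pport in conns:
        inbound = lport < EPHEMERAL_START <= pport
        mac = neighbors.get(pip)
        if not inbound or mac is None or lip not in managed:
            continue
        if label_for(mac) == "printer":
            findings.append({"peer": pip, "target": managed[lip]["host"], "port": lport})
    return findings


def report():
    neighbors = parse_neigh(NEIGH_LINES)
    status = classify(neighbors, MANAGED)
    findings = suspicious_connections(parse_ss(SS_LINES), neighbors, MANAGED)
    return status, findings


if __name__ == "__main__":
    status, findings = report()
    for ip, st in sorted(status.items()):
        print(f"{ip:<12} {st:<15} {label_for(parse_neigh(NEIGH_LINES).get(ip, '')):<12}")
    for f in findings:
        print("ALERT: printer", f["peer"], "connected to", f["target"], "port", f["port"])
```

The direction heuristic is the weak point: `ss -tn` does not record who opened the socket, so a service listening on a high port would be misclassified. Where the connection source has an explicit direction field, use it instead.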
Dealing with Tanium client health and rogue devices
Client health is often a major problem with legacy tools such as SCCM. Tanium, however, provides robust client health tools to avoid potential problems. If the Tanium agent is removed, a firewall is added that blocks its communication, or for some other reason the Tanium service is no longer available, the device is still seen on the network by its managed neighbors but no longer reports, and Tanium Discover automatically labels it a "Lost Interface." That label can trigger a support ticket to repair the client on those devices.
Tanium Discover can also allow you to deal with “rogue” endpoints. Tanium has integrations with both Cisco ISE and Palo Alto Networks to block or quarantine.
Putting it all together
With the Tanium Architecture and Tanium Discover, we can provide visibility to every endpoint device on your network without dependence on other management tools or centralized scanning services. Tanium Discover is an integral part of the Tanium Operations Suite, which is designed to transform IT operations through speed and simplicity.
This is the second blog in our series covering Tanium for IT Operations. Read the first installment here.
About the Author: Tim Mintner, Senior Director of Technical Account Management. Over the past 20+ years, Tim has worked in IT Operations with organizations ranging in size from a few hundred to several hundred thousand computers. Tim has had roles as both a developer and an implementation consultant and has spoken at Microsoft conferences in the US and Europe on Operating System Deployment and IT Management.