Tanium recently welcomed two former FBI Cyber Special Agents to the company, Andre McGregor and Jason Truppi. Andre and Jason bring to Tanium decades of combined experience in incident response, criminal investigation and counterintelligence, and our customers will gain from their unique perspectives from the front lines of the fight against cybercrime.
We recently sat down with Andre and Jason to learn more about their decision to make career changes and their thoughts on the Tanium platform.
Why did you join Tanium?
Andre McGregor: After several years working computer intrusions in the FBI, I wanted to help prevent cyber crime from happening in the first place rather than always showing up after “the bank has been robbed.” I felt a certain level of frustration not being able to prevent the next attack — and worse, knowing that tomorrow will only bring the next attack regardless of how many cyber criminals the FBI arrested.
I was immediately impressed with Tanium the moment I saw the product demo. First, remembering my earlier years as a network/systems engineer on Wall Street and for a large pharmaceutical company, I know the difficulties of scoping a large network, keeping up with patches and managing thousands and thousands of devices. To see that Tanium could do all of that at speed and scale was astounding.
Second, as an FBI Cyber Agent, I know what it’s like to follow the evidence trail of a cyber attacker, then meet with a victim company and say “here is an MD5 hash and a beaconing IP address coming from your network, can you tell me more about this?” — only to wait days or weeks for the company to give me an answer about what that hash value or IP address meant to them. This wait meant that we in the FBI were now several days behind the curve and, by then, the attacker had usually changed their tactics.
If we can enable good cyber hygiene at scale across multiple industries, then we raise the cost to the adversary for hacking into computer networks and, in turn, create the game changer needed to combat cyber crime. Once I realized Tanium could be the tool that can actually reduce the threats and vulnerabilities that lead to computer intrusions, I turned in my badge and gun in order to join the Tanium team. I want to change how we think about security, promote good cyber hygiene and continue to work in concert with the FBI mission to combat cyber threats at all levels.
Jason Truppi: I realized early on that the current model of discovering and remediating a cyber attack situation was very flawed. It’s more of a reactionary stance. Today, the average time between intrusion and when the company finds out is about 250 days. When I first started, it was over a year. What we call the “detection deficit” is getting smaller, but 250 days remains way too long.
There’s a huge reason behind that: a lot of people on an enterprise network can’t efficiently maintain the number of devices. So, when I saw Tanium in action, I immediately saw the allure of the technology’s speed and scale. I was really blown away. Like many of our customers, I didn’t believe it at first. I had worked on distributed platforms before the FBI and saw the issues that arise. What I noticed about Tanium, specifically, is that it can almost completely close the gap of the detection deficit. Plus it can actually help investigators respond, potentially mitigating the threat. As long as users maintain proper threat intel feeds and ingest the IOCs given to them, anyone can detect, mitigate and protect other machines against threats. There’s nothing out there that’s close to that at all, and it pulled me out the door of the FBI.
How does Tanium Trace redefine incident response?
Jason Truppi: The addition of Tanium Trace (Trace) to the Tanium Endpoint Platform not only empowers any company to have control over its own network, but also to create and train its own investigators. You can turn a system admin into an investigator pretty quickly with Trace. That’s the whole point: it makes it simple to perform incident response.
The days of paying millions for external incident responders to come in and find hackers are slowly going away, and Tanium is doing that. Not everyone can afford to hire an outside firm, and large companies are starting to replace contractors with internal analysts. We’re bringing the fight back to the company — with Tanium, organizations have a chance to switch out of their defensive stance and to actually do some hand-to-hand combat.
Andre McGregor: Trace helps us teach more people how to fish in terms of incident response. This tool not only builds a strong foundation for security with full visibility at speed and scale, but also helps teams go on the offensive when there is an issue. CIOs no longer have to call in a third party to get a sense of what’s going on; they have the right tools on their network today. Additionally, they can develop their own in-house expertise to get started and focus on all aspects of the IR lifecycle: detection, investigation, remediation and enforcement.
Recent hacks have proven we don’t have weeks or months to figure this out. Trace is a game changer. If we have a company that’s already using Tanium, and a knock comes from the FBI, they have the ability to gather all the IOCs and all the anomalous activity around them in seconds, rather than days and weeks. Afterwards, they can provide time-sensitive answers to the government and to their company’s decision makers. Every minute that goes by matters.
From your unique perspective, what excites you most about the Tanium Endpoint Platform?
Andre McGregor: When a cyber intrusion occurs, Tanium gives power back to companies, gives answers back to the government and gives decision makers the ability to do damage control and contain problems before they affect their business.
Jason Truppi: I wish I had this tool seven years ago. It would have made my life much, much easier. During my time with the FBI, we’d image a bunch of machines, manually analyze them and begin looking for a needle in a haystack.
With Tanium, you can focus on the investigation and the deploying of actions — not the gathering of evidence. For the first time, an investigator can work in near real time. And not just the FBI, US-CERT and the NSA, but every person that investigates: large companies like banks and manufacturers. Internal investigators. Everyone can have the tools to compete against the hackers. If Tanium can ask anything on a host, you can trace literally anything on a network. That’s pinpoint accuracy of where the hackers might be, which you can utilize to find other infected machines.