How We Track Critical Compliance Metrics

3.1.2017 | Greg Pothier

This is part two in our four-part blog series exploring how we use the Tanium platform in our own organization. In part one, we revealed how we track critical vulnerabilities. In this installment, SecOps Engineer Greg Pothier shares his story about how a routine compliance check revealed six new servers that had previously been unassessed. Here’s what he found out about those servers after running through these quick steps.

How was your last compliance audit?

Were you able to assuage everyone’s anxiety by providing instant answers to the most pressing questions?

No? We didn’t think so.

Compliance audits are no fun. Here at Tanium, our own compliance audit is coming up next month. In my role as SecOps Engineer, I’m directly involved in answering the many questions that arise during the process, including:

  • Will we pass or fail?
  • If we were to fail, how bad will the results be?
  • Are there assets on our network we don’t even know about?
  • How out of date and inaccurate are the latest scan results we’re using?

When my management team asks, “What percentage of our environment is compliant with our baseline configuration?” my job is made exponentially easier by using Tanium Comply. With Comply, the security team has the capability to run compliance and vulnerability scans across the enterprise with very little effect on our network and our end users. Here’s where we start:

In the Tanium console, we are able to view the results of all of our scans, whether they be Center for Internet Security (CIS) benchmark-based compliance scans or CIS OVAL Vulnerabilities scans. Based on the above results, the scores look good. Still, how can we be certain an audit won’t uncover any surprise machines running on our network that we don’t know about?

Tanium Discover

We use Tanium Discover to proactively scan all targeted subnets across the enterprise, and configure alerts to notify us when new machines are detected. Think of Discover as a real-time monitor for unmanaged assets. Discover provides us with the operating system and hostname, in addition to any potentially interesting open ports.

After checking our compliance results, we receive an email alert from Tanium Discover that six new Windows machines have appeared online:

Within minutes of coming online, Tanium alerted us to the presence of these new machines on our network. We need to investigate these six Windows machines to ensure they don’t compromise our compliance percentage and, most importantly, our security posture. After checking with our IT department, we are informed that these machines were created for a temporary project and we’re assured that they are fully patched and hardened.

We trust our co-workers, but with Tanium we can also verify, so we decide to install Tanium and run some compliance scans on these machines.

First, we create a computer group to target. We start with the Windows group for Windows Server 2012 R2. After setting up the computer group, we click on the Comply menu to prepare the deployment. To do so, we set up the CIS-CAT benchmarks, which compare the configuration of machines to CIS benchmarks and provide reports on compliance scores.

Now we select the appropriate computer group to target, in this case the Windows Servers, and we run our compliance reports. We go to the report tab and create the name and description, select the platform as Windows, and select the computer group to be scanned.

After selecting the benchmark, we create and deploy the scan by clicking the Create & Deploy button in the lower right corner. (Note: we can have this scan recur as often as we like, which is very useful for tracking trends over time.) After a few minutes, the scan is complete and the results are in. We can see in the compliance report that the overall compliance percentage from the six endpoints analyzed is 25%, with a total of 466 passes and 1,373 fails.

Below the overview, we see the run time, the issuer, the platform, and benchmark used, and we can drill down below into actual results, each of which has a drop-down explaining the check as well as the recommended state.
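The two checks this walkthrough relies on are simple to reason about once written down: Discover's "new machine" alert is a set difference between hosts seen on the network and hosts already under management, and the Comply overview score is passes divided by total checks across every endpoint in the report. The following is an added example, not Tanium code; the hostnames, check ids and per-endpoint pass/fail counts are constructed, chosen so they total the 466 passes and 1,373 fails the report above shows.

```python
"""Reconcile discovered hosts against managed inventory and aggregate
per-endpoint benchmark results into an overall compliance percentage.
Added example, not part of the original post or the Tanium product;
all hostnames and results below are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class CheckResult:
    endpoint: str   # hostname the check ran on
    check_id: str   # benchmark rule id (constructed placeholder)
    passed: bool


def unmanaged_hosts(discovered, managed):
    """Hosts seen on the network with no agent or inventory record.

    This is the condition behind the 'new machines appeared' alert:
    anything discovered that is not already managed."""
    return sorted(set(discovered) - set(managed))


def compliance_summary(results):
    """Overall score: passes / (passes + fails) across all endpoints."""
    passes = sum(1 for r in results if r.passed)
    fails = len(results) - passes
    total = passes + fails
    pct = round(100.0 * passes / total, 1) if total else 0.0
    return {
        "endpoints": len({r.endpoint for r in results}),
        "passes": passes,
        "fails": fails,
        "percent": pct,
    }


def per_endpoint_percent(results):
    """Compliance percentage for each endpoint separately, so one
    badly built host is not hidden inside the fleet-wide average."""
    counts = {}
    for r in results:
        p, t = counts.get(r.endpoint, (0, 0))
        counts[r.endpoint] = (p + (1 if r.passed else 0), t + 1)
    return {host: round(100.0 * p / t, 1) for host, (p, t) in counts.items()}


def below_threshold(results, minimum_percent):
    """Endpoints whose own score is under the baseline you expect."""
    scores = per_endpoint_percent(results)
    return sorted(h for h, pct in scores.items() if pct < minimum_percent)


def build_results(counts):
    """Expand (host, passes, fails) tuples into individual CheckResult
    rows, mimicking the per-check output of a benchmark run."""
    rows = []
    for host, n_pass, n_fail in counts:
        rows += [CheckResult(host, f"rule-{i}", True) for i in range(n_pass)]
        rows += [CheckResult(host, f"rule-{n_pass + i}", False) for i in range(n_fail)]
    return rows


# Constructed sample data: six hosts discovered, none of them managed yet.
MANAGED = ["web01.example.test", "db01.example.test", "file01.example.test"]
DISCOVERED = MANAGED + [f"tmpproj0{i}.example.test" for i in range(1, 7)]

# Constructed per-host counts that sum to 466 passes and 1,373 fails.
SAMPLE_COUNTS = [
    ("tmpproj01.example.test", 80, 230),
    ("tmpproj02.example.test", 75, 225),
    ("tmpproj03.example.test", 78, 232),
    ("tmpproj04.example.test", 77, 223),
    ("tmpproj05.example.test", 79, 231),
    ("tmpproj06.example.test", 77, 232),
]
SAMPLE_RESULTS = build_results(SAMPLE_COUNTS)


if __name__ == "__main__":
    print("unmanaged:", unmanaged_hosts(DISCOVERED, MANAGED))
    print("summary:", compliance_summary(SAMPLE_RESULTS))
    print("per endpoint:", per_endpoint_percent(SAMPLE_RESULTS))
    print("below 50%:", below_threshold(SAMPLE_RESULTS, 50.0))
```

The per-endpoint breakdown is the part worth keeping alongside the headline number: a fleet-wide 25% could be six uniformly poor builds, as here, or one badly built host dragging down five good ones, and the remediation conversation with IT is different in each case.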

Compliance scan leads to unexpected results

These results were unexpected and it’s immediately apparent these servers were not appropriately hardened before deployment. Given that these systems didn’t follow the proper build process, it’s likely that the proper patches were not applied. Within Comply, we can run a vulnerability scan against these systems to confirm this suspicion.

To do this, we drop down to the vulnerability tab and click Create A Report. Next, we select the configuration boxes, and that’s it. Unlike network-based scanners, the results are obtained directly from the endpoint – ensuring no impact to the network and accurate results, without requiring a local account for authentication.

Within a few minutes, the results are ready and we can see the machines have several vulnerabilities which need to be addressed – similar to the compliance scan results. We can see the average number of vulnerabilities found per system, as well as the total number of vulnerabilities, high severities, and endpoints analyzed.

On the Vulnerability Results page, we see all of the vulnerabilities listed by title and Common Vulnerabilities & Exposures (CVE), as well as a count of affected endpoints. A simple click of the title provides us with actual endpoint names and results. From here, we can use Tanium Protect to come full circle and secure these new systems.

In this example, Tanium not only alerted us within minutes of new machines first connecting to our network, it also gave us the capability to run compliance and vulnerability scans. Tanium provided us with actionable intelligence and the capability to secure those machines and maintain a secure posture.

This is part two in a four-part series. In part one, I reveal how we at Tanium track critical vulnerabilities. In part three, I talk about how to use Tanium and Splunk together to deliver patch management data. In part four, I offer guidelines on mean time to respond, and explain why rapid response times are key for every business.

About the Author: Greg Pothier is a security engineer at Tanium with experience in security automation, data analytics, penetration testing, and software development. Prior to Tanium, Greg served as a Senior Engineer in several US Intelligence and Government Agencies. Greg completed his Master’s Degrees in Computer Science at George Mason University, where he was honored with the NSA Information Assurance Cyber Scholarship.