This summer, Tanium—software that does endpoint security, management, patching, intrusion detection, and incident response—came up on our radar at the time VMware announced that they were OEMing it and calling it VMware TrustPoint.
Initially, we thought VMware might be using it to fill the gaps in Windows 10 MDM. (As we’ve discussed a lot this year, MDM for Windows is compelling, but on its own it can’t do much with traditional desktop apps.) However, more recently we learned that VMware actually built new Windows 10 MDM gap-filling functionality directly into AirWatch on their own, and that for VMware customers, TrustPoint is a separate security add-on. This makes sense—instead of relying on a partner for essential unified endpoint management functionality, everything is part of their own platform.
Anyway, regardless of exactly how VMware is using it, Tanium is still a very interesting product. Back at VMworld, Shawn Bass recommended learning more about it, so this week I went to Tanium’s conference here in San Francisco.
So just what exactly is Tanium?
Tanium provides an endpoint agent for laptops, workstations, and servers running Windows, macOS, Linux, and Unix. The agent can do all the typical queries and commands you’d expect—gather system and software specifications, modify configurations, deploy software and patches, copy logs, remove malicious files, kill processes, and so on.
The key difference is how the agents communicate with Tanium’s back end servers. Instead of every endpoint having its own point-to-point connection with a server, the Tanium agents communicate through each other using a process they call linear chaining. The chains self-form and self-heal as machines come on and offline. Commands and queries run up and down these chains, and the management servers are only connected to the ends, instead of having an individual connection to every agent.
Tanium says that this architecture cuts down on management infrastructure, scales better, and is much faster than traditional approaches. The “wow” part of their demo is when they query thousands of endpoints all at once, very quickly—they say most queries come back in about 15 seconds. Tanium can also discover unmanaged or unknown endpoints.
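To make the chaining idea concrete, here is a small simulation I put together. It is an added example, not code from Tanium or from anything shown at the conference: the article doesn’t describe how chains are actually formed, how endpoints are ordered, or what goes over the wire, so the ordering by an address number, the server holding one connection to each end of the chain, and the way answers accumulate as a query walks the chain are all assumptions made for illustration. The query it runs is the one the rest of this post cares about: which machines still have a package older than the version the patch requires.

```python
"""Toy model of the peer-to-peer 'linear chain' idea described above.

Added example, not Tanium's code. The chain-formation rules, the ordering
key, the server connecting only to the chain ends and the accumulate-as-you
-go answer format are assumptions made for illustration only.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Endpoint:
    name: str
    addr: int                                   # ordering key (assumption)
    installed: Dict[str, str] = field(default_factory=dict)  # package -> version
    next_hop: Optional["Endpoint"] = None       # neighbour the query is forwarded to


class Chain:
    """Endpoints sorted by addr, each linked to the next; relinked on join/leave."""

    def __init__(self, endpoints: List[Endpoint]):
        self.nodes = sorted(endpoints, key=lambda e: e.addr)
        self._relink()

    def _relink(self) -> None:
        for a, b in zip(self.nodes, self.nodes[1:]):
            a.next_hop = b
        if self.nodes:
            self.nodes[-1].next_hop = None

    def add(self, ep: Endpoint) -> None:
        """A machine comes online: insert it and repair the links."""
        self.nodes.append(ep)
        self.nodes.sort(key=lambda e: e.addr)
        self._relink()

    def remove(self, name: str) -> None:
        """A machine goes offline: its neighbours link to each other ('self-heal')."""
        self.nodes = [n for n in self.nodes if n.name != name]
        self._relink()

    def server_connections(self) -> int:
        """The management server talks only to the chain ends, not to every agent."""
        return min(len(self.nodes), 2)

    def query(self, predicate: Callable[[Endpoint], bool]) -> Tuple[List[Tuple[str, bool]], int]:
        """Hand the question to the head; every node appends its own answer and
        forwards to next_hop; the tail hands the accumulated list back.
        Returns (answers, hops)."""
        answers: List[Tuple[str, bool]] = []
        hops = 0
        node = self.nodes[0] if self.nodes else None
        while node is not None:
            answers.append((node.name, predicate(node)))
            hops += 1
            node = node.next_hop
        return answers, hops


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def needs_patch(package: str, minimum: str) -> Callable[[Endpoint], bool]:
    """Predicate: package is installed and older than the required minimum."""
    def pred(ep: Endpoint) -> bool:
        v = ep.installed.get(package)
        return v is not None and version_tuple(v) < version_tuple(minimum)
    return pred


def unpatched(chain: Chain, package: str, minimum: str) -> List[str]:
    """The 'which machines still need this patch' question, run down the chain."""
    answers, _ = chain.query(needs_patch(package, minimum))
    return sorted(name for name, hit in answers if hit)


def build_fleet() -> Chain:
    """Constructed sample fleet; names, addresses and versions are made up."""
    return Chain([
        Endpoint("ws-01", 10, {"openssl": "1.0.1"}),
        Endpoint("ws-02", 20, {"openssl": "1.0.2"}),
        Endpoint("srv-01", 5, {"openssl": "1.1.0"}),
        Endpoint("ws-03", 30, {}),                    # package not installed
        Endpoint("lx-01", 15, {"openssl": "1.0.0"}),
    ])


if __name__ == "__main__":
    fleet = build_fleet()
    print("chain order:", [n.name for n in fleet.nodes])
    print("server connections:", fleet.server_connections())
    print("need openssl >= 1.0.2:", unpatched(fleet, "openssl", "1.0.2"))
    fleet.remove("lx-01")                             # node drops off; chain heals
    print("after lx-01 leaves:", [n.name for n in fleet.nodes])
```

The point the model makes is the scaling one: the server's connection count stays at two no matter how many endpoints join, and the work of answering is done by the endpoints themselves as the question passes through. It also shows why the self-healing part matters: when a node drops out, the query would otherwise dead-end at the gap. The one design question the model glosses over, and which any real peer-to-peer management design has to answer, is that every endpoint is relaying the answers of its neighbours, so the integrity and authenticity of relayed messages has to come from the protocol rather than from a direct server connection.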
The initial entry point for most Tanium customers is security. The use case is having fast, complete visibility to find threats or indicators of malicious activity, and then responding and remediating. Think along the lines of companies like Target (which is a Tanium customer) that want to respond to breaches.
These intrusion detection and response use cases are important and fascinating, but what’s more interesting is how Tanium can be used from an operational standpoint. See, Tanium was founded by David and Orion Hindawi, the father and son team that created the BigFix management software (that was later sold to IBM).
At the Tanium conference, Orion Hindawi talked about the importance of software patching and security “hygiene.” Of course, patching is just as much of a security issue as it is an operations issue. Orion spoke soberly and pragmatically about how 99% of breaches happen because of old (or sometimes very old) known vulnerabilities, and only 1% of breaches come from sexy things like new malware or 0-day exploits.
Very refreshingly, Orion Hindawi and Tanium offer the opposite of typical security vendor marketing bullshit. I was happy to hear this at the conference, and I tweeted: “Big theme: Let's patch our computers already, and solve 99% of our problems.”
If only it were this easy, though. Longtime BriForum speaker and friend of BrianMadden.com Ron Oglesby tweeted back at me: “If it wasn't such a pain, fraught with failure (in process and regression) I believe we wouldn't have to state the obvious.” And of course he got to the heart of the issue—people aren’t stupid, this stuff is hard.
So the big question is whether Tanium, aside from doing the sexy stuff of detecting and responding to breaches, can revolutionize client management in general and patching in particular. The overhead of change management probably won’t go away for a while, but for their part, Tanium says that their architecture can do a lot of tasks—like pushing out patches—faster and more reliably than traditional client management. Tanium already has an impressive list of big customers using it for security, and at the conference, some of them (including GE Digital) talked about how they’re starting to use it for operations.
Tanium’s new approach to faster patching for better security, combined with their pragmatic attitude, is very interesting and attractive, so I’ll certainly be watching to see how this develops.
Either way, between Tanium, unified endpoint management, Windows 10 MDM, SCCM as a service, and other new efforts, the winds of change are blowing for endpoint management.