The Tanium security system is organized as a platform that supports a list of optional modules. Among those components is Tanium Protect, an endpoint protection system.
The Tanium Core Platform is a cage shaker. Since the news of its groundbreaking technology filtered out into the wider world, Tanium’s structures have been adopted by other market entrants to create a following — a whole new cybersecurity sector.
The traditional AV protection model relied on the talent of a central team of investigators who detected new threats, identified their characteristics, and then disseminated telltale identifiers to every installed instance of the AV product operating in the world.
A leap forward in the fight against zero-day attacks was to build detection methods into the software. This created a global army of sensors that alerted the central office of any new threats. The lab then passed on an alert and a solution to all the software’s instances around the world.
The Tanium innovation applied a modified Skype-like peer-to-peer architecture to intrusion detection and threat intelligence distribution. It implemented simultaneous processing and speedy response times. It was astonishing and left industry experts wondering why no one thought of it sooner.
About Tanium Inc
Tanium Inc was started by dynamic father and son team David and Orion Hindawi in 2007. Hindawi the elder started up a technology business, sold it off, and made a fortune while junior genius effortlessly sailed to the top of his class at Berkeley. David set up, hot-housed, and sold off a second IT company, BigFix, focused on computer security, reaping another fortune.
With money and know-how, the two Hindawis put together an outline for a new security approach and created Tanium to develop it. A casual demonstration of the new software ‘in action’ resulted in the Hindawis being pelted with money by venture capitalists. Retaining 60 percent of the company, the family built up a development fund, set up a team of brilliant young innovators, and became multi-billionaires before selling a single copy of Tanium.
The key foundation myth of Tanium lies in that original demo of the software to eager investors. In just 15 seconds the software scoured the entire IT system of a hospital and cleared it of all viruses and vulnerabilities. The investors couldn’t believe how quickly the operation ran. The simple interface that looked like Google’s home page with one input field ticked away and fixed everything while the money-men and their technical expert advisors chatted.
In truth, the software took 12 expert cybersecurity technicians five years to develop and they got a lot of input from McAfee. The relationship with McAfee ended after two years in 2014 and resulted in the contender walking away with McAfee’s sales director. With a new corporate approach to sales, the lean and groundbreaking Tanium took off.
The Tanium Architecture
Peer-to-Peer protocols first grabbed the attention of the world’s technology enthusiasts when Napster put it to spectacular use as a file-sharing application. BitTorrent took over the lead in developing the architecture, creating efficiency from node autonomy and cooperation.
Skype applied P2P to telephony and it is the Skype model that seems to have given the Hindawis their key architecture. Skype distributes a network’s command structure by nominating strategically located nodes as primary, making them responsible for coordinating the transmission of packets through subordinate nodes.
This is how Tanium works and its tree structure is the key to Tanium’s legendary speed. An agent is installed on one endpoint per network segment. Each agent communicates with about 100 of its neighbors. It gathers vulnerability data, aggregates it, and then passes its findings on to the central manager for final consolidation and reporting.
The speed of the system derives from the simultaneous processing by supernodes. The data aggregation that they perform means that most of the analysis work has already been completed during the data-gathering phase.
In cybersecurity, speed is half the battle. There is no point in having the best antivirus or intrusion detection system in the world if all of your data has been stolen or destroyed before that software raises an alert.
CIOs of genius Silicon Valley startups were easy to sell to. A demo of Tanium’s show-stopping 15-second system cleanup got all of the big tech companies signing on the dotted line.
The Tanium Cult
Tanium is the type of project that everyone wants to believe in. Adherents feel good about themselves because they support it. Not many people understand much about how cybersecurity systems work and the number of people who understand that and the finer points of distributed processing plus Peer-to-Peer architecture is even fewer.
However, by pretending to understand the technology behind Tanium and entrusting the security of the IT systems that support tech giants, those buyers had to buy-in to the myth that got created by the software’s smoke and mirrors. Surprisingly few CIOs have demanded a full investigation of Tanium’s efficacy. Even the US military bought and installed the security software without really understanding the implications of its architecture. Visa, Amazon, Best Buy, the U.S. Department of Defense, and Nasdaq are some of the big-name clients of Tanium.
Other software houses jumped on the P2P concept as a shortcut to speed. New rivals emerged, all wanting that multi-billion-dollar valuation that the Hindawis acquired for Tanium almost overnight and seemingly without even trying to attract investors.
Putting on a Brave Face
McAfee got the inside track on Tanium’s methodology back in 2012. In 2014, when the Hindawis left the partnership with McAfee, did they walk away or were they pushed? McAfee has made no attempt to apply distributed processing to its security solutions since learning of the innovation seven years ago. Why?
It doesn’t take much expertise to spot a major flaw in the Tanium strategy, but all of the experts in the field have invested their credibility in Tanium endorsements. No one wants to admit they were dazzled and duped, so everyone keeps quiet. Tanium doesn’t identify and close off vulnerabilities, it creates them.
The problems of Tanium could be fixed, but the solution would lose the software its 15 seconds headline and leave the security system doing exactly what McAfee and Symantec are doing now without having its own AV for mitigation.
Pros & Cons
Pros:
- Backed by security experts
- Robust automated and manual remediation actions
- More detailed than most endpoint protection software on the market
Cons:
- Not ideal for those who don’t want red team activity on their network
- Not the best option for larger networks
The Flaw in Tanium
A hacker gets into an endpoint on a network, searches through its files for security information, installs keyloggers to get login credentials, explores for valuable data, and then finds entry points through to other computers on the network.
Now, let’s look at how Tanium operates. The agent software gets loaded onto an endpoint on the network. That node then contacts its neighbors and searches each for vulnerabilities. It scrapes log data and profiles the data stores and applications on each computer. It brings that information home, puts it in a file and then sorts and consolidates it. The summary of that investigation is then forwarded to the central controller.
The Tanium agent acts ‘like’ a hacker. It does all of the hacker’s data gathering for him and then handily stores that information in a file, ready for nabbing. Tanium doesn’t just speed up vulnerability scanning, it speeds up data theft as well. How does the agent get into each subordinate endpoint? Hackers would love to know, and they can easily find out by breaking into the agent’s host.
The developers of Tanium didn’t create their own proprietary scanning and data gathering tools. They appropriated existing free network and system scanning tools – primarily Nmap and PsExec together with 7-Zip for file compression. The system also uses shell scripts, which are written in plain text – anyone can access, read, and execute them.
Nmap and PsExec are two tools that are widely used by hackers. Essentially, Tanium loads a hacker toolkit onto one node on the network and gives that node access to 100 other endpoints. Hacker says: “Don’t mind if I do.” While he’s there, the hacker also might as well search through all of the plain text intelligence information that the last run of the Tanium agent left behind on the host.
It is hard to believe that during two years of meetings the seasoned cybersecurity professionals of McAfee didn’t spot the flaws in the Tanium methodology. Wouldn’t they have tipped off the graduates running the development of the new system? A small number of cybersecurity consultants and pen testers first spotted the problem with Tanium’s setup in 2017 and alerted the company immediately. Tanium neither replied nor overhauled its software. It is likely that they already knew.
The innovative edge of Tanium Core Platform relies on giving one endpoint unrestricted access to a hundred others. It doesn’t protect data flows between each endpoint and the controlling software on a central server with end-to-end encryption. It creates a man-in-the-middle, providing a hotrod vehicle for hackers.
Tanium Protect: The weaknesses
The Tanium star was likely to become quickly tarnished even without the discovery of its fundamental security weakness. The communication method between the agent and the subordinate nodes relies on a process that is referred to as chaining. This assumes that all nodes in a network segment have been allocated sequential IP addresses by a DHCP server.
Networks today are a lot messier than they were back in 2007 – acceptably so. This is because of the complexity introduced by BYOD acceptance, the extensive integration of mobile devices into business networks, and the need to integrate physically distant branches into the home network. All of that means that businesses might not have tidily segmented subnets in manageable 100-node chunks. That reduces the speed and efficiency of Tanium.
Tanium Protect competitors & alternatives
If you have already deployed Tanium at your company, let’s hope that you didn’t boast too loudly about how clever you were. You need to backpedal and quickly find a credible reason to replace your tainted Tanium. Here are five alternatives to consider.
- Crowdstrike Falcon Sources threat signatures from across the internet and scours the local network for matches.
- Action1 Endpoint Security Platform A cloud-based system with lightning-fast node discovery and vulnerability checks.
- Carbon Black Response The fifth biggest-selling endpoint protection system in the world; one slot ahead of BigFix.
- Symantec Endpoint Protection Nearly but not quite Peer-to-Peer.
- Fidelis Endpoint Includes both detection and response, but beware: this also uses P2P.
Crowdstrike Falcon
Crowdstrike deploys a cloud-based architecture for CVE acquisition, but the endpoint protection software runs on each individual machine as an agent. The service works well for mobile devices as well as for traditional office computers. This is an AV replacement system that integrates AI machine learning techniques to create a very fast protection solution with few false positives.
Action1 Endpoint Security Platform
Action1 uses natural language commands in its Endpoint Security Platform. This is a cloud-based service that lifts processing off your equipment, making it very suitable for the protection of mobile devices. The package includes software inventory discovery, patch management, remote software rollouts, IT asset management, and vulnerability assessment.
Carbon Black CB Response
Carbon Black Response includes threat hunting and incident response. This is ‘a much talked about package’ at the moment and it is creating a lot of buzz with its big data analytics that spot new threats, much in the way that Crowdstrike does. Carbon Black was bought out by VMWare in October 2019 so expect some big developments with this brand.
Symantec Endpoint Protection
Symantec Endpoint Protection shows the kids how it’s done. The service coordinates threat discovery between 175 million installations worldwide. This can be thought of as a mediated P2P concept. The presence of the cloud-based controlling server cuts out direct communication between peers and reduces the risk of cross-infection.
See also: Symantec Endpoint Protection Review
Fidelis Endpoint
Fidelis Endpoint is included here just to show that Tanium is not the only cybersecurity system that uses P2P architecture. Be careful about using this system without investigating its behavior on your network thoroughly with the free trial.
Look at our market sample of just five competitors of Tanium to get a feel for the alternatives. This peer-to-peer implementation turned out to be a security blunder but P2P will prove to be a good idea if someone can come up with a plan that doesn’t compromise endpoint access credentials. It’s an appealing challenge and Tanium came close to nailing it but missed the target.