Skip to content
icon content hub

Decoding Essential 8 Compliance: How to Simplify and Automate with Tanium

This article is intended to compliment to the previous post, Decoding Essential 8 Compliance: Tanium's Unique Path

How-to

Tanium’s Essential Eight strategy surpasses traditional Essential Eight (E8) reporting approaches of using sample sets of endpoints and/or point-in-time auditing, with a solution that enables you to not only audit but resolve non-compliance at the touch of a button. Reporting simply becomes an outcome of managing and securing IT environments effectively using Tanium.

In this blog, we will outline how Tanium enables organisations to truly increase their Essential Eight Maturity within days after installation, removing the complexity and reducing the resource overhead.

What makes Tanium different?

Tanium provides real-time access to endpoints. Comprehensive management and security capabilities have been built that leverage real-time access to retrieve data and make changes to endpoints. Once you have the data (and control), reporting for E8 is the easy part.

Tanium content is open. All scripts, configuration, control mappings, and interpretation are not only open to customers for inspection but are available to clone and/or modify as desired. Ultimately the ACSC provides guidance on how to implement and measure controls so there’s no secret there, the “magic” Tanium provides is a framework to access endpoints estate-wide.

Tanium enables real-time remediation in one platform. The ability to not only surface and report on E8 controls but to provide remedial actions that can quickly close the gaps allows a continuous cycle of “Compliance by Design” to be achieved.

The solution is real. Let’s be honest, the E8 reporting and services world is big on promises and short on delivery (otherwise you probably wouldn’t be reading this article). Pop the hood on Tanium’s E8+ reporting and you will be pleased to see a whole lot of engine staring back at you. We can demo, walk through the code, explain the mappings, talk to any caveats, and ultimately deploy and change the game!

There is more to this story though. Let’s widen the lens and consider the bigger picture.

So why Essential Eight?

The underlying intent of the Essential Eight framework is to reduce the attack surface and ultimately improve security posture. It is a line in the sand whereby the ACSC have prescribed a minimum set of controls that should be implemented to help organisations protect themselves.

Given that IT environments are highly dynamic and volatile, the process of managing and securing them is not encompassed by a series of one-off activities, it is a highly iterative process. Incorporating Essential Eight into this process is advantageous and can be represented diagrammatically as follows:

Flow chart of Tanium remediation process.

Figure 1

Let’s break down each of these components:

Manage and secure the environment: Tanium provides complete estate coverage with real-time access to endpoints to achieve this goal.

Run compliance checks: Tanium is a highly flexible platform that allows regular compliance checks to be run against almost any control with associated reporting, against the entire estate.

E8 reporting: Specific reporting has been pre-built to provide summary and detailed E8 compliance views per maturity level, plus full context of specific controls that have failed on endpoints so that remediation action can be understood and undertaken.

Remediation: This step completes the cycle and harnesses the power of Tanium to perform the remediation actions surfaced by simply incorporating them into normal management and security activities within a single platform.

Traditional Essential Eight auditing solutions will simply calculate a summarised compliance and leave the customer wondering what to do next for remediation. The Tanium approach highlights specifically what must be addressed to reach compliance against each maturity level and provides a clear pathway to address those gaps within the platform.

Tanium’s E8+ solution overview

Design

Tanium’s overall management and security capabilities include an abundance of reporting options to ensure visibility into the health, status, and activities occurring on the network. In addition to providing core visibility of general endpoint status and configuration, this includes operating system patching, installation and updating third-party applications, vulnerability management, and enforcement of policy.

The Tanium Comply module includes the ability to scan against custom configuration benchmarks to measure compliance. It is this function that is leveraged to assess the state of endpoints, either by querying the endpoints themselves or retrieving reportable data from the other components within Tanium managing those endpoints.

The main components of Tanium’s E8 solution are illustrated in the diagram below:

A diagram of the main components of Tanium’s Essential Eight solution

Figure 2

The solution has been packaged and is easily imported into environments with an existing or newly deployed Tanium instance.

Essential Eight mitigation strategies and controls

There are several interesting distinctions between the eight mitigation strategies and the underlying controls themselves that dictate how they are applied and reported upon.

Patch applications Patch operating systems Application control Restrict Microsoft Office macros User application hardening Þ The controls within these five mitigation strategies are typically endpoint centric. That is, they can be measured from an endpoint directly. They are also generic in nature allowing a standard set of compliance checks to be created that satisfy the controls between environments.

Figure 3

Multi-factor authentication Restrict administrative privileges Regular backups Þ The controls within these three mitigation strategies are often measured via centralised logs or configuration. They are also environmentally specific which means some level of customisation may be necessary to build the checks as required. This is one of the reasons why flexibility is so important for an E8 solution.

Figure 4

There are also two main categories of controls within these Mitigation Strategies:

Technical based These controls are typically ensuring that a specific measurable aspect of management is occurring across endpoints. For example, that various policy settings have been applied, that patching is occurring within certain timeframes. Compliance checks for these types of controls can be automated and run continuously. Procedural based These controls are ensuring that certain general management processes are in place within the environment. Example 1: Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered. Example 2: Requests for privileged access to systems, applications and data repositories are validated when first requested. These controls require manual self-assessment to attest that the activity is implemented and operating as expected within the environment.

Figure 5

Tanium’s Essential Eight solution ensures that all eight mitigation strategies and their underlying controls can be incorporated into reporting. Compliance checks have been and/or can be created for all technically based controls, and self-assessment methods are available for procedurally based controls that ultimately result in a complete compliance picture of the environment.

Please contact Tanium for more information on the specific alignment of controls to ACSC guidance.

Internet-facing vs non-internet-facing endpoints

Essential Eight controls distinguish between internet-facing and non-internet-facing endpoints. Tanium caters to this distinction by allowing custom tags to be applied to endpoints. The application of custom tags can be achieved automatically via targeting criteria (e.g., host naming convention, host subnet ranges, presence of applications, active directory group membership, etc.), or manually as necessary.

Once tags have been applied, the appropriate Tanium Essential Eight control checks and associated thresholds are automatically applied to the relevant endpoints according to their designation.

Reports and Dashboards

Once compliance results have been assessed and collected from endpoints, the data is made available for tabular reporting and within a series of dashboards/charts. The scope of both reports and dashboards can be easily changed as desired or saved permanently to different periods, and different groupings of endpoints that may belong to a particular geography, team/department/agency, or technology type. Dashboards may also be exported for consumption outside of Tanium.

Please note that the raw E8 results data may also be exported to third-party tools if desired.

Reports

Reports are the raw Essential Eight results data collected from endpoints and presented in a tabular form. This is the data that feeds into dashboards. Reports available include the results of compliance checks and the context/underlying reason for a pass or fail result.

Note that all controls are keyed off their corresponding Test ID as per ACSC as follows: E8-[Test ID]. For example, an identifier of E8-ML1-RM-04 corresponds to Essential Eight, Maturity Level 1, Restrict Admin Privileges control 4.

Please refer to the ACSC Example Essential Eight Assessment Test Plans that can be found here.

Example results data report:

Reports include current details such as each endpoint, the control check ID, the current state of the control on the endpoint. Other report views may include summarised results of pass/fail checks or health of the Essential Eight tools performing the checks.

Screenshot of Essential Eight reporting report in Tanium console

Figure 6

Dashboards

Dashboards provide a graphical representation of pass/fail rates for controls, plus a view of the endpoints that have failed, the specific checks that have failed, and the reason why. Views include an overview and detailed breakdowns per mitigation strategy and maturity level.

There are numerous dashboards available with some examples shown below.

Example 1: Overview Dashboard

A summarised view of all eight mitigation strategies showing endpoint pass/fail rate for each maturity level and their aggregated controls.

Essential 8 Overview Dashboard in Tanium Console

Figure 7

Example 2: Strategic Mitigation Detailed Dashboards

This view is available for each mitigation strategy providing control level detail for each maturity level. Where endpoints have failed a control check, the details of which endpoint and what needs to be remediated are provided.

Screenshot of Essential 8 Strategic Mitigation Detailed Dashboards in Tanium console

Figure 8

Note that for each mitigation strategy passing all maturity level 1 checks is a prerequisite for passing maturity level 2, and passing all maturity level 2 checks is a prerequisite for maturity level 3.

Where applicable, instructions on how to resolve and an “Apply Remediation” button to implement the appropriate policy to endpoints from within Tanium is provided. Applying remediation will typically enforce the necessary policy to endpoints to conform to the relevant control or open a deployment page allowing patches or software updates to be applied.

Example 3: Procedural Controls

Some controls are related to procedures and must be measured manually. Tanium’s Essential Eight reporting includes a mechanism to allow self-assessment of these controls so they may be included in the overall reporting.

Within mitigation strategy detailed reports, a “Complete Compliance Survey” button is provided which allows a user to populate pass/fail values into the associated report based on their manual checks. This matches ACSC guidance on how to assess and report on these types of controls.

Screenshot of Essentail 8 procedural control dashboard in Tanium console

Figure 9

Key Take-Aways

Tanium is a highly extensible platform that provides a powerful security and management layer for your IT environment. By leveraging Tanium for these functions, compliance reporting and adherence becomes a natural outcome rather than an additional burden with expensive point-in-time audits and/or sampling of a set of endpoints and imagining that the rest are similar.

The underlying intent of the Essential Eight framework is ensure IT hygiene, reduce attack surface, and build security posture. To achieve that goal, there is no substitute for Tanium’s real-time view of the entire environment and the ability to pivot quickly and efficiently to make any necessary changes based on that view.

Tanium Staff

Tanium’s village of experts co-writes as Tanium Staff, sharing their lens on security, IT operations, and other relevant topics across the business and cybersphere.

Tanium Subscription Center

Get Tanium digests straight to your inbox, including the latest thought leadership, industry news and best practices for IT security and operations.

SUBSCRIBE NOW

Related

What to Expect at Tanium Converge 2024: Building Confidence and Resiliency Through Innovation

Desktop featured image: CTI blog 3 - wide

CTI Roundup: Sophos vs. Chinese Threat Actors, CRON#TRAP Linux VM, Bing Phishing Campaign

Image for What is Endpoint Monitoring blog post

What is Endpoint Monitoring? Why Effective Security Needs It