How To Use Tanium To Respond to the Australian PSPF Direction 002-2024 (Technology Stocktake)
On July 8, 2024, Australian Home Affairs Secretary Stephanie Foster issued a series of formal directions under the Protective Security Policy Framework (PSPF) instructing each federal government body to identify and mitigate potential cyber risks amid rising concerns about foreign interference.
The three mandatory directives require Australian Government entities to:
- Identify indicators of Foreign Ownership, Control, or Influence risk as they relate to procurement and maintenance of technology assets and appropriately manage and report those risks
- Conduct technology asset stocktakes on all internet-facing systems or services to identify and actively manage the risks associated with vulnerable technologies they manage, including those they manage for other entities
- Participate in the Australian Signals Directorate’s Cyber Security Partnership Program and, for those using threat intelligence sharing platforms, share cyber threat information with the Australian Signals Directorate
How Tanium can help
Tanium is an endpoint management platform that provides real-time visibility and control of IT environments. Its capabilities span the following functional areas, each directly relevant to the goals of PSPF Direction 002-2024.
- Asset discovery: This is a foundational activity and is essential for any management and security approach to be effective. It is also imperative to understand whether, and where, high-risk assets and services are located within your internal network.
- Cyber hygiene: Real-time visibility and control make the difference here; it is like turning a light on in your environment. This activity is extremely important because it reduces, and ultimately removes, the attack surface adversaries search for to gain access to your environment.
- Hunting and detection: If an adversary has made their way inside your environment, it is important to find them quickly, before they become more deeply entrenched and pursue their nefarious goals.
- Incident response: Once a breach has been identified, the priority shifts to investigating its scope, collecting all relevant evidence, quarantining implicated endpoints for containment, and ultimately remediating to expel the intruder and undo their activity to that point.
Tanium’s innovative approaches to PSPF Direction 002-2024
Discover all assets (know your estate)
- Leverage distributed and centralised scanning to find newly connected assets within minutes
- Identify and categorise device manufacturers (foreign or otherwise)
- Bring the assets that can be managed under management. Once under management, you can:
  - Gain an endpoint-centric view of processes, ports, and network connections (sources and destinations)
  - Identify all software applications (vendors, titles, versions, and their usage)
  - Use a Software Bill of Materials (SBOM) to see underlying software components and manage supply chain risk
Why Tanium? Tanium includes native discovery functionality that can efficiently find all IP-connected assets on the network. Managed assets can then be queried across the estate in real time, providing a continuous and current view of every facet of their hardware and software. Querying managed endpoints for their current (and historical) network connections shows how suspicious or interesting assets are interacting within the environment and ultimately aids in determining their legitimacy.
Hygiene (reduce attack surface to stop attackers from getting in)
- Real-time visibility and control of the entire IT estate
- Standardisation:
  - There shouldn’t be many versions of the same application (e.g., 15 versions of Chrome or Firefox across the estate)
  - You shouldn’t have single outliers that deviate from a known baseline (e.g., a specific version of Chrome or Firefox present on only one endpoint)
- Remove software not being used
- OS and third-party application patching (plus scan for and address vulnerabilities)
- Zero-Day vulnerabilities (understand exposure in real time and pivot immediately to perform mitigation steps)
- Understand and surface supply chain vulnerabilities
Why Tanium? Tanium can surface a complete, current, and accurate view of the state of the environment. Any information retrievable from a single endpoint can be queried in real time across the entire IT estate, so deviations and outliers from a standard baseline become obvious. Once known, anomalies can be remediated promptly within Tanium to ensure standards are adhered to. Patching and vulnerability management also benefit from real-time access to endpoints, which maximises compliance and significantly reduces the attack surface.
Hunting (look for evidence that attackers are already in)
- Real-time view of drivers, DLLs, processes, file hashes, network connections, DNS queries, and registry changes (for example, detecting the presence of international character sets)
- Focus on MITRE ATT&CK stages: persistence, lateral movement, and more (hunting questions for these are provided natively by Tanium)
- Outlier analysis (e.g., a one-off svchost.exe hash or DLL)
Why Tanium? Tanium’s real-time access to endpoints allows threat hunters to search both broadly across the estate for items and activities of interest and deeply into individual endpoints for highly specific details. This depth of visibility leaves an adversary nowhere to hide their presence.
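The two outlier checks described above, version sprawl and single outliers in the Hygiene section and the one-off process hash in the Hunting section, are the same analysis applied to two inventories: group a real-time inventory by item, then flag items with too many distinct values and values seen on only one endpoint while a common baseline exists for the same item. The Python below is an added example, not Tanium's own code; the inventory records are constructed sample data standing in for an estate-wide query export (endpoint, item, value), and the thresholds `max_versions` and `min_prevalence` are assumptions a hunter would tune for their estate.

```python
"""Baseline and outlier analysis over an endpoint inventory export.

Each record is (endpoint, item, value). For software inventory the item is an
application title and the value its version; for process inventory the item is
an executable name and the value its SHA-256 hash. All data below is constructed.
"""
from collections import defaultdict
from typing import Iterable

Record = tuple[str, str, str]  # (endpoint, item, value)

# Constructed software inventory: four Chrome versions, one of them on a single host.
SOFTWARE: list[Record] = [
    ("WS-001", "Chrome", "126.0.6478.127"),
    ("WS-002", "Chrome", "126.0.6478.127"),
    ("WS-003", "Chrome", "126.0.6478.127"),
    ("WS-004", "Chrome", "125.0.6422.142"),
    ("WS-005", "Chrome", "125.0.6422.142"),
    ("WS-006", "Chrome", "124.0.6367.208"),
    ("WS-008", "Chrome", "124.0.6367.208"),
    ("WS-007", "Chrome", "103.0.5060.134"),   # stale single outlier
    ("WS-001", "Firefox", "127.0.2"),
    ("WS-002", "Firefox", "127.0.2"),
    ("WS-003", "Firefox", "127.0.2"),
    ("WS-004", "Firefox", "127.0.2"),
]

# Constructed process inventory: placeholder hashes, one-off svchost.exe hash on WS-005.
PROCESSES: list[Record] = [
    ("WS-001", "svchost.exe", "aaaa" * 16),
    ("WS-002", "svchost.exe", "aaaa" * 16),
    ("WS-003", "svchost.exe", "aaaa" * 16),
    ("WS-004", "svchost.exe", "aaaa" * 16),
    ("WS-005", "svchost.exe", "bbbb" * 16),      # common name, hash seen nowhere else
    ("WS-001", "explorer.exe", "cccc" * 16),
    ("WS-002", "explorer.exe", "cccc" * 16),
    ("WS-006", "custom-tool.exe", "dddd" * 16),  # rare item with no baseline to deviate from
]


def group_by_item(records: Iterable[Record]) -> dict[str, dict[str, set[str]]]:
    """Build item -> value -> set of endpoints from the flat inventory."""
    table: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for endpoint, item, value in records:
        table[item][value].add(endpoint)
    return table


def version_sprawl(records: Iterable[Record], max_versions: int = 3) -> dict[str, list[str]]:
    """Items present in more than max_versions distinct values across the estate."""
    table = group_by_item(records)
    return {item: sorted(values) for item, values in table.items() if len(values) > max_versions}


def singleton_outliers(records: Iterable[Record], min_prevalence: int = 3) -> list[tuple[str, str, str]]:
    """(item, value, endpoint) where the value is on exactly one endpoint while some
    other value of the same item is on at least min_prevalence endpoints.

    The prevalence check is the caveat: a rare item is not an outlier unless there is a
    common baseline for that item to deviate from (custom-tool.exe above is not flagged).
    """
    table = group_by_item(records)
    hits: list[tuple[str, str, str]] = []
    for item, values in table.items():
        baseline = max(len(hosts) for hosts in values.values())
        if baseline < min_prevalence:
            continue
        for value, hosts in values.items():
            if len(hosts) == 1:
                hits.append((item, value, next(iter(hosts))))
    return sorted(hits)


if __name__ == "__main__":
    print("Version sprawl:", version_sprawl(SOFTWARE))
    print("Software outliers:", singleton_outliers(SOFTWARE))
    print("Process hash outliers:", singleton_outliers(PROCESSES))
```

Against the constructed data, `version_sprawl` reports only Chrome (four versions against a threshold of three), `singleton_outliers` on the software inventory returns the lone Chrome 103 host, and on the process inventory it returns only the WS-005 svchost.exe hash: explorer.exe is skipped because its baseline is below `min_prevalence`, and custom-tool.exe because it has no common baseline at all. The same grouping works for any (endpoint, item, value) export, such as loaded DLLs per process or DNS query names per host.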
Detection (look for attackers already doing something)
- Intel-based detection: Tanium Signals/IOCs/YARA rules
- Leverage Tanium Signals to detect activity in real time (e.g., deploying and leveraging web shells)
Why Tanium? Tanium Signals are a powerful intelligence mechanism allowing efficient real-time identification of activity occurring on endpoints. While many Signals have been defined by Tanium and are natively fed into the Tanium Platform, the ability for operators to easily tune and create new Signals allows organisations to be agile and quickly adapt to new threats.
Incident response (scope, contain, and neutralise)
- Investigate alerts (full process history, chronology, and ancestry)
- Collect evidence (forensic artifacts, memory dumps, and more)
- Quarantine endpoints (while retaining management capabilities)
- Remediate (pivot to policy-based and ad-hoc actions)
Why Tanium? Tanium offers best-of-breed incident response capabilities. When threats have been identified, Tanium offers the ability to immediately pivot and ask scoping questions across the estate to confirm whether other endpoints are affected. Forensic evidence can be readily retrieved and stored, which allows containment actions such as quarantining to take place without stifling investigation activities. The ability to perform ad-hoc or policy-based actions across the estate ensures that operators have the power to perform defensive actions and fight back against an incursion.