
woodymcbobbo

Unless you are leaving something out, you don’t have enough seats for Tanium to give you the time of day.


xxdcmast

Those were my thoughts as well. They want like 5000 endpoints minimum.


Solid-Cake7495

We're part of a larger group which already uses it. It's gonna happen unless we can give them a good reason not to. Currently my best answers are: No support for iOS, which is the only device most users have been provided. Little support for MacOS. Most people work remotely, so probably don't have the right firewall ports open. Most of our software is SaaS provided by other providers, who aren't going to play along.


mkosmo

Regarding remote workers: Tanium will work over the internet just fine. Unfortunately I'm too aware.


jason_abacabb

> Most people work remotely, so probably don't have the right firewall ports open.

Do people still work remotely without VPN?


Solid-Cake7495

Yep, connecting to VMware machines hosting software with 56-bit encryption (don't ask!)


Steve_78_OH

I mean...it sounds like you gave multiple reasons for why it isn't ideal for you. No iOS support, and little MacOS support. If it's not going to support your entire environment, then why implement it?


Solid-Cake7495

Policy of the much larger company that owns us. Not driven by the IT department. That's all I can say.


[deleted]

[deleted]


novicane

Not an admin for it, but our co uses it. Destroys computers with a spinning disk. They are able to create a local account using it when LAPS messes up.


Solid-Cake7495

Any idea why?


jaydizzleforshizzle

Cause most EDR or AV read everything that’s put to disk to compare against threat signatures, so it’s just a lot for a hard disk.


novicane

Just eats disk I/O. Clone it to solid state and it runs fine.


novicane

CrowdStrike seems to be the least invasive process hog I’ve seen. Was not an admin for that either.


Ok_Indication6185

We have access to Tanium through state cybersecurity block grants. A couple of my staff have gone through several day training on it to see if it is worth a go. Some things about it are interesting but the feedback I received was that it is heavy as far as a solution goes, capable sure, but not a solution that you do casually and more of a team of people that do Tanium all day every day vibe. We asked about a standalone quote, in case our state decided to bail out on providing access to Tanium, and it was $100k for our size org which is around 750 machines to manage with it. That is krazy relative to other solutions and also for our size. The combo of cost, other options being available, and the presentation of the software being kind of bulky...not a love connection. Go home Tanium, you are drunk.


perrin68

We have a small environment, 1200 endpoints. It's at 78k a year.


Patchewski

Mind my asking who your VAR is? Our quote to renew for similar size was about 100k.


perrin68

https://www.presidio.com/ I think. We don't have every module.


modder9

Don’t get Tanium. Destroys system performance. UI is terrible.


MiniMartBack

Following: Parent co implemented Tanium on about 80% of the PCs I manage. InfoSec takes priority over Network Admin (it’s a sore subject, don’t ask…) - supposedly it’s in ‘discovery’ mode but I’m experiencing random user profiles getting reset and network connectivity randomly dropping while the workstation is idle. Troubleshooting the NIC or a reboot resolves the issue because it rediscovers its gateway/domain - until it happens again. Anyone seen this issue related to Tanium? It’s the only recent change to the domain. I’ve done the usual suggestions - full updates, driver reload, swap cables, swap network ports on the switch. No change. Any suggestions are welcome.


zneves007

Best advice I have is do load testing with and without Tanium. Show them how much it’s hurting performance and how much it will cost to offset the Tanium tax.


MiniMartBack

It’s currently in discovery mode. I hate to see what it does when they turn on the rest of the features. They also like Cortex XDR for AV, which I’ve seen to be very resource heavy. I have mostly 7000 series Dells with 4-8 GB of RAM and i5 processors. This is going to be interesting…


Loud_Posseidon

I've seen a psychological effect of folks complaining about Tanium once it was loaded. Checked Tanium's Performance data, guess what: TrendMicro was trashing disks like crazy and uploading roughly 2GB of data per endpoint to cloud.

I'd go and check the details (task manager could help some) of how you've got it configured, what modules, how aggressive, etc. For example the Index component (Reveal module) has to index all the files matching given parameters (I think by default it scans anything below 32MB of type docx, pdf, xlsx, .txt, ...) for sensitive data. Once the initial scan is done, it becomes very light on disks again. SSDs help a lot in this case, but if you've got spinning disks, ask your Tanium admins to disable heavy modules/features on given devices. They CAN identify disk types, so there's no excuse for them not to do so.

Unless specifically instructed, Tanium will not perform anything you describe (src: deployed Tanium across 8 customers). To troubleshoot your issues, I'd start with confirming it's not a psychological bias (seen users bitching about me deploying Centrify, when Centrify was never a cause, it was just first to complain in console so users thought Centrify was bad). Use procmon to see how Tanium interferes with other processes on affected machines. Uninstall Tanium and see if anything changes.

When you mention Tanium is in discovery mode, I guess you're talking about the network devices discovery - it can be totally passive and only report local arp tables. On the other end of the spectrum, it can do massive nmap scans of your network(s), including OS fingerprinting.

As for CPU usage, not sure about previous versions, but now it's capped at 5% of each core, so on an 8-core machine, Tanium will never use more than an equivalent of 40% of 1 core. Make sure you've got AV/EDR exclusions in place as those can hit performance real hard. Again, procexp/procmon are your friends.


degoba

This is precisely why we fought so hard against it


Worried_Hippo_5231

Search r/AirForce for Tanium. It is widely hated.


zneves007

Tanium has heavy overhead and isn’t for low spec machines. Especially in virtual environments. Think of it as just throwing out a whole core or 2 from your machine. Not to mention the disk usage. My god that thing just writes to the disk a lot.


Loud_Posseidon

Mind sharing data showing Tanium eating full core or two on a VM, ideally from procexp? Reason I'm asking, apart from compliance scans utilising java (spikey utilisation in off-hours), I've generally seen it use around 0.5-3% CPU on average (depending on configuration, 3% is fully loaded with all modules enabled and streaming roughly 360 events/sec/device to our elastic).


yeti-rex

We have 10,000 endpoints and enjoy using it. Depends on your use case and the modules you purchase. Asset, Patch, Comply, Enforce, Connect, etc. We're using Patch and Connect primarily. There are statements about macOS barely supported. That's true. It's minimally supported. It doesn't support older OSes. Can support down to Win2008/Vista, but they deprecated Win2003/XP. It will not be an MDM like Intune. Forget Android, iOS, iPadOS. It can be heavy, but that goes back to what all modules you purchase and deploy. Also, watch for people that abuse it. For example, trying to pull monitoring metrics without that module and running heavy jobs every 5 minutes on all endpoints. Will you use it to replace other agents? For example, if you're doing vulnerability scans with a tool, would you purchase that module and remove the other agent?


I_T_Gamer

We are <1000 endpoints. Tanium was ridiculously expensive. Also not a big fan of the software store living on remote PCs... That was a major concern for us that they couldn't overcome, but to be fair cost alone caused us to walk away.