Please share with the community what you think needs improvement with Tanium.
What are its weaknesses? What would you like to see changed in a future version?
The solution can give a lot of false positives. It's an aspect of the solution that could be looked at and worked on. If you deploy all the threat intelligence rules that come with it, you may spend a lot of time suppressing some of the false positives, as some of them are very vague. You'll have the indicators, due to the fact that you can suppress by hash, by path, or by command and parent process. However, that information is often very limited. You may get an alert for a common language image load, which can be a hacker technique; however, it's also a normal process between valid Microsoft processes, between Msiexec or some sort of system process. It's frustrating that there's not enough data - at least that I've found - to be able to determine whether something is a false positive or a true positive, whether it should be suppressed or whether you should let it go. The number of false positives you may have to deal with, if you enable all of these sources, could be over a hundred thousand. The scalability can be challenging, depending on a company's setup.

The ability to calculate risk with one query would be useful. In other words, to be able to combine known vulnerabilities on an asset with known threats from intel that are targeting that vulnerability. Being able to determine, some way or another, which processes you prefer would be ideal. There should be more access to automated processes. Somehow you should be able to determine the business value of that asset and have a true risk meaning and a true way to bubble up these high-value, high-risk assets. They need to get more attention. The solution needs some sort of risk engine that takes into account threat, vulnerability, and business value.
Our biggest issue with the solution is its lack of mobility. Also, when it comes to deploying the SaaS, it's more difficult to deploy on-prem.
Tanium comes with multiple modules, so definitely the threat protection is the primary opportunity area my organization is looking for. It is going to be primarily used for event collection, which is being fed into our centralized tools for tracing any kind of vulnerability or any kind of uneven situation.
* I would like to have more integrations and custom plugins to input. Integration is always a big deal in a lot of different environments.
* Custom modules would be nice.
* Visualization of data could be added to it.
* Making the initial process easier always helps.