Insight by Tanium

Next in endpoint management: Automation and AI

AI and enough data will let security and network operators use natural language to poll devices and establish automated remediation routines.

You can’t secure an enterprise network without securing the endpoints connected to it. The average federal agency operates thousands of endpoints, so managing and securing them is no trivial task. Endpoint management also presents an obvious and high-payoff opportunity to apply automation backed by artificial intelligence.

In fact, both commercial and governmental executives “are asking questions of their organizations, saying, ‘How do you plan on implementing automation, and how do you make that a robust process and minimize risk?’ ” said Harman Kaur, the vice president of AI at Tanium. “More and more organizations are thinking about how they automate endpoint management.”

Kaur said automated endpoint management aids two requirements: cybersecurity and compliance. In both cases, it reduces the manual workload for agencies that have large numbers of devices to manage.

“Compliance is always evolving,” she said. “New rules and regulations are coming your way all the time. So how you actually stay in compliance is the biggest battle for an organization.”

Automating compliance, especially for cybersecurity requires correlating multiple sources of data, “being able to have access to all the data that you need when you’re actually trying to figure out if a threat is real,” Kaur said. An alert might light up, “but how do you validate that? You may need to collect information from many different sources in your organization to understand that.”

Complete aggregated data, she added, will let an organization’s IT group know the scope of a threat in terms how many endpoints lack the required protections or patches.

“Is it just limited to these four machines, and I just need to address these four machines,” Kaur said, “or is this something that’s across my entire organization, and I need to respond, and then I need to make a fundamental policy change?”

Given that an agency can’t manage threats it can’t see, visibility into the entirety of the organization’s endpoints is a must.

“Historically, endpoints that were not connected to your core network were just not managed. It was like a blind spot for organizations.” Kaur said. The latest versions of tools such as Tanium, she said, give agencies a way to manage devices even when users have connected them to home or public Wi-Fi access points.

“You actually have a way of enforcing some policies on these endpoints” she added. “You have a way of understanding what’s happening on these endpoints.”

Threat detection requires more than network visibility

Visibility and vulnerability discovery should lead to remediation.

“And sometimes the hardest part is doing the remediation, and doing it in a time frame that makes sense to respond to that threat,” Kaur said. Automation must extend to pushing patches, or whatever remediation the flaw calls for, to the entire population of endpoints, coupled with a reporting function to verify the remediation.

Even having full visibility into your own endpoint population may be insufficient for dealing with today’s threat environment, Kaur said. She said Tanium makes available anonymized data from millions of devices from its customers.

Such data enables trend spotting. For example, an update to a widely used application might cause crashes, memory spikes or user lockouts.

“How do we just proactively tell you that this change in your organization may have negative consequences associated with it?” Kaur said. “Or on the contrary, say, ‘Hey, this is a really safe change because we’ve seen it happen on hundreds of thousands of machines.’” That’s the thinking behind what Tanium calls its Confidence Index, available to users of its endpoint management tool.

The index, which appears on the Tanium console, updates every 3 to 5 minutes.

“We’re getting data from all these endpoints as they’re making changes,” Kaur said. That means users on the West Coast could potentially learn of a problematic patch or some other threat manifesting itself on the East Coast in time to avoid it.

As the artificial intelligence lead for Tanium, Kaur espoused a step-at-a-time approach to applying AI to cybersecurity, detection and automated remediation.

“I don’t think you need to apply AI if we can just do it with simple data analytics,” Kaur said. “We’re doing kind of a crawl, walk, run approach here — with a lot of the data collection.”

As data becomes more robust and models more mature, “we are focusing and leveraging AI’s ability to actually interact with your endpoints and ask questions and gather data,” she added.

Kaur noted that, “historically, if you wanted to know anything about your enterprise, it required complex queries, structured queries.” That took time and addressed only one question at a time, such as which machines were patched for which application.

AI-enabled automation, coupled with Natural Language queries, will eventually let users do more thorough discovery of activities on and conditions of their endpoints. It will also let them build automations without a lot of coding.

“Maybe what you’re trying to automate is a look at endpoints that have x, y and z, and then you want to apply some sort of fix to them,” Kaur said, adding that the Tanium tool would result in a “draft of what this automation could look like, so you can go in and tinker and tweak it.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Vince Micone

    Giving Tuesday was a gateway to this year’s Combined Federal Campaign

    Read more
    FBI Wray

    FBI Director Wray says he intends to resign before Trump takes office in January

    Read more