1

© 2015 Tanium, Inc. All rights reserved. Tanium is a registered trademark of Tanium, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

At A Glance● 커널 레벨(Kernel-level) 모니터

링을 통해 지속적으로 파일시스템, 프로세스, 네트워크 연결, 레지스트리 및 보안 이벤트등의 엔드포인트 활동을 기록

● 즉시 개별 엔드포인트에 직접연결하여 실시간 포렌직 분석을 실시

● 검색, 필터 및 시각화 도구를통해 손쉽게 포렌직 데이터를검사, 탐색 및 Drill-down

● 컨텍스트-센서티브(ContextSensitive) 링크를 통해, 단일엔드포인트 내 조사와 전체 기업 수준에서의 검색 사이에서신속한 전환 가능

● 독창적인 아키텍처는 수백만대의 엔드포인트 규모로 확장시에도 성능유지 및 지속적인인프라 추가 불필요

오늘날의 위협은 우려스러운 속도로 진화하고 있으며, 기업 및 공공기관 모두에게 있어서 전에 없던 거대한 도전과 리스크를 제기하고 있습니다. 적들은 점점 더 쉼 없는 노력을 기울이고 있으며, 이들의 공격 방법 또한 고도화되고 있는데, 이는 금전적, 정치적, 그리고 전략적 이익의 취득이라는 동기가 이들의 결의를 더욱 강화시키고 있기 때문입니다. 더 나아가, 이러한 공격들은 보안을 뚫고 들어와 개인 식별 가능한 정보를 훔치는(Smash-and-grab) 단발성 공격부터, 오랜 기간에 걸쳐 지적재산을 빼돌려 서서히 공격대상을 망하게 만드는 은밀하고 장기적인 캠페인에 이르기까지 다양한 형태로 이루어지고 있습니다.

최근의 뉴스 기사에서 보듯, 많은 조직들은 여전히 무방비 상태로 보안 위협과 맞닥뜨리고 있으며, 대면한 보안 과제를 극복하지 못하고 있습니다. IT 팀들은 매일 홍수같이 쏟아지는 보안 경고 알림의 우선순위를 정하고, 분류하며, 조사하기 위해 필요한 엔드포인트 가시성을 유지하는 데 큰 어려움을 겪고 있으며, 설상가상으로 알려지지 않은 위협을 식별해내지 못하는 무능한 시그너처 기반 툴이나, 지속적인 침입을 막기에 너무 느리고, 사용이 어려우며, 확장에 많은 비용이 드는 포렌직 솔루션들에 의해 더욱 방해받고 있습니다. 가뜩이나 힘든 이 싸움을 더욱 어렵게 만드는 것은, 바로 사고 대응을 위해서는 보안팀과 IT 운영팀이 합치된 노력을 기울여야 함에도 불구하고, 대부분의 경우 각 팀은 별도의 툴 및 프로세스를 가지고 있다는 점입니다. 이는 양 팀의 협력 및 신속한 대응 속도가 가장 중요한 시점에 오히려 이들의 노력을 지연시키며, 그 결과 이들 조직은 늘 공격자보다 한 발짝씩 뒤처지게 됩니다.

"Trace는 우리가 새로운 위협 정보를 클라이언트 환경 내 저장된 활동 내역에 적용하는 과정을 자동화할 수 있게 해주었으며, 통계적 Anomaly 탐지를 위해 풍부한 데이터 세트를 전달해줄 뿐만 아니라, 사고대응팀에게 침입자가 남긴 디지털 풋프린트에 대한 고품질의 상세기록을 제공함으로써, 위협의 봉쇄까지 소요되는 시간을획기적으로 줄여주었습니다."

– Kris McConkey, 사이버 보안 파트너, PwC

태니엄만의 차별점태니엄 엔드포인트 플랫폼은 개별 엔드포인트 상에서 포렌직 조사를 수행할 수 있는 능력을 제공하며, 완벽한 가시성 및 컨트롤 확보를 위해 글로벌 네트워크에서도 15초 이내에 전사 차원의 검색 및 조치를 실행할 수 있게 해주는 최초이자 유일무이한 기업용 플랫폼입니다. 태니엄의 특허받은 아키텍처는 수백만 대 규모의 엔드포인트를 지원할 때에도 항상 최적의 퍼포먼스 및 안정성을 유지할 수 있으며, 확장 시 지속적인 서버의 추가 및 유지보수를 필요로 하지 않습니다. 태니엄 엔드포인트 플랫폼은 오늘날의 보안 위협에 맞서기 위해 필요한 속도와 확장성, 그리고 신뢰성을 제공합니다.

태니엄 Trace 개요태니엄 Trace는 태니엄 엔드포인트 플랫폼의 모듈 중 하나로, 엔드포인트 활동을 지속적으로 기록합니다. 또한, 보안사고 대응자가 단일 엔드포인트에 대한 포렌직 분석결과를 손쉽게 기업 수준으로 확대해 수백만 대의 엔드포인트에 대한 히스토리 데이터를 수 초 내에 정확히 검색할 수 있게 해줄 뿐만 아니라, 그 반대도 가능케 하는 민첩함을 제공합니다. 태니엄 Trace를 통해 수집된 포렌직 증거는 태니엄의 다른 모듈의 기능을 강화시킬 수 있으며, 더 나아가 사용 중인 써드파티 SIEM 및 기타 보안 툴의 성능을 향상하는데에도 사용될 수 있습니다. 보안팀은 공격자의 공격 방법을 이해하고, 기업 수준에서 악의적인 행위를 신속하게 살피며, 조치하는데 드는 시간과 노력을 획기적으로 줄이기 위해 필요로 했던 돌파구를 드디어 태니엄 Trace를 통해 얻을 수 있게 되었습니다. 

태니엄 Trace는 사고대응팀(Incident Response Team)에서 신속하게 단서를 잡고, 포렌직 데이터를 검색, 필터, 그리고 시각화 할수있게 해주며, 특정 시점에 각 엔드포인트에서 어떤 일이 일어났는지에 대한 이야기들을 이어 붙여줍니다. 태니엄 Trace는 윈도우 커널을 통해 시스템 활동을 모니터링하고, 지속적으로 포렌식 증거를 기록함으로써, 하나의 엔드포인트에 대한 분석만 가속시킬 수 있을 뿐만 아니라, 동일 데이터를 활용하여 전사적 차원에서 수 초 이내에 감염된 시스템을 식별해낼 수 있습니다.

최악의 보안 위협에 직면한 기업 IT환경

Key Features

Continuous Endpoint Event Recording and Remote InspectionTanium Trace continuously records endpoint activity, including system artifacts not normally retained, for example short-lived network connection details, hashes for executed processes and file events such as creation, deletion, renaming and the initiating process. Tanium Trace performs reliable kernel-level monitoring, and can detect rootkits or other advanced counter-forensic techniques employed by attackers to conceal their tracks. With this module, incident response teams can rapidly conduct live forensic analyses on any endpoint by connecting to them remotely with a single click, even if they are globally distributed. Tanium Trace dramatically reduces the time and e ort required to properly detect, scope and remediate malicious endpoint activity at enterprise scale.

Instantly Pivot Between Single Endpoint Forensic Analyses and Enterprise-wide SearchesWhat was the initial means of compromise? What did the attacker do? How many systems and users have been impacted? O�entimes the most basic questions arising from an attack are the ones that are the most di icult and time-consuming to answer. Tanium Trace empowers investigators with the agility to examine suspicious artifacts uncovered from an individual endpoint’s forensic data, and use them to perform context-sensitive searches across the entire enterprise network to locate similarly compromised endpoints in seconds.

Intuitive User ExperienceTanium Trace is designed with an overall focus on ease of use to simplify the process of gathering, analyzing and understanding the wealth of forensic data recorded. Users can easily drill-down on specific data elements through search and filters, or even navigate through the complexities of events like process execution and file creation using special timeline and process visualization features.

Speed In Seconds, Minimal Infrastructure Even For A Million EndpointsTanium Trace is capable of scaling to millions of endpoints while maintaining its unrivaled speed, reliability and cost-reducing infrastructure. Comparatively, competitive solutions o�en require dozens to hundreds of additional supporting servers to scale, and the aggregation of data becomes progressively more sluggish and di icult to maintain as the data accumulation overwhelms bottlenecked servers. Tanium Trace provides the advantageous ability to store data at the endpoint to leverage latent storage readily available within the enterprise environment thereby significantly reducing the cost of warehousing and transferring immense amounts of historical data.

HS-DS-TAN-TRA-010416

Data Sheet

2

ABOUT TANIUM태니엄은 전 세계의 가장 큰 기업 및 정부기관들에 수 초 이내에 수백만 대의 엔드포인트를 보호, 컨트롤 및 관리할 수 있는 독보적인 경쟁력을 제공합니다. 이제 보안 및 IT 운영팀은 태니엄이 제공하는 전례 없는 속도와 간편함, 그리고 확장성을 통해 항시 정확하고 총체적인 엔드포인트 상태 정보를 수집하여 현재의 보안위협에 대해 효과적으로 방어할 수 있게 되었을 뿐만 아니라, IT 운영에 있어서도 새로운 차원의 비용 효율을 달성할 수 있게 되었습니다. 더 많은 정보를 위해서는 www.tanium.com을 방문하시거나, 트위터에서 @Tanium을 팔로우하세요.

© 2015 Tanium, Inc. All rights reserved. Tanium is a registered trademark of Tanium, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

Tanium Trace helps incident response teams take an initial lead, quickly search, filter and visualize forensic data, and piece together the story about what happened on an endpoint in a given point in time. By monitoring the Windows kernel for system activity and continuously recording forensic evidence, Tanium Trace not only expedites analysis of a single endpoint, but also leverages the same data to identify compromised systems enterprise-wide in seconds.

In Trying Times, Security Teams Remain Unprepared For The WorstToday’s threat landscape is evolving at an alarming pace, and poses greater challenges and risks to private and public sector organizations than ever before. Adversaries are increasingly relentless in their e orts and sophisticated in their methods in large part due to the lucrative financial, political and strategic motives strengthening their resolve. Furthermore, intrusions come in all forms, from smash-and-grab attacks stealing personally identifiable data to stealthy long-term campaigns aimed at siphoning intellectual property to cripple targets over time.

As recent headlines have shown, many organizations are still being caught o  guard and unable to overcome the daunting security challenges they are facing. Teams are struggling to maintain the endpoint visibility necessary to prioritize, triage and investigate the flood of security alerts they are seeing, and are further hampered by ine ective signature-based tools incapable of identifying unknown threats or forensic solutions that are di icult to use, expensive to scale and too slow to combat ongoing intrusions. Compounding this already uphill battle is the fact that o�entimes security and IT operations teams need to align their e orts in order to remediate incidents, yet the inconsistent tools and processes in place impedes such e orts at a time when coordination and speed is most critical. As a result, these organizations continually find themselves a step behind their attackers.

“Trace enables us to automate the application of new threat intelligence to historical activity in our clients' environments, delivers a rich set of data for statistical anomaly detection, and provides our response teams with a high fidelity view of a threat actor's digital footprints in order to dramatically reduce containment times.”

– Kris McConkey, Cyber Security Partner, PwC

The Tanium Di�erenceThe Tanium Endpoint Platform is the first and only enterprise platform that provides the ability to conduct forensic investigations on individual endpoints, as well as perform enterprise-wide searches and actions for complete visibility and control in 15-seconds, even across the largest global networks. Tanium’s patented linear-chaining architecture can easily support millions of endpoints and sustain optimal performance and reliability without the need for ongoing addition and maintenance of supporting servers to scale. The Tanium Endpoint Platform delivers the speed, scalability and reliability necessary for defending against today’s threat landscape.

Tanium Trace OverviewTanium Trace, a module of the Tanium Endpoint Platform, continuously records endpoint activity and equips security incident responders with the agility to easily pivot from single endpoint forensic analyses to accurate enterprise-wide searches for historical data across millions of endpoints in seconds, or vice versa. The forensic artifacts captured by Tanium Trace also enhance the capabilities of other Tanium modules, and can be further used to enrich third-party SIEMs and other security tools. With Tanium Trace, security teams finally have the breakthrough they need to dramatically reduce the time and e ort it takes to thoroughly understand attacker methods, quickly scope and fully remediate malicious activity at enterprise scale.

핵심 기능엔드포인트 활동 상시 기록 및 원격 포렌직 분석태니엄 Trace는 지속적으로 엔드포인트 활동을 기록하며, 여기에는 매우 짧은 순간 동안 이뤄진 네트워크 연결 정보, 실행된 프로세스의 해시값, 그리고 파일 생성, 삭제, 이름변경, 초기화 등의 파일 이벤트처럼, 일반적으로 기록이 유지되지 않는 시스템 아티팩트들이 포함됩니다. 태니엄 Trace는 안정적인 커널 레벨 모니터링을 실행하여, 공격자가 자신의 흔적을 숨기기 위해 사용한 루트킷(Rootkit) 및 기타 고급 카운터-포렌직(Counter-forensic) 기술을 탐지해 낼 수 있습니다.사고대응팀은 이제 글로벌로 분산된 환경에서도 이 모듈을 통해 그 어떤 엔드포인트든 상관없이, 원클릭으로 신속히 접속하여 원격에서 실시간 포렌직 분석을 진행할 수 있습니다. 태니엄 Trace는 악의적인 엔드포인트 활동을 기업 수준에서 제대로 탐지하고, 또 살피며, 조치하는데 필요한 시간과 노력을 획기적으로 줄여줍니다.

태니엄 Trace는 지속적으로 포렌직 데이터를 기록하여, 사고대응팀이 엔드포인트에서 특정 시점에 무슨 일이 일어났는지를 빠르게 파악할 수 있게 해줍니다.

Hardware Requirements(Tanium Server / Database Server)

Processor Cores (Physical)

Memory

Disk Space2

So�ware Requirements3

Operating System

Database Version

16 / 8

48 GB / 16 GB

400 GB / 1 TB

40 / 32

256 GB / 64 GB

1.5 TB / 4 TB

Microso� Windows Server 2008 R2, 2012 or 2012 R2

Microso� SQL Server 2008, 2012 or 2014

80 / 64

512 GB / 128 GB

3 TB / 10 TB

Client Requirements1

● Microsoft Windows, Vista, 7, 8 or Windows Server 2008, 2012

대 5,000대 이하 150,000대 이하 400,000대 이하

다양한 엔드포인트 규모에 대한 유연한 포렌직 분석처음에 침해를 유발한 수단은 무엇인가? 공격자는 무엇을 했는가? 얼마나 많은 시스템과 사용자가 영향을 받았는가? 등, 흔히 공격을 받았을 때 떠오르는 가장 기본적인 의문들은 사실 답변하기 가장 어렵고, 또 많은 시간이 걸리는 질문들입니다. 태니엄 Trace는 조사자에게 각 엔드포인트의 포렌직 데이터에서 발견된 의심스러운 아티팩트들을 검사하고, 이를 활용해 전체 기업 네트워크에 대해 컨텍스트-센서티브(Context-Sensitive) 검색을 실시하여 유사한 감염 엔드포인트를 수 초 내에 찾아낼 수 있도록 하는 민첩성을 제공합니다. 

직관적인 사용자 경험태니엄 Trace는 손쉬운 사용성에 중점을 두고 디자인되었으며, 이를 통해 풍부한 양의 저장된 포렌직 데이터를 수집, 분석, 그리고 이해하는 프로세스를 단순화시킬 수 있습니다. 사용자는 검색 및 필터링을 통해 특정 데이터 요소에 대해 Drill-down 할 수 있으며, 더 나아가 특수한 타임라인 및 프로세스 시각화 기능을 통해 프로세스 실행이나 파일 생성 등의 이벤트가 지닌 복잡한 특징들을 두루 찾아볼 수 있습니다.

단일 인프라로 수백만 대의 엔드포인트 확장태니엄 Trace는 수백만 대의 엔드포인트에 적용 시에도 전례 없는 속도와 신뢰성, 그리고 최저 비용 인프라를 보장합니다. 그에 비해 경쟁 솔루션들의 경우, 보통 확장을 위해서 수십에서 수백 대의 추가 서버를 필요로 하는 데다가, 병목현상이 발생한 서버는 수집되는 데이터의 양 및 속도를 따라잡지 못하기 때문에, 결국 데이터의 통합과정은 점점 더 느려지고, 이를 유지하는 것도 어려워집니다. 태니엄 Trace는 기업 환경 내에서 즉시 사용 가능한 잠재 스토리지 (Latent Storage)를 활용하기 위해, 데이터를 엔드포인트 내에 저장할 수 있는 능력을 제공합니다. 이를 통해, 막대한 히스토리 데이터를 저장 및 이동시키는데 드는 비용을 획기적으로 줄일 수 있습니다.

시스템 요구사항 Server Requirements1

1 더 많은 정보는 https://kb.tanium.com/System_Requirements 참조2 제시된 디스크 용량 요구사항은 근사치이며, 사용사례 및 사용방법에 따라 달라질 수 있음