Helping Banks Spot Vulnerable Servers ... in Seconds

When Orion Hindawi attended a dinner with executives from a global bank that recently became a customer of the cybersecurity company he co-founded, he heard something that crystallized the high stakes of his work.

The bank's CEO told Hindawi that there are three threats that could put the bank out of business: nuclear weapons, meteors and cybersecurity.

"Think about that," said Hindawi, the president and chief technology officer of Tanium, in recalling the conversation. "Two are existential risks that you can't control at all and the third is an emergent threat."

As banks work to fortify their defenses against cyberthreats, Hindawi finds the C-suite has deepened its knowledge of security and is paying close attention to platforms from companies such as Tanium, which allows clients to close gaps in their security by letting information technology managers see in nearly real time across the thousands or hundreds of thousands of machines that make up their networks, whether those networks span a geographic region or circle the globe.

IT managers can type a question such as "How many laptops are currently missing security patches?" or "Which Linux servers are vulnerable to Shellshock?" into Tanium's Endpoint Platform and they are supposed to get the answer within 15 seconds.

"This is an opportunity for banks to take something that's been antiquated for a long time, the way they've managed their endpoints en masse, and upgrade it in a way that's qualitatively different and better," Hindawi said. "You can't even imagine what's possible."

In addition to surveying a network instantly, Tanium can consolidate threat intelligence and identify and shut down compromised access points. The platform, which consists of software the company installs on servers, desktops, laptops, virtual machines, embedded devices and cloud environments, also lets IT managers patch, update or uninstall software; detect and disable malware; track usage of databases and servers; and capture forensics to aid incident response.

Those capabilities have earned Tanium the business of seven of the 10 largest global banks and more than half the Fortune 100, according to the Emeryville, Calif.-based company, which counts U.S. Bancorp, Visa, Amazon and the U.S. Department of Defense as customers.

Investors such as Andreessen Horowitz, T. Rowe Price and TPG also are depending on Tanium, which the latest round of funding values at roughly $3.5 billion. That makes Tanium among the hottest companies in a market that is could be worth $30 billion over the next three years, according to FBR Capital Markets.

Finding Threats That Matter

A survey last spring by Accenture of 150 bank executives found that 65% view cybersecurity as the risk most likely to become more severe in the next two years. JPMorgan Chase plans to double, to about $500 million annually, its spending on cybersecurity this year and next compared with 2014, the bank said in its latest quarterly securities filing. Bank of America will spend whatever it takes to guard against cyberthreats, CEO Brian Moynihan told Bloomberg in January.

A wave of companies touting the latest generation of security software has emerged to address the demand. Along with Tanium they include firms such as Palo Alto Networks, Lancope, FireEye, Qualys, Splunk, and Crowdstrike, which in July received $100 million from a group of investors led by Google Capital. "The threat is not slowing down — it's actually accelerating," said Daniel Ives, senior analyst at FBR. "That's why there's such a surge of spending in this area."

While banks may be shelling out for cybersecurity, the challenge for chief information officers may be getting their arms around what they have.

"A large bank will get a half million to a couple million security alerts a day and they're not well prioritized," said Avivah Litan, vice president at Gartner. "The systems are all shooting off alarms and it's hard to distinguish which ones are important. CIOs want to detect the bad guys who are flying under the radar and to improve the productivity of their security staff."

Tanium says its platform allows banks to lower the volume and filter out the noise. According to the company, a large global bank that deployed Tanium determined within one day that 20% of its network was unmanaged as a consequence of remote safeguards that either were not deployed or malfunctioning. The discovery allowed the bank to slash the incidence of malware outbreaks by roughly a third and boost compliance from 80% to 97%.

The company says the platform makes most sense for networks that have at least 5,000 access points, a critical mass that signals "you probably have data that's worth stealing and people targeting you already," Hindawi said. The price of the platform ties to the number of vulnerabilities, though a sliding scale means the price per endpoint drops above a certain threshold.

Lords of the Ring

Tanium's promise turns on speed and potential for expansion, which reflects the evolution of a design developed by Hindawi, 35, and his father and co-founder David Hindawi, 70, an émigré from Israel who holds a doctorate in operations research from the University of California at Berkeley and serves as CEO and chairman.

In 1997, David founded BigFix, a company that patched computers across a network automatically, and recruited then-17-year-old Orion, who while still in high school was taking college classes, as a developer. While at BigFix, which IBM bought in 2010, the duo began to hear from customers that the increasing virulence of cyberattacks and the advent of virtualization and cloud computing demanded the ability to assemble information from remote access points immediately. Getting data within days or even hours no longer sufficed.

The realization spurred David, Orion and a dozen of their colleagues to start Tanium, where they set out in 2007 to solve what Orion terms "a fundamentally different problem." The solution ultimately led them to discard the hub-and-spoke design that characterizes many networks in favor of a system in which computers pass files to their peers along a series of ordered rings. Instead of a server sending a file to each machine in the network, the server sends the file to a lead machine in each ring that then distributes the data to its peers.

"The ring architecture was the outgrowth of our realization that the hub-and-spoke architecture everyone uses was the problem," Orion said. "That's why they were slow. Tanium to this day is the only tech company that is not using that 40-year-old design."

With Tanium, the range of queries a company can put to its access points ties to the number of so-called sensors those points are programmed to register. Though Tanium has a library of more than 1,000 sensors (most companies use around 400, the company says), IT managers, either in-house or with support from Tanium, can customize sensors to harvest any information they can program a machine that runs Windows, Mac OS X, Linux or Unix to identify.

One thing Tanium cannot query is smartphones and tablets that run iOS or Android. That is because Apple and Google do not enable their operating systems to answer questions about which applications are touching certain types of data, a limitation that Hindawi notes affects all mobile device managers.

"I've never met any company that is happy with its mobile device management solutions," added Hindawi, who says the answer lies either with mobile OSs permitting better management or with manufacturers such as Intel and Qualcomm building the capability directly into processors.

Sorting 'Fact from Fiction'

Add that to the challenges for bank CIOs, who are faced with sorting through a deluge of companies that come calling with software or services that a defender of data seemingly cannot fail to vet.

"There are hundreds of unbelievably innovative cybersecurity technologies that typically focus on one niche or the other," FBR's Ives said. "That's always the decision for CIOs: do they do best of breed when you can have 16 or 20 vendors in your data center or go with three or four? Customer references are crucial in terms of separating fact from fiction."

Hindawi agrees, noting that Tanium typically enables companies to decommission between four and seven applications they had used. He adds that Tanium, which in August announced an exclusive pact with Palo Alto Networks to provide an integrated offering that automates detection and prevention of threats, says it has turned a profit every quarter since 2012.

"Banks should not have to be worried about balance sheets of their vendors, but if a company is making excuses that 'because we're growing we cannot be profitable' it means there's something wrong with their business," said Hindawi, adding that he knows from experience what IT managers endure. "I've been on the phone with CIOs at 3 a.m., when it's their worst time."

The goal, says Hindawi, is to achieve what he calls "a real A-plus." On a network with 500,000 access points, "if you're sitting at 92% compliance ... that's tens of thousands of vulnerabilities," he said. Even "95% is not good. It means they can be hacked by a 9-year-old with access to Google."

For reprint and licensing requests for this article, click here.
Bank technology Data breaches Cloud computing Cyber security
MORE FROM AMERICAN BANKER