Tanium launched the Tanium Software Bill of Materials (SBOM) to help organizations protect digital assets against external threats stemming from open-source software including OpenSSL v3.
Tanium is a solution that empowers IT and security teams with granular visibility and real-time remediation of software packages for every application on every endpoint at runtime.
The modern digital economy is powered by open-source software, but the average application-development project contains nearly 50 vulnerabilities spanning 80 direct dependencies. While indirect dependencies are even harder to find, that’s where 40% or more of all vulnerabilities are hiding. When software supply-chain vulnerabilities are discovered, organizations must scramble to understand their exposure, which could take weeks or even months. With millions of open-source libraries in use, not only are real-time visibility and remediation capabilities important, they are now a necessity. Seemingly innocuous coding flaws have the potential to bring down organizations on a massive scale.
“Software supply-chain vulnerabilities have been at the heart of some of the most disruptive cyber events we’ve seen,” said Nic Surpatanu, chief product officer at Tanium. “Tanium’s SBOM takes this challenge head on by leveraging endpoint data to break down the composition of software and root out weaknesses such as the newly announced vulnerability in OpenSSL version 3. This clarity can mean the difference between a minor operational hiccup or a complete global disruption with lasting implications.”
SBOM, built on Tanium’s core strengths of speed, scale, and real-time endpoint data, is an entirely new approach to address supply-chain vulnerabilities. Tanium SBOM focuses first on the software residing on individual assets to detect libraries and software packages with known vulnerabilities. Tanium’s approach goes beyond basic scanning tools by examining the contents of individual files wherever they reside in the IT environment. This essential information allows Tanium to take swift, appropriate action such as conducting application patching and software updates—up to and including killing a specific process or uninstalling affected applications. Tanium can find and remediate vulnerabilities like the one in OpenSSL v3 today as well as new supply-chain vulnerabilities in the future.
“The Log4j vulnerability has opened people’s eyes to the dangers of vulnerable open-source software,” said Jason Bloomberg, president of analyst firm Intellyx. “The ability to harness endpoint data for a diagnostic analysis of the software landscape is essential, as enterprises increasingly depend on so many disparate applications. Tanium’s SBOM data allows security teams to manage a variety of applications with the confidence that they can identify and address vulnerabilities before they adversely impact the customer.”
Tanium SBOM is particularly beneficial to public sector organizations faced with new regulatory requirements such as Executive Order 14028 in the U.S. and the U.K.’s National Cyber Strategy 2022 that enforce the integrity and security of software.
SBOM is the newest offering from the award-winning Tanium XEM platform, which released new capabilities in October that include Tanium Benchmark, designed to provide board members and executive leadership with holistic IT operations, risk, and security assessments for improved decision making and strategic execution.