Cloud Incident Response Blog | Cado Security

Investigating Tanium Live Response collections in the Cado platform

Written by jbowen@cadosecurity.com | Oct 20, 2022 1:25:04 PM

With the latest version of the Cado platform, customers can now import Tanium Live Response collections to expedite incident response investigations of on-premises systems. The Cado platform harnesses the power of the cloud to automate manual and time-consuming tasks traditionally associated with forensic investigations. Cado’s unique approach empowers customers to:

  • Take advantage of cloud-speed processing
    • Forensic investigations often require massive amounts of data to be processed. Using traditional methods, this can set back the start of an investigation by days, as each system needs to be processed sequentially. Cado’s patent-pending cloud-native architecture automatically scales up and down to provide rapid, parallel data processing, drastically reducing time to investigation and response.

  • Extend incident response and forensics to the cloud
    • While Cado offers on-premises support, we understand that customers have a unique tool set and approach for different environments. For example, many organizations we speak with leverage Tanium to capture the required forensic data they need in their on-prem environment. However, when it comes to the cloud, Cado enables analysts to automatically capture and investigate forensic data across multi-cloud, container, and serverless environments.

How it works

Tanium Live Response collects forensic artifacts and formatted output of evidence such as running processes and active connections. The solution then sends collected data to a network location or S3 bucket.

Tanium Live Response collections can then be imported into the Cado platform for processing and analysis. Cado supports parsing of the artifacts themselves (e.g. Windows Event logs) as well as the text-formatted data dumps produced by Tanium itself.
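To make the "text-formatted data dumps" step concrete, the following Python sketch is an added example, not code from Cado or Tanium, and the dump layout it parses (the `== Running Processes ==` / `== Active Connections ==` sections, their column order and the ISO-8601 timestamps) is constructed for illustration rather than Tanium's real output format. It shows the normalisation a platform has to perform on such a dump: split it into sections, parse each table, cross-reference connections to their owning process by PID, and merge everything into one time-ordered list of events that an analyst can pivot on.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of a text-formatted live response dump. The layout is
# hypothetical and only serves this example; it is not Tanium's actual output.
SAMPLE_DUMP = """\
== Running Processes ==
PID   PPID  Start Time (UTC)      Path
4     0     2022-10-18T09:00:01Z  System
1234  4     2022-10-18T09:02:15Z  C:\\Windows\\System32\\svchost.exe
4321  1234  2022-10-18T13:47:02Z  C:\\Users\\Public\\update.exe

== Active Connections ==
Proto  Local            Remote             State        PID   Observed (UTC)
TCP    10.0.0.5:51234   203.0.113.7:443    ESTABLISHED  4321  2022-10-18T13:47:30Z
TCP    10.0.0.5:445     0.0.0.0:0          LISTENING    4     2022-10-18T13:47:30Z
"""

SECTION_RE = re.compile(r"^== (.+?) ==$")


@dataclass
class Event:
    timestamp: datetime
    source: str        # which section of the dump the event came from
    pid: int
    description: str


def _parse_ts(raw: str) -> datetime:
    # Normalise the 'Z' suffix so fromisoformat yields an aware UTC datetime.
    return datetime.fromisoformat(raw.replace("Z", "+00:00")).astimezone(timezone.utc)


def split_sections(text: str) -> dict:
    """Group non-empty lines under the '== Name ==' header that precedes them."""
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_processes(lines) -> dict:
    """Return {pid: (ppid, start_time, path)}; the first line is the column header."""
    procs = {}
    for line in lines[1:]:
        pid, ppid, start, path = line.split(maxsplit=3)  # path may contain spaces
        procs[int(pid)] = (int(ppid), _parse_ts(start), path)
    return procs


def parse_connections(lines) -> list:
    """Return (proto, local, remote, state, pid, observed) tuples; header skipped."""
    conns = []
    for line in lines[1:]:
        proto, local, remote, state, pid, observed = line.split()
        conns.append((proto, local, remote, state, int(pid), _parse_ts(observed)))
    return conns


def build_timeline(text: str) -> list:
    """Merge process starts and observed connections into one time-ordered list."""
    sections = split_sections(text)
    procs = parse_processes(sections.get("Running Processes", []))
    events = []
    for pid, (ppid, start, path) in procs.items():
        parent = procs.get(ppid, (None, None, "<unknown>"))[2]
        events.append(Event(start, "process", pid,
                            f"{path} started (parent {ppid}: {parent})"))
    for proto, local, remote, state, pid, observed in parse_connections(
            sections.get("Active Connections", [])):
        # Cross-reference the PID so the analyst sees which binary owns the socket.
        path = procs.get(pid, (None, None, "<unknown>"))[2]
        events.append(Event(observed, "connection", pid,
                            f"{proto} {local} -> {remote} {state} by {path}"))
    return sorted(events, key=lambda e: e.timestamp)


def connections_for(timeline: list, pid: int) -> list:
    """Pivot helper: every connection event attributed to a given PID."""
    return [e for e in timeline if e.source == "connection" and e.pid == pid]


if __name__ == "__main__":
    for ev in build_timeline(SAMPLE_DUMP):
        print(ev.timestamp.isoformat(), ev.source, ev.pid, ev.description)
```

The PID cross-reference is the part worth copying: a connection line on its own only names a port pair, and it is the join to the process table (and from there to the parent chain) that gives an analyst a pivot point, for example from an outbound connection to the binary path and parent that spawned it.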

Once processed, Cado presents collected data in a way that allows analysts to seamlessly dive deep, determine root cause and incident scope, and efficiently respond. The Cado solution empowers security teams to drastically reduce investigation and response time by automating some of the common investigative techniques a human analyst would use. The solution’s Automated Investigation feature surfaces key details related to the incident to provide analysts with pivot points that help guide the rest of the investigation. The Cado solution automatically flags key malicious activity, determines root cause and incident scope (including all compromised roles and assets), and presents a complete timeline of events.

If you’re currently using Tanium or a similar solution for forensic data capture across your on-premises environments and are interested in seeing how Cado can further augment your incident response approach — check out our 14-day free trial or request a personalized demo today.