The last 1717 days

I mentioned on LinkedIn yesterday that I’m looking for a new role. For recruiters and interested parties, I thought I should provide some background about what I’ve been doing for the last four and a half years.
I left Microsoft back in September of 2015. It was a difficult decision. I worked with and “against” brilliant people on really interesting problems. It was one of the most challenging and rewarding jobs I’ve ever had.
I left to join Tanium, a company that I’d never heard of at the time. A friend of mine whom I’d known through Microsoft reached out to me about it. His claims about what Tanium could do were hard to believe. He said it could pull a list of running processes with their hashes, data about network connections, information about files on disk, installed software, logged-in users, etc. from hundreds of thousands of systems across multiple platforms in seconds.
According to my friend, Tanium could execute changes on those systems just as fast and it could do all of this with very little infrastructure. We would find out later through the work of a brilliant engineer that the architecture could scale to more than one million endpoints managed by a single server — a beefy server, to be sure, but not 100 servers or 50. One.
The scalability of the platform meant that security and operations teams could be more agile. They wouldn’t need a team of engineers focused on maintaining a fleet of servers; instead, those engineers could focus on hunting, investigating, responding to incidents, patching, running vulnerability scans, etc.
Having worked with other commercial products and having built my own tooling to perform incident response tasks, I was skeptical. How had a company I’d never heard of conquered this hill that so many products had died on?
We talked off and on for a few weeks. I spoke with a seemingly endless list of different people from Tanium and we agreed there was alignment of my interests and their objectives. I joined the company.
During my time at Tanium I contributed code to extend the security incident response capabilities of the platform. Alongside others, I developed and delivered training. I became a “player / coach” on a team with deep experience in DFIR work. We had former Feds, Mandiant, Cylance and professionals from industry in our ranks. We helped our customers understand what the platform could and could not do. We won their confidence and trust.
We helped customers respond to security incidents. When information on 0days came to light, we worked with engineers across the entire company to determine if we had existing capabilities to address those issues and if not, we rapidly put together new content to help investigate and mitigate. In the days of WannaCry, it was incredibly satisfying to work with customers to mitigate the SMBv1 vulnerability across hundreds of thousands of endpoints in their networks in seconds — not minutes, days or weeks.
Tanium is not a perfect product. No perfect product exists, but over the last four and a half years product managers, developers and engineers have worked tirelessly to make it better and better. If I were a CIO or a CISO in a large enterprise, Tanium would be on my short list of must-have tools. I say all of this as someone who is effectively an ex-Tanium employee. I still have a few days left and, in full disclosure, I own stock in the company, but even if I could sell all of my stock today and my position was terminated effective immediately, Tanium would be on my list. There may be better niche products for some specific problems (for now), but there is nothing on the market that is as flexible and as scalable as Tanium, and in the enterprise, flexibility and scalability are a winning combination for tackling all kinds of unforeseen problems.
Why leave? And especially why leave during a global pandemic, the worst unemployment since the Great Depression, a time of massive civil unrest, with a mortgage and multiple college tuitions to cover? I left because it was time. It was time for me to move on to new challenges and new personal growth and in so doing, I hope I have provided opportunities for growth for those I left behind.
Godspeed former colleagues.

*** This is a Security Bloggers Network syndicated blog from trustedsignal -- blog authored by davehull. Read the original post at: