Without treating security as an ongoing process, hackers will find, weaponize, deploy, and attack your infrastructure faster than your team can patch. At the same time, the experience of your IT team working with the security group is frustrating and leads to many, many hours of manual work. Learn how to stay ahead of the bad guys and improve the experience for your team with continuous vulnerability management.

1. How to Perform Continuous Vulnerability
Management and Avoid Failure
Chris Goettl, Director of Product Management, Security
Meeting ID: 803 050 534
Call-in toll-free (US/Canada)
1-877-668-4490
Call-in toll (US/Canada)
1-408-792-6300

2. CIS #3: Continuous
Vulnerability Management

3. The first 5 controls
I n v e n t o r y o f A u t h o r i z e d a n d U n a u t h o r i z e d D e v i c e s
I n v e n t o r y o f A u t h o r i z e d a n d U n a u t h o r i z e d S o f t w a r e
S e c u r e C o n f i g u r a t i o n
C o n t i n u o u s V u l n e r a b i l i t y A s s e s s m e n t a n d R e m e d i a t i o n
C o n t r o l l e d U s e o f A d m i n i s t r a t i v e P r i v i l e g e s
CIS, US-CERT, ASD, and other authorities prioritize these five elements of cyber hygiene to significantly
reduce security threats.

4. CIS Control 3: Continuous Vulnerability Management
Continuously acquire, assess, and take action on new information in order to
identify vulnerabilities, remediate, and minimize the window of opportunity for
attackers.
Why Is This CIS Control Critical?
When researchers report new vulnerabilities, a race starts among all
parties, including: attackers (to “weaponize”, deploy an attack, exploit);
vendors (to develop, deploy patches or signatures and updates), and
defenders (to assess risk, regression-test patches, install). Cyber
defenders must operate in a constant stream of new information:
software updates, patches, security advisories, threat bulletins, etc.
Understanding and managing vulnerabilities has become a
continuous activity, requiring significant time, attention, and
resources.

5. CIS Control 3: Continuous Vulnerability Management
CIS Control 3.1:
Run Automated
Vulnerability
Scanning Tools
CIS Control 3.2:
Perform Authenticated
Vulnerability Scanning
CIS Control 3.3:
Protect Dedicated
Assessment
Accounts
CIS Control 3.4:
Deploy Automated
Operating System Patch
Management Tools
CIS Control 3.5:
Deploy Automated
Software Patch
Management Tools
CIS Control 3.6:
Compare Back-to-
back Vulnerability
Scans
CIS Control 3.7:
Utilize a Risk-rating
Process

6. Rise in Vulnerabilities
2016 2017 20192018
• 16555 CVEs
• Average Time to Patch
34 days
• Only 7% of CVEs were
exploited
• 14714 CVEs• 6447 CVEs
• Average Time to Patch
100 to 120 days
• 12174 CVEs
• Target Time to Patch
14 days
Exploited Zero Day
Public Disclosure
Unknown Vulnerabilities
0-2 Weeks
Rising Risk
Day Zero
Update
Releases
2-4 Weeks
50% of exploits
have occurred
40-60 Days
90% of exploits
have occurred
120 Days

7. BlueKeep Timeline
14, May, 2019
CVE-2019-0708
Update Available
15, May, 2019
PoC research begins
Social Media Trackers
GitHub Trackers
20, May, 2019
BSOD achieved
28, May, 2019
Active Scanning of public systems
White Hats and Black Hats
6 security research teams confirmed they have
achieved exploit of BlueKeep
14 Days

8. Why a 14 Day SLA is so
Difficult to Achieve?

9. Time to Patch
Exploited Zero Day
Public Disclosure
Unknown Vulnerabilities
0-2 Weeks
Rising Risk
Day Zero
Update
Releases
2-4 Weeks
50% of exploits
have occurred
40-60 Days
90% of exploits
have occurred
• Challenges:
• Identification Prioritization of Vulnerabilities
• Aggregating Known Issues
• Testing
• Reliability vs Risk

10. “IT wants things to work smoothly,
while security wants security.
At the endpoint, they have to work
together to maintain both.”
Feedback from a survey of 100 CIO/CSOs

11. Exploit Data
Many vulnerabilities are given a severity and rated with a CVSSv3 score that
easily become overlooked. More specific risk data must be taken into
account to help refine prioritization.
Zero Day: Win32k Elevation of Privilege
Vulnerability (CVE-2019-1458) rated
Important, CVSSv3 7.8
Zero Day: Win32k Elevation of Privilege
Vulnerability CVE-2019-1132 rated Important,
CVSSv3 7.8
Zero Day: Scripting Engine Memory
Corruption Vulnerability (CVE-2020-0674)
rated as Critical, but CVSSv3 score of 7.5
Zero Day: DoubleKill (CVE-2018-8174, Critical,
CVSSv3 7.5) and Elevation of Privilege exploit
from May (CVE-2018-8120, Important, CVSSv3 7)

12. Bridge the gap between Security and IT Operations

13. Mapping Vulnerabilities to Software Updates
How hard can a handoff be?
In reality, it has many complications.
Each vulnerability
assessment could
contain thousands, 10s
or 100s of thousands of
detected CVEs.
De-duplicating and
researching the list of
detected CVEs can take
5-8 hours or more with
each pass.

14. CVE Import

15. Examples of Success

16. Department of Homeland Security
Binding Operational Directive 19-02
DHS Says Federal Agencies Have 15
Days to Fix Critical Flaws
Announced in April 2019
What made them successful:
• Eased into the change - BOD 15-01 Announced in May 2015
to review and mitigate critical vulnerabilities within 30 days
• Made the change a top down policy change
• Non-compliance means systems are taken offline

17. 80k+ Global Manufacturer
Manage over 80k systems globally
Target 14 Day SLA for remediation of
Security Vulnerabilities
What made them successful:
• Partner with the business – Heavily use pilot users
• Start testing immediately upon release of updates
• Made updating part of corporate culture
• Set hard timeframes and enable users to opt in to get
patched sooner

18. 66k+ Global Retailor
Manage over 66k systems globally
Target 14 Day SLA for remediation of
Security Vulnerabilities for Servers
Weekly Remediation for Endpoints
What made them successful:
• Partner with the business – Heavily use pilot users
• Start testing immediately upon release of updates
• Made updating part of corporate culture
• Standardization of software
• Made non-compliance a very visible and critical metric to
all levels of the business

19. What Experience
is Right for You

20. Flexibility to Meet a Variety of Needs
Ivanti has a variety of solutions depending on your needs.
• Ivanti Endpoint Manager Provides a unified endpoint management solution to manage
your enterprise. Ivanti’s UEM solution provides the best user experience while boosting
productivity and increasing security.
• Ivanti Security Controls Managing vulnerabilities in the datacenter is a bit different than
across endpoints. Security Controls provides capabilities to agentlessly assess and
remediate security updates. Ivanti’s APIs provide the ability to customize your
experience for managing complex runbooks for critical workloads.
• Ivanti Patch for Microsoft Endpoint Manager (SCCM) Ivanti’s simple plug-in allows
you to extend your investment in Microsoft Endpoint Manager in minutes. With just a few
clicks you have publish our entire catalog of hundreds of third-party applications.

21. Shifting Experience for
Remote Workers

23. Remote Control with Ivanti Cloud
• Remote-control nearly any desktop from any device with secure, browser-based
access.
• Resolve remote problems without a remote-control session for common issues like
viewing a device’s task manager, starting and stopping services, troubleshooting a
network outage, and executing scripts.
As IT departments work to satisfy the expectations of users, supporting them through remote capabilities goes a long
way in meeting expectations and improving service and support efficiencies.

24. 5 KEY TAKE AWAYS

25. • Ask Yourself: How accurate is your DiscoveryAsset
Management program?
• Build your security roadmap around a well developed security
framework like CIS framework.
• Evaluate your vulnerability assessment and prioritization.
What metrics are you using? Are they accurate enough?
• 50% of vulnerability exploits occur within 14-24 days of
release of an update. What is your Time to Patch?
• Continually review your security strategy.
5 KEY TAKE AWAYS

26. Thank You