Without treating security as an ongoing process, hackers will find, weaponize, deploy, and attack your infrastructure faster than your team can patch. At the same time, the experience of your IT team working with the security group is frustrating and leads to many, many hours of manual work. Learn how to stay ahead of the bad guys and improve the experience for your team with continuous vulnerability management.
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
Ivanti - Continuous Vulnerability Management
1. Getting Ahead of the Flood
Chris Goettl
Director of Product Management, Security
This information is confidential, proprietary, and only for use by the intended recipient and may
not be disclosed, published, or redistributed without the prior written consent of Ivanti, Inc.
3. The first 5 controls
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configuration
• Continuous Vulnerability Assessment and Remediation
• Controlled Use of Administrative Privileges
CIS, US-CERT, ASD, and other authorities prioritize these five elements of cyber hygiene to significantly reduce security threats.
4. Rise in vulnerabilities vs decrease in time to patch
• 2016: 6447 CVEs; average time to patch 100 to 120 days
• 2017: 14714 CVEs
• 2018: 16555 CVEs; average time to patch 34 days
• 2019: expect continued increase in CVEs; target time to patch 14 days
Vulnerability lifecycle model:
• Before an update exists: exploited zero days, public disclosure, unknown vulnerabilities
• Day Zero: update releases
• 0-2 weeks: rising risk
• 2-4 weeks: 50% of exploits have occurred
• 40-60 days: 90% of exploits have occurred
• 120 days
7. “IT wants things to work smoothly, while security wants security. At the endpoint, they have to work together to maintain both.”
Feedback from a survey of 100 CIO/CSOs
9. Continuous Vulnerability Assessment and Remediation
How hard can a handoff be? In reality, it has many complications.
• Each vulnerability assessment could contain 10s or even 100s of thousands of detected CVEs.
• De-duplicating and researching the list of detected CVEs can take 5-8 hours or more with each pass.
12. Open API for Automation
▪ PowerShell or REST API
▪ Automation Standard license at no additional cost
▪ Script complex workloads (clusters, tiered applications, etc.)
19. Rise in vulnerabilities vs decrease in time to patch
Vulnerability lifecycle model (repeated from slide 4): exploited zero days, public disclosure and unknown vulnerabilities before Day Zero; Day Zero: update releases; 0-2 weeks: rising risk; 2-4 weeks: 50% of exploits have occurred; 40-60 days: 90% of exploits have occurred; 120 days.
Overlaid on the model: Application Control, Privilege Management
#1 Patch Management to reduce attack surface
#2 Application Control to block malware and untrusted payloads
#3 Privilege Management to prevent lateral movement pivot
20. Organizations can prevent 80-95% of Windows intrusion threats by implementing four key disciplines
1. Patch Operating Systems
2. Patch Applications
3. Minimize Admin Privileges
4. Application Whitelisting
As recommended by…
22. Reduce / Remove Local Admin rights
• Facilitate removal of admin rights from the enterprise
• “Just enough” elevation for local admins
• “Just-in-time” elevation for standard users
• Allow users access to the tools they need, without excess rights
23. Zero-day protection with Application Control
• Extremely effective at blocking ransomware & other malware
• Operational simplicity with Trusted Ownership checking
• Contextual Application Control with advanced condition engine to provide greater control
• On-demand change requests to maximize user productivity
Thank you for inviting Ivanti to be a part of your event today. I am ‘insert name and title’ and today I would like to talk to you about Continuous Vulnerability Management or more importantly, how to get ahead of the flood of vulnerabilities.
First, let's talk about Continuous Vulnerability Management.
We at Ivanti look to security frameworks like the Center for Internet Security's Critical Security Controls to help prioritize our efforts and maximize our customers' benefits. The CIS framework provides a lot of industry best practices and guidance for securing your organization. What we like most about the CIS framework is the prioritized guidance: if you start at the beginning and work your way through, you will maximize your effectiveness with each step. Here you can see just the first five controls. These are key controls which should be implemented in every organization for essential cyber defense readiness.
(Click) For the purposes of this conversation we are going to focus on Continuous Vulnerability Assessment and Remediation.
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
This control encompasses efforts of both the Security and Operations teams and a combination of solutions including Vulnerability Assessment and Patch Management solutions. Depending on the level of sophistication of your process today this could also include SOAR and SIEM solutions, but often there is a rather large gap from identification and prioritization of a vulnerability to remediation.
(Click) This model shows the life of a vulnerability and the Time to Patch needed to resolve it.
Even before an update releases there is a risk from Zero Day vulnerabilities that are being exploited, from public disclosures that expose a vulnerability to the public and to threat actors in advance of an update, and from unknown vulnerabilities waiting to be discovered by vendors, white hats, or black hats.
Day Zero is the day an update is released. From this point forward the risk of exploit of a vulnerability increases over time. At around 14 days the risk of exploit starts to increase significantly. According to Verizon, within 2 to 4 weeks 50% of the vulnerabilities that will ever be exploited have been exploited, and at 40 to 60 days 90% of them have been exploited. In 2016 the average time to patch was around 100 to 120 days, which means threat actors were actively exploiting vulnerabilities for two to three months before those vulnerabilities were remediated.
(Click) In 2016 there were 6447 CVEs reported and captured by CVE Details. The average time to patch was 100 to 120 days according to the Verizon DBIR 2016.
(Click) In 2017 there was a significant increase in CVEs as bug bounties increased across the industry and new classes of vendors, such as IoT device makers and others who had not previously reported vulnerabilities, started reporting them.
(Click) In 2018 there were over 16k CVEs. As you can see, the volume of security vulnerabilities continues to increase year over year and will likely continue to do so for some time. So how can we stay ahead of threats? Many companies struggle to resolve vulnerabilities quickly. A report by TCell found that patching critical CVEs took an average of 34 days. This is an improvement over the 100-120 day average from 2016, but most companies are still in the high risk range.
References:
CVE Data taken from CVE Details. This is the number of vulnerabilities reported and confirmed by MITRE. This does filter out contended CVEs, duplicates, and revoked.
Average time to patch in 2016 taken from Verizon Data Breach Investigations Report.
Average Time to Patch in 2018 taken from a report by Tcell that found patching critical CVEs took an average of 34 days https://blog.tcell.io/whats-going-on-appliation-security-report-2018
(Click) 34 days Time to Patch is a significant improvement over the industry average of 100-120 days from 2016, but we are still in the high risk zone. (Click)
(Click) 14 days or less Time to Patch is the target that we need to strive for. So how do we get ourselves into this optimal window? (Click)
We are trending in the right direction, both in the diligence of vendors discovering and resolving vulnerabilities and in companies more rapidly putting updates in place to remediate those vulnerabilities, but what are the next steps to continue to shrink the window of risk? We would like to talk to you about several ways you can continue to reduce the time to patch, better prioritize and take action, and mitigate the impact if something does occur.
To truly attain Continuous Vulnerability Assessment and Remediation you need to bridge gaps between teams and between products within those respective teams. We want to share with you some thoughts on how to bridge these gaps.
On behalf of Ivanti, global advisory firm The Chertoff Group surveyed 100 CIOs/CSOs in October of 2016 to determine what they considered to be the most important security challenges in managing their endpoints today.
Here is a quote from that survey. [Read the quote.]
So we have two teams with two different mandates that can often be at odds.
So how do we bridge the gap between teams with different goals and responsibilities?
A first step towards improving this process is to get Security and Operations speaking the same language: Security speaks CVEs and Operations speaks Patches.
(Click) We have spoken to many of our customers about how large vulnerability reports can get. It can often be 10s or even 100s of thousands of line items depending on the severity of vulnerabilities included in the report and how many systems you are reporting on.
(Click) Those same customers told us they spend on average 5-8 hours researching that list every time they get a new report from the security team. This includes deduplication and time to research what CVE applies to what application and what version you need to update to. In many cases you could have hundreds of CVEs that could easily be resolved by just a handful of updates.
We have come up with a simple way to significantly reduce the time spent on researching CVEs. In our latest release the Ivanti Patch for Windows product will be renamed to Ivanti Security Controls. In this release you can choose to perform an import of CVEs. This import can come from any Vulnerability Management vendor; it just needs to be clear text and include CVE IDs. The import typically takes a minute or less (tested with a report of 450k line items).
So, very quickly we can take the report from the Security team and map the CVEs they have recommended for remediation to software updates in Ivanti Security Controls releasing in late Q1. You will be able to do this import once you upgrade to the latest version which is an easy process.
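To make the CVE-to-patch handoff concrete, here is an added example (not Ivanti's code and not the Ivanti Security Controls import) that does the work the talk describes for a scanner export: it pulls CVE IDs out of a clear-text report, de-duplicates them across hosts and case variants, and collapses them into the handful of updates that actually need to be deployed. The report format, the host names, and the `PATCH_CATALOG` mapping (with its placeholder update identifiers) are all constructed for the example; a real mapping would come from vendor advisories or a patch-intelligence feed.

```python
"""
Added example (not Ivanti's code): reduce a clear-text vulnerability-scanner
export to the handful of updates that actually need to be deployed.

Assumptions, all constructed for this example:
  * the report is plain text with one finding per line containing a host name
    and one or more CVE IDs (the format below is invented);
  * PATCH_CATALOG maps CVE IDs to a vendor update identifier; the names in it
    are placeholders, not real Microsoft or Ivanti identifiers.
"""
import re
from collections import defaultdict

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
HOST_RE = re.compile(r"host=(\S+)")

# Constructed sample export: scanners repeat the same CVE once per host and
# per affected component, which is why raw reports run to thousands of lines.
SAMPLE_REPORT = """\
host=web01  sev=Critical  CVE-2023-0001 (example-app 1.0)
host=web01  sev=High      CVE-2023-0002 (example-app 1.0)
host=web02  sev=Critical  CVE-2023-0001 (example-app 1.0)
host=web02  sev=Critical  cve-2023-0001 (example-app 1.0)   # duplicate, different case
host=db01   sev=High      CVE-2023-0003, CVE-2023-0004 (example-db 2.1)
host=db01   sev=Medium    CVE-2023-0099 (example-agent 0.9)
"""

# Constructed CVE -> update mapping (placeholder identifiers).
PATCH_CATALOG = {
    "CVE-2023-0001": "EXAMPLE-APP-UPDATE-2023.03",
    "CVE-2023-0002": "EXAMPLE-APP-UPDATE-2023.03",
    "CVE-2023-0003": "EXAMPLE-DB-UPDATE-2.1.5",
    "CVE-2023-0004": "EXAMPLE-DB-UPDATE-2.1.5",
    # CVE-2023-0099 intentionally absent: no fix in the catalog.
}


def extract_findings(report_text):
    """Return {cve_id: set(hosts)} with CVE IDs normalised to upper case."""
    findings = defaultdict(set)
    for line in report_text.splitlines():
        host_match = HOST_RE.search(line)
        if not host_match:
            continue  # skip headers, blank lines, anything without a host
        host = host_match.group(1)
        for cve in CVE_RE.findall(line):
            findings[cve.upper()].add(host)
    return dict(findings)


def map_to_updates(findings, catalog):
    """Collapse de-duplicated CVEs into the updates that resolve them.

    Returns (updates, unmapped): updates is {update_id: {"cves", "hosts"}},
    unmapped is the set of CVE IDs the catalog has no fix for, which need
    manual research or a compensating control rather than a patch job.
    """
    updates = defaultdict(lambda: {"cves": set(), "hosts": set()})
    unmapped = set()
    for cve, hosts in findings.items():
        update = catalog.get(cve)
        if update is None:
            unmapped.add(cve)
            continue
        updates[update]["cves"].add(cve)
        updates[update]["hosts"].update(hosts)
    return dict(updates), unmapped


def summarise(report_text, catalog=PATCH_CATALOG):
    findings = extract_findings(report_text)
    updates, unmapped = map_to_updates(findings, catalog)
    return {
        "raw_lines": sum(1 for l in report_text.splitlines() if l.strip()),
        "unique_cves": len(findings),
        "updates": updates,
        "unmapped": unmapped,
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_REPORT)
    print(f"{result['raw_lines']} report lines -> {result['unique_cves']} unique CVEs "
          f"-> {len(result['updates'])} updates")
    for update, info in sorted(result["updates"].items()):
        print(f"  {update}: {len(info['cves'])} CVEs on {sorted(info['hosts'])}")
    if result["unmapped"]:
        print("  no catalog entry (research needed):", sorted(result["unmapped"]))
```

On the constructed report the six scanner lines reduce to five unique CVEs and two updates, with one CVE left over that has no mapped fix; that leftover set is the part of the list that still needs a human, which is where the "5-8 hours per pass" actually goes.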
Automation is another key way to reduce the Time to Patch. If more of the process can be automated, teams can be freed up to perform other tasks.
Ivanti Patch for Windows provides an open API that can be used to automate more of the end to end process of patching.
The API has a PowerShell interface today, but in the Ivanti Security Controls release this will extend to include a REST API as well.
Ivanti also has an Automation platform. Whether using our Automation platform or an existing Orchestration solution you already have in your environment you can create runbooks to patch complex workloads more efficiently.
Ivanti Automation has a Standard edition that is included with your license of Ivanti Patch for Windows at no additional charge.
Another initiative that Ivanti is working on that will provide additional capabilities to help reduce the time to patch is our Ivanti Cloud.
The Ivanti Cloud will include our automation platform, connectors for many solutions to pull in data, a data services layer to reconcile what is discovered and provide feedback on actions that could be taken like systems that were discovered in an asset system, but not managed by a security solution. We also have a new Real-Time capability that allows you to query systems in real time and ask questions in natural query language.
But for today's conversation we want to talk about one of our Smart Advisors. A Smart Advisor provides a wealth of data about systems, software, users, and so on, but the real value in Smart Advisors is in the Peer Data and Machine Learning capabilities. These allow us to drive recommendations to you and provide insight that would take time and effort to infer on your own.
Let's take a step back and talk about common challenges in the patch management process that cost a lot of time and effort and inevitably cause the patching process to take more calendar time.
(Click) Identification and prioritization – We have talked about this a little already. You often have ways to identify vulnerabilities and prioritize them, but getting that to map to the updates is often a time consuming challenge. Not only do we have ways to help solve this problem in Ivanti Security Controls, but we will have all of the information to map CVEs to Patches and Patches to CVEs from Patch Intelligence.
(Click) Testing of updates – How many test machines can you field? No matter if it is 10 or 100 you still run into issues with having too little data to make decisions quickly. If updates succeed on your test systems how comfortable are you that the rest of your environment will be unaffected by those updates? What if we can provide you with peer data from across our global customer base? Would being able to see thousands of systems that have successfully updated that same patch be helpful?
(Click) Getting deeper into the reliability question, what if you can see how many of those same systems globally have been rolled back and even get a reliability score of the update? What if you also had a risk score that included threat information like CVSS score, known exploited, or publicly disclosed? Together you would have reliability and threat as two metrics you can compare to make decisions about which updates to push through fast vs take more time to test and rollout.
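The reliability-versus-threat comparison above, and the lifecycle milestones from the earlier model, can be turned into a simple triage rule. The following is an added example, not Ivanti's scoring model or any Patch Intelligence formula: it computes a threat score from CVSS, exploitation status and patch age, a reliability score from peer rollback data, and assigns each update to a deployment lane. Every weight, threshold, smoothing constant and sample update is an assumption made for the example; the only figures taken from the talk are the 14-day target and the 2-4 week / 40-60 day exploit milestones.

```python
"""
Added example (not Ivanti's code or scoring model): rank pending updates by
comparing a threat score against a reliability score, as the talk describes
using peer data and threat intelligence together.

All weights, thresholds and sample updates are constructed; the lifecycle
milestones (14-day target, ~50% of exploits by 2-4 weeks, ~90% by 40-60 days)
are the figures quoted in the talk.
"""
from dataclasses import dataclass


@dataclass
class Update:
    update_id: str            # placeholder identifier, not a real KB number
    cvss_max: float           # highest CVSS base score among the CVEs it fixes
    known_exploited: bool     # exploitation observed in the wild
    publicly_disclosed: bool  # details public before the fix shipped
    days_since_release: int   # age relative to "Day Zero"
    peer_installs: int        # peer systems that applied it (constructed)
    peer_rollbacks: int       # of those, how many rolled it back (constructed)


def threat_score(u):
    """0-100: CVSS scaled to 0-60, plus assumed bonuses for exploitation
    status and for how far along the lifecycle the update already is."""
    score = u.cvss_max * 6.0
    if u.known_exploited:
        score += 25
    elif u.publicly_disclosed:
        score += 10
    # Lifecycle milestones from the talk: risk rises sharply after ~14 days,
    # ~50% of eventual exploits by 2-4 weeks, ~90% by 40-60 days.
    if u.days_since_release > 60:
        score += 15
    elif u.days_since_release > 28:
        score += 10
    elif u.days_since_release > 14:
        score += 5
    return min(score, 100.0)


def reliability_score(u):
    """0-100 from peer rollback rate. Few data points pull the score toward a
    neutral 50 so one rollback on three installs is not read as a 33% failure
    rate (assumed smoothing, not a vendor formula)."""
    prior_weight = 20  # assumed number of "virtual" neutral installs
    success = u.peer_installs - u.peer_rollbacks
    return 100.0 * (success + prior_weight * 0.5) / (u.peer_installs + prior_weight)


def lane(u, fast_threat=60.0, fast_reliability=85.0):
    """Assumed decision rule: high threat plus proven reliability goes straight
    to deployment; high threat with shaky reliability gets a compensating
    control while it is tested; everything else follows the normal cadence
    toward the 14-day target."""
    t, r = threat_score(u), reliability_score(u)
    if t >= fast_threat and r >= fast_reliability:
        return "fast-track"
    if t >= fast_threat:
        return "mitigate-and-test"
    return "standard"


def prioritise(updates):
    """Return [(update_id, lane, threat, reliability)] sorted by threat, highest first."""
    rows = [(u.update_id, lane(u), round(threat_score(u), 1),
             round(reliability_score(u), 1)) for u in updates]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample backlog.
SAMPLE_UPDATES = [
    Update("EXAMPLE-UPD-A", 9.8, True, True, 3, 12000, 40),
    Update("EXAMPLE-UPD-B", 8.1, False, True, 35, 50, 12),
    Update("EXAMPLE-UPD-C", 5.3, False, False, 10, 800, 2),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_UPDATES):
        print("%-15s %-18s threat=%5.1f reliability=%5.1f" % row)
```

With the constructed backlog, the actively exploited critical update with thousands of clean peer installs is fast-tracked, the disclosed-but-unexploited update that is already five weeks old and has a high rollback rate lands in the mitigate-and-test lane (the case where Application Control or Privilege Management buys time), and the low-severity update follows the standard cadence. The smoothing in `reliability_score` is the part worth keeping even if the weights change: peer data is only useful once there is enough of it.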
(Click) Known issues are another time consuming research step for many patch admins. Reading documentation from the vendor, watching headlines or reddit posts, or even attending our Ivanti Patch Tuesday webinar are ways that many admins collect known issues to determine if anyone has hit something they should be concerned about.
Often what these challenges boil down to is more calendar time lost. And time is a variable that is working against us.
Here is a mockup of Ivanti Patch Intelligence. You can see elements of the challenges we just spoke about. Reliability, Threat, mapping to CVEs. As you drill into elements of an update you will see the data behind the scenes that helped us determine those scores and even known issues from the vendors and customer comments describing challenges they have had and reasons why they may have rolled back the update.
Part of this functionality will be going live in our Q2 Ivanti Cloud launch and we will continue to evolve the capabilities of the Smart Advisor as we move forward. Our goal is to provide you with the insight and guidance you need to help reduce that lost calendar time.
The last thing we want to talk about today is extending beyond patch to better secure your environment.
Let's return to our vulnerability lifecycle model.
(Click) Patching is the greatest reducer of attack surface, but patching alone will not stop everything.
(Click) The CIS framework and many other security frameworks agree that Application Control is one of the most effective complements to patching. It can block file-based malware and untrusted payloads, preventing many attacks from gaining a foothold even if a software vulnerability was exploited.
(Click) Privilege Management is also necessary to reclaim administrative rights, which helps to limit lateral movement throughout an environment if a threat actor gains a foothold.
(Click) Application Control and Privilege Management also protect systems before an update is available, or in the case where you have an exception and an update cannot be pushed.
*Australia Signals Directorate (equivalent to US NSA)
Ivanti offers a leading solution that can help you prevent unauthorized code execution without making IT manage extensive lists manually, and without creating obstacles to user productivity. We also have a unique trust model called Trusted Ownership™ which automatically prevents the execution of any code, even unknown, that a non-trusted owner (a typical user account, for example) introduces. You can manage user privileges and policy just as easily, at a granular level, while allowing for self-elevation when exceptions occur. We make it simple to give users just the privileges they need to fulfil their roles—no more, no less—while keeping IT focused on core business initiatives rather than “keeping the lights on.”
Beyond Trusted Ownership, our Privilege Management solution has the ability to provide what we call just enough admin rights. We can take a full admin and remove access to specific features or capabilities: for example, you may have an administrative user whom you do not want to be able to run certain utilities or start/stop services.
We also have Just-in-time elevation, allowing you to reclaim admin rights and only elevate those actions or applications that require elevated permissions.
Our Application Control capabilities allow you to apply additional trust models like Trusted Vendor or apply contextual rules using our advanced condition engine to provide greater control over your environment.
This solution is available today as a separate offering, but in our Ivanti Security Controls release we will be extending the capabilities of the product you are already running with this new module. It will be available as an add-on to Ivanti Security Controls customers.
Thank you for allowing Ivanti to join your teams today. At this time we would be happy to answer any questions you might have.