Security Insights - Cybersecurity for Real-World Workplaces

The Next Evolution of Patch Management: Don't Try to Patch Everything!

Ivanti Season 1 Episode 13

Host Adrian Vernon, Sr. Director of Product Management Chris Goettl, and former CEO of RiskSense Sri Mukkamala talk about the recent news of the Ivanti and RiskSense team up and what it means for patch management moving forward!

The conversation includes:

  • The history of RiskSense
  • The importance of "Proactive Response"
  • Some insights on the current realities in our world of vulnerabilities
  • Why the White House is encouraging a risk-based assessment strategy
  • Best practices on approaching the challenges that organizations face
  • Cyber Hygiene!
  • Join the conversation online on LinkedIn (linkedin.com/company/Ivanti)

Adrian:  Hi, everyone, welcome to another edition of the Ivanti insights podcast. I'm your host Adrian Vernon.  Now today as usual, we have Chris Goettl in the house. He's the senior director of product management here at Ivanti. Chris you're based in Minnesota, how's your summer so far up there in the land of 10,000 lakes?

Chris: Oh, it's been pretty good. We actually had a little bit of rain coming, which has been overdue. We were getting a little bit dry up here, so the rain has been nice, but overall it was a great holiday weekend and great start to the summer.


Adrian: All right. Well I can tell you based here in California, in the San Francisco bay area, little jealous that you've had a little rain, we desperately needed it and there was no rain insight. All right Chris, today we have a special guest Sri Mukkamala who was the co-founder and CEO of RiskSense, a pioneering risk-based vulnerability management and prioritization company. And we're excited because today it's announced that Ivanti has acquired RiskSense sends to drive the next evolution of patch management. Sri, great to have you with us, welcome to the Ivanti family. 

Sri: Thank you Adrian, thank you Chris for having me on this episode. 

Adrian: And Sri let's make note that you're based out here in the bay area with me, so we're practically neighbors. While Chris is halfway across the country out there enjoying a little bit of rain that we are very envious of. All right gentlemen, let's talk risks-based vulnerability management and what RiskSense joining Ivanti means for our customers and the industry at large. So Sri let's kick off with you, tell us about the acquisition and how this will help the industry combat cybercrime.

Sri: It's a last mile problem. So as an industry, you all struggled about first identifying a vulnerability, prioritizing it. We went through several iterations of is it threat-based? Is it attacker-centric? Is it exploit base? We all agreed, let's take a look at what would an attacker go after, that boils down to do I have a known exploit. While we can tell you what to fix, how to fix becomes very important. With Ivanti and RiskSense coming together, we're going to solve the last mile problem. What it means is once you identify it, you can act on it within seconds, rather than passing off the puck for somebody else to go act on it. This is truly revolutionary. It does reduce the amount of time it takes to really proactively respond. The key here is proactive response, which doesn't exist in the industry today. Don't react to an incident, don't react to a trending trap, but be proactive about it, and RiskSense and Ivanti coming together will truly be that company to be watched that doesn't exist in the market today. 


Adrian: Okay, and as I understand it, it's not just about what to fix then how to fix it, but even well what to fix, but prioritizing. You know, not just hey, here are some vulnerabilities, but here are the most critical vulnerabilities that you need to address first, right?


Sri: A hundred percent. I mean, that's the details it gets into. So one thing RiskSense has done very well is not only create a black box and said believe in us, we actually went and defined a taxonomy. When you find a vulnerability, when you find an exploit, we can tell you, is this a remote code executable? Is this a privilege escalation? Is this a probe? Is this a denial of service? Again, these are important because you have to look at them and say, what are the successful breaches in the last several years. 95% of them use a remote code executable and the privilege escalation. Go back, look at ransomware, Kaseya is a very good example, it’s a remote code executable vulnerability. Go back and take a look at several other vendors who have been victims of that, that's RCEs. So the question you asked about prioritization, RiskSense actually labeled exploits, and tells you exactly why a particular criticality score is important based on not only the type of the exploit, but how actively it's been talked about, how actively it's used. Is it tied and linked to ransomware? Is it used by APT groups? Is it used by nation states? It actually goes into a lot more detail on how it actually prioritizes and by the way, it's all transparent, it's not a black box saying oh, it's a top thread, believe in us. Nope, we'll tell you exactly. Transparency is keen on security, we bring that transparency to that customer so they can trust, but validate in our prioritization and actually act on that. 


Adrian: And Sri just quickly before we pass it over to Chris, who's waiting in the wings anxiously, maybe you can give us a little background while we have you here on how RiskSense actually came about as you were one of the co-founders.


Sri: A very good question Adrian. So we are proud, we served the nation in different capacities. All this started off as a project called CACTUS from department of defense, Computational Analysis of Cyber Terrorism against the United States. It's a big term, we were tasked to save and protect this great nation from cyber adversaries during two active wars. All this started pre-9/11 when post-9/11 happened, this became really active. Our goal and our mission from the government is to help the United States and its allies identify vulnerabilities that attackers are interesting in developing cyber weapons. That is the number one priority. If you put it back in layman terms, which vulnerabilities will be used by the bad guys? Then the other task we had on hand was if the bad guys can use a particular vulnerability and write a cyber weapon, do we have the capability to write cyber weapons by ourselves? You are seeing all kinds of movies around us, some chat around what should US be doing and should not be doing.

I was a chief scientist for CACTUS and my goal and my team's objective was to really help identify the vulnerabilities. Understand the internet chatter and help the government prioritize where should we be putting our resources. We have done some interesting work as part of the project, and when we came out of the government, we were the team that developed the first RFID fragmented malware. We were the team that developed and enhanced the WannaCry payload, the double Pulser, we were the team that actually developed the BlueKeep exploit, and we were the team that enhanced the net log on. We continue to actually take the research we have done for the United States and really bring it to our customers globally, in the quest to prioritize like an attacker's mindset. So think about this if you look at any NBA or NFL, you always debate between offense versus defense and history tells the teams that take an offense, have the most likely odds to win the game. Go back to the history, the odds are teams that play offense are the ones that are always successful, and coaches really called that strategy for the season and they really go at it. 

Interestingly on cyber, we've been playing defense, we continue to play defense and we're losing right. Every single day, we lose to a ransomware, we lose to an incident, we lose to a breach. I'm not saying we should go attack people, but let's understand what an offense strategy is and then build our defenses. So that's really how we came about, trying to understand the offensive side to help the defense, and it worked really well, that's why we were successful in helping several of our customers. Now coming to Ivanti will only make this even more easier to act and act with pressure, right? We can call the play, we can call the game and clearly say this is what it is, this is the strategy, go do it. We have the confidence. I know it's a long-winded answer Adrian, but that's really where we came from, and we were really confident that given our expertise on what we have done for the United States, and several of our allies, bringing all that wealth of knowledge and data we've been collecting with that patch data Ivanti has been collecting for years. You're talking about two massive data modes coming together. The barrier of entry is very high for other companies to come. They might have the data, but they don't have the knowledge, and if they have the knowledge, they don't have the data. So with this, we have the knowledge, we have the data, we have the know-how and we can really bring all this together and serve the Ivanti ecosystem. Whether it's an OEM play or a channel player or a partner play, or a direct play, the sponsors you've talked about can really partake into these massive data modes we’re bringing together and the expertise and the knowledge we bring to the table.


Adrian: Well Sri, I know long-winded answer, but I liked it. I'm a big sports fan, I like the sports analogy about offense playing defense, and that goes to what you said early on about allowing people to have a proactive response that's going to be a game changer as we move forward. Hey Chris, you've been kind of waiting in the wings, would love your quick thoughts here. We've talked a lot about ransomware, we even talked about ransomware in our very last episode here in Ivanti Insights with our chief security officer, Phil Richard, so it's been a topic of conversation. We've covered a couple of times here, this is a big market as we look ahead to risk-based vulnerability management tools, is it not?


Chris: Yeah, absolutely. So a couple of key things that Sri talks about there we've been dealing with things like vulnerability management for years. But there's over 200,000 known vulnerabilities that have been ID-ed and documented, and out of those, you could be talking tens of thousands of different configuration changes, software updates, and whatnot that you've got to put in place to be able to resolve all of those. Now any operations organization has a lot on their plate. They're being asked to do more with less everyday, so how did they get to the point where they can prioritize better? That's really what the shift is that's coming. So you're going to hear more and more about the term risk-based vulnerability management. This is trying to take just that large pool of massive amount of data and take the expertise of what Srinivas and the RiskSense team has done. And then using our Ivanti patch management technology, even being able to quickly remediate a significant amount of those vulnerabilities that have been I'll use the term again, weaponized. These are vulnerabilities that they're not just textbook, they're not just academic at that point. There's a known work method of being able to take advantage of that in the real world. Things like the principle or vulnerability that is going around right now, the six, zero days that Microsoft resolved last month. All of these, we need to be able to identify what vulnerabilities are… we'll go back to a couple of these terms, are remote code execution, RCE. That's a very important one because that one allows these attackers to get onto systems without much effort whatsoever.  What's trending amongst threat actors. Just like social media, if there's a topic or a specific event or a video that's trending on the web, everybody can find it quick, why can't we do the same with vulnerabilities?  Being able to understand the trends amongst cyber threats and being able to prioritize those things earlier really does a lot. 

Gartner did some research around this back in 2018, back then, this was about an $80 million market. By 2023, Gartner expects this is going to be about a $623 million market, and about 30% of organizations out there will have adopted a risk-based vulnerability strategy by them. According to their research, companies that make this shift and really prioritize based on this type of risk information, this type of analytics can reduce the amount of data breach incidents that their organization is going to face in a year by up to 80%. That's pretty significant when you start thinking about how to optimize day-to-day activities for the operations and security teams.


Adrian: So let me ask you guys this. When we look at mainstream news headlines and we see that the White House has recently released a memo that encouraged organizations to adopt a risk-based assessment strategy to drive patch management and better protect against ransomware. So with that out there, what are the challenges that organizations face today when they don't have a risk-based vulnerability management strategy in place? Sri, want to take that?


Sri: Absolutely Adrian. I mean, we are in the same mess we’re in, right? I hate to say that. Gartner came up with a very interesting perspective, don't try to patch everything. It's their number two project. The first one is work from home, how do you secure the user? I'm pretty sure Ivanti will talk about the zero-trust strategy on how they're doing it, but let's focus on that episode today. It’s risk-based vulnerability management, risk-based patch management. Gardner clearly is telling don't go try to wild ocean, patch everything under the sun. However, focus on the ones that are already weaponized, the vulnerabilities, with weaponization, Chris just defined that. Go one level below and understand the type of exploit. A bullet is not the same, your AK-47 bullet is different from a hand rifle, and is different from your hand grenade, right? It's still a weapon, but each weapon has its own grade, and how much damage it can do. They want you to go down? That's really the labeling I was talking. Then Chris also mentioned trending, is this something actively being used and talked about in the wild and in the dark? And then by the way, finally, is it used by ransomware as part of the delivery mechanism, exploit kits and bad guys. So when you start doing those associations, the technical term is called link analysis, if you can join all these dots, you build an interesting knowledge graph. You can say with precision, this machine on my network has this vulnerability, this is the missing patch, by the way, Ivanti patch manager can apply that patch, if it's related to a patch. In an absence, if it's not related to a patch, if it's a configuration change or a code change, that's what RiskSense will tell you, your zero-trust will come into play and either segment that asset, so you limit the damage or restrict access, so attackers can’t take advantage. Which company can do both? None. Ivanti is the only one, and that's the story here. We become a nice connected tissue, almost a cognitive intelligence. We can tell Ivanti to go patch, we can tell Ivanti to go restrict access until we find a solution to it.

That's really how I look at it. The White House clearly is saying bring a risk-based approach to whatever you do, it's very important. The analysts are saying the same thing. We as worker bees, don't have all the resources, Chris clearly said, do more, work less. So whatever little work you do, focus on the thing that matters, and in this case, what are we trying to do? Shrink the attack surface so an attacker becomes very suffocated. They can't get in, if they can get in, they can't do much, and once they're in, they can't leave either. So we want to make sure first we don't let them in, if they come in, limit them to what they can do and make sure they don't get out.


Adrian: So Chris, you host a monthly webinar here at Ivanti, it's called Patch Tuesday, where we learn about major patches they need to be applied from giants like Microsoft and Adobe, so you're working a lot in that realm. Are you seeing these challenges with organizations, are they trying to patch everything or seeing the challenges, are they fixing the right things, are they addressing the right things at the right time?


Chris: No, there's definitely a challenge in how much they can get to. So a lot of organizations and many of you might relate to some of these, it does your organization go based off of vendor severity only when it's critical. Are we going to put that into our top priority bucket, everything else can wait until later on to be managed.  Does your security team do things off of CVSS score? If it's an 8.0 or above, then it gets prioritized right away. Well, if we take the June patch Tuesday, this had a lot of really good examples. There were six-zero day vulnerabilities resolved last month. Five of those, Microsoft only classified as 'important', and three of those had a CVVS score in the 5.X range. So two of them were 5.2, one of them was 5.4. By the way, the one vulnerability that was rated as critical had a lower CVSS score than one of the ‘importants’. The problem that organizations are getting into is they're trying to whittle down the bucket of what they're prioritizing because the operations team has to go test all this and make sure they're not going to blow up the world by pushing everything out all at once. So they've got to test things, make sure it's working, make sure that systems aren't blowing up. And that's why they're going to prioritize more critical things first and the lower priority things, they'll leave in a pilot group for longer and push those in the next cycle.

The problem with this though is right now, they're doing this with blinders on. Without the type of telemetry, without the type of real risked information of weaponized metadata of what's trending amongst these cyber threats. The algorithms that a vendor like Microsoft uses doesn't take into account if it's already being exploited. It doesn't take into account common weaknesses, it doesn't take into account what's trending amongst threat actors if they know that they've got a weakness in a certain technology area. Started this year, we had about three months' worth of a lot of focus around exchange server, and the threat actors who specialized in that, they didn't let up. It was back to back for about three or so months from zero days to other exploits that were identified and needed to be resolved. That's the type of challenge that organizations face, and so we've got to get better at helping them to prioritize which activities to focus on first and take those blinders off so that they can make sure it's the right set.


Adrian: And that's where RiskSense is going to come into play as we move forward. All right, gentlemen, we have just about reached our self-imposed time limit, so with that I will say is there anything we missed? Sri we’re going to start with you, any final parting pearl of wisdom we didn't hit upon yet?


Sri: Absolutely. We should focus on the first mile and the last mile. Attackers are focusing on the first mile, they're looking at weaknesses consistently being introduced in the code by those big corporations. That's where they're focusing, weaponizing and launching these exploits. Doers should focus on the last mile because you don't have the luxury to define and decide what Microsoft will build, how will they build, but you do have an option. What you will install in your network and how you will take care of it. It’s hygiene, right? You don't create teeth, your parents give you a birth, you got them, but a dentist will tell, once you're born, it's your job to keep the hygiene going. It's not your parents' job. That's exactly what it is. Whatever is being built with, born with, that's what we live with, but we have an option to maintain that hygiene. It's a crude way of telling us we've got to take care of our staff, cyber hygiene is the mantra, we got to focus on that. 


Adrian: Okay Chris, you've talked about hygiene before in some of our previous episodes, would you add anything to Sri comments?


Chris: Yeah, cyber hygiene is very important, you've got to have a good balance of preventative and proactive threat hunting, but that basic cyber hygiene is very important. You can't set up a team to be successful at implementing a solution like EDR and going threatened unless you've mitigated a significant amount of that risk, otherwise they're going to be exhausted. They won't be able to keep up with all of the incidents they're going to have. That's an important part of what risk-based vulnerability management is about. Srinivas touched on the other point. A lot of times, the operations teams think of solutions like vulnerability management, well that's the security team, they're going to do their piece and they're just going to let us know what we need to do. One of the most important things that I think this acquisition brings to Ivanti is to Srinivas’ point, the first mile and the last mile. From one vendor, we're going to be able to help both the security and the operations team and bring that relationship closer together so that they can be much more successful at reducing the risks in organizations.



Adrian: Okay gentlemen, thank you so much again. Sri, a big welcome to you and the crew at RiskSense for joining the Ivanti family today. Chris and I, and others around Ivanti, we'll look forward to working with you as we move ahead. So folks that's about all the time we have for today, until next time, stay safe, be secure and keep smiling.