With the rapid shift to remote work, many organisations have been forced to understand how to manage and secure infrastructure that ‘transcends traditional boundaries’. Chris Goettl, Senior Director, Product Management for Security, Ivanti, talks us through the challenges CISOs are facing right now, introduces us to Ivanti Neurons and highlights how it is helping security teams.
How would you describe the threat landscape right now?
Change brings opportunity. For threat actors it is a way of life. Changes in technology allow threat actors to defeat security measures that were effective previously. Changes to our environments increase the potential for something to be misconfigured outside of IT oversight. Changes in code by a vendor to resolve a security vulnerability provide an opportunity to reverse engineer those changes and exploit it. Most recently, the rapid shift to remote work changed our IT infrastructure drastically and many organisations are still figuring out how to manage infrastructure that transcends traditional boundaries.
Ransomware started as a random spread of malware through phishing and other means to try and ransom individual systems for a three to four-digit payout. In 2016 we saw a large-scale targeted ransomware attack that increased its ransom demand. SamSam was averaging US$50k payouts by conducting a more hands-on attack while simultaneously ransoming organisations’ critical infrastructure. In 2019 there was a drastic increase in average ransoms due to another tactical change: ransomware was now paired with data exfiltration. Sodinokibi and Ryuk, who have perfected this combination attack, quickly rose through the ranks of ransomware families. As a result, the average ransom paid had gone from >US$9,000 to US$111,605 by the end of Q1 2020.
Beneath these attacks, the same security controls are being exploited. A user is phished, a vulnerability is exploited, or a credential is stolen to gain access. Once in, the threat actors use automated and manual means to move about the environment, find and exfiltrate sensitive data, and execute the ransomware attack.
What key challenges are CISOs currently facing?
CISOs are faced with significant challenges. Pre-COVID-19 challenges are now compounded by the pandemic. Depending on your industry, you are either worried about remote workers and how to balance security initiatives with Business Continuity or you are deep into physical security and safety concerns if remote work is not an option. Most organisations’ remote workers prior to the pandemic were managed acceptably through a VPN and other tools. With most users now working remotely, tools may be stretched to meet demands and security requirements. Many CISOs have had to make hard decisions around prioritising Business Continuity over security in the short term.
How have your customer requirements changed and how have you adapted?
Customer requirements have definitely changed due to COVID-19. Prior to the pandemic, only a small number of remote workers needed support. A good example of this is Microsoft System Center Configuration Manager (SCCM) customers and the push to Intune. Ivanti has a third-party updates plug-in for SCCM that allows a company to easily publish hundreds of non-Microsoft application titles into SCCM quickly and easily. This saves companies an average of two to four hours of effort to package and test third-party updates as they release.
Prior to COVID-19, companies asked if there were plans to support Microsoft Intune with our third-party updates solution, but it was not yet a requirement. Most were either evaluating or in early planning phases and had not yet rolled out. Since COVID-19 this has become a common question and requirement, so it was fortuitous we already had a release planned for November 2020 to deliver Intune support.
This same pattern plays out across many IT solutions. Ivanti’s proprietary patch solutions already had the ability to support remote users so what was previously ‘nice-to-have’ became ‘essential’.
Other capabilities like Remote Control, Discovery and many other IT tools used daily suddenly needed to shift off premise in their coverage. The Ivanti Neurons launch delivers on many of these needs. IT can no longer rely on a user to be on network or to be connected to a VPN to receive support. They need solutions that transcend the network and VPN, providing seamless support for their customers.
Tell us about Ivanti Neurons – how is the technology helping security teams?
Ivanti Neurons provides IT organisations with the capabilities they need to evolve. Many of the challenges we face today arguably have been solved in some way. What IT organisations need now is a means to solve problems at scale, while transcending the traditional network boundaries and with the ability to shift left.
Ivanti Neurons for Discovery: Know what’s on your network, make sense of your asset data and expand visibility. Ensuring there are no gaps or unmanaged devices is critical to securing your environment’s attack surface. Continuous discovery is essential to achieve better security. Finance and IT need to know how many assets they are managing, software inventory and usage. IT needs to ensure it is controlling change throughout the environment to facilitate Business Continuity. Ivanti Neurons for Discovery provides active and passive discovery capabilities, and connectors to multiple data sources, to achieve device and software reconciliation projects in days rather than months.
Ivanti Neurons Workspace: Provides a shift-left approach so first-line analysts can provide a better user experience to your customers. Ivanti Neurons Workspace brings the tools your analysts need to achieve a 360-degree view of devices, users, applications and services with real-time data. The automation capabilities and customisable actions allow your first-line analysts to take on actions previously escalated to specialists by taking advantage of powerful diagnostic and remediation capabilities.
Ivanti Neurons for Healing: Hyper-automation transforms your enterprise. Ivanti Neurons for Healing provides always-on automation-powered bots that detect and resolve issues. Self-healing endpoints and edge devices help optimise device performance, health and security throughout your environment. Automation bots can detect configuration drift or performance issues and resolve them before a user even becomes aware of them.
To what extent will the future of cybersecurity be hyper-automation?
Threat actors retain the upper hand. They only need to find one weakness while we need to defend against everything. Budgets are constrained, resources are limited and skill sets may be spread thin in the security space. Hyper-automation is the key to scaling our activities. With the same number of resources, we need to configure and set in motion security capabilities designed to make intuitive decisions quickly, drive awareness and anticipate rather than respond reactively to threats. Too often the tools to detect a vulnerability are different from those used to prioritise the risks of one vulnerability versus another, and, most importantly, the remediation of those vulnerabilities poses the greatest risk to our environment.
Any advice for CISOs looking to improve their security posture?
Don’t let a good crisis go to waste. Executives are tuned into IT security issues right now. Use this opportunity not to ask for money, but as a means to educate and drive awareness to the C-suite and the board. This can drive cultural changes in an organisation to help others think about security issues and facilitate change.