Virtual Event Recap: Forrester Total Economic Impact of Ivanti Security Solutions
In early October, Ivanti hosted its first ever virtual event: The IT Leadership Summit, or #ITLS18 for social media. There were a total of 30 presenters, including Forrester analysts, product marketing managers, director-level IT professionals, and executives.
Here is the video and transcript from the Forrester TEI Keynote, featuring:
- Sean McCormick, Senior TEI Consultant
- Chris Sherman, Senior Analyst
Sean McCormick: Thank you for joining today's webinar on "The Total Economic Impact of Ivanti Security Solutions." My name is Sean McCormick. I'm a Senior Consultant on Forrester's Total Economic Impact Team, as well as the author of the recent TEI study published on Ivanti Security Solutions. I'm joined here today by my colleague, Chris Sherman. Chris is a senior analyst on the Forrester Security and Risk Team and focuses his research on helping security and risk professionals make strategic decisions regarding endpoint security and data privacy.
Today, we will start by having Chris give you an introduction to the market trends in the endpoint security and risk space. Then, I will provide an overview of what TEI is. Afterwards, I will walk through the results of the Total Economic Impact Study on Ivanti Security Solutions.
So, now I'd like to turn it over to Chris to provide a market overview.
Chris Sherman: Thanks, Sean. So organizations will frequently come to Forrester worried that their endpoints are getting targeted more and more. And survey data backs us up. User endpoints such as employee-owned devices, corporate-owned devices, and mobile devices together make up the asset type that's most often targeted in external attacks. And also, while mobile is definitely on the lower end in terms of incidents, it's been steadily increasing over the years. And almost one in five external breaches today involve a smartphone or a tablet. And the specific threats are attracting more attention to endpoint security stacks than ever.
Now, where mobile malware and traditional malware still, you know, cause concern, the more pressing concern for our clients is the fact that many broad attacks that once used only file-based malware are now looking more like targeted attacks and they'll use fileless malware, user exploitation, credential theft, etc. Overall, we see over half of all attacks, both targeted and broad, you know, leveraging only fileless attack techniques now, living off the land, so to speak, by using trusted applications like PowerShell, Exec or WMI to accomplish their goals. Of course, targeted attacks are also a major concern, you know, especially since their incidence has been increasing over time. And, you know, other threats such as ransomware or network attacks can also easily lead to data loss or expensive remediation cycles.
So what are organizations doing today to protect themselves from endpoint attacks? Well, for most, investing in new technologies seems to be the answer. But, you know, it's not always clear where their money should be invested. For years, we had, you know, blacklisting-based AV giving the best solution available, but clearly, this doesn't work today against modern malware. You know, there's been a lot of talk about, you know, building out more advanced detection capabilities, but this requires equally advanced security staff in most cases. And just to add to the confusion, the number of options are increasing.
Now, I've listed the top endpoint security technology buckets that we track in our annual security survey of over 3,000 buyers annually here in the slide. And you have traditional blacklisting-based AV, endpoint detection and response or, you know, app whitelisting and privilege management containers on the app control bucket, isolation technologies like sandboxing, and of course, patch management. And there are many more. But, you know, as the commodity malware threats, you know, around the world get more advanced, more companies are now looking for better ways to improve their stance against modern adversaries.
You know, many organizations that I speak with, you know, don't feel that they are really protected against, you know, any adversary that goes beyond a known malware. And this decrease in efficacy over time, you know, probably explains the 10% decrease we see year-over-year in the blacklisting-based AV. But with all the focus today given to detection, you know, prevention must not be forgotten. Now, for example, considering the number of vulnerabilities doubled from around 6,500 in 2016 to over 14,000 in 2017, you know, we would expect a greater increase in patch management adoption over the same time period. But as you can see, this hasn't really been the case. And with so many options on the market, you know, the bottom line is that it's easy to forget the fundamentals.
And this confusion has led to the number of total endpoint security agents to balloon for most organizations. Now where we once saw, you know, just maybe a couple different solutions on installing endpoint, today, the average enterprise deals with over six endpoint security agents per endpoint. And this has led to inefficiencies and a lot of just internal friction, especially when trying to build detection into the mix. And oftentimes, these tools require very different skill sets. And oftentimes, there is overlap in terms of the attack vectors addressed.
But how are successful organizations addressing these gaps today? Well, as I mentioned, you know, we see many organizations neglecting the fundamentals, right? The bottom line is successful organizations won't leave their doors wide open by focusing on the latest security buzzword and neglecting the basics. Ideally, you want to increase the amount of work for the attacker trying to get access to your sensitive data first and foremost through prevention technologies. At a minimum, it's clear you need to focus first on reducing that attack surface. And this involves keeping, you know, your endpoint operating system and applications up to date. Prevention eliminates vulnerabilities and noise essentially. Patching the most critical vulnerabilities first can help lower the amount of time, you know, these organizations spend on detection and response cycles. You wanna prioritize your patches ideally based on the risk posed by the associated vulnerabilities.
And furthermore, if you can prevent interaction, you know, such as stopping a known bad executable through blacklisting or another approach, you know, why not? But remember to go beyond just file-based malware and look for solutions that prevent known bad behaviors, you know, especially in the case of ransomware. So ultimately, if you can use prevention technologies and strategies to eliminate 80% of the attacks against your organization, you can focus your staff's time on the attackers that have the motivation and the capability to do your company the greatest harm.
And there are a number of benefits that Forrester clients find to such an approach. You know, many of these prevention-focused tools don't require prior knowledge, you know, of the tools or techniques used by the attacker. And as such, offer superior zero-day malware and exploit protection. Prevention measures such as application privilege management allow you to reduce your attack surface to a more manageable level and limit the number of applications that you need to deal with in the first place. And this ultimately reduces the burden on your team and gives you a better posture in which you can detect new and ongoing attacks. You wanna create a scenario where you ideally have controls in place to prevent both the known and unknown malware and exploits, as well as preventing the known bad actions potentially, you know, taken by exploitive processes or malicious executables.
By implementing effective prevention technologies, again, you ideally reduce your overall exposure, you know, your zero-day malware and exploits, both of which are especially difficult to protect against with tools focused on detecting the known bad. Ideally, your goal should be to reduce the noise seen in subsequent detection layers. And in the end, you wanna strive for this balance between prevention, detection, and response or remediation. Focusing only on new products, you know, such as EDR or forensics tools will only create more work with little added value if you aren't doing these easy kills through threat prevention. Ultimately, we see the most mature security practices balancing prevention, detection, and response actions to ideally achieve a continuous cycle where one feeds into the next.
So to back up this point of view, we worked with Ivanti to quantify exactly how much time, effort, and ultimately, money can be saved through such an approach, using our TEI methodology. At this point, I will pass the ball to my colleague, Sean, who will explain the TEI study and its outcome. Sean?
Sean McCormick: Thank you, Chris. That was great. So let's move into discussing what Total Economic Impact is and why it's important to understanding the value of Ivanti Security Solutions. TEI is a methodology that we use at Forrester to articulate and justify the value of a technology investment. Why is this important? Well, we surveyed 825 IT decision-makers and asked them if they see value in developing a business case for their technology investments. Over 90% agreed that it was important. Now, the next question then becomes, why TEI? Well, TCO or Total Cost of Ownership helps to articulate the value of only cost and cost savings. ROI incorporates the business impact of technology investments, including benefits. But TEI takes it a step further by incorporating the risk and uncertainty as well as the strategic impact through flexibility and options.
Now, total economic impact consists of four components: benefits or the added revenue and business benefits an organization experiences. Costs, those are essentially the upfront and ongoing costs of adopting the technology. Flexibility helps to incorporate the strategic value of future investments enabled by the original investment. And then lastly, across all three variables, we adjust for the riskiness and uncertainty of that investment.
So for this study with Ivanti Security Solutions, we took a multistep approach. First, we did our due diligence, speaking to Forrester's internal experts and Ivanti subject matter experts to learn about the value proposition of their security solution. Then, we went out and interviewed four Ivanti Security Solutions customers who have been utilizing their service for multiple years. From those interviews, we were able to create a financial model and write up a case study, which is published on Ivanti's website. And I would encourage you to go there and download a copy to read for yourself.
So a few disclosures before we review the results of the study. This study was commissioned by Ivanti and the interviewed customers were provided by Ivanti. Forrester does not endorse Ivanti or its products.
Now, let's get to the results. Ivanti provides security solutions to help its customers reduce the risk of ransomware, malware, and other cybersecurity threats from infiltrating endpoints. The security solutions include automated patching for both the operating system and third-party applications, device control, application control, privilege management. Also included is Xtraction, which is an IT reporting dashboard, and hardware and software discoveries, as well as inventory.
So, prior to using Ivanti, the customers were typically behind on their third-party patches, leaving them susceptible to ransomware and other threats. Some customers attempted to manually patch, but quickly realized that they had no controls to enforce updates across end points. And these limitations led to an inconsistent patching. In addition, these customers had ever-expanding application catalogues and they lacked the visibility into the freeware or other applications that were being installed by users on the workstations across the organization. And so this left customers quite vulnerable to cyberattacks. However, with Ivanti security solutions, these same customers were able to reduce the size of their application catalogue by whitelisting applications and ensuring all of the third-party applications and operating systems were up to date with the latest security patches. Customers now had visibility into all the endpoints and could produce compliance reports quickly for auditors while also ensuring a much higher degree of security across their organization.
So in our TEI analysis, we identified a 3-year present value return on investment of 176%, a net present value of $2.3 million, as well as a payback period of 7 months after implementation was complete.
Now, naturally, you want to know how we came up with those numbers. Well, first, we interviewed four Ivanti Security Solutions customers. These companies represented a variety of different industries that range in size from $1 billion in revenue and 5,000 employees to over $10 billion in revenue and 10,000-plus employees. The number of endpoints also varied between 17,000 up to 45,000, including both workstations and servers.
Before purchasing Ivanti, the interviewed companies reported manual processes that made it difficult and cumbersome to update all operating systems and third-party applications. Two of the interviewed companies didn't have a way to enforce updates across all endpoints, which made it difficult to keep up to date with the latest patches released like third-party applications and operating systems. In some cases, they found themselves multiple incidences behind the current patch version. In addition, alternative solutions were not meeting the needs of the customers we spoke to. And so, companies utilized point solutions that were ineffective and in one case, didn't even work at all. The interviewee that we talked to said when they implemented their previous solution, they had issues right from the start. One example was the detection logic wasn't finding the correct number of vulnerable endpoints. And so they told us that their previous solution, as ineffective as it was, was also more expensive than Ivanti.
Strategically, organizations had a need to adopt more consistent cyber security practices, including patching and application control. And one interviewed organization developed a cyber security strategy adopting the Australian Signals Directorate's Essential Eight recommendations for securing enterprises. Now, this list included application whitelisting, patching applications, patching operating systems, and privilege management, all of which they were able to obtain through Ivanti.
Now, as these companies searched for a solution, they knew it needed to include automated patching, additional security features beyond just the patching or the patch management. And then, they also knew that they wanted to be able to proactively meet auditors' needs. So with Ivanti, they were able to reduce the risk of cybersecurity threats by 40%, they were able to improve productivity through their automated patching, and then, also saved time and money on compliance reporting. And all the while, protecting users from themselves using Ivanti's privilege management solution.
Now, I always think it's a good idea to hear some of the impacts Ivanti has had directly from the customer. So an associate director of infrastructure security told us had they not patched, they most likely would have had a breach or incident with WannaCry. Furthermore, they said they deploy 6 million patches across all of their endpoints each year in multiple languages and they only need 5 people to support all 50,000 devices. But without automated patching with Ivanti, they would need 25 people to do the same work. And that's an incredible savings being able to reduce the workload by 5X, so quite a benefit that this organization was getting.
So based on the interviewed companies, Forrester constructed a composite company and calculated the associated ROI for that composite organization. The composite organization is representative of four companies that Forrester interviewed and it's used to present the aggregated financial analysis in the next section. And to describe this organization, it's a multinational financial service and insurance company with annual revenues of $7.5 billion. And they have 10,000 employees working across numerous locations around the world. And the organization has a strong brand. They are a strong brand in global operations presence and a very large customer base. And also a strong online and offline presence. Now, from a technical perspective, the company has 5,000 servers and 10,000 workstations that require constant updates and attention in order to protect customer data and maintain compliance with financial regulations across the globe. They purchased Ivanti endpoint security and endpoint manager along with endpoint manager including application control and Xtraction reporting.
In our study, we found three benefit categories to quantify: improved productivity in patching and reporting, which resulted in roughly $833,000 of value. Cyber security risk reduction, which resulted in a cost avoidance of $585,000. And legacy software cost avoidance, which saved $2.1 million for the composite organization over 3 years. Now, let's take a deeper look at each of these benefits.
One of the most basic yet critical aspects of a cybersecurity strategy is patching. Seemingly easy enough, ensuring that all systems, including third-party applications are up-to-date with the last patches can be quite time consuming and difficult for organizations without the right tools. Prior to adopting Ivanti, patching was a manual process that consumed a considerable amount of time and resources. Adopting Ivanti Security Solutions helped reduce the number of resources required to support patching activities. And before Ivanti, teams would not be able to schedule patches and reboots as the process for patching would be tediously manual. Instead, they would have to push out patches to small subsets, monitor for issues, then decide whether or not it was safe to push out to the entire organization. And of course, with Ivanti, patching could be automated. For instance, deployment groups and profiles would be set up. An example might be a file server or print server. And then, each one of these groups would be assigned a different frequency of patching. This helped reduce the amount of upfront workload required to identify and schedule patches. Additionally, once these were set up, vulnerability assessments could be run to identify any systems that needed to be incorporated into the patching group or profile.
Now, it's also important to note that ad hoc patching is also available for specific issues that arise. You know, the ability to pull back patches that may cause issues might be an example of that. So overall, the automated patching capability reduced the amount of resources required to complete patching activities by two-thirds.
Now, from a reporting perspective, Ivanti Xtraction reporting can be leveraged to streamline compliance reporting and improve visibility in the cyber security matrix. Xtraction dashboards, which are part of the Ivanti endpoint security solution, are the reporting solution that helps provide compliance metrics, software licensing information, and other cybersecurity metrics. Interviewees stated that Ivanti reporting helped them reduce the time it took to meet their auditors' needs, saying that with Xtraction, dashboards could be set up and used to track compliance metrics. Then, when it came time for the compliance audit, these reports could be emailed to the auditor very easily. Now, the overall time savings in the audit process was right around 75%.
So overall, for the composite organization, these efficiencies saved nearly $833,000 over 3 years. Now, a primary need for all the interviewed organizations was to improve their cybersecurity. With ransomware and other threats on the rise, it became increasingly important for these organizations to act. And having Ivanti endpoint security solutions address the first five controls and more for that matter, of the Center for Internet Security's critical security control list. And so, in addition to improving their overall cyber security, companies were able to reduce the number of minor incidents requiring helpdesk support and reimaging. Now, one interviewee said that by limiting the software that could be installed from random places across the internet, they were able to reduce the amount of reimages from five per week down to zero. Now, that's quite a bit of savings and quite a bit of time savings for those teams. But for our composite organization, Ivanti reduced the risk of a large incident occurring by 40%. Now, this meant that they were able to avoid the potential cost of about $235,000 per year or on a risk adjusted 3-year present value basis, the cost avoidance was $585,000.
Now, prior to adopting Ivanti endpoint security solutions, the interviewed organization had deployed other patching solutions that lacked automation capabilities or didn't function as expected. Now, these legacy solutions were soon retired once Ivanti was deployed. That saved the interviewed companies an average of about 30% to 50% in license and support costs each year. Now, assuming that the average software solution cost per management server and per endpoint was, you know, about $1,000 per management server and $42 per endpoint, the composite organization was able to save over $850,000 per year, which equated to $2.1 million over 3 years on a risk adjusted basis.
Now, additional benefits were reported by the interviewed organizations that were either qualitative in nature or were not quantified due to limited information and limited supporting data. Now, these unquantified benefits included improved customer experience with security risk reduction and they also included improved overall security through Ivanti partnerships. Now, with those Ivanti partnerships, what we found was that having a strong cybersecurity strategy can sometimes require organizations to work with other companies outside of Ivanti. And in these cases, Ivanti offers a partnership network and will suggest partners that can fill that need. Now, one customer we spoke to said that Ivanti is a huge part of their security posture and they bring other solutions they don't own through their partner program, helping to meet all of their cybersecurity needs. So this means that Ivanti has become more of a partner to them from a cyber security perspective, helping them to obtain the needs and fill the gaps that they have, which is a huge value for any organization.
Now, the cost savings provided by retiring legacy solutions was partially offset by the license and support cost for Ivanti endpoint security solutions. Now, with Ivanti, license costs are calculated based on the number of endpoints, you know, including workstations and servers. And the license and support costs were assessed annually and really depended on the number of servers and workstations licenses as well as the products purchased from Ivanti. But for our composite organization, what we assumed, they had 5,000 servers and 10,000 workstations for a total of 15,000 endpoints or nodes. And the upfront cost for Ivanti was about $602,000, with annual ongoing costs of about $239,000 for maintenance fees and content subscription. Now there were some additional upfront costs incurred for implementation and training. And that cost equated to about $85,000 during the deployments.
So, with all those factors considered, the results demonstrated a 176% return on investment, a $2.3 million net present value over 3 years, and a payback period of 7 months after deployment. And that is the total economic impact of Ivanti Security Solutions.
So I want to thank you for taking the time to learn about the TEI of Ivanti Security Solutions. If you have any questions, we urge you to reach out to an Ivanti representative for further information.