Ivanti Blog: Posts by

A Question of When vs If: The Need for Your Security Incident Management Plan

Wed, 08 Sep 2021 22:11:07 Z

Should all incidents be treated the same? Seems like a simple question, but the answer can have big implications.

Think about an employee who contacts the service desk, complaining they can’t log onto their email. If the issue is due to a ‘stale’ password, dropped connection or configuration issue after an update for the email server, then the impact on the organization can be quantified to the lost productivity for the impacted employee or employees. But if the outage is due to some malicious activity and the email outage is the first indicator of a larger security breach potentially affecting more mission critical applications, data or infrastructure, then the impact to the organization can be very far reaching.

The Service Desk as IT’s Front Line for Security Incident Responses

For most service management teams, incident management is focused on resolving incidents quickly and getting employees back up and running again. That practice works for most incidents, but as with the above security breech example, security-related incidents should be handled differently because of the higher potential risks and impacts. Even with dedicated security teams, the service desk will be IT’s face to the organization’s employees and the front line when a security incident occurs, so it needs to be an integral part of a coordinated response. Throw in the fact that service teams often act as the hub for communication and coordination during major incidents and the case becomes even stronger.

Since the worst time to plan for how to deal with a major security incident is in the middle of one, service teams need to proactively plan and prepare for how to handle security incidents. Otherwise, as one IT director said, “You’re trying to build the airplane while on final approach.” Given the increasing frequency and threat of security-related attacks, for most organizations it’s a question of “when” the next major security incident will occur, versus the question of “if.”

Your Security Incident Management Plan

One suggestion for service teams developing their Security Incident Management (SIM) plan is to do so in coordination with not just other IT teams, but ideally also with other departments that may potentially need to be involved. Why? Because a major security incident may have business impacts well beyond the scope of the immediate IT issues, such as legal responsibilities, privacy risks, and governance questions. That’s not to say everyone should be involved with each security incident, but a response plan should be comprehensive in dealing with and mitigating risks from a wide range of potential impacts.

When you start developing your SIM plan with your extended team, define the roles and responsibilities for involved team members. Think about leveraging models like RACI (Responsible, Accountable, Consulted, Informed) to help map out these roles and responsibilities based on type and scope of security incidents. Find and agree on the touch points for each team, not just for the Security team. Don’t wait until a breach occurs to determine who needs to approve specific actions; make it part of your SIM plan, along with response times and alternative approvers so requests don’t “hang” during critical moments and are instead automatically routed for timely approvals.

Also think about what data and information you need to capture during an incident. This can help in the moment when trying to figure out the incident scope and response, but also afterwards when things settle down and you’d like to evaluate and improve your response.

Similar to pilots preparing for a flight, one tactic IT teams use are checklists for what needs to be done, including for operational tasks like isolation, shutdown, recovery, and testing for different types of services, applications, devices, assets, and CIs. They also leverage automation tools as much as possible to remove as many manual steps, checks, notices, and approvals as they can, reducing the risk of things “falling through the cracks” when in the middle of a security response, as well as ensure additional levels of governance.

Once you complete your SIM plan, train and regularly practice the plan with your staff. Train them to quickly identify and confirm possible security incidents. Use practice runs to check the thoroughness and effectiveness of your procedures, including mitigation and recovery, looking for areas to improve.

SIMilar Position as Your Disaster Recovery Plan

One IT directory thinks of their SIM plan similar to their Disaster Recovery (DR) plan—"it’s good to have it ready but you hope you don’t need to use it.” But should you encounter a major security incident and need to activate your SIM plan, be sure to invest time soon after the incident to determine how you would improve your response. Plan to review the incident before memories fade, and gather the data and information collected during the incident.

During a review with the response team, investigate and determine the background for the incident. Answer the “news reporter’s” questions of “Who, What, When, Where, How and Why” for the incident. Keep in mind some of the answers and information may be needed for future legal proceedings.

Also evaluate your organization’s overall response. Analyze and grade how quickly threat identification, mitigation, and recovery happened. Gauge the effectiveness of current defenses and training, look for areas to improve, and apply lessons learned to be better prepared for the next threat.

For major incidents, prepare a report for the executive team along the lines of an “After Action” report used in the military. Summarize some of the key findings from your review, including an analysis of the speed and effectiveness of the response. Don’t forget to include possible financial and legal implications your extended team can provide.

Sample Questions to Begin Your Post-Incident Review

Here are some sample questions you may want to consider asking in your review. There are more questions you may have, but these are meant to help you get started as you work to improve your response to security incidents:

What type of incident was it?
How was the incident first detected?
Was the severity initially gauged correctly?
How well did the response plan work? Any steps not followed? What steps helped? What steps didn’t help?
Was response leadership clear? Was it effective and timely? Does anything need to change?
Any data or insights that could have helped?
How well did the security infrastructure work? Are there improvement opportunities in vulnerability management?
Was communication among teams effective and timely? What worked well? What didn’t work well?
Any other teams who should have been included? At what stage?
What could be improved to handle the next incident? For all types of possible security threats?

Forewarned is Forearmed

Security breaches and incidents, or at least attempted ones, are bound to occur given today’s changing threat landscape. But being forewarned is forearmed. IT service teams—along with the rest of IT and the larger organization—can be better protected and prepared, with well-documented plans for a coordinated team that’s ready to respond to and mitigate the risks from future security incidents.

Just Released: 2020 Gartner Magic Quadrant for ITSM Tools Recognizes Ivanti a Leader

Mon, 12 Oct 2020 20:13:40 Z

We’re in the early autumn season here in the northern hemisphere, with the weather getting cooler and the nights longer. That growing chill in the evenings encourages staying inside and reading by a fire for enjoyment and enlightenment. But even if you’re an early planner who already has their fall reading list mapped out, there’s one key report you should move to the top: the new 2020 Gartner Magic Quadrant for IT Service Management Tools, just published and ready for you to view.

If the Gartner Magic Quadrant report is new to you, here’s a quick overview. Gartner analyzes the top vendors in the ITSM market every year and evaluates each vendor on its ability to execute and the completeness of its vision. It’s important to note the Magic Quadrant is not a direct evaluation of individual tools but is a helpful resource and starting point to help IT organizations identify possible solutions.

Get started today by reading the Magic Quadrant for ITSM report for Gartner’s analysis of the top vendors in the IT service management marketplace, including Gartner’s:

Overview and vision of the ITSM landscape
Strengths and weaknesses of each vendor
Guidance when seeking an ITSM solution

Check out the visual summary of the 2020 Gartner Magic Quadrant for ITSM 2020:

Ivanti on the Gartner Magic Quadrant

We at Ivanti are excited to be named a new leader in this year’s report! Our team is proud of the progress we’ve achieved in this year’s Magic Quadrant report, continuing our multi-year run of improving our Magic Quadrant position. But we’re most proud of the benefits we’ve helped our customers realize as they use Ivanti solutions to automate and improve their service delivery, business outcomes, and user experiences. Our modular design and cloud-optimized system have made it easier for teams to select and deploy the functionality they need now and in the future.

Over the past year since the last Magic Quadrant report, we’ve released several notable enhancements to make life easier for IT service management teams by speeding resolutions and helping them discover, optimize, and secure IT assets. These enhancements include our always-on, automation-powered Ivanti Neurons for Healing bots; automated diagnostic and specialist-level remediation workflows; Virtual Support Agents; automated phone interactions; and integrations to thousands of cloud-based applications. And we’ll continue building on our vision for modern ITSM that delivers better user experiences and business outcomes.

Nayaki Nayyar, Ivanti Executive Vice President and Chief Product Officer, recently commented:

“In our view, to be named a Leader in the Magic Quadrant for ITSM Tools is a significant milestone in Ivanti’s history and a true testament to the execution of our product vision and strategy. Ivanti is transforming IT service management with the Ivanti Neurons platform that enables organizations to autonomously discover, heal, secure, and service from cloud to edge with automation bots, as organizations try to address the explosive growth of devices, data, and remote workers.”

We see the Gartner Magic Quadrant report as a trusted resource to help IT leaders select tools to meet their specific needs. We invite you to access the full report and see what Gartner has to say about the ITSM market and its top vendors.

Ivanti Neurons Workspace: Deliver Faster Resolutions Without Disrupting Your Customers

Tue, 18 Aug 2020 10:44:04 Z

When was the last time an IT conversation reminded you of the movie “Casablanca”? That happened to me recently when I was talking with another IT professional about Ivanti Neurons. We discussed how Ivanti Neurons will make life easier for IT by delivering more self-servicing, self-healing and self-securing experiences. He agreed Ivanti Neurons would be a big help reducing incidents but then said, “We’ll always have tickets.” Ok, maybe this isn’t on the same level as “We’ll always have Paris” but cue the Casablanca flashback.

He was correct, of course. End users will still have issues IT will need to resolve. But add rising expectations for better customer-service experiences, ideally resolving incidents without any disruption or escalation delays, and the demands on the first-line team keeps growing.

Helping the first-line team do more on their own is one outcome Ivanti Neurons Workspace delivers. IT teams using Ivanti Neurons Workspace are finding it’s helping them become more efficient and effective, and greatly reduce escalations by safely providing first-line teams with the required tools for more first-call resolutions, using automated tasks pre-defined by specialists, so they can resolve incidents faster and easier, and deliver great experiences to end users.

Ivanti Neurons Workspace augments IT teams by providing—in a ‘single pane of glass’—the real-time device and end-user insights provided by Ivanti Neurons for Edge Intelligence, with automation-powered bots for pre-defined actions, and also full remote control functionality for those times when IT just needs to reach out and take control.

Offering examples always helps me understand a new solution. Let me share a few where Ivanti Neurons Workspace has delivered better IT outcomes and end-user experiences.

“I was misinformed”

How often does your team start working an incident by asking the end user a bunch of questions to figure out what’s going on? Often the end user may not know the answers, or your analyst must guide them through the steps, especially now since ‘just stopping by’ isn’t an option these days. Or your analyst needs to use several tools to discover what’s going on, and you have a recipe for an engagement that may take a while before the end user is back to work and the analyst can move onto other tasks.

The ‘After’ picture with Ivanti Neurons Workspace is much easier. First-line analysts have immediate access to key IT information on users and their devices, such as:

All associated devices for the user
Device state, including running processes and services
Active Directory status
Group memberships
Incident history by user or device
Installed software, applications, and patches
Network status
Application connectivity

All this information and more is presented to an analyst in one screen, sometimes faster than if the analyst had the device in front of them. Add in the ability to ‘drill down’ into specific attributes, all without bothering or asking the end user to do anything. Your analysts will be a big step ahead in figuring out what’s going on and understanding the end user’s experience.

“Round up the usual suspects”

Quick insight is the first step to resolving incidents. Most incidents aren’t unique, so there are likely common actions a specialist could take to resolve incidents and requests. Ivanti Neurons Workspace safely provides many of these specialist-level actions to the first-line analyst within the context of an incident without providing full access. Such actions include:

Resetting passwords
Unlocking accounts
Changing or assigning group memberships
Flushing the DNS
Updating drivers
Stopping processes and services

These actions employ the same automation engine as used with Ivanti Neurons for Healing so the underlying workflows can likewise be updated, extended, or created anew to provide more automated actions to augment first-line analysts. If an incident isn’t one the first-line analyst can resolve, it can be escalated to a specialist with all the actions and diagnostic information logged.

One example is repairing a device encountering too many crashes or BSOD (Blue Screen of Death). Okay, one crash may be too many, but several is obviously too many. Either way, having the BSOD dump files helps IT diagnose the cause. A workflow in Ivanti Neurons Workspace could reach out to the device, get the needed files, compress them, and send them in an email to IT, all without bothering the end user or doing a remote session. The end user keeps on working while IT analyzes the dump files.

“Play it, Sam”

The extensibility of Ivanti Neurons Workspace means IT teams will be able to automate more and more diagnostic and remediation activities and make them more easily and safely available to first-line analysts. Your specialists can develop the automated actions the first-line team needs to resolve more issues on their own, turning escalations into first-call resolutions.

And with fewer escalations, specialists will have more time to conduct other investigations and innovations. Take the earlier BSOD example. Specialists could use Ivanti Neurons to see if other similar devices are having too many BSODs, identify those devices, analyze their dump files (again, without bothering end users), and see if there’s a common cause, like a device driver that needs updating. Oh, and that driver update? That can be automated with Ivanti Neurons Workspace as well.

“I think this is the beginning of a beautiful friendship”

Ivanti Neurons Workspace, along with the rest of the Ivanti Neurons solutions, promises to make IT more efficient and effective. Some IT teams are already seeing results such as:

Deeper device and user insight in real time
Faster issue resolutions
Fewer escalations
Quicker identification of problem trends
Greater security compliance

And delivering more “Shift Left” outcomes and exceptional user experiences.

Learn more and see Ivanti Neurons Workspace in action here. Hopefully it’ll be the beginning of a beautiful friendship.