Frustrated with vulnerability assessments you must put your blood, sweat, and tears into acting on?

January 16, 2018

Amber Boehm | Manager, Product Marketing | Ivanti

Chris Goettl | Director, Product Management, Security | Ivanti

Continuous vulnerability assessment and remediation should be part of every organization’s security practices. If only the time and manual work involved in that period between identifying a vulnerability and deploying a software update wasn’t such a drain on IT teams. Each time Security hands off a vulnerability report, it can take IT hours of research to identify how to resolve it. And that’s time an attacker can use to gain a foothold in the organization and access to sensitive data. Want a better way? Join us to learn how Ivanti has teamed with vulnerability vendors to drive down time, cost, and consequences by integrating vulnerability scanning and patch management and automating the holistic solution.

Transcript:

Amber: Hello to everyone with us. Thanks for joining. I'd like to welcome you to our security webinar on bridging the gap between security and IT operations. Chris Goettl, Director of Product Management for Security at Ivanti, will be talking about how we make it easier for Security and IT to work together to deliver effectively on their goals, which would be keeping the business secure and employees productive. Specifically, he'll be talking about closing that gap between when Security hands off the Vulnerability Report and when IT is able to resolve the vulnerabilities detailed in that report. 
 
He'll also take you through a demo of how Ivanti integrates patch management with solutions from vulnerability vendors to drive that time to resolution down and help you protect your organization quickly. We will leave time for questions at the end of the webinar, so please do submit those at any time via the Q&A field. Thank you and let's get started. Chris, it's over to you. 
 
Chris: Thanks, Amber. Okay. So one of the things that is a common challenge that I hear about a lot is the handoffs between Security and Operations. There's a lot of times where these two teams struggle to, you know, make sure to get a good handoff. There's a lot of times there's back and forths. And we wanted to talk about those challenges today, and talk about some ways to overcome those challenges and smooth over the process of resolving vulnerabilities cleanly. 
 
So, you know, in looking at the end of last year, there was a Zero Day from Flash Player. This came out on October 10th. And specifically, the threat actor, in this case, was BlackOasis and they were releasing some FinSpy commercial malware using this Flash Zero Day. So there was a scramble. You know, Security teams all flagged this as something that needed to be resolved quickly. Operations teams had to go and put this in place as quickly as possible. So, you know, for an exercise like this where you've got a single update to apply, it's usually pretty easy. 
 
You can find, you know, that one CVE relating to this one software update, and you can make sure to get that distributed out pretty quickly. You know, Flash Player has got a little bit of its own complexities. You know, usually, there's three to four different ways to update Flash Player, even on a single machine. You're going to update Flash for desktop, Flash for IE, Flash for Chrome, Flash for, you know, all the different Flash plug-ins. And, you know, that can be a struggle in itself. But, again, one CVE -- not a huge deal. 
 
Now, what happens… You know, one vulnerability is easy to identify and remediate. What if that number gets to 1,000? I'm pretty sure most of you have seen a Vulnerability Report from the Security Team that's got at least 1,000 vulnerabilities detected. It doesn't take much to hit that. What if that reports 10,000 CVEs? How about 50,000 CVEs? We've got a number of customers who have told me that their report on a monthly basis that they get from the Security Team can be 50,000 or more CVEs logged. So to start to resolve that, you've got to do a lot of research then. 
 
So one of the things that we focus a lot on with the security strategy here at Ivanti is these first five security controls from the CSC framework. You know, the "Inventory of Authorized and Unauthorized Devices," "Inventory of Authorized and Unauthorized Software," discovery and asset management, these are a foundation for any type of security program. "Secure Configuration," making sure that things are properly configured, making sure that you've got good secure baselines, that drift is not occurring, and "Continuous Vulnerability Assessment and Remediation." You know, this is a combination of vulnerability vendors that we're going to be talking about today, and also the patch management vendors for remediation. And "Controlled Use of Administrative Privileges." 
 
So in today's webinar, we're going to zero in on that "Continuous Vulnerability Assessment and Remediation." You know, to be effective at securing your environment, it's a 24/7 operation. Already this year, if you thought that 2018 was going to be boring, I think that, you know, the first week of the year already ruled that out. The release of software updates for the Meltdown and Spectre vulnerabilities kicked off Patch Tuesday on the Thursday before. And, you know, we had a number of companies out across the globe scrambling to figure out even what to do. So, you know, that's yet again one more example of, "Now, I've got some new vulnerability date. It's outside of my normal cycle of what I would be doing. What do I need to do to get things under wraps?" 
 
So, you know, when we look at these two teams, Security and Operations, they have two different mandates. IT, the Operations teams need things to run smoothly, and the Security Team wants to secure the environment. At the endpoint, these two have to work together. What really happens, though, is we end up in this game where we're, you know, constantly throwing things over this gap. You know, bridging this gap becomes a bit of a challenge at this point, especially when things can happen at irregular times. A Flash Zero Day, a major hardware vulnerability that triggers many vendors to update outside of their normal cadence, you know, these things can happen on any interval. 
 
Also, this month, we had the Oracle CPU, which happens to be the week after Patch Tuesday. So in the month of January, we had major security situations going on every week for the first three weeks of the month already. And, you know, who knows? Next week, we may have even more. So starting to talk about how Operations and Security can make this gap smaller, can make it so that we're not throwing things over the wall, we can make this handoff a lot easier, a lot more seamless, and a lot less stressful for all of us. 
 
So, you know, in talking about looking at the differences between these two teams again, this was an interesting quote that we got from a survey we did of 100 CIOs and CSOs, "We have to tear down the traditional view of what an IT operations entity is and what a security entity is." At the end of the day, we both have the same goals. We've got to secure and enable the business. Now, those are slightly different, you know, as far as like what each team is told. It is slightly different in what their mandate is. But at the end of the day, those two teams have to work together or neither will be successful. So really, it's taking those two mandates and making it so that we can execute them together. So smooth IT operations and security for the environment. 
 
So talking about that handoff, you know, how hard can this handoff really be? Well, in reality, it has a lot of complications. There's two teams speaking two different languages. Each vulnerability that the Security Team is assessing could contain thousands to tens of thousands of detected CVEs. So a single vulnerability assessment may find many problems on systems throughout your environment. And then, you know, the same vulnerabilities can appear on many different systems. The same vulnerability can appear in many pieces of software on the same system. 
 
So this becomes very complex very quick and really becomes a matter of trying to deduplicate and figure out exactly what needs to be done to execute the task. So deduplication, researching that list of detected CVEs, this on average can take five to eight hours each time a vulnerability assessment is handed off. You know, if I get a spreadsheet of 10,000-plus CVEs detected, the first thing I'm going to do is I'm going to try to normalize that list. "Okay, if I've got the same CVE on 500 systems, I only need to research that CVE once. Now, am I sure that that's the same CVE, or is that one CVE existing in multiple components?" 
 
You know, that… Let's take Meltdown as an example. You could have Meltdown show up on a Windows system, on a Mac system, you could have the hardware vulnerability. So there are three CVEs here that will potentially show up at different levels depending on which parts of those vulnerabilities are still exposed. So I need to know, you know, how many different levels need to be effectively plugged, and then I can start to actually figure out how to deliver each of those updates. The same thing can be said for that Flash update back in October. 
 
That one CVE could have shown four times on a single system depending on which instances of Flash Player and Flash plug-ins were installed on that system. So then, I would have needed to have the Flash update for Desktop, the Flash update for IE, the Flash update for Chrome, and I would have needed to make sure that each of those got into place correctly. So that research, that deduplication, that normalization of all of these CVEs to understand, "Exactly how do I remediate each of these?" becomes, you know, a full day's work for a lot of these companies. 
 
Also, it's prone to human error. There's challenges with trying to go through and research this much data and make sure that you get everything covered. So a lot of times, each time you get a new vulnerability assessment, there's a little bit of back and forth from the teams as well, "Hey, it looks like you missed this on this system." "Well, did we really? Because we thought we got the right thing in place." Then, you've got to get down into specifics. And again, it takes a lot of time and effort to do that, where they may have said, "Yeah, we got this patch in place," but the Security Team says, "No. There's still another variation of that on the same system that needs to be resolved." So it's very easy to miss some of these things when you get to this many vulnerabilities being detected. 
 
So a mapping -- if we can follow instructions, Point A to Point B, this helps us to understand really what we have to do. And it's actually a mapping that's fairly easy to overcome. You've got the CVE ID from the vulnerability vendors and you've got the software update. You know, typically, the majority of CVEs that are going to be on a system are going to be a software update that needs to resolve them. There are some config updates as well. But typically, those are handled through, you know, GPO. Those are fewer and far between. 
 
You might have a dozen of those on the system to hundreds of software vulnerabilities. A single update for Adobe Reader or, you know, even Java could have 20 to 80 CVEs that need to be resolved just for one software update versus, you know, a handful of config changes that would, configuration-wise, bring that system into alignment. So software updates are the bulk of vulnerabilities you're going to need to remediate. And there is a way to map this data across very easily so you can get down to the normalized list of what actually needs to be done. 
 
Now, you know, talking about how many vulnerabilities could be missing in a single update. If we look at 2017, the last four Java updates that had come out at that point, you know, could account for 79 CVEs for just one product. So that's four updates from Java. If you were out of date by two, three, four, maybe even more of those, that could start to accumulate to a lot of CVEs just for one product that's out of date. If you start to look at… And this information was taken, you know, at the end of October, so some of these accounts are up since then. But if you looked at the point of the year for each of these products, there were a lot of CVEs accumulated for that year so far. 
 
If you were a couple of updates behind for Acrobat, you could have had 146 CVEs accumulating there already. Reader, Safari, TCPdump, Chrome, Flash Player, these are commonly found in a lot of environments and can account for a lot of vulnerabilities. Now, Flash Player actually had a pretty light year, as far as total CVEs. In 2016, the count was well over 300 CVEs resolved for the year. So if you didn't update Flash three, four times, you could have several hundred CVEs just from that one product alone. 
 
So when you start talking about 10,000 CVEs in a report or 50,000 CVEs in a report, really, it doesn't take much to accumulate that. There can be… You could have 1,000 CVEs on a single workstation if you haven't been updating those applications very effectively. So the other part of this that we want to, you know, resolve is the time. You know, the effort that… You know, the old adage, "Time is money," you want to use your time more effectively. Rather than researching a whole bunch of vulnerabilities to find out that you really only need five software updates to resolve it all, you want to be able to save that time and more effectively spend it on other projects that really need your focus, your time and effort. 
 
So that's where I'm going to show you guys, you know, how we're doing things today in one of our security solutions. And, you know, we'll show you a couple of examples. I'll also point you to some knowledge-based articles that show you how to configure these integrations. And then, we'll talk a little bit more about where we're going with this type of capability. So I'm going to switch over now to the Ivanti Community. So today, we're going to be looking at the… So those of you who are familiar with this product, the Ivanti Patch for Windows product, the Patch for Windows is the former Shavlik product. This is one where we've had an open API for the past year here, and we've been starting to work on integrations with different vendors. 
 
A couple of those that we've documented here and I'm going to be showing you a little bit today, you know, this one here shows the API integration with Qualys' vulnerability scanner. And then we've got this one here that shows a similar integration with BeyondTrust's Retina vulnerability scanner. We've done similar with Rapid7. Although, in that case, we couldn't do a clean API-to-API integration. Their API didn't quite give us what we needed. So we actually used an XML report to extract all of the CVEs from there. But we can do the same level of automation around pulling those in to build up that list of updates. 
 
So let me show you one of these integrations in action. We're actually going to look at the Qualys example here. Now, this one is kind of a multistep process. You need to be able to… You need to have the Patch for Windows product in place. You can download our API .zip package here, which has all the details you're going to need for this. There's a step here where Qualys being a cloud-based product, you've got to actually pull the right data down and then we can get at it. So this was something we worked on with the Qualys team to identify the cleanest way to do this. 
 
Step One is getting the data accessible, and then Step Two here is actually taking then that data, and there's different ways to filter it down so you're looking at specific hosts or different things like that. But pulling those CVEs out of there, that's where this PowerShell script comes into play. So I'm going to step through this real quick here and show you guys how easy this integration is to run. Just to, you know, show you guys that I don't have any of this stuff preloaded here, I have a patch group here called "Demo," and this patch group is currently empty. In fact, we're going to go ahead and delete this patch group. And we're going to watch this get created here as we run this script. 
 
So the… Oh, I am in the wrong VM. I've got multiple things open. That was not BeyondTrust, by the way. Let's go over [inaudible 00:17:06]. Close you. Close you… And by the way, that .zip file has the simple steps here again in a README. So we're going to go through some of these steps right now. Just to save on time, I've already done the step where we extract all of the data from the cloud so that it's locally accessible. Here is my local console. You can see I don't have a patch group populated right now. So this is going to go through the process of pulling those CVEs in. So right now, it's connecting to the data that I've downloaded. 
 
This is a list of all the CVEs that my Qualys account has assessed for. And you can see here, I ran into an error. I told the script that I wanted it to look at a specific patch group. Well, it found that that patch group wasn't even there, so it actually created it for me. And now, it's going ahead and it's adding all of the CVEs that it can find. There are some of these that it didn't find. You know? Many of these are configuration changes or, you know, things that we didn't have a patch for. Maybe they were, you know, a hardware or other configuration change, [a port] or a protocol being existing there. 
 
But those remaining ones are all software updates that just got populated into my patch group. So we come over here, refresh our screen, and my Demo patch group is back. I can go in here and I can view… No. Why are you being difficult? There we go. So this populated a huge list of all the vulnerabilities that were detected in my Qualys environment. So automatically, it went and deduplicated and found all the CVEs that it needed, and populated the list of everything that I need to update, and that took me a matter of seconds rather than the hours it may take if you're doing this manually. So that's how simply it can do that. 
 
So the PowerShell script to do this is the… Let me open it up here… Edit that. So it's got a pretty clear structure to it. It's showing you step by step how it's doing things. So you could actually go through and you could modify this to pull from different things. You can have it, you know, select a specific group of systems. You can, you know, have this… You could even take this if you didn't have Qualys or BeyondTrust, and you can modify this script to focus on another vendor. You know, like I said, we've done this for Rapid7, Qualys, and BeyondTrust already. And half of the script, the part where it takes CVEs and passes them to us is relatively the same each time. 
 
The difference there is in, you know, getting to the CVEs from each of the other vendors, which most of them have very well-established APIs. So if you're looking at Tenable or ACAS, or one of those products, you can take these scripts and you can adapt them to pull from other sources. So it's a good starting point for those of you who do need to build something for a different vendor. You know, one thing Ivanti is going to continue to do is, as we have time, we will get back around and we'll release some more of these. You know, right now, we're at a point in our release cycle where the teams are going to be heads-down on some Q1 and Q2 deliverables. 
 
But I'm hoping that we'll have a time there where we can come up for air and towards the latter part of the year, possibly have another vendor or two that we add support for there. But the API is designed around allowing you to integrate with our product in ways that aren't baked directly into the product. You know, is Ivanti going to be able to go out and support 20 different vulnerability vendors? Not likely. We're going to hit the big ones and as we have time, we'll hit, you know, a few more of them. And we're also looking at integrations with other products, things like the password vaults. 
 
You know, this is something where our release that we're looking to have in the earlier part of 2018 here is going to focus on a new version of our API. It's going to add REST APIs. It's also going to expand on some of our credential interactions at the API level. And this is going to enable us to start to open up support for some of the password vaults. So rather than you having to go in and update the credential and the product, you can sync it with a password vault and keep those more up to date. 
 
So you get the idea. You see how simple it can be. The API here is quite flexible in what it can do. I have seen a couple of chat messages already. And it looks like, Amber, you've already mailed a couple of those here quick. But why don't we go through and field some of the questions that we're getting here? 
 
Amber: Sure. So Ken is asking, "Have you heard of [Aristotle Knight] and any potential integration with their vulnerability enumeration?" 
 
Chris: I haven't heard of that one yet. And no reason, again, that we couldn't do an integration there. So that's one where, you know, if you can get API documentation for their product, it's probably something where we can point you in the right direction in being able to adapt one of our scripts to be able to pull from there. You know, otherwise, if you submit a feature request, you know, if you don't have time to build it, it'll get into the running with other ones that I know have been requested a few times right now. 
 
Tenable and ACAS are two of the ones that I know are kind of at the top of the list for who we would target next. But no reason why we wouldn't be able to do another one down the road here. So you get their API documentation, take a look at the two examples that we've got here. Which, you know, each one of these was a little bit different in how we had to do the integration with the vulnerability vendor, but our side of it was pretty much the same in each case. 
 
Amber: It looks like it's AristotleInsight. Sorry about that. 
 
Chris: AristotleInsight, okay. 
 
Amber: But [inaudible 00:23:43] look into that. And then Marty wanted to know if the integrations save the username and the password in a plain text batch file. 
 
Chris: So there's different ways that you can do that. In this case, you know, we used… Let's see here. There's different ways to authenticate, you know, doing it through the authentication types like Qualys supports. They've got a few different types. And depending on how you script that, you can definitely script it using like PowerShell has their SecureString. So, you know, PowerShell has some pretty good integration with password vaults and things like that as well. You could actually grab a credential from a password vault if you're using one, and use SecureString to securely use it in a PowerShell script to go and sync that part of the data. So those things should all be possible. 
 
Amber: We still have some time. So if anyone else has questions, go ahead and ask those and Chris will answer them for you. Give you a few minutes for that. 
 
Chris: Yeah. So there was the one from Kevin here, which actually this is a good thing to talk about roadmap-wise. So Kevin, your question, you're using the SCCM integration for Ivanti. "Will these features work for the SCCM version, or is it only the standalone product today?" Today, it is the standalone product. Now, this is one of the areas that we do want to expand on as well. So Ivanti does have other patching solutions. There's our plug-in with SCCM. You're going to see more of an API type of strategy developing there over time as well. We've got a Q1 release here for that product that is wrapping up some merging of technologies from the HEAT and Shavlik legacy plug-ins.  
 
After that release is done, one of the things that we'll be investigating next is, "How do we bring this same type of integration possibilities to the SCCM stack?" So yes, Kevin, we do want to get there. It's just a matter of when will that get in place. For those of you who might be on like the HEAT or the LANDESK products, again, this API strategy is building out. We want to allow this type of functionality for as many of our customers as possible. So we're going to be looking at how quickly we can get all of our customers to a point where they could utilize this type of flow as well. 
 
So, you know, roadmap-wise, the Patch for Windows product has been on a track where it's been focused on that API FeatureSet for the last couple releases, and that's where this focus is today. But it's going to be expanding. 
 
Amber: All right. So you addressed that question. We have another one about, "Can you share more information about how to integrate with Rapid7 and Ivanti 9.3?" 
 
Chris: Yeah. So Rapid7, and this is one that we were going to look at a cleaner way to do it from API to API, we haven't gotten to that yet. There is… The question is, "Can I find it here easily?" The… We had a way that we did this where we did an integration using a report, and I have… Oh, that's a different API [inaudible 00:27:30]. So there's… Let's put it this way, at some point, we want to publish the Rapid7 one that we did as well. But that one, the API was a bit finicky, as far as extracting the CVEs specifically. So we had worked with the Rapid7 Support Team, and they pointed us to a route where we would extract a report from Rapid7 and then extract the CVEs from there. 
 
So one manual step there that's much easier, you get that particular report, and then you extract the CVEs. But we've got that one. So for that one a bit, for those of you on Rapid7, if you contact me, I can get you the script that we wrote to do that one. And we did actually demonstrate that live with 9.3 in, actually, end of 2016 when we were at VMworld. So when that product set was in beta, we had developed that one as an example of how this integration worked. So we do have an example script there as well, one that could be adapted to use, you know, again, other variations of pulling the CVEs. But it's specifically designed for if you export a specific report, it'll do the trick. 
 
Amber: We also have a question on where we are with integration with Nessus. "When will that be completed?" 
 
Chris: Yep. So this is again where, you know, right now, we've got the Qualys, BeyondTrust, and the report variety of integration with Rapid7. Other ones, I would suggest submitting a feature request. You know, if you guys are on the Patch for Windows product, if you go to the Help, Submit a Feature Request, let us know which ones of those that you're interested in and we can look at that. When we get around to that is the question. We're going to have some time later this year to pull in a few more. In the meantime, if it's urgent for you, again, you can use the examples that we've got today. 
 
If you can get the documentation from Nessus on how their API works, adapting it to that, a lot of the legwork will have already been done for you. But it's just a matter of, right now, we've got to wait for another moment in the Dev Team to free up where we can cram a few more of these in. So submit a feature request, and that'll help Nessus climb the list of who'd be next. 
 
Amber: Oh, we have a question about the webinar itself. The webinar and link to it will be available for review, absolutely. It'll be sent out to you after we are done here. So no problems there. You'll get all of the webinar delivered to you. And any other questions? Let's see. It looks like we might… 
 
Chris: Yeah. So anybody who, if you've watched any of our webinars, the same Webinars page you signed up for, if you go down just a little ways, you'll see the recorded webinars. And underneath that, you would get to a page where you get to see, you know, the recorded version. You'll also see the slide deck available there to be able to take a look at as well. So all of that's always available afterwards on our Webinars page. 
 
Amber: A link will be sent out as well for easy access…
 
Chris: Yep. 
 
Amber: ...if you see that in your inbox. Anything else anyone would like to ask in these last few minutes? Or Chris, anything you have to add? 
 
Chris: Nope. That's it for me right now. 
 
Amber: All right. Give it just another minute.
 
[00:31:19]
[silence]
[00:31:35]
 
Amber: We do have a question going back to endpoint security, a question of whether or not to upgrade. Can you go back to talking about that roadmap for bringing more of this into our other FeatureSets and where we're going with those? 
 
Chris: Yeah. So to do… You know, further integrations with any other vulnerability vendors is probably going to be the latter half of the year before we do come back around to that. The development teams on this product are focused on some releases early in the year here. So when we do get a free moment, we're going to look at the next couple of vendors on the list that we've been getting requests for. So make sure and submit some of those requests there. And it looks like the question is… I'm not quite sure of the feature request you have. 
 
"Feature request to import customer patch list." So depending on what you're doing, the patch group has a few different ways that you can import a list of patches. If you do this import from a file, you can actually… So this is a common case that is used for...healthcare is a good example. Like each month, your healthcare vendors, like the devices or things like that, if it's a heart monitor or whatever, they'll release a list of what updates are approved for deployment to your systems. So usually, they'll do that in some form of a report. If you can get a line-delimited list of the KVs, you know, that you need to populate, you can do an import from a file and pull a bunch of those in at once. 
 
And also, for those of you who have not seen it before, the… Let's see here. Go to Support, Product Documentation. The API that we used for those vulnerability vendor examples, that API guide to create integrations with our API is out here on our Documentation page. So you can actually interact with… You can kick off scans, deployments. You know, we've got some basic examples that show even how to patch a cluster node by node using a script, and that's using both our API calls and different API calls for, you know, the Windows cluster, the features that they have in there. Interacting with our credentials, you can actually populate a credential from a password vault. 
 
You can manage machine groups. So if you wanted to script populating of machine groups from another source and then patch groups, you know, this one… If you wanted to import a list of specific patches, that patch groups example gives… This one is showing different things like getting a credential, using a credential. This one is the integrating with the vulnerability scanner. Here's the cluster example using both ours and the RSAT Clustering and Failover Clusters. I think there's a patch group example down here. Maybe not. 
 
If you go into PowerShell and look at the Help through there, it gives specifics on each of these commands as well. But being able to populate a patch group, you can populate that patch group by KV, by CVE, by a number of different ways and be able to build up a list of updates that you want to deploy. So you could use it to populate a list of patches from an external source. You can script syncing of patch groups from one console to another using the API. So basically, contact one console, say, "Give me everything from this patch group," and replicate it over here to this console. 
 
So there's a number of ways you can do things like that. If you do have something more that you're looking for in that feature request you submitted, the best thing to do then would be to follow up with the Support Team, asking about the specific request idea that you were looking at. And they'll contact the product owner and product manager for the product, and they'll get an update for you on specifics around that. 
 
Amber: All right. That's it for our questions and chat questions as well. So I think we are done at this point. Thank you all for joining us. And you will, as we noted, be able to access this webinar online very shortly. Thank you again. 
 
Chris: All right. Thanks, everyone. And thanks, Amber.