Learning from Atlanta: 5 Steps to Securing Government IT

May 10, 2018

John Rush | Sr. Systems Engineer | Ivanti

Chris Goettl | Director, Product Management, Security | Ivanti

The City of Atlanta was rocked by cybercriminals that locked up critical systems and applications earlier this year. With paralyzing security threats now aimed at state and local agencies, the public sector is scrambling to find ways to secure their environments before the end of the fiscal year.

Join Ivanti's Chris Goettl, Director of Product Management for Security, and John Rush, Senior Systems Engineer, as they talk taking security to a new level in your agency in just five steps. 

Transcript:

Chris: Hello everyone. Welcome to this Ivanti webinar. Today, we're gonna talk about a bit of detail about what we learned from the ransomware attack on the city of Atlanta. And you know, it's kind of a good example of the importance of securing your IT infrastructure.
 
So, we're gonna go through several steps that are very important to securing your environments, and talk a little bit more about exactly how this attack worked, how it's been different than some previous attacks you've seen, and just in general, getting into what would have stopped this from being as impactful as it was.
 
So the SamSam ransomware is the ransomware family that was used in this attack on Atlanta. And you know, what happened, in this case, was the threat actor, in this case, is actually acting a lot more proactively than your average ransomware attack. Most ransomware, there's a lot of pre setup from the attacker. They gather a bunch of intelligence about the target, whether it's a single company or, in the case of the [inaudible 00:01:15] attack last year, a region, they will gather intelligence about the best way to impact this environment. A lot of times, that involves gathering a bunch of email accounts, things like that, trying to craft different phishing scams or other things that they're gonna target that with.
 
Now, with the SamSam attack, the threat actor in this case and the ransomware itself took on a very different approach. There was actually no phishing attempts involved in this attack. The SamSam ransomware was developed around using other attack factors through vulnerability exploits and through, you know, either password guessing or using other capabilities to match passwords to further the attack. And they also went as far as to keep on pushing the attack along as they went. So the threat actor, in this case, was taking on more of a behavior of an advanced persistent threat, what you'd normally see in behavior in more of a data breach scenario. So, it's kind of an interesting combination of circumstances here, and an interesting way to look at this because it is a new direction that's now being taken into other spaces as well. The success here has already started to hit healthcare companies with similar forms of attack using SamSam as well.
 
Now, you know, taking a step back here before we get into more detail about the attack, the things that it was doing, this is some of the public information that was released about what the costs were for the city of Atlanta to respond to this ransomware attack. You can see here there's a bunch of line items from Cisco, from other staffing emergency incident response services, they were probably, you know, getting a bunch of teams in from different groups to be able to respond to these attacks, tried to recover systems as quickly as possible, and even to offset services that were impacted like a lot of the crisis communications emergency incident response services. They needed to stand up additional, you know, ways of serving those services for the city until they got everything recovered. But just in the hard costs here, this is $2.7 million in costs to the city of Atlanta for this attack, and that doesn't involve all the soft cost, the cost of, you know, having 5 of the departments throughout the 13 departments across the city be impacted to a significant degree. 
 
Having your city council members, I believe, if I read correctly, there were cases where three council members were working on a single laptop and having to share that and that laptop was actually an older piece of hardware that they had to pull out of a closet to get up and functional so that they could get these people back and working because they were still trying to recover their actual devices. So, the $2.7 million you see here, this was not the end of the costs there, this was just the line items for, you know, what they paid out in responding to things like this. Now, each of these articles, you can go in and read more detail there. They actually go on to talk about how if there would have been a more proactive approach here, this would have been significantly smaller. The investment that would have been made up front rather than post event.
 
So, let's talk a little bit about...more about SamSam specifically. This ransomware, again, it's unlike most ransomware we've seen, it's not using a user targeted attack. A lot of ransomware will either, you know, use email, phishing attempts, they'll do watering hole attacks through web-based attacks, or a document that's crafted to exploit a vulnerability. SamSam did not use those types of attacks in this case. It was actually using, first of all, a server exploit or public facing servers. So one of the components that SamSam utilizes is the JexBoss open source tool for testing and exploiting JBoss application servers. It's a pen testing software framework. So utilizing a tool that a security team would legitimately be using to test against an application framework, the attacker was able to probe into the public-facing Java servers that were running, find an exploitable system, and that JBoss application server became a remote access Trojan for the attacker. So, JBoss, just look at more detail there. JBoss is a Java development environment. So this is a vendor that's created an ecosystem that makes development around Java applications much more effective. And it's, you know, a common platform to see in a lot of environments, especially healthcare, which is where this, is kinda, directing now. But for the city of Atlanta, they were able to find ways of exploiting into these Java environments on vulnerabilities that had had updates available for them prior to this event, but they weren't being maintained.
 
So, from that point, this application server became that external access point. From there, they used that platform as a remote access Trojan to allow them access to the broader environment. And then they used a variety of other things. So they will try to guess weak passwords, they'll utilize other software vulnerabilities to extend themselves to other systems, and they also can use this tool called Mimikatz. This is a password recovery tool, so once that compromised the system, Mimikatz allows me to go and look at, "Oh, hey, here's all the users on there. Here is the passwords that are there." And then they can use a combination of...basically, trying to match hashes to see what password matches with the passwords for these different accounts. And from there, they were able to extend themselves out further and further into this environment before they recognized a point where they felt they had a critical mass to launch the ransomware phase of their campaign. 
 
So before, when I said that this was an active threat actor, this is typically the way that a lot of the big data breaches that have occurred, you know, Equifax and Target, and many of the other vendors who've had very notable very large data breaches, Yahoo, and many others, this is the type of attack that would be happening there. They find an external way to get in. In this case, that's JBoss application server. They would, from there, be able to attack using a variety of different tools from other software vulnerabilities, too weak passwords, to using tools like Mimikatz to even get additional passwords that are a little bit stronger. From there, they are extending themselves out and getting control over that environment to a scale where they are well penetrated and they're gonna be very difficult to unroute. So once they got to that point, that's when they'll launched the ransomware.
 
Now, after the ransomware was launched, these threat actors continued to push the attack further as well. So again, unlike most ransomware, at the point where they launched the ransomware, the attacker is sitting back and letting the more of the services side of their operation start to take the support calls and everything on how to set up your Bitcoin account to do all these other things. Well, in this case, these guys stayed active throughout the entire attack making it a bigger and bigger struggle for the city of Atlanta to respond to this attack. So, it was very challenging to be able to respond to this. It was a very persistent threat, it was one where the attackers all throughout were working very hard to thwart any recovery services. And as you saw before, it was very costly in the services that were needed to bring in to bring this attack under control.
 
All right, so let's talk a little bit about, you know, what are the steps that could have been taken in advance to plug these vulnerabilities to reduce the methods that the attackers, in this case, were utilizing to gain access to this environment. You know, there's no 100% percent security. I think that's a very plain and simple statement. There's just no way to be 100% guaranteed secure. What you can do though is you can eliminate the common threats, you can mitigate the majority of risks. You know, what we're about to go through here, the steps that we're talking about, there are several studies from the [inaudible 00:10:13] organization here in the U.S. to other security groups across the globe like the Australian Signals Directorate, UK Cyber H. Q., others that have done similar studies showing that doing these things well, you can mitigate or eliminate 85% to 95% of common cyber threats, which were utilized in this attack.
 
So, what we're talking about is providing an effective defense-in-depth approach. Making sure that you can discover the breadth of the attack, the breadth of the risk, reduce the attack surface significantly, detect malicious activity, take actions to solve problems, and be able to analyze data for insight into issues. Now, there's a lot of technologies out there that can provide these capabilities. There's a lot of solutions that, you know, oh, yeah, add this layer, and you've added one more layer of defense. 
 
One of the biggest problems with solutions today is trying to deliver the level of security while balancing that with the user's needs. Most security controls fail to succeed in an environment because the business has been crippled or the user experience is so painful that the business decides to throw that security control out. And you know, if you go back in time to your first fond memories of trying to implement a software whitelisting, you'll probably understand very clearly what I'm talking about.
 
So, one of the first things to do in any security program is make sure that training and awareness become part of everybody in the company's daily lives. You know, this is something that we believe very strongly in. Ivanti doesn't have any specific training software or anything like that but we utilize training routines within our own organization, we use one of the leading phishing vendors out there, we regularly will phish our own users, and if you get caught by one of those phishing scams, we track that, we bring that person into some remedial security training, point out the areas where they failed to notice that that was a phishing attempt, and we work to make sure that our users are more aware of security threats. We also do additional security training through other modules that talk about everything from, you know, why patching is important to, you know, different things like GDPR and why that's a critical issue for us, and a variety of different regulatory and security topics across the board.
 
So, what the training program does though is it also gives you a way to identify more of that risk to your environment. So, as you go through this, think about a couple of stats here. This came from the latest Verizon 2018 Data Breach Investigation's Report. Phishing attempts, internal training in companies where they basically pull these stats from are showing that in a year span 78% of users in a company that's effectively doing, you know, phishing and security training, 78% of their users did not click on a single phishing attempt all year long. This is up from previous years where we were seeing as many as 30% of users were opening those emails and 12% were clicking on those attachments pretty regularly.
 
Now if you look further into this, those remaining 22%, these are people that...they clicked at one time during the year. They might've got caught by one phishing attempt but they didn't get caught by another one. So, this one goes to show that yes, there are still cases where everybody has a bad day. If you get caught at the wrong time or if you see something that oh, hey, wait, wasn't I expecting that, and you clicked too quickly without looking and thinking about what's going on, you can easily fall into this trap still. There's no 100% even through all the training in the world. But the really notable piece of this is this last step. Four percent of these people are repeat clickers. They can't help themselves. If you put a keyboard and mouse in front of them, if something appears on the screen, they're clicking without even reading, without even paying attention, without even acknowledging that that click is actually already happening. They're just automatically trained to do that. So the importance of this is the phishing training, the security training is working, it's becoming effective, but this is also helping you to flush out one of your greatest risks, which is the user.
 
Now, the SamSam attack didn't go that route but many other ransomware attacks do. With that though, you can take those repeat clickers and you can secure them more. They become the people who you're going to put into the more restrictive bucket. So this type of training and this type of acknowledgment of the people who are your most risky is critically important to how you're going to implement your security controls. This is gonna help you to weed the people down to the buckets where they need to be. Those 78%, you could trust them a little bit more. Those 22%, you could restrict them a little bit more. That last 4% of that 22%, the subset there, those are the ones where you put them into the most restrictive and until they can prove that they're being more diligent, security-wise, you have grounds to be able to control them and secure them more. So that's a critical foundation to any security program.
 
Now, as we said before, again, this would have been a layer that, in the case of the ransomware attack here in Atlanta, they would have bypassed this type of training, so we do need additional protection, and let's talk about that. So one of the most important things is discovery. If I can't see it, if I don't know about it, I can't secure it. There is more than likely several devices throughout the department in Atlanta that were compromised in this case where they probably weren't captured in an asset system correctly, they may not have the had all of the different security controls laid down on them correctly, they may not have even been aware to IT [SP] as to what role that system might have been playing. Discovery is a core part or core tenant of any security program. Making sure that you understand whats in your environment from both a hardware and a software perspective. Now we can start to actually apply security measures to those.
 
Patch management. This is the largest reduction in attack surface that you can apply. As we talked about earlier, the first piece of the attack, in this case, was to exploit a software vulnerability, and from there, then utilize a variety of software and password exploits to be able to go further with that attack. But through many parts of this attack in Atlanta, software vulnerabilities were utilized to take over more and more real estate throughout those departments. So, whether it's an SCCM environment or, you know, an environment where you need to push patching out through another method, we've got a variety of patching solutions, a couple of which we're gonna talking about here today. And we have the ability to help you patch, not only the Microsoft apps but third-party applications and extend beyond that to Windows and Mac as well.
 
All right, moving one step deeper, admin rights. This was another critical piece of why the attack on the Atlanta was so successful. Weak passwords that could have been configured properly through GPO, through configuration management to make sure that stronger password policies were laid down. And also privileged levels that would have reduced admin privileges down to just enough privileges for those users to do their job. We've got the ability to help with the many parts of this. So there's kinda two aspects to this that we're gonna focus on today, just enough elevation. So I can take a local admin and I can provide them with just enough of those administrative rights to be effective. And then the other approach, which is more effective but also a little bit harder for some companies to implement, which is making sure that the user has the right level of privileges just in time for what they need to do. So this is taking a standard user and elevating app privileges or access to install a printer or different things like that for just the things that they really need but taking all other administrative access away. So we have the ability to come at this from both directions.
 
Now the last piece here, also very important, is you need to have a level of application and zero-day protection. So we've got also the ability to provide a variety of different application control models. We refer to these as different trust models that you can implement throughout your organization so that you don't have to put up with the pain and the maintenance of traditional whitelisting and blacklisting techniques. You can take a combination of more dynamic trust models and you can also apply more specific contextual rule and you can provide your environment with the right level of application control protection for the different user structure environments. 
 
You may have parts of your environment where you only audit the users, or maybe you'll do that for a trial period while you're ramping up. You may take other groups, like your IT group, into a self-authorizing mode, or here at Ivanti, where we've got a lot of development organization, these guys need to add new components regularly, so we put them into a bucket of self-authorization and make sure that they understand that they're taking on more responsibility to secure their environments but giving them the flexibility to work. And then taking it into that code restricted mode where we can put those users who don't need as much flexibility, and especially those users who are our repeat clickers, our high-risk people, and putting them in that more restricted bucket. But with this down[SP], we've got several layers that are helping us to plug the different types of vulnerabilities that the SamSam attack on Atlanta was exploiting to be so successful.
 
So one of the things that we will touch on here specifically is called trusted ownership. This is the simplest of our trust models for application control, and one of the reasons why we'd like to talk about this one, in particular, is it shows how powerful application control can be without being overly complex or costly. Trusted ownership comes down to a very simple rule which is ownership of the file that's being executed. If it's owned by a trusted account, it's allowed, if it's not, it's denied.
 
So we're gonna show you an example here in just a few minutes, and I'm not gonna steal John's thunder because this is a cool demo on it's own but he'll explain more about that in just a moment.
 
And then the last piece, insight. Making sure that we understand the risks to our environment, making sure that we've discovered and have found all the assets that we're tracking the critical issues out there. If we find an exception, did we make sure that was documented? Are there reasons why that was an exception? From there, you know, we could take additional steps. Okay, this is something we do need for this reason. It's a critical app that has a dependency on an older technology, how can we mitigate that further? Can we segregate it from the direct internet connectivity? Can we segregate it from other user environments? Can we lock down user permissions to be less restrictive? What are the additional steps we can take due to that exception? 
 
But now, we've got a place where we can see across all those different environments, across those different data silos and look at the environment holistically and see what risks we have. We're gonna show you several dashboards that are more security focused but we've got the ability to integrate with many of the service management vendors, change control systems, phone systems, SCCM, there's connectors for many different environments for this reporting platform, so you can pull together all the right information from many data sources to get these insights. And then again, providing those in the different levels of reporting that each of the different roles throughout your organization may need.
 
All right. So, just recapping, training and awareness, critical to making sure that your security program's successful. Discovery and insight, knowing what's in your environment, making sure that you can report on that and also get visibility into your environment on a regular basis. Patching the OS and applications, providing effective privilege management whether it's taking away admin rights fully or reducing admin privileges in certain key risky areas if somebody doesn't need that. Application control. Again, making sure that you've got that additional app control and zero-day protection that's required to stop common threats today as well. These things combined together would have been a significant barrier to the success of the attack on Atlanta, and kind of a starting point foundation for any security program that you'd wanna put together.
 
All right, getting into the product demo. John, I'm gonna hand it over to you.
 
John: Thank, Chris. Let me switch over things here for just a second. So, many of the things that Chris was talking about... Oh, I just wanna do one thing here. Many of the things that Chris was talking about are part of the defense in depth. You can't just do one thing anymore. You have to have layers in order to get where you need to be. You have to have antivirus in place, you have to have your patching in place, you have to have the application control in place, device management, many of these other things. So I'm gonna touch on just a couple of those pieces here to get started.
 
The first one is in the patching scenario. We've been doing patching for many, many years and it allows us to provide to you the same story on how to set up automatic processes that scan and patch your test machines, scan and patch your production machines based on a level of patches that you look for. I'm not gonna go to great detail here on all those pieces but generally speaking, once you set up what's called a machine group or a group of machines that you wanna treat together for the purpose of patching in, basically, a two-step process, choose the machines, choose the scan template that you want, you can then go out and begin to scan your environment to find out what patches are missing.
 
Now, to kinda understand what's going on there, two things are all that's running. A machine group for us is nothing more than, again, a combination of machines brought together for the purpose of patching. I can point to an active directory, pull my information in based on an OU within the organization. I can simply grab that piece and bring it in. I can add IP addresses, IP ranges, but I can choose what it is I wanna do from there. I can also choose simply by machining name, the type of machine, the name of the machine. And then finally, especially in the datacenter, server capabilities. So I can point to an [inaudible 00:25:53] host or to a V center server, and actually see online and offline machines that I wanna be able to patch. And now, I'd add those to my machine groups. It's a very unique capability we have. The ability to patch templates, for example, we use V center to convert the templates back to a VM, we bring it up in a protected mode, we patch it, we shut it back down and turn it back into the template. And that's all done behind the scenes from you. The user doesn't have to actually do any work to make that happen. So the machine group is the lowest level that is. You know, this is what we wanna do, these are the machines that we wanna be able to patch.
 
The second one is, what do I wanna look for? Those are scanned templates. And again, I'll just, kinda, show you what that looks like. It allows you to either choose at a very high level. I'm looking for security patches of all criticality. And over here on the left, all of the products that we support. Or maybe, in your server world, maybe you're only interested in critical and important patches, and for again, instead of everything, you might be very selective. For example, on my servers, I might only have Adobe Reader on the machine so that I can read documentation. And I slide down here to the Microsoft categories and I go into Microsoft then I begin to look at the pieces that are there [inaudible 00:27:10] it. And maybe, again, I'm interested in the latest versions of .net, but I've got older machines that have older versions of .net that I don't wanna patch. I can go down and choose the specific applications that I'm looking for. I can even get down into the operating system and say, "I'm only interested in what goes out of server 2008 R2, 2012 R2, 2016 with the server from 2016.ned
 
So I can be very specific about what it is I'm looking for even to the point where I might create a subset of patches and call them my May update. And so, I can say let's just patch our May updates or our approved patches. At the end of the scan, where we'll see the result of that scan in a couple of different ways. I'll just go one more step here. And I can view the information. Now, we have automatically generated reports. So this one is called the executive summary. And again, it's exactly that it, the high level summary that says on this date, at this time, I scan these machines, with this patch templates, and this is what I found. I'm missing 46 patches, 7 of them are critical.
 
So, it really allows me to understand the status of what's going on in my environment and I can even go down to the actual patch level and see the individual patches that are missing on a particular machine. So let's say on the Windows 7 client, I wanna go ahead and deploy a patch, I'm gonna select this Enterprise Patch, right mouse, click say, Deploy, and I am now actually ready to deploy the patch.
 
So, in about six mouse clicks, I have chosen the machines that I wanna scan, I have chosen what I wanna scan for, I have viewed the results of the scan, and I am now actively patching that. And that's the manual mode.
 
Also, again I'll go back and touch on the scheduling of this. So I can say, you know, what I want to do is I got two sets of machines. Here's my test machine. I wanna scan those with my approved patch list, I wanna do it on a recurring basis on the day after patch Tuesday. So the Wednesday, after patch Tuesday, which twice a year if you use a regular calendar, comes before patch Tuesday. I'm gonna say, on the Wednesday after patch Tuesday, go ahead and patch my test systems. Schedule that process. And then I come back here and say, and then a week later, or by seven days of that or eight days after patch Tuesday, go ahead and use the same scan template, the same deployment process, and patch of my machine. So I have a full blown system going on.
 
Also, what we provide is real-time feedback. So, you can see right now I'm in that process, I've scheduled the events, and then very quickly, we will begin to execute, go through the process, and we even control things, like when to reboot, type of reboot, script that you might wanna run ahead of time. So that's the patch for Windows product that we have. Lots of organizations use this. You can use this both for workstations or servers. We have a very good solution for laptop computers because we can manage those machines that are off networks through a Cloud component. But as you can see, in real time, I'm executing the update. So I'm gonna stop there with this product and just kinda minimize that for now.
 
For those organizations that are using system center, we have a slightly different business problem to solve. More than likely, you are successfully patching the Microsoft applications with system center, but the reality is you're not patching third party content, that's not a built-in capability of system center. Therefore, we wanna be able to provide the metadata, the content, a catalog of patches for your organization and we do that through what we call the patch or system center plugin. This plugin provides you a catalog of all of the third-party applications that we support, it allows you to view those plugins based on the information I have, and it allows you to publish those contents. What this does is it actually drives the contents into the WSUS environment. Then, after everything's run through, after it's been published, after it's been synchronized, so sometime, overnight, for example, the next morning, you'll be able to see those third-party applications right alongside all of your Microsoft applications. 
 
So, if again, if I do a search for a W here, I can see that information and I got a number of patches. Now again, in my test environment, I don't have anything right now that requires. The other thing is because we're so tightly integrated, wherever there's a pick list, wherever there's a choice, you will be able to see that. So for example, if I go down here to Product and choose buy Product, I will then be able to search based on 7-Zip, Adobe Acrobat, we're down here to browsers, Chrome, CCleaner. So it allows you to use the same infrastructure that you have in place today to go ahead and patch those third-party applications in system center. Again, this requires system center, this is not a standalone product, it needs a system center interface, it uses the same system center agents without modification, it uses the same system center databases, the same WSUS server, the same WSUS server database, there is no additional infrastructure changes. It is literally a product, and I feel very confident in saying this, if you decided to buy this product today, you could patch tonight. That's how simple this is to implement because, again, it's using your already existing work goals, already existing process.
 
So that's patching the operating system with the Microsoft to patch the operating system and Microsoft applications and the third party stuff with our patch content. So I've showed you the two patching solutions. Again, the standalone patch for Windows that patches everything that's a replacement to windows update, and the patch for system center that uses windows update and system center to do the patching.
 
I'm now gonna change gears on you and talk about this application control that Chris was talking about. Again, there's depth and defense. So, I've got antivirus blocking the known things that I have, I've got the patching and the operating system that's taking care of the vulnerabilities for the operating system, I've got the patch and the third-party applications which is taking care of the vulnerabilities that are in Adobe, in the browsers, and those kinds of things.
 
So, the next step is okay, that's great, what do I do about, you know, this application control and this license or a privilege [inaudible 00:33:39] what we were talking about. So, again we have in this environment our user work space manager. Now, in my case, I'm showing all of the products in that category, application control which is, again, the one I'm gonna show you now, environment manager which is the best way to describe this is GPL on steroids, we can really control the environment, we do several process...I mean, we do incur [SP] processes against those things, we can manage the environment, we can see what's going on out there, and then performance management to help you reduce log in times if you're in like a Citrix environment or something like that.
 
So, in this case, I'm gonna go ahead and launch the application control console. This console, again, is really just a rules manager if you will. Now, the basic, out the box functionality, if you implemented this today, we will use what's called trusted ownership. The easiest way to understand trusted ownership is when you look at a file owner. So we have system, administrators, administrators and trusted installer, and I'm gonna just minimize this for just a second. So, I'm just gonna go into my...I'm gonna find Notepad here. I'm gonna go open in a new window. The Notepad opens up for me, it executes, it works just fine in the environment that I'm in. And the reason that happens is, again, I'm not gonna go to it...quick here, I'm going to go into Windows, System 32, I'm going to do a search for Notepad, and if I right mouse click and take a look at Notepad, under the properties, under Security, and Advanced, I can see that this is owned by a trusted installer. It's owned by a trusted installer. And that's one of my trusted applications. But watch this. If I copy, let's do a standard copy, and I paste Notepad onto my desktop, and now, I...same application, same EXE, all I've done is moved it. And I go back to Details, and Advanced, and I now see that it's owned by me. Ownership is extremely important in our model here.
 
So for example, I gotta bring my interface back up. For example, Java might fit into that category of trusted applications. It was installed correctly, it was installed by the administrator, it's running exactly the way it's supposed to run. And one of the things with ownership is we can also allow subprocess to execute. But what if one of those subprocesses goes out to a bad website, downloads an EXE file, and tries to run it in your environment? It won't be on this list. It's almost like going to a nightclub and getting up to the door and the guy goes, "You're not on the list, you can't get in." And that's exactly what this is. Even though the application has been downloaded, that EXE will not run because it's not part of the trusted ownership. So that's the first level of understanding how this all works. 
 
The next level then is, "Okay, now we've got that set, now, let's set up some conditions." So again, let's say for our administrators, as Chris has mentioned earlier, I'm gonna make them a self-authorizing group. In other words, if I'm logged on to the machine and I'm an administrator and I try to run something that is not owned by a trusted owner, I'm gonna be prompted and I'm going to have to check a box or even perhaps log in, and using my passwords to access that application. But at least I'll be able to do that. For your main users, I'm gonna put those guys in a restricted mode. Meaning that unless I explicitly say it's okay, they're only gonna be able to run those things that fall into that trusted ownership model. 
 
So again, let's say, for example, I want to allow them to execute a particular file, maybe it's a specific application that's in your environment. If I'm part of the HR group, maybe I wanted to say there's a whole folder out there of files that I want them to be able to run. If I'm the SQL manager, even though I don't have the administrative privilege, I can allow that application to run as a trusted app based on the information I have. I can go out, for example, and choose individual apps that I wanna be able to allow or not allow. So I can be very explicit, this is very much like standard whitelisting, blacklisting. I can also go out and do the same thing. And I can, for example, I can deny a file. You know, so again, let's just say Notepad, for example. The problem with this methodology is if somebody decides to rename Notepad to Notepad with two Ds, it would execute. So maybe instead, I would add this as a signature item, I would find that same file, I'm just gonna grab one here. I'm just gonna grab this one, and it has a specific hash. 
 
So even if I rename the file, it won't execute because it's not in there. So that's how I kinda set things up. I have this bar method where I can say audit, self-auditing restricted, or so forth. And then finally, what we were talking about earlier was user privileges. So again, this is where things get kind of interesting. So again, I'm blocking everything from executing. However again, I can go and say but I'm going to raise the privileges for this particular application. So let's say I'm allowing somebody to download a particular file, and I'm even gonna allow them to make it allowed to run and I'm going to control...I'll even let them install it as a trusted owner. So it's gonna change that file to a trusted owner type.
 
Here's another great example. In order to change my clock down here, to change the time, I have to be an administrator. But what if, I, again, I restrict my users and right mouse click and say, I'd like to add a windows component. I'd check the date and time, and I'll let them do things like maybe run one of the software, change the displays, whatever it is I want to be able to give, I can give them explicit capabilities to do that. Now I can also identify a self-elevation capability, which means that it's gonna find out all items except for the ones that I have below or only to the ones that I have below. So again, I have these self-elevation options even to the point where I can, again, make these items allowable, install them, hide them, run as administrator capability. And so it allows me to have complete control over what's going on in my environment.
 
The last piece of this is sometimes, you wanna be able to give somebody a momentary or a temporary access to something. So, we can even provide a dialog box that pops up and says, "Hey, I'd like to choose a specific windows application or component, browse for it, I'd like them to allow me to use it." I want it to be set to me based on a phone number and say, I only need the privileges for an hour. And what will happen here is what I hit the...when I send this information, when I request this, it'll send information to someone in your support organization which will then call them back or provide them with a response code so they go and type that code in and they can move forward with that application.
 
So these are all the types of things that we wanna be able to do in this environment. And then finally, again, going back to the management pieces, once I have that all in place, I can begin to monitor the agents that I've got installed, the information that's going out, I can take a look at that in the events log, I can see what's been happening, what applications have been authorized, I can see when they did it, who did it, why they did it, and I can begin to understand what's going on in my environment and be able to control that information based on that.
 
So that's, again, the application control part of the discovery of the conversation, so we're now patching the operating system, we're patching the third-party applications, and we're executing the application control piece.
 
The final piece is the ability to run these reports. Now, again, if you haven't seen it before, this is our extraction products. This actually comes with every Ivanti product. It's licensed for use. And it allows you to see in a very graphical user interface pie charts, bar charts, graphs, lists of information. I can set all sorts of different categories of things that I'm looking for. I can take a look at my management server, I can take a look at denied executions, I can take a look at patch requirement. The real beauty of this solution, however, is not necessarily the fact that it's a dashboarding tool because there are many companies that make a dashboarding tool. What is unique about this one is the way that you can build your applications, you don't have to be that SQL person, you don't have to understand inner joins and outer joins, you don't have to understand what a select star from table where clause kind of stuff. 
 
It allows everybody in the organization, based on their profile, based on who they're logged in as will then determine what they have access to, and from that and through a list of components that we've got pre-created, they simply choose the palate, drag, and drop, and create the information that they want. And they can even drag down and see that information. They can see the records behind this data. View that information. I can export that data. It's all real-time content as well. So let's say, for example, I just wanna see the updates that have not yet been installed. I can click on that kind of the filter component, and it'll update all of the other factors showing me just now, just the required updates. Again, if I go down and take a look at all these different types of chart that can be created. This is denied execution. Part of that application control that I was just showing you. Here are patches with the greatest risk. Now, this is coming from our patch information and it's coming directly from the database. And again, this is real-time information. And again, I'm nuts[SP] over this. We're taking a look at the critical patches from our patch for windows product and so forth.
 
So again, it's highly valuable information, very easy to use. This is the kind of thing you can put up on a dashboard, on one of those big boards in your data center, and you can see all of this information. And again the beauty of this one is you don't necessarily have to know anything really about the data, it's nothing more than a point and click to create this information.
 
And so with that, I'm just gonna summarize. We're getting closer to the time for our Q&A, but again we're talking about, as we had before, we're talking about the ability to do all of these five things. So, Chris, I will let you come back in here.
 
Chris: All right, thanks, John.
 
So, you guys have seen a variety of different technologies here in play. Again, with this, there is a number of studies out there that's showing the effectiveness of this type of layered strategy. You know, if you're familiar with things like the stance of CIS framework, this is zeroing in on the, kinda, top five security controls. They're the ones that are gonna be the most effective, give you the most bang for your buck.
 
So that's where, you know, Ivanti has a lot of other capabilities that could help broaden your security program even beyond that getting into service management to handle incidents and getting into full asset suites that can help you to manage the asset lifecycle from start to finish to be able to start to do things like identify assets as they're coming in and make sure you're monitoring them always through until end of life. I mean, if they're obsolete getting them out of the environment. There's a lot of different components here beyond these five steps but what we've done here today is looked at this particular attack, frame this up from if you could take five steps to take the teeth [SP] out of this type of attack, the city of Atlanta would have had a very different experience trying to thwart that attack than what they did experience.
 
So, at this point, we'd like to take any questions that anybody might have. Feel free to jump into the Q&A and shoot any questions over. If you have anything in particular, we'd be more than happy to jump back into any of the solutions we just talked about and answer any other questions you might have.
 
Man: [inaudible 00:46:36]
 
Chris: All right, not seeing anything yet. We'll give it one more minute here just to make sure that anybody who's having their question in right now can still that answered.
 
All right, there is one question here. Is this the replacement for [inaudible 00:47:06] or subset on the replacement?
 
So, that's a good question, Andrew. So, we can... If you wanna get a lot more detail about that, we can absolutely do that. What you're looking at here, the same technology capabilities are available on the platform that you'll be moving to with [inaudible 00:47:24]. What we were focused on today is more of our security focus products. The [inaudible 00:47:30] replacement is our whole endpoint management platform. So this would be, you know, if you're not using Microsoft system center, this would be a full replacement for that level of assistance management product with a lot of other capabilities as well including our security capabilities, patch management, device control, app control. You know, those capabilities are all in there as well. So the technologies we talked about Andrew, would be available in that replacement product for [inaudible 00:48:00]. But that particular product was not one of the ones we show here today. Reach out to us though, we'll be more than happy to set up a kinda one on one conversation with you and even get one of the UEM product managers involved to talk to you through the kind of the migration and the upgrade strategy for you.
 
All right, that is the only question we have right now. Any final questions? All right, otherwise, we'll go ahead and give everybody [inaudible 00:48:41] back of their day. Thank you for joining us today. Again, you'll get some follow up after this. If any of these were of particular interest, feel free to let us know. We'll be more than happy to go much deeper into any specific areas. If you're in an SCCM environment, if you're coming from an environment that's using [inaudible 00:49:00] or something like that today, if you're looking for a full endpoint management suite along with the security features, again, we've got a variety of solutions to handle a variety of environments. But the same level of our capabilities, we can provide no matter which of those scenarios you might be in. Thank you.