Learning from SamSam Attacks: 5 Steps to Securing Healthcare IT

September 20, 2018

John Rush | Sr. Systems Engineer | Ivanti

Chris Goettl | Director, Product Management, Security | Ivanti

The City of Atlanta was rocked by cybercriminals that locked up critical systems and applications earlier this year. Now, these paralyzing SamSam attacks are targeting the healthcare sector. Just in the last month, 7,000 of LabCorp’s systems were impacted in 50 minutes by a brute force attack. With this target on IT’s back, healthcare organizations must find ways to better secure their environments, and quickly.

Join Ivanti’s Chris Goettl, Director of Product Management for Security, and John Rush, Senior Systems Engineer, as they talk about taking security to a new level for healthcare IT in just five steps.

  • Get insights from recent cyber threats now targeting healthcare
  • Learn why a handful of solutions can protect against up to 95% of cyberattacks

Transcript:

Chris: Good morning, everyone. My name's Chris Goettl and joining me here today is John Rush. Thanks for joining us, John. And today we are gonna be going through, talking a little bit about some healthcare related security topics and specifically, we're gonna be looking at a group of ransomware called SamSam. Many of you are probably familiar with these guys. It's a ransomware family, but also a mysterious threat actor by the same name because they don't have a better name at this point. But we're gonna look at this particular ransomware family, how it has been successful, a few high profile, you know, targets that they have hit in the secure...in the healthcare space. And then we're gonna get into a little bit about, you know, how can you strengthen your security program to help defend against attacks like this.

So, as we go through this, if you do have any questions, please throw those into the Q&A section, and you know, after a few slides here, I'm gonna switch over to John and he's gonna take us through the technical demonstration of a few of our Ivanti products that are going to give you an idea of what we can do to help in some of these key areas.

All right. So first, let's start with the simple question of what exactly is SamSam. You know, so this is a family of ransomware. It was developed and released in late 2015. It is being developed privately by a group of threat actors believed to be out of Eastern Europe. It is frequently updated and one of the dangers there is that this is...it's not off-the-shelf ransomware as a service. These guys are building an interesting ransomware platform that is only used by them and is very effective, frequently updated to avoid AV detection, endpoint defenses, other things like that.

So the things we're gonna be talking about today are, they're common tactics and the ways that make them successful and measures that you can take to try to reduce the potential for this type of attack to be successful or slow it down so that your detect and response capabilities can catch it before it gets out of hand. One key thing about these guys is unlike most ransomware attacks, SamSam attacks are a focused attack. It's not a blanket phishing campaign that starts off or something along those lines. These guys basically identify targets and then they are part of the attack pretty much all the way through, and we're going to talk a little bit about some of their methods.

So a typical SamSam attack, you know, the phishing and other, you know, user-targeted methods are commonly used in ransomware-as-a-service campaigns, but that's not typically the way that a SamSam ransomware attack starts off. SamSam attacks will target public facing servers or services. So, one of the examples was earlier this year, the attack on the city of Atlanta, they exposed vulnerabilities in JBoss Java development servers and used those to gain access to the environment. Several others including one of our cases that we're gonna talk about today, they use brute force attacks on public-facing VPN and RDP services that allow them access into the environment. From there, they spread out through the network, reaching a critical mass before they actually launch the ransomware. So typically, when an attack like this finally gets detected, it's usually when the encryption starts happening and at that point, it starts happening in parallel across many systems at once and this is one of the things that kinda makes these guys so successful at what they do, is they reach a critical mass before doing the things that will make them most detectable.

They are, you know, doing a per system ransom, but they also get up to a point if they reach enough systems, they offer a "reasonable" ransom, because, in the case of ransomware, you're extorting people for money. What's reasonable about that? Well, in this case, offering, you know, roughly $50,000 ransom for the entire environment versus, you know, 2,000 to 3,000 in Bitcoin value per system becomes very reasonable when you get to the volume of systems that they typically impact. Again, this threat actor is active throughout the whole attack, so this is not like your typical ransomware attack. These guys are behaving more like in, you know, it's behaving more like an advanced persistent threat. It's a real adversary in your environment throughout the course of this attack.

So that's a little bit about what an attack looks like there. Now, a little bit about the, you know, how successful have these guys been. Again, their average ransom paid out is around $50,000. They're averaging around $330,000 per month. And since they've been in business in 2015, they've...there's an estimate of roughly $6 million that they've collected in ransoms since they first launched in 2015. So these guys are believed to be a small independent group. If that's the case and this is their full-time job, those guys are doing all right. So it's been a very effective threat platform and their methods are definitely working. So we wanna try to identify some of the commonalities between these and ways that you can tighten your security in your environment to defend better against this type of attack.

So let's talk about a few high profile cases that have happened recently in the healthcare space specifically. The first one here was an attack on Allscripts. This one happened in January. Little bit more detail about this and you'll have links to those incidents, the news articles about them in the presentation as well. But a little bit about this one, the attack was detected pretty quickly, but it took about four hours to figure out that it was a full-blown ransomware incident and really start to kick things in gear. This variant was undetectable by antivirus, again, you know, regular antivirus capabilities did not detect or be able to stop this. They tried to react as quickly as possible, but, you know, they ended up getting things to the point where it was contained and recovering roughly within 24 hours, but it really took another 6 or more days before they actually had their services back online.

So the lessons learned on this one, they kinda went through in this article and talked a little bit about Allscripts and, you know, the reactions that they had, the areas where they struggled. There was a lot around communications as an incident like this does occur. Communications is very important, especially in light of things like GDPR, disclosure of an incident like this is very important in a public facing event like this, communication with your customers, with patients and other things, is also very important. And they had some conflicting information as they were kind of communicating out to the public around this. There were some security controls that they ran into, and there was no one silver bullet that would have helped here; it really is defense-in-depth, multiple security controls working effectively together, that's needed to defend against an adversary like this. Least privilege, proper patch management, good detection capabilities, and good recovery capabilities are all critical to defend against a threat like this.

So one thing that I did link to here is the SANS Incident Handlers Handbook. It talks about many of the steps that help in a case like this, preparation, making sure that in the healthcare space, ransomware is definitely a real threat for all of your environments. Making sure that you're prepared for a ransomware incident, that you've rehearsed how you would react to that, how would detection potentially come in? Who are the people who would be contacted? What are the immediate things that you would start to lock down or turn off in a case like that where you've got an outbreak of a ransomware incident? And then getting into identification of and containment of that real-world threat if it occurred, how do you identify? What detection mechanisms do you have in place with that? How quickly can you lock down and get to containment? And then talk about eradication and recovery.

So looking at this one, the impact of this particular attack, some of these were direct quotes from customers of Allscripts in this case. One of the first ones here, there were three victims really during this SamSam ransomware attack. There was the company itself. Allscripts definitely had a very rough time, you know, through this incident. There were their direct customers, which as you can see here, 1,500 medical practices were impacted by this. And then there were the patients of those customers that were being served. Roughly an eight-day outage for many of these 1,500 practitioners, there was a credit of 33% that was offered back to these 1,500 medical practices, which again, down to one of the medical practices that was impacted, they lost a lot more being down and out for 8 days than that 33% credit that they were given. So the impacts, in this case, were at many levels. The patients were, you know, one of the quotes was from an OB-GYN and their quote was, "How many days can you, you know, wait during a pregnancy to let your doctor get access back to your medical records?" So things like that are, you know, very difficult in a situation like this.

The second incident that we're gonna talk a little bit about here is LabCorp systems, which started out with a brute force RDP exploit. So they were able to break in through RDP access from the public-facing side. The attack, in this case, was detected as the first system was encrypted by ransomware. They reacted very quickly and within 15 minutes, they had it contained. But in that 15-minute window before containment, you know, prevented any further ransomware encryptions from happening, 7,000 systems and 1,900 servers were impacted. Now, LabCorp, large, you know, test lab environment, they had a lot of labs systems, a lot of test systems and everything as well. So only 350 of those servers were production servers, but that was nearly 9,000 systems that were encrypted in as little as 50 minutes.

This is how the SamSam approach becomes so catastrophically impactful very quickly. They wait until they reach a critical mass before starting any encryption so that they kinda maximize the impact to the environment they're in. By the point where they started encrypting, that 50-minute window allowed 9,000 systems to get hit. If LabCorp had responded any slower, the impact could have been significantly higher. And again, this was... The initial source of entry, in this case, was an RDP instance that was brute force attacked in that case.

All right. So let's talk about some different security controls that could have helped defend in this particular...in these types of cases. Like I said, again, there's no one security measure here that's going to save the day. There's no magical security tool on the market that's going to come in and you know, solve all these with quick detection and response. It really is a multilayered approach. You have to be able to discover your environment, understand what's all there, and also have good detection in place to be able to detect malicious activity. In this case, it goes beyond a simple AV, seeing behavioral attacks, you know, the behaviors behind there, being able to identify bad behavior and trigger responses based on that rather than just AV detection is required. Reducing that attack surface, you know, making sure that there's less and less ways that these guys could have spread themselves around, taking actions to solve problems.

So when you start to lock down systems in your environment, what tools do you have in place? How can you respond to and start to lock things down? And then analyzing that data for insights into issues, making sure that you can see a true incident from all of the noise that you typically start to see with all the different detection tools you might have. Now, at the same time, you know, providing those defense-in-depth capabilities also comes with balancing that security with the needs of the user. One of the biggest challenges we have is how do you manage updates? How do you manage app control? How do you manage privileges in an environment without crippling your ability to execute business or raising your support costs to a level where it's a challenge in another way? So making sure that you've got the right balance between that defense-in-depth approach and making sure the user and the business are still gonna be effective.

So one of the first things to be done is you do need to make sure that you've got good training practices within your environment. Security awareness is critical. Making sure that people are aware of, you know, in this case, one of those examples we talked about the fact that they were able to brute force through the RDP service. Well, somebody, you know, a credential somewhere or some account was compromised, a weak credential was attacked and allowed them to get access from the outside. So, making sure that people have good strong security practices, good password strength, that they understand the need for doing software updates, the need for running application control, making sure that the users are educated. In this case, phishing and user-targeted vulnerabilities did not get used in this particular example, but making sure that you can spot a phishing scam and that most of your users are trained up on that is also very important.

There are a lot of ransomware attacks that still use those types of methods. So one thing about the phishing side, you know, education programs in organizations are definitely helping. Our ability to spot phishing scams is improving. From the Verizon data breach investigation report that came out earlier this year, 78% of us did not click on a phishing scam all year last year. So obviously our, you know, training programs awareness around this is improving things. The problem is there's still, you know, 22% of users at one point or another clicked on a campaign and 4% of, you know, those users are typically those repeat type users. One thing that your training program can help you figure out is, you know, one thing that we actually do here at Ivanti is we use our education program to identify users like this. We have people who are caught in phishing scams. We've identified users who are more susceptible to those types of attacks and we can choose to put them into more restrictive groups. If we see somebody caught in one or more phishing scams internally, we can actually put them into a tighter, privileged management or app control policy to ensure that they've got a higher level of security preventing that from becoming a way that somebody is gonna get in. So use that education program, not only just to educate people and reduce the chances, but also to identify those weaknesses, those users who are more susceptible.

Another key piece is the discovery, you know, making sure that you can see what's in your environment. So if you can't see it, if you don't know about it, you can't secure it. Really, the first and most important part of any security program is having a good asset management program. Making sure that you've identified all your hardware, that you've identified all your software, that you know the breadth of the threat and that you're continuously able to identify new things as they come onto the environment, identify old systems and old software that need to be retired. All of those things are very important.

Patching is probably the biggest reducer in attack surface out there. If you're looking at any vulnerability assessments, you're gonna see that the majority of vulnerabilities do come through the software layer. So making sure to patch the OS and the applications and you do need to extend past just the base applications. You've got to make sure you're getting those third-party apps as well. Comprehensive patch management will reduce the majority of the attack surface. Now, patching is only good if there's an actual update to apply. There are zero-days, there are vulnerabilities that can be exploited before anybody knows about them. In fact, in this last month's patch cycle, Microsoft plugged a zero-day vulnerability, an ALPC vulnerability that allowed elevation of privilege so that the attacker could execute in the context of Local System, which pretty much let them own the box. That was disclosed and two days later used in a real-world attack and the patch was not available for about a week after that. So the challenge here is identifying what vulnerabilities need to be addressed first and making sure that you can address them quickly. So your vulnerability management solution and your patch management solution need to work well together to be able to plug those gaps.

Admin rights. This is obviously a challenge as well. We expanded out and gave more and more admin rights to more and more users throughout our environments and now we've got a rather large problem. How do we take that back? How do we rein in that problem without catastrophically impacting our ability to execute and our users' flexibility to, you know, self-serve themselves? So facilitating removal of admin rights across the enterprise is ideal. We've got two methods for doing this. We call the first one just enough administration. So if you're a local admin on the system, how much administration is enough? Can we take away certain key tools that an attacker like the SamSam group would be using? So one of the things that they do once they get on a system is they'll use tools like Mimikatz, which will compromise additional credentials. And from there, they'll use a valid credential in that environment and they'll use existing tools from that environment as well. Things like PsExec and WMIC and other tools like that to be able to jump from system to system all with what looks like a valid credential. Well, in that case, if we could have taken the ability away from that local admin account to use certain tools like that and lock that down further, some of those things would have been taken out of that attacker's toolkits and it would have slowed them down.

Getting to the other method here, just-in-time elevation, so getting somebody down to just a user. Making sure that we can elevate the things they're gonna need. I'll give you the ability to install printers, but I'm not gonna let you have access to run a command prompt. I'll give you the ability to change the date and time, but I don't want you to have PowerShell rights. Those are all things that you can elevate just the things that they need at the time that they need them. So that's what we call just-in-time elevation. Allowing users to access the tools they need without excessive rights. So we're gonna show you some demonstrations of that, some of the admin...our AC capabilities, privileged management capabilities.

The other thing that we need to do is make sure that we've got good application control in place. So I mentioned a tool called Mimikatz. This is definitely a tool that's used to do malicious activities. It's never, in any case, good to have in your environment and it is untrusted. So if you've got a good application control product in place, the attacker, even if they found a way to get on the system, once they try to in some fileless method, if they tried to launch a payload like Mimikatz, application control would have kicked in, said, "No, I'm sorry, you're not a trusted application. You're denied." So even you know, in those types of cases, you can take a large portion of their toolkit away from them to slow them down and make it harder for them to be able to move around your environment.

One of the key pieces that makes the SamSam group so very successful is they get around to a huge portion of your environment before starting the encryption portion of that ransom. By slowing that movement, you're giving more time for your detect and response capabilities to kick in, identify that there's bad behavior going on and be able to thwart that attack before it reaches a critical mass that's very hard to stop.

Trusted ownership. This is one trust model that we'll be talking a little bit about, but this is a good example of different trust models that we have within our application control product. One of the challenges that many of you probably know, you know, if you've been in the industry for very long, if you've tried to implement and maintain a traditional application whitelisting solution, there's a heavy cost to implement and there's a heavy cost for maintaining all throughout. Well, different trust models like this can apply a high level of security with a very low operational workload involved with that. And we're gonna show you a little bit about this particular trust model and we do have several others, trusted vendor, being able to validate things that are signed by a vendor that you do trust, if Adobe or Microsoft or you want to encourage your users to be able to self-serve, you wanna give them access to certain applications. Those types of trust models can enable them to do that by using established trust models that exist within the world.

While tools like Adobe Reader might be installed, well, because they're properly signed by a valid and trusted code signing cert, something like Mimikatz would be denied because it doesn't have any proper trust model applied to it.

And the last one here, insights, making sure that you've got good visibility, that you can see what's going on in your environment, that the right people are getting the right information. To be able to react and respond to security incidents is also another critical part of securing your environment against this type of threat. So to summarize a few things here before we get into the demonstration, you know, training awareness, still very critical. You know, it can also be used to identify users who need more security, more restrictive policies around them if they are prone to those types of user-targeted attacks. Again, the particular SamSam case that we're talking here doesn't apply...or they don't use phishing tactics typically, but in many cases, phishing is still a huge part of how initial entry into the environment happens. So we wanted to include that in here because it is a critical part of your security program.

Detection, discovery, insight, making sure you understand your environment before a security incident happens. How many systems are in your environment? What types of applications are around them? What types of vulnerabilities are there within that environment? You know, even getting into identity management and understanding this user has access here, here and here. Make sure that you've got all those things kinda coming together and you can see the scope of the risk to your environments. Patching the OS and applications, again, this is your biggest reducer in attack surface. If I've got a lock on my front door, that's all fine and good, but if I've got just a screen on my window right next to the front door that has, you know, no full window pane next to it, no ability to lock it, anything else, well, how much have I really secured myself? I need to reduce as much of that attack surface as possible and make sure that I've got, you know, good locks on all doors, all windows, and so on. Well, patching is that method of ensuring that more and more of those potential vulnerable spots in your network are plugged as frequently as possible.

Privilege management. This is where you're going to reduce that lateral movement, reduce their effectiveness, their ability to move around your environment. Again, one of the key things that makes the SamSam group so effective is they get to a lot of systems before launching the end game portion of the attack, the actual ransom itself. If you can slow them down at that point, if you can limit the number of systems they can get to, you get more time to detect what's going on and be able to respond to it effectively, you reduce the number of systems that they can possibly reach. And again, there's no 100% in security, but doing things like this will help you reduce the impact if something were to happen to your environment.

And then application control again, taking the teeth out of an attack. This will help with zero-day threats. This will help with removing tools from that threat actor's toolkit, tools like Mimikatz, other backdoor tools, and things like that that are very effective in many cyber threats. These things working together, if you look at studies from the SANS Institute, Australian Signals Directorate, many other security bodies around the globe, doing these things well will help you mitigate or eliminate 85% of cyber threats today. So that's a huge amount of the noise, eliminated so that you can focus on detecting and responding to the threats that do get through. All right. So, John, we're gonna switch over to doing a bit of a demo here. For those of you watching, give me one second here to give John presenter rights and he'll share out his screen and we'll take you guys through a couple of quick demonstrations and then take any questions as well.

John: Perfect. Thanks, Chris. Let me just kinda clean up my desktop here. Again, I'm gonna kinda start in the end, and that is understanding what's out there. As Chris is saying, it's important to have the insight of what's going on in your environment. This is one of our products called Xtraction, which is a dashboarding tool, and it allows us to view into our patching environment in this particular case, the machines that are out there, the patches that are on those machines, the criticality of that, and even the ability to drill down and take a look at that. So if I wanted to see what critical updates I have out there, I can actually drill down and view the records behind that and see the specific things, be able to export that, hand that off to the security team or the IT administrators and be able to deal with that. Very easy to use. It just ties directly into the patch environment.

And again, we have a number of already created dashboards and reports to kinda give you an idea of what's going on. How we gather this information...let me just kinda change screens here. How we gather this information is we have, again, as he was saying, we have a program called Patch for Windows, and what this allows us to do is it allows us to create scans, either agent-based or agentless and that's kind of a key differentiator. We can actually scan your environment without having to put an agent on any machine. It'll come back and tell us the status of those machines. I can see all my machines here, I've got a number of critical updates that are needed in my environment. If I drill down into a specific update, I can see the information about that update, things like the CVE information. It's always interesting. One single patch can satisfy a number of CVEs. And again, most organizations today have two different organizations that are working in this. They have a security group that's working with some type of a vulnerability scanner that's going to generate CVE information and then the patching group and they deal with individual patches, usually based on a Microsoft or a third-party bulletin ID. And it's very difficult to get those two organizations to be talking the same language. And we have the ability to import that CVE information and be able to scan against the information that's coming from the security group.

The way that we create this environment, the way that we manage machines is we generally do it by what they call machine groups. So an example, I've got a group of machines here, I've got some Windows 7 machines, Windows 16 servers, and some Windows 10 servers, and then I have a number of what we call patch scans that I can scan this information in. And again, in an agentless way, I can set up a recurring task, I can have an automatic process happen, but generally speaking, what we do is we just scan. So as this begins the scan process, we're logging onto each machine, we're pulling in the information about that machine, again, agentlessly, and determining what's on. So I'm going to just jump here ahead, so the results come back looking like this. So I can see that I'm missing 4 patches, 2 patches, 24 patches, and so forth. And again, that allows me to drill down into that data. And then if I do wanna know specifically about an individual machine or if I wanna go ahead and patch something, let's say on this Windows 7 machine, I can see that it's missing the number of criticals, I might just select a couple of those criticals and be able to go ahead and deploy those patches.

In the deployment phase, we're handling all the information about when to reboot, type of reboot, a message is displayed on the screen. Do I wanna execute pre or post process scripts? Do I wanna generate emails that go out to individual owners or information? And even in the case of VMs, do I wanna take a snapshot of that VM before we patch it? This is something that, again, is very powerful when an organization has systems that are mission critical that just simply cannot be coming back up at the end of the patching cycle. So imagine if you will, I've got a server out there that, you know, is running some of my healthcare environment and if something goes wrong with that server at the end of the patch cycle, if I can't get it done, people are dead in the water. And so what we wanna do is we want to be able to say, take a snapshot of that, patch it. If everything works great, no problem, we'll just delete that snapshot for you automatically or then you can revert back to that snapshot.

So these are just some of the things that we can do. And then in the deployment phase, I'm just gonna do this now. We actually go out to the manufacturer, download the specific update. Generally speaking, we make sure we find the one that doesn't have the Google toolbar or the Bing search engine in it. We then create a deployment package. The package is sent down to the machine or machines and then deployed. Very simple, very easy, and again, in such a way that we're doing this all agentlessly. Now we do support agents. So let's say, for example, you've got machines that are outside the firewall, we can put an agent on those machines and those machines talk to a cloud component that we have, so I can even manage machines that are off network all the time. Machines that never ever, ever touch the network, I can manage those as if they're on the network because again, I have the same patching capability, the same reporting information, the ability to schedule those things to happen specifically when I want.

So that's kind of a quick view, but again, the idea here is the ability to scan, review, deploy, and report against the patches that are out there. And again, it's both for not only Microsoft but third-party applications as well because when I'm creating these scan templates, I can actually choose. I can be very specific about what I want to scan for. In this case, I'm looking for security patches, all criticality for all products, but I can also be as specific as I wanna be. Maybe I'm only interested in Adobe Reader and I wanna make sure I only touch the versions that are important to me, so I go down and check the specific boxes. I can do the same thing with Microsoft applications. I can go here to the Microsoft Tab and I can choose things like .NET and choose the specific version. Same thing with Java. I can choose exactly what it is I want to scan for and make sure that I'm deploying those patches. So again, a very, very powerful environment for doing that capability.

So that's the patching piece of it. And what Chris was saying is really important to understand. Patching will take care of a lot of vulnerabilities. In other words, if a bad piece of software gets into your environment, if a patch has already been applied, that vulnerability probably won't be able to do anything bad. The WannaCry that happened last year. A patch had been available for three months, but organizations had not patched their machines. That's how that specific ransomware got into place. Even though a patch was available, organizations did not have the tools in place to understand or recognize that that patch needed to be applied. And that's really where a tool like ours comes in and allows you to make that happen.

So now I'm gonna switch gears on here a little bit and talk a little bit about application control. And I thought the best way to start that out...let me just minimize this for a second, is just a little bit of a tutorial on ownership. Chris mentioned the term trusted ownership. And again, the idea behind this process is every file on your computer is owned by something, someone. In this case, I've got Notepad up here. If I highlight Notepad and go down into its properties and I take a look under the security tab under advanced, I can see that this particular one is owned by what's called TrustedInstaller. Now here's the interesting thing about how these things work. If I were to just take the standard copy command, right mouse click, tell it to copy, move this onto my desktop and paste, in that process, that file is no longer owned by TrustedInstaller. It is now owned by me.

So what I'm saying here is that since every file has an ownership, then we should have the ability to be able to stop unknown things from executing even though your antivirus tool hasn't picked it up. An example of that, so I'm gonna log into this desktop. I have three different logins. I'm gonna log in first as, you know, Joe Admin, that's who I am today. When I'm Joe and I log into the system, I can basically do anything I want to do. I can log into the system, I can access the files, I can execute the things that I want to. I can run Notepad, all the kinds of things that you would normally expect me to do. So there's that same Notepad, I run it, my life is just fine, nothing different there. Let me log out as Joe and let me come back in and I'm gonna use my wife's name here. I'm gonna log in as Jill. Now Jill is part of a different group. She could be, for example, part of the...a group of people that have access to specific information. In this case, I'm just gonna log in as Jill.

Now, when I log in as Jill, if I typed it right, when I log in as Jill, I get a slightly different look. In this case, I've got a red background, so I know what it is. Here's Notepad. I'm gonna go ahead and try to run Notepad, but this time I get a box. The box says, "Application control is in place and you're not allowed to run this without authorization," and then I've turned on for Jill the ability to self-elevate, meaning that as you can see, I can remember this decision forever or just do it permanently and I can go ahead and execute. I can also, using application control, I can block things like Firefox or maybe in your environment, the only tool, only browser people can use is Edge, the only tool they can use is Chrome, the only tool they can use is Firefox. I can put that out.

And one other piece is I can provide to Jill a request dialogue or a form that comes up and says, "I would like to get access to a specific application." I can browse for the file name that I want. I can even access this through an email or I could do it through a phone. So if I change this to a phone number, then I actually get the information. I could call my help desk, they could give me a number and they would authorize its use. So this is what we call the self-elevation capability. Now, let me go one more time. I'm gonna log out as Jill and this time I'm gonna log in as me. I'm just lowly J Rush. And so when I log in, same machine, just a different access right if you will, so I come in and now I try to run Notepad just like everybody else did. Now remember, with Joe Admin, I had unrestricted rights, with Jill, I had self-elevation and as me, I am simply blocked from executing it. I can't do anything about it.

So that shows the three levels of functionality. So let me go back and say how we kinda put that in place. So through the application control capability that we have, I'm just gonna go ahead and launch my application control tool that allows me to set these policies. Think of this as a rules generator. We're gonna generate some rules. Let me go full screen here. We're gonna generate some rules. I'm gonna go ahead and open up a policy that I've got under management, this is how I get this out to everybody's machine and I'm just going to pull that into this environment, pull the latest build of that. And again, so here's what we have. For the administrators, I've got them in an audit-only mode, meaning that as they access administrative right types of things, applications, functionality, system controls components, I'm gonna audit that, put that into a log file so I can see what people are doing.

And then very much like when we were talking about that trusted ownership, trusted ownership represents these types of things. So the system file, that's a trusted owner. So when you install, for example, when you install the Windows operating system originally, it's gonna be owned by one of two things. It's either gonna be owned by system or it's gonna be owned by TrustedInstaller. I've also said, again, for the purpose of this example, the built-in administrators and computer name administrators also have the rights to do things. So those are what we call the trusted owners. I can do what's called, you know, the traditional whitelisting and blacklisting. So if, for example, I've identified a few folders that it's okay to run in, I haven't denied anything specifically and I don't need to do any elevated privileges here because I've given them already all the rights that they need for the functionality that they have.

Now for the general everyone, I've put them in a restricted mode. Again, in the restricted mode, only things that were installed by, again, trusted owners, so again, the original install of that machine, applications you've identified and installed using the trusted owner or system, those things will run okay, but if they try to go out and download something from a download site like CNET or some other environment and they download files and they try to install them, they're gonna get blocked. Or the best example of this is Java, for example, is an application that is trusted by most organizations though it probably shouldn't be. And also the subprocesses for Java are trusted. But what if one of those subprocesses goes out to a nefarious website and downloads an exe behind the scenes and then tries to execute that exe? That exe will not have trusted ownership. It will not be a TrustedInstaller. It won't be administrator, it won't be the system, therefore, that file will be blocked automatically. You don't have to know about it, and that's really what Chris was talking about earlier.

The speed in which variants are being created is outpacing the ability for antivirus to keep up. In other words, do you wanna be the very first person to get hit with a new ransomware that has a new signature? And again, if you don't understand how that works, if I'm the bad person, all I gotta do is take my original code, make a change in the original code and recompile and it now has a new signature and will get by your antivirus tool. So what this trusted ownership does is it's a proactive way to stop things.

Now, I've also gone in and here's Jill. So again, I did this for a specific user, but it could also be based on, you know, all sorts of things, what group they belong to and so forth. I've put Jill into a self-authorizing mode, so that's what you saw, and the self-authorizing could be an email, a telephone, it shows up the dialogue boxes. I've also gone in and specifically denied certain things. Now the way that I did this is I simply went right mouse click, I can deny a specific file. Now that's okay, Notepad, but what if, you know, let's use Candy Crush as the example. I can say that I wanna block Candy Crush.exe. Well, the problem is that person just changes Candy Crush to another name and it'll run. So the next thing I can do is I go out and find the signature of that item. So I can go out and find a file and again, I'll just grab what's over here, it's just 7-Zip.

Every file has a unique hash. So I can say based on this hash, this is the only thing that's gonna execute. I can also go down and do a specific drive. I can go out to the store and say, you know, individual publishers and I can go out and find the publisher that I'm looking for and be able to block them very quickly and very easily. Now the other thing that I can do is, again, I can add trusted vendors, so maybe a specific internal application that you had and maybe wanna set that up. And then under the user privileges, and again, this is kind of an important one I always like to talk about. So again, I can authorize Jill in this case, the ability to run a specific file even though it's blocked by everyone, I can elevate Jill to execute that. But I can also elevate things like components, and I love this example. So, for example, in order to change the time on your computer, you have to be administrator. Well, what if I went in and said, I'd like to add a component and I go down here and find where it says time, where it might be.

Anyway, these are all of the options we have available to us. So I can go in and say, I'd like to be able to set that time. Maybe I wanna allow them to run the task scheduler. Maybe I want her to be able to run power options. Maybe I want her to be able to run internet options. As you can see, I can create a list of those things that they can do, and again, the self-elevation. And then in my particular case under the J Rush, I've denied everything, I've restricted and basically, I've denied Notepad, but again, I'm also denying all those other things.

So again, the idea here is that we have identified, from application control capabilities, the ability to block applications and then under the privilege management capability, the ability to allow you to identify, in other words, bring everybody back down to an everyone level and then only elevate for the things that they need to execute. It could be as simple as or as specific as maybe in your role, you are required to manage the IIS servers in your environment, your browsers, I mean, your web servers. I can give you rights to the web servers and to the SQL database, web server database, but not be able to see any other database in that environment. I have that kind of level of granularity. So again, based on my role, based on my job, again, if I create this, if I wanna create a new user here, I would simply go in based on a user rule and say it's a count, it's by whatever it might be, it can be that kinda stuff.

And so it really allows you to be very specific in creating up these rules that you want to put in place. And then, like I said, just simply save this information, that information gets passed off to the different systems in my environment. I can see what's going on, I can see the agents that are installed out there, I can see any errors that are going on, I can manage this entire environment and it allows us to have complete control over that environment. So I'm gonna kinda end up there and say, again, it's patch the operating systems, patch the third-party applications. That's paramount. Everybody should be doing that and doing it in a timely manner. Then add the application control capability so I can stop the unknown applications from running that aren't supposed to run and then remove the administrative privileges from everybody so that I can get control of our environment so that if a system is compromised, it has limited rights to do other bad things. And that's really what it's all about. Let's isolate those machines by themselves, reduce the administrative privileges so you can't do those administrative things that the bad software is doing. Chris, I'll hand it back to you.

Chris: Thanks, John. Great demonstrations. So that does wrap up our presentation for today. We would like to answer any questions you guys might have at this time. If you do have any questions, please go over to the Q&A section and post those in there and we'll be more than happy to answer any questions you have.

So as we're waiting here to make sure that there's no questions, one of the things that...there are a lot of challenges with defending against modern cyber threats in general. You know, one of the biggest challenges is there's no 100% defense and that that's a constant struggle and a little bit of a misconception for some as well. So we hope that, you know, we've shown you guys some of the ways that you can maximize your effectiveness. You know, the controls that we spoke about today that Ivanti specifically addresses are helping to mitigate, again, that 85% of, you know, the risk of cyber threats out there today. There's always gonna be, you know, more that are out there. There is a need for additional capabilities, you know, if you wanna get into the larger conversation of, you know, building a comprehensive security strategy, one place that we recommend going to for guidance is a framework like the Center for Internet Security's critical security controls. Yeah, thank you, John, for pulling that up.

So this framework really does a great job of pulling together more than just the security controls themselves. It talks about asset management, it talks about service management being part of the process. It talks about the communication, setting up a red team and other things. So this is a good framework and when you look at that, the top five in that framework are really kinda where we zoomed in on today. We do look like we have one question here. Looking for a system for 16-star point to point healthcare systems, small-sized nonprofit. Not sure I fully understand the question there. So, John, you might have to elaborate on that. Again, it might just be my unfamiliarity with purchasing process or something there, but oh, HIPAA compliance, got it.

So this is covering portions of HIPAA's requirements as well. So, having a good patch management process, that's part of HIPAA. There's parts of HIPAA that talk about, you know, the security controls that we're talking about here. You know, getting the broader mapping to HIPAA, we're gonna be able to do part of that but not every part of HIPAA from a security perspective.

John: Let me add to that too, Chris, is one of the biggest problems that organizations are having today, especially those that are like HIPAA is, let's say that someone changes roles inside of an organization. Let's say that the role that they were currently in had access to privileged patient information and then that person gets, let's say, promoted to a management position where they no longer have that. One of the security controls or the controls they talk about is how do you remove somebody from those privileges that they had. And that's one of the things we can do because based on a user's role, so if I go into my active directory and I'm a nurse practitioner or a nurse and I have access to patient data, when my role changes, the next time I log onto that machine, the application control and privilege management is gonna kick in and say, "Oh, well, you're not part of the nurse practitioner or the nurses group. You're now a manager," so now I don't have access to that data. That's without actually physically moving them from groups other than you moved them from one active directory group to another. So that's one of the ways we can do it.

Ivanti also has additional solutions, things like identity manager and other pieces that could actually automate that process. We acquired a company called RES that had this automation tool where we can actually help you move people from all of those different roles. So if somebody moves from one thing to another, that triggers an event that says remove, remove, remove, remove, add, add, add, add, and gets them into that other position.

Chris: Yeah. And thank you, John. To also, John's question here, one of the things we can do is we can have that broader HIPAA conversation, more one on one where we can talk about outside of the security control themselves, there are a lot of people and process things as well. Identity director is a product level, a way of applying some of the HIPAA requirements there. There's also a lot of the service management pieces that are outside of the context of this particular conversation but are very important to becoming HIPAA compliant. So for that one, I would recommend, you know, getting into a deeper conversation with your rep and bringing the right SE involved to have the broader conversation. Ivanti does a lot more than just security. Many of you know that because I think it looks like a lot of you are Ivanti customers or are familiar with us.

The next question was from Chris. The interface that we were demonstrating here, how is that different than the app control within Endpoint Manager? So, yes, Chris, that was a different interface than Endpoint Manager. The demonstration we were showing you today is a...legacy brand wise, was the AppSense app control product. So that is different than the app control capability that is directly integrated into EPM today. EPM does have some whitelisting and the app control capabilities. It doesn't have the privilege management capabilities that we're talking about and the trust models are a little bit different, so it is a different feature set. On that regard, Chris, if you reach out to your rep, we could set up a roadmap conversation and talk a little bit more about for an Endpoint Manager user, how are things coming together and how can that become accessible to you guys? So that's a conversation that we can absolutely have.

Question from Joel. Does the system offer any detection patching for VMware and network devices or Linux machines? So to answer that, John is switching now over to the solution again, and he is gonna show a little bit of the virtual side. But while he's getting set up for that, this product is going to have a release here in Q4, which is going to add Red Hat support and through 2019, we're gonna be releasing one or more flavors every quarter that will add multi-platform support and they're prioritizing the most common first. So Red Hat in Q4, CentOS app in Q1, Mac and Ubuntu in Q2, and then some additional flavors past that. So this product that he showed is...what is currently called Patch for Windows, this will be rebranded as Ivanti Security Controls in that Q4 release, but we are expanding out past that.

We don't do network devices like switches, hubs, that sort of thing, network hardware like that, so that's one area that we don't do today. Now, John, I'll let John explain here what he's up to.

John: So what I'm doing right now is...yes, we do have a very tight integration with VMware. In fact, at one point, we were actually a VMware company and so what we have is inside of...we can actually see the hypervisor, we can see the machines that are on there. And also, when I create my machine group, I have the ability to include that under this hosted virtual tab and be able to add these offline machines, templates and online machines. So we can actually patch online virtual machines from VMware. We can patch offline VMs that are sitting in the data store as well as templates. And in each of those cases, we handle them slightly differently. In the case of a template, for example, when we do a scan, we actually talk to vCenter, they give us access to the data store, we go right down to the flat file, and we can read that template file in place. When we patch it, and again, a little bit different, we talk to vCenter and say, "Hey, vCenter, please convert that template back to a VM, turn the networking off, bring it up in a protected mode, patch it as if it's a running machine," because it is, "Shut it back down, turn the networking back on and convert it back to a template for you."

In the case of online virtual machines, this is how we identify machines that are gonna be able to be...have a snapshot taken of them. So yes, we have a very, very tight integration and we do even have the ability to patch the ESX host, though most people still use the VMware Update Manager or VUM as part of vCenter. We do have that capability built into our products, so if we need to, I can actually go out, do a scan of my virtual machine, find the missing bulletins on that machine and be able to tell you what's available. And then during the patching cycle, what's kind of interesting is if you have vMotion in place, we will even be able to vMotion those machines, those virtual machines onto their designated vMotion locations to be able to patch that offline machine or we will just simply, for a moment, we will suspend those machines while we patch in the maintenance mode. So yeah, we have a very tight integration with VMware.

Chris: Thanks, John. So a quick follow-up for John, one of our first set of questions about the HIPAA topic, I took a couple notes here and I've asked Erica, who's our hostess for maintaining the call here, to capture your information for kind of a broader HIPAA conversation because it sounds like that would be a good next step for you. Gerald had a question around, can this also integrate with XenServer Citrix Hypervisor as well like we do with VMware? Today, we patch the Citrix XenApp presentation server, XenDesktop. We can patch the application layers of all those, we can patch the live VMs of all of those, the offline VM and templates type integration that we showed here for VMware, those ones...that's a legacy from our time under actually being owned by VMware, the Shavlik team.

So we don't have a direct integration with Citrix today, but it is something where Citrix does have an extensive API layer available. And with this product, we do have an API available as well. This can be automated. If you've got Chef, Puppet, you know, some type of platform like that, we can absolutely script out a similar integration for Citrix. So if that's of interest, it is something that could definitely be done through, you know, we do have our own automation product as well. So if you don't have a tool like that in-house, it's something that we can provide through the end-to-end services to help you set up that type of a runbook in the automation layer. So while it's not a first-class feature like we showed you with the VMware integration, it is doable.

All right. Well, thank you, everybody, for sticking with us for a few extra minutes for some Q&A. We are at the top of the hour. I appreciate everybody joining us. John, thank you as always for your technical demonstration and well, hope to see you guys again here soon. Thank you.