Better Security in Minutes with Lightning-Fast Patch Management
February 28, 2019
Chris Goettl | Director, Product Management, Security | Ivanti
How long does it take you to go from receiving the CVE to patching? Don’t spend hours or even days researching manually. Be ready to patch in MINUTES. Join our webinar for a LIVE demo as we demonstrate in real-time how Ivanti security solutions sort through a CVE in seconds, giving you enhanced visibility, and allowing you to act fast to ensure your environment is protected.
Hello everyone, and welcome to this webinar. Today we wanted to talk to you about some very interesting things that we're doing in the space of patch management.
You know, this is one of those things that no matter what you do, the industry is still challenged with getting vulnerabilities plugged as quickly as possible. And today, we're gonna talk about one specific use case about that. But we'll talk about some other things as well as we go throughout.
My name is Chris Goettl. I'm the Director of Product Management for Ivanti Security Solutions, you know. And what you guys are gonna see here is something that we are releasing across several different products. And I'll talk a little bit about those offerings.
Some of them, you know, depending on how much you guys have been immersed in our patch with solutions today, we've got different solutions for different people's needs.
What we're showing today is one of those products, but the same experience will be available in all of those. And I'll talk about that towards the end and where each of those products kinda fit into the grander scheme of things based on your needs.
And if you have any questions or anything throughout, please feel free to post those in the Q&A section, and I will be happy to respond to any questions you have given the time that we've got here today. All right, getting started here.
So, we actually did a survey of 100 CIOs and CSOs. And in that survey, we got some interesting feedback. A lot of what we were talking about here is challenges with IT organizations and security being able to bridge the gap between, you know, the operations and security teams, to be able to move faster and to plug vulnerabilities more quickly.
This was an interesting quote that came out of that survey. And it really kind of hits home on some of the challenges that occur. So you've got ITs who want things to work smoothly while security needs to secure the environment. So that's two very different mandates.
And when we get down to the endpoint, those two teams have to work together to maintain both. Well, that presents a challenge, especially when, you know, a lot of times, bridging that gap can feel kind of like this.
If any of you are in organizations where you've got a security team or maybe you are on the security team, you know, if you're doing regular vulnerability assessments, it doesn't matter with what vendor, Koalas, [SP] Rapid7, Tenable, whoever the vulnerability management vendor is, you need to take that vulnerability data, prioritize it, and hand it off to the operations team and say, "Okay. Here's what we need to get done."
Well, a lot of organizations, you know, run into a lot of frustration in this handoff. You know, whether it's 1 vulnerability, 100, 100,000, no matter how many of those are, a lot of times now the operations team has to go and translate those vulnerability IDs, those CVEs, into what actually needs to be done in the environment, whether it's a software update or a configuration change or whatever.
Now, the majority of those vulnerabilities need, the majority of attack surface, is in software. So, a lot of what we deal with is prioritizing and identifying what software titles we have to update to plug that vulnerability.
Now, you know, again, one vulnerability might not be too much of a challenge. But when you've got tens of thousands or even hundreds of thousands of detects in CVEs, that suddenly becomes a very daunting process.
And a lot of our customers when we talked to them, they were telling us that this can burn anywhere between five to eight or more hours every time they do this process.
And the majority of that is, "I need to go through and take the report. I need to de-duplicate and figure out what's the total number of unique CVEs that I'm actually working with instead of one CVE times 5,000 systems in my environment."
So, you wanna get from those hundreds of thousands of CVEs down to the unique number of CVEs as quickly as possible. And then from there, you still have to go and figure out, depending on how good of information you've been given, what exactly you need to do to resolve each of those vulnerabilities.
So, you could probably relate to this and figure out, you know, where are you in that time frame. Is it half a day? Is it a full day of time every time your team does a venerability scan? Is it more?
You know, from there then you then have to go over to your patch management solution or you have to manually package depending on what you're doing today to figure out what you're going to deliver to the environment.
So, we've taken this and we've streamlined this to make it a lot easier, and that's what we wanna show you guys today, is this CVE import. We wanna be able to import, it doesn't matter what vendor. What I'm gonna show you guys today is vendor agnostic.
It doesn't matter what format that report's in, if it's a CSV file, if it's an XML file ,if it's a text file. The thing that matters out of that is that we get CVE IDs that we can scrape and pull in. And then we can map those to software updates within our catalog.
So, let me show you guys how this works here. So, this is Ivanti Security Controls. This is one of the three solutions that I'll talk to you about here today. But this is the one we're gonna demonstrate.
So, Ivanti Security Controls, the release that's out right now is bringing together our patch management technology along with our application control technology in the same solution.
You can see here on my dashboard, I've got a few different actions I can do. I can go in and, you know, modify AC configurations or I can view machines that I'm managing throughout my environment from a patch perspective, AC events that are coming in. I can even perform agentless operations against Windows systems.
Some pretty cool things that I can all do all straight from here. But we've got a new one here called import CVEs into a patch group. Basically, this is gonna go straight from the vulnerability assessment, that report that I was given from the security team, straight into what's approved for the next round of patching in my environment all in a very quick step.
So, I'm gonna go and I'm gonna browse to... I've got this Rapid7 vulnerability report. In here I've got a few...actually, you could see a few different reports. This Rapid7 one, I also have the same thing in an XML format.
Now, check out the size of this thing. The XML format is 360 MEG. That's a pretty big report. But it's actually probably not that much bigger than reports that you guys are seeing in your own environment. The CSV file of that same report, these are both the same scan just two different outputs, 65 MEG, and we're gonna open that one up.
So, actually, I'm gonna do this as well. Let's go ahead and edit this file. You can see...actually, that's not a good way to edit that. Let's see if we can... No, it's just gonna do it in... I'll open that in Excel in a second while we import this. But basically, you've got this Rapid7 report. It's got over 450,000 line items in it.
Now, again going back to that five to eight hours of time to sift through this and figure out what you need to do, a lot of it is just sifting down to what unique items you really have to be worried about. All right. So we're going to grab this file and while that's...we're going to start extracting those CVEs.
I'm gonna go over to my other side here and I'm going to grab a file. And it will actually beat me to the punch line here because me navigating through my system to find that folder I've got the file in is very different than what it did.
So, it already came back with a result. It knows exactly what files or what updates we can already provide here. I do wanna show you guys, just to give you an idea of what that file looks like, I wanna open that CSV file and let you guys take a look at that.
The question is, where did it go? Here it is. All right. So the file we just imported it takes a second to open again to 65 MEG CSV file. This is that file. So you can see here, let's go cruising on down towards the bottom and the 300,000 range, 400,000. Oh, I'm sorry, just shy of 450,000, 447,709 items.
Now the majority of these are repeats of the same vulnerabilities. But really, the only thing we care about in this entire file, I could have just grabbed this one column, thrown it in a text file, and I could have gotten the same result.
So, we've got this data imported, ready to go. And now, we're gonna create what we refer to as this product as a patch group. This is what's approved for my environment. So, we're gonna go ahead and create that patch group. There you go. It's already done.
And now I can go over here and view that patch group that I just created. And down below you see I've got all of the different updates that were approved for this. Now, this was deliberately to make the file much larger. I had, you know, our team scan our test environment.
So, this is missing things that are quite old. But with some of your environments, thousands of systems can easily generate this size of file. So, you've got all these different updates. You've got the full details about them. Did it not select just one? There you go. That shouldn't be taking that long.
So, my system's running low on resources because this VM is quite large, but you'll get full details about that. You can see all the different patches that you've got in there. You can see things like the CVSS score for that...the highest vulnerability that's resolved in that and you can see all of the CVEs resolved by that update.
And this is all ready to go. So, I could actually take this group that I've created, this Rapid7 import, I can go straight over to and I can assess any of my systems based on that patch group.
So, if I wanted to, I could now create this...you would have already created this and had one of these ready to go but I'll create a new one real quick, a what we call a patch skin template. And I'm gonna select that Rapid7 patch group that I just created.
Now, once this template is created every month, I can just import that new list of CVEs, add it to the existing patch group. The next job that I run for that particular group, it's just gonna use that updated list.
So, I don't have to mess with templates from here on out, just do the import month over month. So, I'm gonna scan my local machine here using that patch group that we've now created. So, it's gonna go through and assess only based on the things that I just approved.
So, it's prioritized already by the security team. I can take that straight into my test group for my next monthly patch cycle. So, we'll let this...this is actually an agentless scan that's going on right now.
While that's running, I'm gonna go ahead and answer the first question I got here. So, we did have a question from James. He missed the first part of the webinar here. Is this for EPM or a new solution?
It's actually not for EPM, but it's also not for a new solution. It's for what was previously referred to as Patch for Windows. In our latest release, this is now referred to as Ivanti Security Controls.
So, the experience you're seeing here is specific to that security controls product, James. But, in the EPM 2019.1 release that's coming out here in about a month and a half, two months here, that release is going to include a very similar experience where you can import vulnerabilities and get them straight into, you know, approval in EPM so you could start to roll them out through your rollout projects or whatever process you used to do rollouts within your EPM solution.
So, this is the...we've got a similar experience for those of you who are on an SCCM platform. We actually have a plugin for Microsoft System Center that gets you all of our third-party catalogs.
So, if we look at the... I'll go back into my patch view here. You can see all these different vendors over here. And underneath many of these vendors, there's a lot of products. Like, Adobe's a good one here. There's over a dozen products under Adobe alone.
Our third party catalog for SCCM includes all those third-party applications as well, and we have a similar CVE import feature for our patch for SCCM plug-in. So, let's talk a little bit about those solutions real quick.
You know, if you are an SCCM environment and you want to extend what SCCM can do to include those third-party updates, our plugin has the ability to provide that catalog and has this CVE import feature.
So, I could import that vulnerability report, get the list of third-party packages, and just say, "Yeah, those are the ones I want. Publish." And it starts me down that path of publishing into SCCM.
From that point forward all my software update groups, the way I manage Microsoft patches, those third-party applications will follow that same experience from that point on.
It's a very simple experience and extends your SCCM coverage in a very short period of time. You can literally be up and running and publishing apps into SCCM in 15 minutes.
For those of you who are looking for maybe you're, you know, looking for a broader endpoint management solution that can also manage your security needs. That's where James' this question came in. He was asking about our endpoint manager solution.
So, this is a product that's been around for a long time. It's got a lot of great capabilities in it. The ability to inventory and manage your environment from a systems management perspective, provision, deploy software, but it also has the ability to patch your systems.
And that in its next release will have the same type of CVE import. And then the third option, the one that I'm showing you here today, this is, you know, it's a solution that's been around for many years as well. But in its new incarnation here it's changing names.
It used to be called Patch for Windows. It is now called Ivanti Security Controls. And the reason for that name change is we're expanding beyond just Windows coverage. So, it's providing Linux coverage as well now, and it'll be adding Mac and other platform coverage over time.
It also has the ability to bring in our other security technologies, the first of which, if you remember from that opening dashboard, was our application control and privilege management engine as well.
So, those are the three haves that our customers follow depending on their needs. And we even have many customers who mix and match some of those solutions. We have customers that are either on SCCM or our EPM solution and patching the endpoints with those but they actually use this product within the data center.
And one of the reasons for that is this agentless operation. What you saw before, that scan did not require an agent. And the reason for that is we have agentless technology that allows us to remotely scan Window systems.
My scan result from that agentless scan, I can see all the updates that we're missing for that particular system. This one I ran earlier today. I did an agentless assessment of three sub-nets within our test environment.
And I got back, you know, a whole bunch of tests systems. You can see here the patch breakdown on some of those. It looks pretty terrible but it's again, it's a test environment so take that, you know.
We deliberately leave it exposed so that we have all sorts of things to test. But that was all done agentlessly and I would actually be able to select or deploy all missing patches based on that selection.
And all of that assessment was done using that CVE import that we just did. I could create a template that only includes the things that I've approved for my environment to test out or to deploy in production.
But that gives you a general idea of, you know, what we're doing there. But this CVE import concept we'll be expanding across all of those.
So, we got another question here from Matt. When importing the CVE ID list, does the product identify the CVE IDs that are not resolvable via patch? Is there any indicator of when a CVE ID is important that is not...that has no corresponding patch?
Actually, very good question. And, let me go back to that import and show you exactly what you're looking for there. So, I'm gonna import these again. And you'll notice that there were two columns in there before. Extract those CVEs.
So, right now, it's going through and finding direct matches. Now, that environment that I did the scan for, it had, you know, Windows, all manner of Linux flavors, Mac systems, and other things. Well, right now this product, you know, manages Windows and Red Hat. But as we add more flavors more of these patches are gonna move across.
Well, this list on the other side there, Matt, this is all the CVEs that were either invalid. Maybe somebody manually typed them in and they were wrong, or, you know, they're unmapped to anything in our current catalog.
So, I could actually extract those at this time and be able to take them and go, you know, "Now, this is my list of things to research."
Now, again, this is a whole lot of CVEs over a long period of time. In your environment, what this will most likely come out with is a number of configuration level vulnerabilities that were discovered.
So, if you had systems that were...had local or, like, self-signed certificates, or we're still running some older TLS or SSL protocols or cipher suites that were flagged as vulnerable, those CVEs would show up here. And as you go, you know, research those you'll find, you know, the subset of things that you need to do there.
Now, again, going back to where are most of the vulnerabilities, you're looking at about, you know, 80% of vulnerabilities that are discovered are typically in software, you know. So, the majority of those CVEs are gonna be things that, yes, you'll get a match for.
Configuration changes aren't often identified as a vulnerability. When they are, you go out, you roll out the change to your environment, and then that one's pretty much behind you. But there's not typically a steady stream of configuration level changes that you constantly respond to.
So, the majority of the vulnerabilities that you're going to get from the security team are gonna be software-related. All right. Let me see what other questions we've got here. Scott had a question.
New to Ivanti. Is Ivanti Security Controls an add-in for patch management or a separate system? So, it is a separate product. So, going back to those three product offerings that I was talking about, let me see if I can pull this up real quick.
So, this is... I went to the documentation page for, you know, our product set altogether. Just to give you guys an idea, here's the three products I was talking about. So, endpoint manager. This is our endpoint manager platform. It's our, you know, systems management.
Again, it can, you know, asset, you know, configurations, provisioning, software distribution, license, you know, a whole bunch of different technologies altogether. This is the systems management half of that platform.
And then we've got this endpoint security for endpoint manager. And there's also a patch-only module for it, which they have that separated out. No, they don't. So, it's all under this endpoint security for endpoint manager. This has our patching capabilities, application control, device control, other things all wrapped into the endpoint security module for that product.
Then there is the patch for SCCM. This is our plugin for Microsoft System Center, for those of you in SCCM environment, to extend SCCM to include all those third-party applications that I showed you earlier.
And then there's Patch for Windows is the product that we were looking at just now, which is now evolving, literally early access is wrapping up. And we're launching the product probably Monday next week with 2019.1 version of the security controls product, which is now launching our Red Hat support for patching and our application control module.
So, that's the difference between those, Scott. Hopefully, that helps answer your question there. So, a question from Aaron was, "Will this be released in an update to EMSS?"
So, for those of you who... You know, we have done a lot of acquisitions over the years. This is one of our technologies we acquired almost two years ago now. So, that is merging with the security controls platform.
So, Aaron, you know, one thing we may wanna do there is, we can actually...we can go into a roadmap conversation and talk to you more about that, and talk about, you know, there's gonna be about 300 EMSS customers who are going to be receiving an invitation to, you know, start their migration if they choose to, you know, over to security controls.
So, that's something where EMSS customers are gonna be given equal entitlements, zero dollars to move, and you'll be able to move when you choose to do so. But we are trying to consolidate our technologies down to a couple of go-forward technologies. It's just difficult to manage too many solutions at once.
So, Aaron, I would actually suggest, reach out to your rep or me directly, Chris Goettl. So, I'll actually say it, [email protected] And I'm more than happy to get you lined up with a discussion around roadmap and everything for the product line that you're on, as well.
One thing that I wanted to talk about further. So, you know, I had a conversation with a Forrester analyst about this last year. Actually, you know, to be very honest, this is something that we've been doing for over a year, this CVE import. We've been able to do this for a long time.
And the challenge was, we did this at an API level. So, we kind of jumped the gun and went straight to, you know, the future model of how, you know, the world is gonna be working. And that is a heavy drive towards automation and DevOps.
So, I had a conversation with a Forrester analyst, and Josh gave me some really great feedback on this type of experience. And that was that, you know, it needs to build straight to your DevOps workflow. It needs to be able to plug into the ISM platform. It needs to be able to do all these things. And I'm like, "Oh, absolutely."
The challenge that we found is we created... Let me go to it here. We created this API framework that literally, you know, gives you the ability to... And many of our products have different levels of API functionality today. But we have the ability to let you interact with our patch solution at an API level.
And the purpose of this was to allow companies to use automation frameworks to be able to script and create run books to handle more complex workflows. So, in server environments, probably more so... They're closer to the curve than the workstation environments. But the workstation side needs to get there as well.
Well, this would give you the ability to do that CVE import already over a year ago. The problem is, you know, at the level of sophistication within each organization. To be able to do this, you've got to know the API of your vulnerability vendor. And then you got to know the API of, you know, our API stack to be able to do that integration.
If you wanted to plug ISM into that, as well, you need that API, as well, knowledge of that, and then you need an automation platform that you're familiar with, to be able to build the connections between each of those pieces.
So, we took a step back after we, you know, saw customers floundering to be able to take that API level integration and go straight to the Lamborghini and really create this elaborate, intricate, integration between multiple solutions. And we created the simpler import option to allow every customer to raise that bar, at least a little bit for now, until they can start to script into and build out that more complicated runbook.
So, for those of you who do have an automation platform, Chef, Puppet, you know, whatever the case may be or if you want to use, or Ivanti has an automation platform as well, we absolutely have the ability to script into and help you build that more complex workflow that can interact between each of those API's.
It's just a matter of, you know, is your organization at the level where you're ready to do that, you know, the level where you can trust that you wanna do that without human intervention?
Maybe you're not ready to take, you know, the report straight from security and, you know, push it straight into your patch group and, you know, not do any additional human interaction with that. You know, there's different reasons why companies may have been blocked by going straight to that more elaborate integration.
So, you know, that's kind of a...there's multiple levels to this. And you can choose the level of sophistication you wanna get to. But I wanted to point that out as well, that, you know, there's some additional capabilities in our API stack that can allow you to integrate further.
What I want to leave you guys with last... And feel free to keep shooting questions my way as well. I think I've answered all the ones that are in there right now. But let me shift gears here a little bit and talk about some other challenges in the patch space.
This is just one of those. You know, patching in general, yeah, multi-platform coverage, the ability to do both the, you know, like, Microsoft, end third-party apps, that those are all challenges that, you know, many of you have experienced. You're either using one of our technologies today or you are evaluating us right now for that reason.
Maybe you're trying to get that level of coverage. This is one of the other challenges, bridging that gap between security and operations, getting that day on average, if not more, every month that you're burning, trying to do the research to figure out what is it that security is asking me to do in my environment?
Well, there's some other challenges as well. And I wanna talk about a couple of those and also give you a little bit of a teaser for what's coming next from Ivanti. So, there's...think about when you go into your test cycle. How many tests systems are you able to field within your organization?
Well, the answer to that is none or never enough. It's always the law of small numbers. So, that law of small numbers puts a challenge on you and your team and your ability to roll out patches quickly.
So, I've created kind of a model around this but I don't have it readily available in a slide right now but maybe I do. Sorry, this webinar's coming out more as a dialogue or a conversation than I normally would do, but it's definitely something that I'm very passionate about.
So, take a look at this. You've got a lot of different challenges within your organization. And the biggest element here...you have...there's the, you know, app control, privilege management. Those compliment patching very well because before a patch is available versus after, this is the order of priority, where these controls are going to give you more security.
The most important part of this slide for what I wanna talk about though is down here. You've got vulnerabilities coming in. You've got to be able to triage, identify and prioritize those as quickly as possible.
And then you've got Day Zero, the day that are... so, day zero hits. Your vulnerability vendor is turning out new content. Your security team goes and does that assessment. The clock is already ticking.
How many days does it take before security gives you the report? How many days do you burn figuring out from that report, what do I need to actually plug in my environment? And then, how many days does it take you to test, to roll out to, you know, QA or, other, you know, early adopter groups, and then to finally, get out to all your production systems?
You know, so, if you look at... This is kind of a rising risk model. From Day Zero, obviously, we've got a lot of risk back here. But patching can't cover you there. That's where we need these other security controls. Day Zero hits. Now, we've got this rising risk.
There's a vulnerability. It's now, you know, either already being exploited, been disclosed, or threat actors at least know about it because, you know, the vendor put out a new update and they can go back and do a dip between that and the last, you know, build of code there.
And they can start to piece together what exactly that vendor fixed. And from there, they can start to put together an attack. How can I exploit what they've fixed? And what they're counting on is they're counting on finding something lucrative here that they can beat you in the race against time.
So, after you get to about the two-week mark here, that two to four week-stand, 50% of the exploits that are going to occur have already occurred. So, that means that, you know, if 1,000 CVEs got resolved in, you know, this span of time, and 20 of those are going to be exploited by a threat actor, we'll just read into the future and say 20 out of 1,000 are gonna be exploited.
Well, by the time two to four weeks comes around from releasing them from the vendor, half of those were already exploited. So, this is that critical window. You've got to start rolling out patches and beat them to the point where they've got those exploits in hand and they're able to target your environment.
If you get out to 40 to 60 days, 90% of those that we talked about... So, in the case of my example of 20, 18 out of 20 that going to be exploited at some point have already been exploited and they're using them against you. So, how do we bring this back in?
Well, there's certain challenges. That CVEs import helps with one of them. I can cut a day of research time, time lost between identification of a vulnerability and prioritization, to identifying it as the actual remediation step we wanna take, which is deploying software.
The next stage is testing. I've only got so many tests systems. So, most of you, let me see if this story hits too close to home. But you've got your test systems. You've got the articles that come out. You're watching Reddit posts. Maybe you're watching some hashtags. Maybe you're a member of patch management.org.
Whatever sources you go to and monitor, that's how you're trying to assess, you know, what's blowing up in the world. You know, how reliable is this update? So, the next challenge that we wanna tackle is we want to crowdsource as much of this data as possible and give you a bigger sample set.
So, if you've got 5 test systems and the next company has 10, and 15, 5 again, 20, 50, whatever the numbers are, if we can bring together our 10,000 plus customer base worldwide using Ivanti patching technologies, if we can bring that into one place and we can show you how much of that pure data, you know, is coming together, what if you can suddenly see within 48 hours of Microsoft releasing updates, you can see 5,000 Windows 10 branch 1809 systems that deployed the February update and that they had a less than 1% failure rate?
Okay. Now, I've got a sample size that means something, 5,000 systems with less than a 1% failure rate. Okay. This patch passes the initial sniff test. It's not gonna blow up in my face. No blue screens, no, you know, errors being thrown and patches failing. What's the next step?
All right. So, this is where you get down to that rollback. Downstream, what happens? Does it break something else in the environment? What are the known issues and other things that can tell me what might break in my environment so that I can understand that reliability to a deeper degree?
We want to be able to crowdsource again, be able to scrape from, you know, the vendor websites and say, "Okay, this Adobe Reader patch..." By the way, this happened last month. "This Adobe Reader patch could fail with this error. If it does, here's the link on exactly how to fix it."
If Microsoft has a known issue. "Oh, by the way, when you push this update, it could break your virtual network adapter." By the way, that happened several months in 2018.
For those of you who remember that patch and until they actually fixed it, the Windows Updates, OS updates, we're messing with certain virtual adapters for several months.
So, we can start to bring that type of data into one place so you don't have to hunt for it. More importantly, we can also show...and this is gonna be where, you know, as we evolve, this will get deeper and deeper into this and show you better and better reliability.
But maybe, to begin with, we'll show you known issues, and then, you know, customer or community-supplied issues that people ran into. Maybe we...you know, what we're gonna be able to do initially is make it so that you can each, if you run into an issue, submit feedback to say, "I had to roll back 50 systems because it broke my proprietary application. The printing driver in there was broken after this update was applied."
Okay. Well, that tells other people who might be from the same vertical that that can be a challenge for them. What if the next group says, "Yeah, I had to roll it back across 500 systems because it broke my Cisco VPN app. I had 500 remote users that could no longer get access because that patch conflicted with that software."
"Oh, wait, I run that software. I need to hold off on this patch until that fix comes out." This starts to give you the feedback that right now you're manually going to and getting from all sorts of different sources.
So, starting to bring these data points together, I'm gonna show you guys something. Now, this is,...there's a level of this that's in production in our cloud environment today, Ivanti Cloud.
This is something that we're launching here in the next quarter. But our live environment has a first rendition of this. I'm gonna show you guys the mockup of, you know, what's coming together, what, you know, we're building out towards a more in-depth experience here.
So, this is patch intelligence. What we're trying to do here is take you closer to that Nirvana of being able to understand the reliability of updates, the threat level of updates, get access to all the information that you need to see what CVEs are there.
If there's known issues supplied for them, being able to see the comments or feedback from other people in the broader community so that you can understand, make decisions more intelligently and more quickly.
Now, you'll notice that some of these things don't line up. This is all mocked data right now. This is just to share the experience of what we're trying to go toward. But our goal with this is to get into the point where you can see... No. All right. Why are you not clicking?
All right. It's gonna be difficult. I'm wondering if... so, I'm on the latest mockup but they might have broken some things here. This is the danger of doing this without telling the guy that handled this mockup that I'm doing it. All right. I wanted to go in and show a couple of more things but it's not letting me drill in like I wanted to.
So, what this would have done next is it would have gone into a patch level detail. And in that patch level detail, you would have gotten down into tabs where you could see all of the CVEs specifically.
You could even go here and you could do a search for a specific CVE. So, like, in our products doing that CVE import, this has the same intelligence to go and find any of those updates that correlate to that CVE. So, you could literally give your security guys access to this as well and they can see that level of detail.
So, this starts to bring together that reliability score. And you can drill in and see what made up that reliability score. Oh, we saw it deploy out to 5,000 systems with a less than 1% failure rate. That gave it, you know, a good reliability rating.
We've seen less than, you know, three customers roll back and report that they had issues with it. Those two things together, as we get deeper and deeper and get more refined in this gathering, we can give you more refined reliability scores, threat scores. We can see the CVE. We can see the CVSS test scores.
We can connect the data that tells it...it tells us if they're being exploited in the wild or publicly disclosed, threat indicators that we use to give guidance to our customers. So, these are the types of things that are the next evolution of patching technology.
That ability to get closer to that Nirvana of being able to get into it. For those of you who are embracing the DevOps, you know, trend, getting into a continuous delivery model for all of your applications so that vulnerabilities as they come out can be quickly triaged.
You can understand the threat of a vulnerability. The reliability as that comes together can tell you how confident you might be in rolling it out quickly. And you can start to prioritize where and how you do your testing and what things just need to be deployed.
So, you know, something with a really high threat score and a really good reliability rating, you might just say, "Get it out there now because it's something that could be exploited in our own environment." If you come down here to, yeah, this guy here has a really low threat rating and a terrible reliability score. Yeah, hold off on that one for a little while.
But this starts to give you that intelligence to make decisions quicker. All right, so, we talked about a lot of things there. I did see another question. Oh, Mayash [SP]. How you doing? Good to see you again. Mayash is one of our regulars on our Patch Tuesday webinars as well. He joins us for quite a few of these types of events.
I'm actually not prepared to do a Red Hat demo for you today. But, if you are at RSA next week, we will have Red Hat up and running, demonstrations of that in the booth. So come see us next week at RSA if you're there.
Otherwise, reach out to me. And we can definitely get you a demo of that and also application neutral. So both of those for security controls will be demoed next week at the show.
All right. I apologize, everyone. There were a couple of growing pains here with getting the demo out. And then I did jump around a little bit. But this is a pretty exciting topic for us and one that, you know, we really wanted to share with you the things that we're bringing together here, the ways that you can do this faster and more efficiently so that patching doesn't have to be that painful thing that you all dread.
If there's no other questions, I think I've got them all answered here. I think we'll wrap there for the day then.
Thank you for joining us. Again, if you guys do have any additional questions, you will get a follow-up after this. You know, please reach out and we'll be happy to go into more in-depth conversation with you about any of these technologies.
You know, again, this CVE import that we talked about today will be available, is already available, on our patch for SCCM and our Ivanti Security Controls releases and is coming in our endpoint manager patch release in the 2019.1 release very soon. Thank you for joining us today. Bye.