Everything You Need To Know About BlueKeep

May 22, 2019

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Brian Secrist | Ivanti

Microsoft has announced the BlueKeep vulnerability, a wormable Remote Desktop vulnerability that has a high potential of being exploited in legacy operating systems. 

Be warned, this vulnerability can be exploited remotely with no authentication required. Protect yourself from what people are calling the next WannaCry. 

In this special edition webinar, the Patch Tuesday Team is back to give you insights into:

  • Breaking news about the exploit
  • What you need to know about BlueKeep
  • Steps to protect your systems 
  • How to avoid issues like this in the future
  • How Ivanti’s free 60 day trial of Ivanti Security Controls can help


Chris: We're gonna get started here. So my name is Chris Goettl. I'm the Director of Product Management here at Ivanti managing our security product lines. And with me today is Brian Secrist one of our Content Engineer who creates a lot of our patch content. Hey, Brian, how are you doing today?

Brian: Doing well, it's been a busy week.

Chris: Oh, yes. So thank you for everybody. I see there's a lot of people from a lot of different parts of the world. I've seen Jamaica, Morocco. Brian and I happen to be up here in rainy little bit chilly Minnesota. So yeah, we wish we were there with you rather than up here in Minnesota this week.

Brian: Thanks for reminding us that you're right next to a beach.

Chris: Yeah, All right, so we're gonna go through and talk a little bit about this new vulnerability that's been talked about here called BlueKeep. So throughout the webinar, if you guys do have any questions, please put those into Q&A section. We've got a number of people on the call with us here today that are gonna be helping to answer questions as we go. And towards the end, we will come back around and answer as many questions live as possible while we're on the call today.

Agenda for today, we're gonna talk about BlueKeep what we know so far. The details about the vulnerability and the progression that we've seen so far, in, you know, white hats and black hats out there trying to exploit this vulnerability. We're gonna go into some details about the vulnerability itself CVE-2019-0708. It's good reason why they call things like this BlueKeep or you know, some other names. But yeah, I think I already have that CVE memorized, and I'll probably be able to retain it for a few years here.

We're gonna get into talking about remediation versus mitigation of this vulnerability. And then we're going to also get into a little bit of a discussion around how quickly vulnerabilities are exploited. And talk about driving towards a 14 day kind of patch or SLA around security vulnerabilities. Last we're gonna talk about, especially for those of you who have some legacy systems, XP 2003, supportability of those platforms is a little bit difficult. So one of the things we wanna talk about is we do have a special trial offer available for those of you who need some additional assistance in managing systems you might not be able to manage today.

So you know, I know many of you... I've been seeing the trial notifications coming across, there's a lot of people grabbing the install of our security controls product. We're actually gonna do a live demonstration of that here towards the end. And we're gonna talk about an extended trial offer, that's going to give you a lot more seats to be able to tackle a larger portion of your environment than the trial alone will give you.

So without further ado, we're gonna go in and get started here. So this all started on May 14th, 2019, on Patch Tuesday. Microsoft released a notification from the MSRC by Simon Pope. This was Microsoft warning of a critical vulnerability that is wormable. So this vulnerability has the ability to spread rapidly if exploited and has drastic impact potential. Along with that warning there was an article from Brian Krebs, if you guys are familiar with the security writer and researcher. He related this vulnerability back to the 2017 WannaCry event.

And you've seen this probably talked about many times already. This vulnerability does, in fact, have the potential to reach WannaCry level impact at a global scale. And we're gonna talk about what that impact would look like a little bit here as well. And there's also the vulnerability page itself CVE-2019-0708, that goes in and talks a little bit about the vulnerability.

I think the biggest thing is, if you look at Simon's article, he talks a little bit about the vulnerability and the potential impact it could have. But the biggest thing to you know, keep in mind here is that Microsoft is concerned about this enough that they have released an update for XP and 2003 to respond to this vulnerability. So that's kind of the key thing to zero in on with this update from Simon. This is bad enough that Microsoft is releasing updates for systems that have been out of support for years. So that's the biggest call I wanted to kind of drive attention to there.

Brian: So what makes this like WannaCry is that it is wormable, what makes a wormable is that it's vulnerable to pre-authentication and requires no interaction. So you can hit that system doesn't require any problem you can get in. This vulnerability exists in the Remote Desktop Services. So ultimately external services. So the other big thing about that is Remote Desktop is exposed on so many systems. Previously for WannaCry that was in SMBV1. So you still had other ways to access file shares, etc, over SMBV2, etc.

Remote desktop is one of those key operational services. And it's such a key operational service that it's everywhere. I mean, it is exposed to the internet, it's exposed throughout your network. So with the fact that you could get in without requiring any credentials, and no one has to click on anything through phishing, etc it can just spread. And that's what happened with WannaCry. And that's why this is just as severe. What else do you wanna add, Chris?

Chris: So, again, if somebody were to exploit this, they would gain full access to that target system. They can, you know, add view, change, delete data, create new accounts with full user rights, they really do own access to that system if they're able to compromise. So, in looking at how big of an impact this could be, we pulled some statistics from the Windows version market share worldwide, these stats were up to date as of April 2019. And you could see here that we've got about 33.38% of the reported world, you know, Windows versions are running on Windows 7. And another almost 1.6% running on Windows XP.

So that's nearly 35% of the global Windows workstation market are on versions of the operating systems that are vulnerable to this exploit. This stat was taken from Rapid7, they did a scan globally of systems that were listening on port 3389 or 3388. This is the two ports that RDP services would be listening on. So of those 16 million public-facing systems that are listening on these ports, there's a good chance that there are a number of Windows Server 2008, 2008 R2, and server 2003 operating systems that are part of that 16 million.

So when you start to see the number of systems that are being talked about there being potentially vulnerable to this. This is the image that was...the heat map that was kind of created around the WannaCry event back in 2017. So think about this same overlay globally. And little over one-third of total Windows workstations in the world being potentially vulnerable to this many servers as well. 16 million systems across the globe listening on public ports over those RDP protocols.

So WannaCry in the first 24 or so hours, had reached over 100,000 systems, over the course of four days, it impacted over 300,000 systems worldwide. So again, the ability for this to grow rapidly and spread very rapidly is extremely real. And that's the reason why this discussion is so important. The total economic impact of the WannaCry event was $4 billion estimated. So that's the severity of what we're talking about here.

So we sat around earlier today, Brian and I, and we talked a little bit about what could the next WannaCry look like. If somebody were to exploit this today how would they go about it? You've got... You know, in WannaCry the original event back in 2017 the initial ransoms that were paid out in that four day time period only reached about $72,000 total. And that was across 300,000 systems. For a WannaCry or for a ransomware campaign, that's actually a pretty low revenue that was taken in for the size of the event.

Brian: Absolutely.

Chris: By August 2017, so about five months later, the attackers cashed out those Bitcoin purses for the total sum of $140,000. So probably the biggest cybersecurity event we've seen reaching over 300,000 systems worldwide, and they only had a net gain of $140,000 U.S.

Brian: Yeah, you disrupted about $4 billion worth of worth of business but you only got $140,000 [inaudible 00:09:55] that's small.

Chris: Yeah. So what if the next WannaCry were to mine Bitcoin instead?

Brian: We've seen over the last year or two that ransomware has decreased, I think it's due to the fact that people really aren't paying into it. It's causing more damage and it's not really profiting the end users. But cryptocurrency malware is growing very, very quickly.

Chris: So we actually did a little bit of number crunching here this morning to give kind of a hypothetical. If an average GPU could generate around $40 per month in Bitcoin, what would an event the scope and size of WannaCry generate in Bitcoin? And the answer to that is if 200,000 systems were impacted for the duration of four or five months, that could net... actually, did I get that number wrong? Was it supposed to be $80 million?

Brian: No, it's...

Chris: $40 million. Yep, $40 million mined.

Brian: No, that's $80 million.

Chris: It is $80 million, isn't it?

Brian: It is $80 million.

Chris: That's right. So we had to do a little bit of reverse engineering of the algorithm that was used on the site we were on, because they took into account energy costs and hardware costs...

Brian: Yeah, you're not [crosstalk 00:11:07].

Chris: ...and they factored it out to $20 a month. Well, the attacker, in this case, isn't gonna pay any of that. So they'll actually be getting $80 million.

Brian: You're [crosstalk 00:11:15] hardware and the power.

Chris: Absolutely. So that was one example that we kind of sat through and talked out as to if somebody were to exploit this right now, what is the shape that this attack would take on? So crypto mining is very easy to go unnoticed, it's hard to detect. They've got no cost in it. And they've also got... it's very hard to track that back to a source. So this would be a very interesting application of a vulnerability like this.

Brian: This would be a good example where there already might be an exploit out there, but honestly, because the IOC, you just can't see the signs of compromise that could already be happening right now.

Chris: Right. You know, actually, there's kind of another angle that, as I was reading, the accreditation for... this the Microsoft bulletin page or the vulnerability page. If you look at the acknowledgment for this vulnerability, it was the UK's National Cyber Security Center. So you had a nation-state that uncovered this vulnerability. If you remember back to the internal SMB vulnerability family, those were all created by the NSA. So the fact that a nation-state entity is the one who discovered this, it's pretty likely that a weaponized version of this may be a lot more real than some people might think. But you know, nobody has detected one of these in the wild yet.

Hypothetically, what if, you know, exploit of this were to be able to release to the world? And what if they were using something like Imohtep [SP]. So a more sophisticated malware platform, we don't have a slide kind of building this out. But think about the fact that you could have a piece of malware that when it gets onto a system, it can make decisions, intelligent decisions about what it should do next. It can automate those steps, and it can adapt to its environment.

What if it finds its way onto somebody's phone computer? Well, in that case, it's probably gonna just sit back and grab any email exchanges that are going on, scrape some email addresses and try to spam itself out to spread itself further. If it got into a hospital, maybe it could switch into ransomware mode. If it got into a financial institution, maybe it can go into command and control mode, and it can start scraping credentials, and just stay dormant for the most part for a long period of time.

So the possibilities for a wormable exploit like this would be very interesting if you think about different ways that they could be capitalized on. I don't know if we're gonna see the same type of event that we did with WannaCry. But rest assured that something will be exploited in the wild, and somebody's going to take advantage of this. It's just too big of an opportunity to pass up.

Brian: Absolutely.

Chris: All right. So let's talk a little bit about the kind of the progressing news that we've been seeing. On May 15th, the day after Patch Tuesday, social media and GitHub activities started beginning in earnest. You can actually click here, you know, on this BlueKeep tracker, somebody wrote this tracker that basically is watching different sources and keeping tabs on when updates or new POC contributions are made to places like GitHub. And there's been a lot of activity if you look at that keep tracker, you can see a lot of updates that have happened, a lot of updates to read these different scanning tools and other things that have been created.

So there's a lot of activity out there around this. And that's the ones that are making it public. By May 17th, there was a POC available on GitHub, and there were multiple fake POCs being shopped around. So if you go to the "AskWoody Article," you know, they're talking about the fact that... Oh, one link ahead. There we go.

So there's a freely available proof of concept that was made available out there, at this time, it was not capable of inflicting damage" They verified it could remotely you know, exploit the vulnerability. But at that time, they were not able to do anything more with it. Since then, they've actually gotten to the next step here as well. By Monday, this week, multiple independent researchers have achieved blue screen of death circumstances by exploiting this vulnerability.

So this @GossiTheDog, if you follow him on Twitter, he's been keeping really close tabs on this as well. He connected this researcher from Kaspersky, they were able to get a blue screen with BlueKeep and be able to show that live. So this next slide here shows the kind of before and after the Windows 7 desktop and with the Windows 7 system when it gets blue screened. So it's very real, there's multiple people who have at least progressed to this state. There have been multiple other posts if you follow Gossi's Twitter thread on this.

There's been multiple other people that have come forth saying that they have exploited further. The good news is, is they've not shared those POCs. That's another area that we were talking about this morning around the ethical perspective of this, Brian.

Brian: Yes, with all of the POCs the proof of concept, the code that's been shared has, in every case for security researchers, at least, has been incomplete. For this reason, because... I mean, this is not your run of the mill vulnerability here.

Chris: If somebody is to distribute a fully working weaponized version of a POC, publicly where anybody can get at it, it will be a very bad moment for us all. So, fortunately, the researchers who are involved with this have not done a more public blast of anything past the point where they're showing just very rudimentary proofs of what can be done.

All right. So we're gonna switch gears a little bit here. We wanna talk a little bit about how do we prevent another WannaCry incident. So we're gonna get into talking about remediation versus mitigation. Remediation, we're talking about plugging the vulnerability 100% plugging it, making sure that it is completely gone. And I'm not talking about technologies that do virtual patching or other technologies like that, approaches like that. I'm talking about actually applying the patch, that's the only way to 100% plug this vulnerability.

Brian: And McAfee actually, just yesterday really ran the gamut against the patch and they have found it. It is a full remediation to give some peace of mind.

Chris: Yeah. So patching the vulnerability is your best option, we cannot stress that enough. Now, if there's a time delay for you to get the patches rolled out, or if there are limitations in where you can patch, maybe you can't get to all systems because of some limitation. There's a number of mitigation options here that we've pulled together from different sources, including Microsoft's Defender team and other people sharing mitigation recommendations from patchmanagement.org and other places.

The first one here if updating immediately is not an option, you can consider turning off Remote Desktop Services. I mean, that would make it so that now you can't support those systems remotely. So there's a tradeoff there. Where Remote Desktop Services are required, you can consider turning on Network Level Authentication, NLA for RDP.

This would mitigate the vulnerability and remove some vectors for exploitation. But with that enabled, an authenticated user can still exploit this and elevate privileges. So that again is mitigating the wormable portion of this vulnerability, the unauthenticated version of this vulnerability but it can still be exploited, even if you have that on.

Brian: As long as that attacker had some even user-level authentication, and that user-level authentication is perhaps enforced through GPO, it's just as wormable.

Chris: Yep. So turning on NLA, think of it this way, you may avoid the WannaCry level scale. But if you turn on NLA, and you don't do anything about the patch, and five months later, there's an advanced persistent threat within your environment, a threat actor in your environment, they will have credentials, they will be able to take advantage of this, and they will have it in their arsenal. So again, I can't stress enough this mitigates does not eliminate the vulnerability. So this next one, reduce the risk of internet-exposed machines with RDP enabled by placing them behind an authenticated gateway or firewall.

Brian: Yeah, I mean, that will just kind of hide it from the internet. But once they're on the other side of that firewall via phishing attack, any way they get into that perimeter, it's still just as wormable. And that's kind of the fear there is, you're just putting up walls, once they break right through it.

Chris: Absolutely. So in this case, remember that stat about 16 million machines listening on those RDP ports? This makes it so that trying to get through there can't be done unauthenticated. If they have a way to authenticate, yes, they can still exploit that. If they get around your perimeter firewall, which again, we're talking statistical challenge, not real difficulty phishing, getting in through... So if you remember back to WannaCry, six months after the WannaCry incident occurred, there were a couple of major car manufacturers that actually had their full facilities brought down by WannaCry.

And the reason for that is, the malware was introduced via removable drive or USB, into their air-gapped environments that were completely unpatched. So that is, you know, a very real possibility. You know, if you're an air-gapped environment, you're still not safe, you do need to worry about things like this. At some point, your own staff can inadvertently introduce this type of malware into your environment. And it has been done and made headlines.

Brian: And two years later, I mean, WannaCry is still being exploited. And they're still reports of it happening. I mean, heck, watching the Bitcoin wallet, link to WannaCry April 22nd, just a month ago, $300 was put into that wallet. Which is around the amount that they're asking.

Chris: Absolutely. So there's still activity going on out there, there's still a possibility that even the WannaCry SMB vulnerabilities are being exploited. These things, once they're created will hang around for a long period of time.

All right, so we've got a couple of other mitigation options here that we wanna talk through. In instances where NLA would break applications or workflows, the Windows Defender Firewall can be used to enforce authentication via Kerberos prior to accessing the port. So by turning on Kerberos, you know, and using the Windows Defender Firewall, you can actually provide a layer of defense there as well. So that's another option that would be available to you if you can't turn on NLA. And again, going back to patching being number one, if you've patched, this wouldn't be an issue at all.

Next one, physical network segmentation or NLA options are not options for preventing authenticated access to RDP. You can use the remote desktop gateway to secure RDP access.

Brian: Sorry, just one second.

Chris: So customers evaluating the risk posed by this vulnerability should account for potential attacks within the perimeter of their network. So this is what we talked about before, there have been multiple examples of, you know, malware being able to get past, you know, network perimeters. If you look back to Stuxnet, this was a piece of malware that was designed for the sole purpose of getting into an air-gapped environment.

So again, you know, don't ever trust that an air-gapped environment or a partially disconnected environment makes you safe. You do have to be concerned about how to get around this. And they are calling out... This guidance was actually from the Windows Defender team.

Brian: And looking at the POCs you see there are a blue screen some endpoints through the proof of concept. So attackers might utilize this vulnerability just to cause disruption by crashing the system. Looking for term dd.cis that's in the blue screen logs may be one way to figure that out. Figure out, "Hey, there, we have a couple indicators of compromise."

Chris: Yeah, so if you've got some threat hunting tools, if you've got some log management tools, you can look for this particular CIS file and look for any unusual crashes with that to be an early indicator of if you might have been affected by somebody exploiting this vulnerability.

All right, so let's talk a little bit about... you know, we talked about the speed at which this is moving right now, we're only a week out from the initial vulnerability being identified. You've got a number of threat actors and you know, white hat researchers are all actively looking at this. So the challenge is, how do we get ahead of these things? And this is a story that I wanna share that, I think it really sends a good message that trying to get to quicker remediation is achievable.

So this actually came out just recently, back in April, the Department of Homeland Security here in the U.S. updated their mandate around resolving critical security flaws. So they have now gone to giving DHS agencies a 15-day deadline to resolve security flaws, and there's a reason for that. But I wanted to talk a little bit about kind of this progression. This article goes into talking about what the overall progression has been. But back in 2015...these things don't happen overnight.

But back in 2015, this first mandate came out 15-01, released in 2015, required DHS agencies to resolve security vulnerabilities within 30 days. They came back just this year saying that they were at an average of 149 days time to patch. And now they've gotten the average DHS agency can resolve security vulnerabilities within 20 days. This new directive 19-02 drives that mandate from 30 days now down to 15 days for critical security vulnerabilities, and 30 days for high severity vulnerabilities.

So they're driving towards a very short window of being exposed by vulnerabilities.

So a lot of people ask, you know, why is 15 days? Why is 14 days? Why is that two-week point, a critical target to try to achieve? And the reason for that... this threat model kind of looks at that. You've got a number of things that are happening before an update releases. If you've heard of the term zero-day, obviously most of you have if not all. A zero-day is a vulnerability that comes out before a patch is made available. So that's why, you know, it's being exploited, you know, before an update has been made available.

There could be public disclosures, these public disclosures give a threat actor a headstart on trying to create this type of content. Then there's all sorts of unknown vulnerabilities. I actually had a question from somebody yesterday, saying, you know, "Was this vulnerability introduced by an update that Microsoft did? How long has this been out there?" Well, the answer to this is they could probably go back, look at the code changes and figure out when exactly was this vulnerability introduced. The answer to that is most likely, it's been there for years.

And somebody could have been exploiting it for a long period of time, and we might not have known. So the point here, though is, you've got all this risk out here. And as an update release, this is the point where the world now knows there was an update that resolved a vulnerability. The world knows that BlueKeep exists. So now, threat actors can go and research and do it differential. They can look at the code changes between what was there before and what's there, now, and they can go and start to reverse engineer that code.

So this is what all those researchers are doing right now. And with a little bit of trial and error, and figuring out how to poke at things, break things, these people are good at what they do. In a week's time, they have gone from just knowing a vulnerability exists to multiple researchers achieving a level of blue screen exploiting that vulnerability. Chances are, there's already a version of an exploit that could actually get system access. And either somebody is talking about it and has not disclosed it, or, you know, they haven't even mentioned it yet.

So if you look at this, when you get into this two to four week time period, these stats were taken from the "Verizon Data Breach Investigations Report." But historically, by two to four weeks, 50% of exploits that are going to occur, have already happened. So chances are, by the time we hit this two to four week period, there will be exploit code available for this vulnerability, especially with the amount of attention it's getting.

By the time we get to 40 to 60 days, 90% of exploits that are gonna be created will have already been created. And at that point, these threat actors start over. It's pretty rare that somebody goes and finds a vulnerability that had a patch available to it for 10 years, and just create a brand new exploit for it now. We do have examples of patches that have gone undeployed that people are still exploiting years later. That's pretty common, but most of those exploits happened within this time frame.

So how do we shorten that time to patch? You know, I know there's a number of customers on, actually, I even recognize a few names those of you who might have joined us at our event down in Nashville, where I did a patch best practices session. We talked a lot in that session about how do you shorten that time to patch? Well, you're gonna identify and automate bottlenecks in your process. You've gotta figure out how to shorten your test cycles. A lot of companies they can only field so many tests machines. If you're not engaging with more users, if you're not bringing users into your piloting of patch rollouts, it's gonna be very difficult to achieve a 14 day SLA. But it can be done.

We've got many customers that are doing this with Ivanti products today. One of them that joined us for our keynote when we did our event in Madrid, they're patching 66,000 systems globally. And they're doing it on a weekly basis. That means their SLA, their time to patch is seven days. And we've got other customers just as big and some bigger that are achieving a 14 day SLA. Microsoft themselves has a 14 day SLA for resolving security vulnerabilities within their organization. And they're over hundreds of thousands of systems globally. So this can be done.

Now let's talk a little bit about you know, going beyond patch if you can't patch this, what are the other things we doing? We talked about some mitigation for this particular vulnerability. But what are other security controls, you should be layering on top of this to make sure and protect your environment. After an update is available, the number one way to resolve vulnerabilities is to reduce that attack surface, to patch systems. That's the majority of vulnerabilities in your environment. Patching is the number one way to plug the majority of your attack surface.

App control, this is gonna help you block malware and untrusted payloads. AV has been proven to be only 50% effective at best. And the reason for that is most malware... 70% or better of malware is created for the sole purpose of the attack it's gonna be used for and then they're done with it and they move on. So by the time most vendors find that it can adapt to it and start to defend against it, the attackers already moved on to the next attack. So anti-virus is maybe 50% effective at best.

Privileged management. If you look at any major breach, if you break down and analyze, you know advanced persistent threats, privileged management is where they start to gain the access, they need to move laterally. They're going to get onto a system typically by exploiting a vulnerability in software, phishing a user, drive-by downloads however they get on to that first system. Then they're going to get privileged access and they're gonna embed themselves, they're gonna try to run untrusted payloads. Tools that are gonna be able to give them a backdoor gather credentials, do other things like that.

The next step they're gonna do is they're gonna take those credentials, and they're going to expand beyond that first system by means that you normally use. If I've got a credential that has administrative access to an environment, I can now jump around using PsExec, using WMI, using RDP services, PowerShell. From there, once they have privileged access, and they've compromised credentials in your environment, that lateral movement becomes very hard to detect.

That's why these are the top rated security controls you can do at the endpoint. Reduce that attack surface, block the ways they're getting in. Remove their tools, block malware, block those untrusted payloads. And then take away those privileges. Make sure that those attackers can't move laterally throughout an environment. So that's after a patch is released. Before a patch becomes available, app control becomes your number one, privileged management, your number two. These are the most effective ways that you're gonna be able to protect yourself against the majority of cyber threats out there.

All right. I'm not sure what that window is that's out there, some reason got this window hanging on. There we go. That was weird. All right. So how can we help prevent the next WannaCry? Well, this is where we're gonna get into... Oh, my link updated there, I'm giving away the secret at the end. We wanna switch over and show you guy's a demonstration of Ivanti Security Controls. This is one of Ivanti's patching technologies. It also comes with our privilege management and app control capabilities.

Again, like I said, many of you have already filled out our default trial, that's for 50 seats for 60 days. We're gonna give you a larger license for a 90 day period here at the end. So hold on for that for one second. But I'm gonna have Brian here, show us how quickly this can go into your environment, find this vulnerability and be able to plug it. And the reason that we're doing this is server 2003, and Windows XP have been end of life for some time. Many platforms that are out there have dropped support for it. If you're struggling to find all those systems into ensure they're being patched, this can help you.

Aside from that, depending on what you're using for patching today. There's a lot of products out there that you kind of set things in motion, but the final state validating that it's actually definitely patched is a little bit indeterminate. If the system hasn't rebooted, if any of the files are still, you know, left in that insecure state, this could still be exploited. So our technology will scan a system and even if you push the update through Windows Update, but it required a reboot, you haven't done that reboot yet, our scan engine will determine that it is still vulnerable, and it will let you know that.

So control over that reboot, valid assessment to make sure that it's plugged, that total experience here is what we're making available to you. Our goal here is to try to prevent a WannaCry scale event from happening here again. So we're sharing this technology. And Brian, why don't you drive here for a second and show us what that looks like?

Brian: Perfect. Do you mind navigating to the machine I have? All right, so just address it. I know there have been a lot of questions around which KBs etc. I will loop back around to those shortly after I get it kicked off. So the first thing I'm gonna do is just answer the question, "Hey, I have this CVE, what the heck patches do I need to fix it?" So right here, I'm gonna do Import CVs. It will take in any plain text file. I know it says CSV, TXT or XML. But it really can be anything, it can be a vulnerability scan, whatever you like.

So hit Browse, I have this CVE.txt file. At the moment, all this has is just a string with the CVE that we're trying to patch the RDP CVE. So I extract the CVEs, it says, "Hey, I have matched to 0708." And I'm gonna save it to patch group called BlueKeep. I've already created that before and I'll explain what's in there after I kick everything off.

Chris: Now the nice thing about this import is this gives you the ability to import from any vulnerability management source. We don't care if it's Qualys, Rapid7, Tenable, Kenna Security. If they've got CVEs within their reports, you can take an export from there, you can import it in here, and you can get quickly to the software updates that need to be applied.

Brian: Yep, absolutely. Any CVEs that we have to find within our data that link to a patch we'll return those and get them added to that patch group. So all I did was take that patch group and add it to a patch template that will show in a moment. But just to get everything kicked off, I have a machine group called My Collateral. So I have my air-gapped testing environment. So a lot of stuff's out of date there.

It's just an IP range. So the nice part about this is you don't need to know every single endpoint that you're connected to, as long as remote registry and [inaudible 00:38:39] file browsing is enabled, remote file browsing is enabled should be good to go. I'm using just some basic non-domain credentials. But if you just use your domain credential, that should work fine. So I'm just gonna run the operation.

Chris: What this is gonna do right now is it's gonna kick off an agentless assessment of this environment. It's gonna go do a discovery scan of that range of IPs that Brian is... You can go ahead and click Scan Now. While this kicks off we're just gonna kind of talk through the steps. So right now it's updating and making sure we add our latest definitions. It's now resolving all of those IPs to determine if there are systems that we can assess. And that it's gonna connect to those, and it's gonna do that patch assessment. We don't have agents rolled out to this environment. In fact, this environment gets blown away probably dozens of times a day. Doesn't it Brian?

Brian: Absolutely, all the time, gets reverted get's... All these environments are all completely different. All these environments in this range are not the same. They're XP, they're 2003, they're Windows 7, they're SharePoint, they're Exchange, you name it anything.

Chris: So as it starts to feed data back in here, we see that we've just got a whole bunch of systems back now. There are some of these have already been scanned. Others, there might be some dead IPs in there, there might be systems that he didn't have access to. With those statuses that came back, those error codes, we've got quick information to help you to resolve those agentless scan codes to be able to determine how to reach the rest of the machines in your environment. But you could quickly see here that we've got a number of Windows 7, server 2008, XP a variety of different systems.

Brian: XP embedded.

Chris: Yep, there's an XP embedded system there. All of these were able to be assessed agentlessly. So well, that continues let's go and look at the results here, Brian.

Brian: All right. So looking at these results. Sorry just dealing with DPI for a second. All right. So here, we have all the different machines, if I just select all of them... Oh, would you mind hitting Ctrl+A there? Thank you, you have all the different patches on here. So some are 2002 enterprise, Windows 7, 2003, XP, some are missing. If I go over and see missing some are three, two, one patches, others are already installed. I have fully patched inventory on here, etc. These are all ready to go, all ready to take action on. I can go to one of these I can deploy that patch and get it going. And that'll just kick off right now. It'll download that patch and get it deployed.

Chris: And again, this is all happening agentless.

Brian: Yep.

Chris: Download that patch, it is now deployed it out to the system and it will schedule that execution.

Brian: Yep, it'll schedule it right now and kick back to me whenever that's completed. So just while that's going and while the scan is going, I just want to take the opportunity to show what's in that patch group. There were a lot of questions about what patches fix the CVE, remediate the CVE. So when I took in that CVE to patch logic, this is what came out. So these are all the different KBs that are applicable with it.

So for XP in 2003, it's KB-4500331. And then for 2008 and Windows 7, there's two different patches. And there were questions about kind of what's the difference between these two KBs. So the first one you will have will be the security only patch. So security only patch will be an aggregation of all the fixes for that month in that month only. And it's just security fixes, they're not security or stability fixes or anything like that. So it's great for when you're trying to do the smallest amount possible, especially for server environment.

The others will have an MR prefix in our bullets and title, those will be the monthly rollouts. So those contain all the security and non-security fixes, since about 2016, when they start doing this. But they've also looped in older patches too. So specifically what they cover is a little bit nebulous, but that will cover a lot more if you're looking to...especially for your workstations we're trying to get those stability fixes out.

Now, within our product testing to make a little bit more sense, we've classified the security only as the security patch. So if you're going to say, "Hey, give me the least amount of patches possible," go with security patch. If you're looking for this additional non-security fix, we called it a non-security patch, however, they're still associated with that CVE. Just to give you an idea. Just to go back and kind of show you the speed that we're talking, we had 49 machines scanned, the last time I checked, I can quickly refresh and now I've evaluated 266 live machines. 682 weren't scanned, in most cases, these were just dead IPs, and there were a couple that...some of these are domain machines have their own domain controller, etc. So they weren't scanned at the moment but at least you know, those are live machines, we give that insight.

Chris: All right, so let's go back to our scans, we're getting pretty close to done, there.

Brian: Yeah, we are.

Chris: The machines that we've got.

Brian: The deployment, it's already executing on those endpoints. So this will be the security only patch that's going. So because it will require a reboot, that will take a little bit of time. But we're already patching that it should come back within... Oh, there you go it already turned 3010, so it's gonna be scheduling that reboot right now.

Chris: So let's go back to our QA collateral scan back into the... let me click for a second.

Brian: Absolutely.

Chris: See. Here we go. So here we've got the scan is still running, we've got 376 of 1,000 machines completed. So quite a few machines that have come back already. And you can again, see how many missing patches are missing products are on each of those different platforms. Again, this is a QA environment. So you're seeing things like... we actually patch vSphere as well.

So actually, there was a question in there about showing us some tools that we have that look like they're outdated. It's because this is a test infrastructure. And we actually test against old versions of the vSphere and old versions of OS's. You know so things like that are in our test environments, not in production. But you can see here, the scan is continuing to run. And from that, we'll be able to deploy those updates to as many systems as we need.

Brian: We have a ton of questions.

Chris: Yeah, let's let me go back to our presentation. All right. So let me talk about the trial here, it's gonna be a 90 day trial for up to 1,000 systems that you'll be able to deploy to if you get this. And again, no strings attached, we're doing this because we wanna help reduce the impact globally here. Once you're installed and running, you can get to that first assessment that we showed you here. Many customers get to it within 30 minutes or less. When you install the product, it can do the prerequisites that you would need to be able to get up and running with that and you know, be able to get everything functioning.

If you want to request this 90 days trial license, you can go to this link right here and fill out that form, and that's going to bring you to this page here. And you can see again, the details around this. This is again, beyond our default trial size, it's gonna give you access to the full product. So you'll actually be able to use our app control and privileged management capabilities as well. When you complete that trial, you'll be able to download the product. And you will see... when you get to this point, you're gonna see that someone will be reaching out to you within the next 24 hours.

We do need to get basically a contact created within our system to generate and send you that larger license key. When you access your trial, that free default trial is one that you get to use with the in-product activation. So that one you can activate very quickly and easily. But for that full trial, the 90 day 1,000 seat, we have to actually generate you a specific key for that. So that's why there's a little bit more process behind that one.

If you need more than the default trial, go to this link and fill out this form, and that's gonna kick off the process. If you're good with just the regular trial, then you're ready to go. If you go to our default trial landing page, download the product, install it, that'll give you that 60-day 50 seat free trial license as well. All right, so let's get into some questions.

Brian: So yeah, if you wouldn't mind bringing up my testing environment, my general environment? There were a few questions on how to do certain things so I'll get to those. But let me answer a few things right now. "Are systems protected just by installing the monthly rollouts or must the restart be completed? The customer had run Rapid7 against test servers, they patched, but they weren't rebooted, but Rapid7 said installed." That's a really great question. The So Rapid7 or a lot of vulnerability scanners do tend to look specifically at the suspect file, Just the suspect file, the one that can be exploited. And if it is up to date.

Yeah, you might not be vulnerable, but you really can't be sure of that until the reboot is done. A lot of times certain files that are a part of our running service...RDP will be a great example of that's running won't be put into place until...or it won't be loaded until it's rebooted. So yeah, that file might be up to date, but I don't know if the RDP service is fully consuming that.

Chris: Right. What's in use right now may be different than what's on disk at that time. So if you do the scan with our products, and it also shows it's installed, you should be good to go. Again, each vulnerability assessment vendor is a little bit different in their detection logic. So I would trust that they're probably correct on that, and that a reboot wasn't required. But you know, most security updates need to reboot the system.

Brian: Yeah. I think the gray area and I...especially with the severity of this, I would not consider it patched until the reboot is completed.

Chris: Yeah. Microsoft, if you look at most of the reboot requirements say that an update may require a reboot. And that's because a lot of times you don't know the system state is gonna determine if a reboot is required or not. And even in the case of a test environment, the two patches that we pushed, both required a reboot.

Brian: Absolutely.

Chris: So yeah, it's recommended to do the reboot to make sure it's final. That's the safe answer.

Brian: The next question was deploying those patches via Ivanti's Security Controls, does it override Windows Update configurations on the target endpoint? No, absolutely not. We are very much independent of Windows Updates, the only related to Windows update that we have is when we're executing the patch on the endpoint, because that's, by default, it needs Windows Updates to fully install. I.e. it requires servers running. But otherwise, we do not touch that in any way, we actually don't even leverage the Windows Update servers, like their detection logic, ours is completely independent.

Chris: Yeah. So the biggest thing there is the Microsoft patch hasn't manifested it, that needs to be interpreted by the local Windows Update service running on that box. So we don't actually affect any of the configuration or WSUS or anything at all, you can run us independent of that. And in fact, we do have customers who have gone in and done assessments, using our product to make sure that everything is clean.

So if you do find a case where WSUS is what you're using, you go and scan and deploy, and you come by with our product in this case, and do that assessment again and find some missing patches. You can absolutely feel free to deploy those, make sure the system gets rebooted, and that they get finalized. And you will not affect the next cycle where WSUS would be running.

Brian: Yeah use those great auditing tool for some of those customers that use Windows Update. The next question was, "Hey, I saw the CVE demo, can you show me kind of how you turned that into a patch template?" So I'll just walk through it real quick because it's real fast. Just to kind of give you an idea of what a CVE looks like. CVE.txt looks super simple right now it just has CVE-2019-0708, it'll definitely read any plain text, it doesn't have to be this simple.

But if I added some additional stuff to this, etc, it would still detect it all the same. And this would be a good example like your vulnerability scanner that references a CVE. So I just did this for the simple demo. So as I mentioned, I went to View, sorry, Import CVEs, imported them into BlueKeep and I made a patch group called BlueKeep with this list. When I wanna take action on it turn to a patch template, all I did is just go down here created a new patch scan template. In this case, I called it BlueKeep. Here you can choose a lot of different things whether you wanna security only, non-security only, certain vendors, etc.

But in this case, I went over here and just said I want BlueKeep as my baseline. As in any patches in here, those are the ones I wanna scan for. And then once I did that, you can scan with that specific scan template. So there you go. So the next question was, what's the difference between a patch for endpoint manager and security controls, Chris?

Chris: Yeah, patch for endpoint management versus security controls. So patch for endpoint manager is our security capabilities combined with our systems management platform. So EPM is able to manage everything across your environment, you know, multi-platform support for asset management, for configuration management, for provisioning, for environment management. If you activate that module, security capabilities, like patch, app control, you know, a variety of different capabilities are all built into that endpoint manager platform.

Security controls is a kind of purpose-built security-focused product. So this is gonna do patch, application control, privilege management, all from a single agent there. It doesn't have the broader capabilities of the EPM platform. So it's a matter of what are your needs. If you trial this product, the same engine that's being used in here is also being used in our endpoint management platform, just a matter of the user experience is a little bit different.

So we also... for those of you who are running on Microsoft System Center, we do have a third party plugin for the system center platform as well, that can bring our catalog of third-party updates, if you look at...go back over here to view. So you see all these different vendor filters on the left here, we've got a pretty extensive catalog of third-party updates. Microsoft is only one vendor in this list. And many of these vendors like I'll just expand Adobe here, you see, there's many products for some of these vendors as well.

This same catalog can be made available to Microsoft System Center customers, that give you a very extensive experience there, has some of those same kind of CVE import capabilities has, you know, other things like the ability to edit a package and do pre and post scripting and things like that. So we have different flavors of our patch technology for different purposes. The reason that we're doing the security controls trial, in this case, is it is our fastest to be able to get up and running in the average environments, and can give you a taste of what we can do.

As you engage with our team if you're interested in any of those other options, our team is able to answer any questions you might have on them. Okay, so there was a question about embedded systems and if those should be patched. So this one... so Ted, we'll go back to our scan result here which we actually had a...see here where is it?

Brian: There it is, Windows XP embedded.

Chris: Yeah. So XP embedded, absolutely has this vulnerability. Think about if an attacker gets into that environment, and that is exposed, they will run rampant. How many times have you read the headlines of a company that passed their most recent PCI audit, their POS audit passed an audit. It was meeting the standards So if you're not... How does an attacker get in there?

Well, they can cross boundaries through a lot of different ways. If they find a way to introduce this into your POS environment, and you have not patched that entire environment is gonna be taken down in a very short period of time. So the threat is very real, we would highly recommend your embedded systems need these updates as well.

Oh, there was a question from Shane. "How does this product differ from Patch for Windows?" Actually, Shane, it's the same product. This is...our legacy name on this was Patch for Windows that has recently been renamed to Ivanti Security Controls. It's the same product just with some new additional security modules available for additional purchase. The app control and privileged management engine is the first of those. We've also added Red Hat support for patching. CentOS is the next flavor that's coming for patch, followed by MAC and Susie. [SP] And then there's additional security modules like device control coming later this year as well.

Brian: If you have Patch for Windows right now, you can update to Ivanti Security Controls, which is a direct update, to be honest. And that will give you that CVE to patch feature that I did demo for you.

Chris: Yeah, so Lena had a question. "If I'm on Patch for Windows, do I need this security controls before I can patch this?" No, actually, you can do everything we showed here today in the patch for Windows version that was already released. The only difference is Red Hat support and a few other features those all come in the security controls release. So that's where you wanna get up to that latest release to get those additional capabilities.

There was a question from Andy regarding our patch and remediation product. So there is a migration path over to security controls, we've sent out invites to many of our customers on the legacy heat product already. If you have not received an invite yet, it's either because you're using some of the capabilities that aren't available in ISC yet or that your invite with the license key to be able to let you get up and running on this, you know, might have been captured by a spam filter or clutter.

So reach out to us, Andy, and we can check and see if you're already on the list of over 500 companies we've sent migration invites to. You can absolutely get in there. If you've already got it we'll get you that license key. If you haven't got one yet, we could talk about your situation. If you wanna move sooner, we can talk about what that would look like. All right, I think we've answered many of the questions here. Brian, what else do we have that people haven't gotten answered on yet?

Brian: A couple quick questions. Can you find by CVE if you're using Patch for Windows? Those that CVE data has been more exposed and Ivanti Security Controls. Just to reiterate, it's just a basic upgrade you should be seeing on your Patch for Windows console offering you that ability to upgrade it. It's no different from licensing if you're a Patch for Windows user.

Chris: Did we repost the...

Brian: I'm not sure we did let me do that real quick.

Chris: Go ahead and drop that back in again, just so people can have that. A special trial link, we're gonna drop that back into the chat again, for those of you who wanna take advantage of that 1,000 seat trial. And again, we're trying to make it so that people can go and reach these systems as quickly as possible. The clock is ticking, and patching is the most effective way to make sure that you're getting these resolved.

All right, let me switch back over here for a second. to kind of wrap things up. That's my web browser. Here we go. So again, most important, make sure and patch this vulnerability as quickly as possible. We've kind of gone through the questions already. If there are some additional questions here we haven't seen, please let us know if we missed something. Most importantly, get out there and start patching, make sure this gets resolved as quickly as possible. If you can't patch, get into the mitigation options for this again, we can't stress that enough. Patching is the most effective, but there's a lot of mitigation options if you cannot patch.

The presentation and the webinar playback will be available later today from our webinars page. So the same place you came to sign up. You can go to ivanti.com/resources/webinars, the playback will be available out there along with the presentation later this afternoon. For those of you filling out that special trial form, after you submit that, you know, our team is all hands on deck. They're literally working through launch and they're catering in launch for them to start calling and making sure that people get that extended trial license as quickly as possible.

So we will do our best to get that out to you as quickly as we can, just be watching for that call. And help our team get the right information they need to cut you that trial license key, that larger trial license key. All right, everyone, thank you for your time today. And we do appreciate you taking some time out to work with us and talk through this.

Brian: Just to give you a heads up, guys. For those that have not updated to Ivanti Security Control and do have Patch for Windows, I'm just putting that link to give you that easy download. So if you want...

Chris: So for you guys, all you do download the new version, run it, it's literally a next, next, next it's gonna upgrade and you're ready to go. The patch module is the same you've always been using, it will have the addition of being able to support Red Hat as well. For the app control and privileged management, that's an additional module that you can look into. But that's not included with the default patch module that you've already purchased.

Brian: Perfect.

Chris: All right. Thanks, everyone, and have a great day.