How to Cut Through the “Fog of More” to Achieve a Solid Security Foundation

September 26, 2019

David Murray | Product Manager for Endpoint Security | Ivanti

Sara Otremba | Product Manager | Ivanti

Jason Everson | Senior Product Manager | Ivanti

Why do security programs fail? How does a company that passed a recent audit suffer a breach? Is there a silver bullet for securing my environment? It seems there are more questions than answers in cybersecurity today. In this session we'll provide guidance and talk about ways to focus your security strategy to reduce the volume of incidents so you can focus on business initiatives instead.

Transcript:

David:                 This term, The Fog of More, that was coined by the Center of Internet Security a few years ago, to describe what they outlined as the overload of defensive support. More options, more tools, more knowledge, more advice, and more requirements, but not always more security.

David:                 The Council on Cybersecurity, as it was known at the time, referenced the fact that the rapid rate at which the IT security industry evolves ensures that security and compliance professionals are constantly battling to keep their head above water in a sea of tools, data, advice, and reports. Meanwhile, the criminals just focus on attacks. They go on to describe that as technologies grow more sophisticated and interconnected, developing an organizational approach to cybersecurity seems more complicated than ever.

David:                 Security tools typically provide endless amounts of complex data, and they often hide valuable security information, among a sea of white noise and false positives. These tools, they require advanced IT knowledge to install, to configure and maintain. It really means that more time is spent fighting with the tools than actually investigating security issues.

David:                 When it comes to phishing attacks, ransomware, data leaks, IT security breaches in general, how can organizations protect themselves in this perpetually advancing threat landscape? Well, many organizations start out with a cybersecurity audit to help them understand their current security posture. Sometimes these audits are required for regulatory reasons.

David:                 However, companies that are conducting a cybersecurity audit... compliance, protect intellectual property, or maybe to safeguard clients or employee information, they often run into this fog of more. This fog surrounds the range of problems and solutions facing business when it comes to cybersecurity, and it really obscures the task ahead and makes it a difficult situation.

David:                 The reality, however, is that most cyber attacks are not particularly sophisticated. In fact, attacks often rely on simply misconfigured or outdated systems. The result of the fog of more is confusion, misunderstanding, and ultimately mistakes. What tools should I purchase? What security issues are really priorities? What does all this data provided by my tools mean? Does management even understand our security posture? How can I prove regulatory compliance?

David:                 Security and compliance professionals end up being so overwhelmed that they don't have the time to investigate security events, or to follow up on insecure end-user processes, or even report up to upper management. One missed issue amidst all of this noise, one configuration that's accidentally reset, or one misunderstood security event, and all of an organization's investment in security could be in vain.

David:                 These are the kind of issues that give birth to, and continue to drive the Center for Internet Security and their CIS controls. The CIS controls focus on what cyber criminals are doing right now. In order to ask, "Out of all that I could do, what are the core foundational steps that I can take to get the most out of my security value and stop these attacks?"

David:                 Now, we've already got a lot of frameworks that guide us in terms of what we need to do. It might be PCI compliance, or it could be GDPR. You've got standards like ISO, or maybe FIPS, to make sure you've got good cryptography, or HIPAA, to ensure that we're protecting people's personal data.

David:                 Many of the customers that we work with are bound by some of these requirements. They provide a lot of guidance in terms of how to secure your environment and be compliant. If you cross-reference what they are all recommending, you come back to many of the basic security controls that we've had for years.

David:                 What makes these frameworks so important? If these security controls have been around for years, why haven't they been effective? Why do we still see breaches occurring in organizations that are expected to comply with these frameworks?

David:                 Well, in most cases, these frameworks are just focused on certain parts of the organization. I've got to consider, first I secure the whole of my organization, then the rest of my environment.

David:                 More importantly, if I'm looking at how to make my environment PCI compliant, for example, what's the most effective way to go about it? PCI and these other standards, frameworks, they don't come with a set of steps to say, "Do this first, do this second." It just says, "Here's all the things that you got to do."

David:                 That's where the Center for Internet Security comes in. They've applied the Pareto principle to cybersecurity. The Pareto principle being that concept that for many activities, roughly 80% of the effects come from 20% of the causes.

David:                 It's about focusing your efforts on the 20% that will make a difference, instead of wasting time, resources, and efforts on the 80% that probably doesn't matter that much. By applying the Pareto principle, the Center for Internet Security developed these CIS controls. A set of 20 prioritized actions intended to help any organization improve its cyber defenses.

David:                 The CIS controls are developed by a community of cybersecurity experts around the globe. What they've done is they brought their knowledge and experience with a range of different technologies to the table. The controls have been developed based on their experience with actual attacks, and as a result they ensure that the CIS controls are not just another list of good things to do.

David:                 They're a prioritized, focused set of actions driven by a community network to make them implementable, and also to make them compliant with all of industry and government regulations. The controls span across all of these different regulatory frameworks, and by following the CIS controls, you can become PCI compliant, but you can also get some additional coverage as well.

David:                 CIS controls, it's a prioritized list containing 20 controls. The idea is that you start at the top and you work your way down. With each step along the way, you're maximizing the impact on securing your environment. I could jump down to number 20 on that list. I might solve a particular problem, but it's not going to be the most effective way to start out.

David:                 It's guiding you each step of the way. You're maximizing your investment in securing your environment, and that really helps you focus your investment. The great thing about having a focused security strategy, is that you avoid the problem that instead of getting defense-in-depth, you end up getting expense in-breadth.

David:                 The security industry is growing. It's an industry that's growing pretty significantly, actually. By 2020, it's going to be well over $100 billion in size. Right now, it's growing at about 8 or 9% a year.

David:                 It's also an area where companies are opening up IT budgets, so there's budgets here where it's not available in other areas of IT. The problem, of course, is it's not an infinite budget.

David:                 It's still a finite budget. I've got to decide where I'm going to outsource to an MSSP, what solutions I'm going to buy to help the security team, what I'm going to need to buy to help the operations side of the house. To help them effectively protect my environment, as well. That budget is finite, and there's a lot of tools out there.

David:                 If you go along to security shows like RSA or InfoSec, you'll find many new companies every year. A lot of the products that they've got are focused almost entirely on a single issue. Building a strategy on these single-feature, silver bullet technologies, it can get costly very quick. However, if you use a framework like the CIS framework and find solutions that can address many of the requirements, and then fill in with point solutions where you see the greatest threats, that's going to help you reduce costs, while getting the defense-in-depth strategy that you really need.

David:                 As I've already said, the CIS framework has 20 sections. Now much of what you do in cybersecurity is an 80/20 effort, that Pareto principle. You can get 80% of what you need by doing 20% of the work. As you try to nail down the remaining 20% of risk and exposure, you begin spending a lot more time, effort.

David:                 The CIS framework is built much the same way. The top five, or what's been called the fast five, or the critical security controls, they deliver layers of defense that, when implemented effectively, can mitigate or eliminate more than 80% of cyber threats.

David:                 Let's take a look at these first five controls in the CIS framework. The first two here are associated with discovery. If I can't see it, if I don't know about it, I can't secure it. The first one, inventory and control of hardware assets. I need to find these devices to see what's in my network, what has access to my systems.

David:                 Next on the list is inventory and control of software assets. I need to make sure there's only authorized softwares installed and can execute. And that unauthorized and unmanaged software is found and.. from installation or execution. This is where technologies like application control or application white-listing play a key role.

David:                 Third on the list is continuous vulnerability management. Now that I know what software is installed, how do I make sure that these applications don't have vulnerabilities? I need to continuously scan for vulnerabilities and apply patches to remediate those vulnerabilities and minimize the window of opportunity for attackers.

David:                 Next up is the controlled use of administrative privileges or privileged management. If an attacker does get access to your network, and if they can do this with admin level credentials, they can do a whole lot more damage than if they just have a standard-level access. I think we all know that a least-privileged approach is a security best practice.

David:                 Then the fifth control is security configuration. So implement and actively manage the security configuration of laptops, servers, and workstations, in order to prevent attackers from exploiting vulnerable services and settings.

David:                 The message from the CIS is if you do these five things well, what they refer to as cyber hygiene, you significantly reduce the number of security threats you're going to face. What I haven't covered on this slide, more recently the CIS have included the sixth control in the basic controls. That sixth control is called maintenance monitoring and analysis of all the logs to help detect, understand, and recover from attack.

David:                 Okay, so the top five controls have been proved effective against the most common cyber attacks. In studies, that equates to about 85% of attack techniques. That's a pretty decent number, but you want to drive that number higher. That's where you start to look at some of the other controls and where technologies like network defenses and EDR, endpoint detection and response, start to come into focus.

David:                 The key point is that once you've created this solid security foundation, you've got a much smaller attack surface and fewer incidents to deal with. It's a much more manageable problem, and you can start to think more strategically about where to spend that additional IT budget to best address some more specific issues in your environment.

David:                 Okay, so we've talked a lot so far about the Center for Internet Security and their critical security controls. There are other national frameworks around the globe, as well. Jason, why don't you talk us through a couple of these.

Jason:                 Yep, no problem, David. The first here is the Australian Signals Directorate. They're a government agency responsible for cyber warfare information security in Australia, obviously. In 2011, they formulated a prioritized list of over 30 mitigation strategies.

Jason:                 Now, that's quite overwhelming for any organization, so they redefined that, and focused on the top four. The top four are the ones you can see in this slide. We have application whitelisting, patching applications, patching operating systems, and restricting admin privileges. Now this marries up pretty much with the CIS controls that David referred to earlier.

Jason:                 One other point to note as well, is recently they've revised this top four to the essential eight. The top four are still part of that essential eight now, and they're a valid starting point.

David:                 Great. You can see at the bottom of the slide here, as well, there's this quote which is from the Australian Signals Directorate. "No single mitigation strategy is guaranteed to prevent cybersecurity incidents." I think we all know that. There is no single silver bullet out there.

David:                 What they say is, "Properly implementing application whitelisting, patching applications, patching the operating systems, and restricting administrative," referred to as the top four, "continues to mitigate over 85% of adversary techniques used in targeted cyber intrusions which the ASD has visibility of." That's where the 85% number tends to come from, it's those techniques that are used in cyber intrusions.

David:                 The point you made, Jason, I think is a valid one. It matches up pretty well with the Center for Internet Security. We talked about the inventory and control of software assets, which is application whitelisting is very much aligned with that.

David:                 Number three on the list in the Center for Internet Security was that continuous vulnerability management, so patching your applications, patching your operating systems. Number four on the CIS list was controlled use of admin privileges. Here again, we see restrict admin privileges. Probably not that surprising, seeing a lot of commonality in those.

David:                 Just an interesting thing I came across on LinkedIn early this week, just happened to notice a post there from the former Australian Signals Directorate Director-General, Mike Burgess. What he said was that, "Every cyber incident that we look at, there's a known problem with a known fix that actually should have been fixed in 99.999% of the cases we look at. The best way to deal with this problem is to go back to the boring, unsexy stuff of actually the discipline and hygiene about securing things properly."

David:                 That was his quote. That if you deal with this boring, unsexy stuff, you can address 99.999%. The inverse of that is you can get some cool new technology out there that might catch that 0.001% of issues that occur. But just do the basic things well, 85% to higher is what you're going to get.

David:                 Okay, so moving on. That was the Australian Signals Directorate. What else have we got, Jason?

Jason:                 Yep, the other way is the National Cyber Security Centre. That's a government organization in the UK. They offer advice and support on avoiding computer security threats. They've created Cyber Essentials, which is an industry-supported scheme which helps organizations to protect themselves from attack.

Jason:                 As you can see, the language here is different to the others, but it's still very, very similar in how they've mapped one from the other. For example, you can see keep your devices and software up-to-date, that's in patching.

Jason:                 Protect you from viruses and other malware, that's kind of application whitelisting. Control access to your data and services, privilege management. Securing your service and software, that's probably a little bit to do with application whitelisting again. And obviously, here's another one about securing your internet connection, as well.

Jason:                 Pretty much, these marry up with the others. As you can see, all the different frameworks have a very, very similar set of the top items that you need to be implementing first.

David:                 Absolutely. What you see here as well are those three keep reappearing, your vulnerability management, your whitelisting, your privilege management keep appearing. Here we see secure configuration, which was number five as well in the CIS controls.

David:                 Okay, so let's move on a little bit to talk about our approach here at Ivanti. Over the past few years, Ivanti has brought a number of best-in-breed security technologies into its portfolio. Many of you will be familiar with some of those older names of the organizations that came together to form Ivanti, included technologies like Patch Management from Shavlik, Application Control and Privilege Management from AppSense, device control from Heat Software. Some additional capabilities from Landesk.

David:                 What we've been doing over the past couple of years is looking through these different security products and taking the best-in-breed technologies from each of them and bringing them together. Part of our focus in doing that is to provide defense-in-depth, really trying to align with the CIS Top Five, the ASD Top Four, and UK Cyber Essentials, to ensure that customers get that solid security foundation.

David:                 Providing defense-in-depth is just one part of it. Another part of our strategy has been around the user and ensuring that we achieve that balance between security needs and user needs. And I guess also, organization or business needs. I think we all know this, there is no quicker way to get a security technology removed from the environment than if it starts to impact from end-user or business productivity. We've been very conscious of that as we brought our portfolio together, to ensure we get that balance right.

David:                 I guess just look at that a little bit more, on the left-hand side, you can see what IT would like the world to be, the laptop in chains, very secure but not very usable. On the flip side of that, users want to be free and not impeded. They want to be productive and they don't want security getting in the way.

David:                 Really, one of the largest risks to security initiatives is users. Users who can't get their work done, they're going to call the help desk more. They'll even try and go around IT with shadow IT workarounds, introducing risk into the environment.

David:                 As you introduce your security framework, that security foundation, make sure you learn about users and their needs. Focus on silently providing security through updates and risk evasion, and trying to not impact on productivity, trying to increase productivity with the right tools.

David:                 Interesting, I was speaking to an IT security administrator at a customer a couple of months back. I was asking him about his role in the organization. What he told me was that his job was to be invisible. It was actually a legal firm. His message was any impact to productivity is very costly and very measurable. His job was to ensure that the systems were secure, but to try and ensure that nobody knew that he even existed.

David:                 This leads us on to talk about Ivanti security controls. This is the platform which brings together the best-in-breed technology from across the Ivanti portfolio into a single platform. The name Ivanti Security Controls was selected fairly deliberately, to align with those critical security controls we discussed earlier.

David:                 Building on decades of market experience across these different technologies, what Ivanti Security Controls delivers is really three things. First of all is that layered, modular defense-in-depth security suite to provide a solid baseline protecting against security threats.

David:                 The second item is simplified workflow with automation. I've used the terms best-in-breed a couple of times. As we looked at the different technologies from the companies that came together to form Ivanti, when we were defining what best-in-breed actually meant, some of that was about the security technology itself. A lot of it, as well, was about the usability of the technology.

David:                 It's great if you have a security technology, but if nobody can actually figure out how to use it, what ends up happening is it doesn't get used. We very much focused on security technologies that had a simple workflow.

David:                 The other part of this, as well, is we focused on technologies that allowed for and lent themselves toward automation. We all know, everybody's trying to do more with less. Everybody's trying to automate as much as possible. That's really what that second bullet talks to, simplified workflow with automated security processes that reduce the burden on system administrators, while also providing response time for security issues.

David:                 Then the last point, which as well I've talked on the previous slide, trying to achieve that balance between balancing security with user needs. So providing security without adversely impacting on user or business productivity.

David:                 As you can see from the graphic in the bottom right, our focus has been going back to those different controls that you saw appearing across each of the frameworks. So patch management, or vulnerability management, application control, and privileged management.

David:                 Let's talk a little bit about each of those. The first of these, Patch Management, very much from our Shavlik heritage, some of you will be familiar with, some of you may be customers of Patch for Windows or Shavlik Protect, as it was known back in its Shavlik days. Some of the key features in that product... Actually as we'll mention later on in this webinar we have follow-on webinars which will go through each of these in a bit more detail.

David:                 Some of the key features of our patching technology is that it provides both agentless and agent support. Agentless support, very useful in environments where, particularly your server environment, where you're pretty sure that the systems are always going to be connected to the network and you can always reach those systems. In those cases, customers are often happy just to have an agentless implementation so they're not adding yet another agent to add security in those environments.

David:                 For other systems that might not always be connected to the network, or that do require an agent, just based on the nature of the technology involved, we have an agent implementation as well. So agentless support today for Windows. We also have agent support for Windows, but agents being required, also, for Linux.

David:                 We have vSphere integration. This is part of Shavlik's heritage, as one time they were actually owned by VMware, and that allowed them to develop this very tight integration with VMware into vSphere, enabling capabilities, like the ability to patch offline Windows VMs and templates. Also doing things like snapshotting pre-deployment so that if something goes wrong on the patching cycle, you can just roll them back.

David:                 Cross platform support, so I mentioned earlier that the product was at one time called Patch for Windows. Part of the reason we've had to change the name of the product, of course, is because it's no longer Patch for Windows. We do support Windows, but we're also now providing cross platform support, initially in the form of Red Hat and CentOS, and continuing to develop additional platforms as well.

David:                 One of our strengths is that we do provide an extensive, one of the most extensive, third-party catalog of patches out there. That enables our customers to patch both the operating systems and applications. Not just the Microsoft applications, but also third-party applications. That's where more of the vulnerabilities now lie, which is why you need to have that extensive catalog.

David:                 Some more of the key features, our patching technology is cloud enabled. What that means is that if you have systems that are off network, they're not connected to the corporate network, they're not connected via VPN, we will have the ability to still deliver policies to them and deliver changes to them to ensure that they are constantly kept up-to-date and that they're constantly patched.

David:                 A couple of additional features that we've introduced more recently. One of these is CVE import. What that allows you to do is to import vulnerability scan results and quickly match CVEs with patches. Most of our customers would have a vulnerability vendor, a Qualys, Tenable, or Rapid7.

David:                 Generally what happens is, that tool will sit with the security team. The security team will run scans of their entire network. They'll come back with this big, long vulnerability report, hundreds of thousands of pages, or hundreds of thousands of entries in there. They'll land that over the wall to operations team, to the patching guys and say, "We've got a lot of vulnerabilities. Go fix them."

David:                 Generally what happens is the patching guys, the IT team, can spend hours or days each month just trying to match up the vulnerabilities with patches. With the CVE import feature, we can now do this in a very short timeframe, with literally a couple of buttons. A couple of minutes later, you have that match done.

David:                 Finally, REST API is last but not least. Really facilitating that integration and automation as well. Customers trying to automate, we've got REST APIs right now.

David:                 I see a question coming in there, actually. Will there ever be agentless support for Linux, like Red Hat? Right now, just based on the nature of the technology, we do need an agent. We do need to deploy an agent for Linux. We are looking at whether we can implement an agentless version of that. At some point in the future, it may be also available. For now, it definitely requires an agent.

David:                 Just moving on then, to talk a little bit more about automation. We do have, within the Ivanti marketplace, I'll have included a link down below towards the bottom of the slide, just showing where you can get the Ivanti automation connector. That's available on the marketplace. You can see from the text here on the screen some of the types of things you can do through that connector and through those REST APIs. Things like credentials; creating, deleting machine groups; adding endpoints to machine groups; deploying patches; conducting scans; creating patch templates, and so on.

David:                 Also, I've involved the very bottom link on this slide. You can see there's a link to a blog showing how to use the new Ivanti Security Controls Connector for automation. On there, actually if you go onto that blog, you'll see a video just showing how the automation actually works.

David:                 One other thing I do want to talk about is Patch Intelligence. What is Patch Intelligence? Patch Intelligence is part of the Ivanti cloud platform. If you've been joining any of Ivanti's webinars or just watching what Ivanti has been doing over the past year, you'll have heard a lot about Ivanti cloud.

David:                 Patch Intelligence is just another part of the Ivanti cloud platform. It's designed to help customers make informed decisions about patching their environment. This is live right now, and it provides access to the entire Ivanti Security bulletin or patch database. You can go in there and you can get detailed information on the bulletin. You can see what patches are included. You can see the associated CVEs or vulnerabilities.

David:                 It's trying to speak the language, whether you're in the security side of the house and you speak vulnerabilities, if you're in the operations side of the house and you speak patches. We're trying to bring this all together in one place.

David:                 One of the really interesting features in here is this known issues field. The Ivanti team will post any issues they're aware of as they populate the database, as new content becomes available. The idea here is that as customers do their testing, if they identify any issues, they can add them in here as well. You get that community feedback from other customers to help you make decisions about the overall reliability of patches.

David:                 Where we're taking this, really, is we're effectively crowd-sourcing the testing and the issue-gathering for patches. You've still got to do your own testing in your own environment, but we're trying to reduce that overall time to patch. We see Patch Intelligence as really facilitating that.

David:                 You can see on here, as well, we've already got threat scores on there, which start to help with prioritization. One of the places we're trying to take this next is to match up your environment, whether it's endpoint manager, whether it's Patch for SCCM, or whatever security controls. Seeing all of the patch data within Ivanti cloud, that's great. I can do research on any given patch.

David:                 What I really want to know is what about my environment? What about the vulnerabilities I've got in my environment? Can you show me for all of my systems, what vulnerabilities I've got? More importantly, what are the threat scores associated with those vulnerabilities? How reliable are the patches that are associated with those?

David:                 This is just mock-up data, it's not real data here at the moment. If I get something that has a high threat score, and it also has a pretty solid reliability score, I can feel a lot more confident about patching. It helps me prioritize the patching in my environment.

David:                 So patching is great. I'm sorry, I see a couple of questions coming in. We will come back to those a little bit later on towards the end.

David:                 We talked about patching, and absolutely you should patch everything. That's a really great start, but it's not going to give you everything you need. That's why we need additional layers, additional defensive layers like application control.

David:                 Very often when you hear of a breach that's occurred, you'll often hear it's traced back to this vulnerability wasn't patched, but there's a few scenarios where patching isn't going to help you. For example, while you can patch known vulnerabilities, you can also have unknown or undisclosed vulnerabilities. So called zero-day vulnerabilities, for which there isn't a patch available. If there isn't a patch available, you can't patch; you still have a vulnerability that can be exploited.

David:                 Even ignoring zero-days, there's always going to be some gap between a vulnerability being disclosed, let's call that day zero, and an organization's ability to deploy the associated patches. The risk of an exploit increases over time. At around 14 days, the risk of exploit starts to increase significantly.

David:                 Last year, according to Verizon, in that window between two and four weeks, 50% of the vulnerabilities that will eventually be exploited will already have been exploited. However, also last year, the average time to patch, from another report, was 34 days. That's the average time to patch. You've got a gap there from starting to see a lot of these vulnerabilities being exploited at 14 days, up to 34 days the average time to patch. That creates an opportunity for an exploit to occur.

David:                 You can also have situations where patches can't be applied because they conflict with some business-critical applications. You have to mitigate that risk. You also have some legitimate applications, like PowerShell, that could be used in a nefarious manner to infect vulnerable systems, the so-called file-less malware.

David:                 These are just some of the main reasons why the Center for Internet Security and others have application control right up at the top of their list of priorities for an effective layered security solution. Jason, why don't you tell us about application control?

Jason:                 No problem, David. Yes, this is Application Control. It's composed of three key features. So executable control, privilege management, and browser control. The first one, executable control, if we think back, is actually linked to the application whitelisting, which we discussed earlier in the frameworks. It's just under a different name within the Ivanti Security Controls Product.

Jason:                 What this does is it blocks untrusted applications and scripts from running. What we mean here by untrusted is any kind of ransomware or malware, and any kind of applications that the organization doesn't want to be executed within its environment.

Jason:                 This also includes, as David mentioned previously about zero-day threat protection. So where you have a security vulnerability and that's being exploited but there isn't any patch available at that particular time.

Jason:                 Executable control has that functionality. It's probably one of the top things within the ASD. That's a really, really good one to focus on if you're starting out your journey.

Jason:                 Also, as well, within Application Control, we have Privilege Management. This really controls admin privileges. What this allows you to do is it allows you to elevate or restrict on a granular level applications and access to the operating system, so you don't need to create so many administrator accounts.

Jason:                 This benefit, really, is if you consider a machine that was infected by malware, and an admin account was running, then what would happen is the attack surface of what that malware could do on your machine would be significantly increased, compared to what a standard account would allow. Obviously through this, that reduces the attack surface, if you use Privilege Management controls to reduce your admins.

Jason:                 On the flip side of this, as well, considering that infected machine, again, it's going to make it a lot more difficult if you're a standard user, to be able to propagate that malware onto another machine, because of the lock-down nature of standard users. This impedes the spread of malware throughout a network. Privileged management for those key features is also a necessity, and this was highlighted as one of the top four in the ASD.

Jason:                 Lastly, we have browser control. This wasn't mentioned in the ASD, but this enhances productivity by limiting website access. We'll go through each of these three in a bit more detail, now.

Jason:                 So moving on to executable control, first. A key feature, really of executable control, is trusted ownership. Now trusted ownership really stems from the fact that every file on an NTFS system has an owner. What we do is we generate a list of what we call trusted owners. If that file has an owner that's in that list, then we say that file is allowed, and it's allowed to run. That's how the trusted ownership mechanism works.

Jason:                 Why should we actually implement trusted ownership? Compared to traditional whitelisting approaches, which require you to generate an entry in a massive list for every single file on the system, we use trusted ownership because it minimizes the configuration need for clients. For example, if you employ trusted ownership, then there'll be only a very few exceptions to trusted ownership that you have to manage.

Jason:                 Most things that are in that owner store, for example, or the operating system files, all third-parties installed by your IT department, they will all work with trusted ownership. It's only going to be those kind of applications that you think users want to install themselves, you allow users to install themselves, that need to be managed additionally. It cuts down on the management effort.

Jason:                 Moving on to privileged management. Privileged management can function in two different ways, really. The first way is really, is just enough elevation for local admins. This one comes back to the fact that you've got a number of admins on your estate. What's the quickest way that you can reduce their capabilities that you don't need? Application Control privileged management allows you to do this by removing these capabilities on a quite granular level.

Jason:                 The best practice approach, however, which is a slightly more time consuming approach, that is to transfer those administrator accounts to standard users and then use elevation of privileges. This is the kind of best practices approach of least privilege.

Jason:                 One other thing to just consider here is the main use case for this is those kind of users which have access to admin accounts, but which don't really have that much experience in IT. Therefore, they're more at-risk of causing their own machine to crash, potentially, if they change settings. If potentially they get onto other machines, they could do exactly the same thing and affect those machines as well. This is the user group that has the most benefit of protecting against.

Jason:                 Finally, we move on to browser control. Here really, I mentioned before, is enhancing productivity for end-users, around controlling access to internet. The example here, really, is in social media. For example, if your employees, your end-users, have access to social media, then they may be doing this all the time through work hours. One quick approach here, what you can do, is you can lock down social media accounts so they're not able to access those accounts. Therefore, they're more focused on their work.

David:                 Okay. Thanks Jason.

Jason:                 Yep.

David:                 Okay, so we're coming toward the end here. Just a couple of additional points to make. One is if you'd like to get a demo, there is a link there. Maybe, [Melanie 00:45:54], you can push that to the audience, as well.

David:                 If you want to actually request a demo, you can register there and you can get a detailed demo with one of our sales engineers giving you an opportunity to go through and ask questions as you go. We'll actually be covering this as part of our webinar series over the coming weeks, as well, but maybe not at the same level of depth.

David:                 Also, if you're interested in trying the product out, so if you're not a customer currently, there is a trial page there, to go and request a license key. If you are already an existing Patch customer, and you'd like to have a look at the Application Control and Privilege Management feature set, you can get a license key for that. Those options are available to you.

David:                 Just to summarize, for Ivanti Security Controls, particularly if you are already using either Patch for Windows or Security Controls to patch your Windows systems, go and expand beyond Windows to include Linux patching, right now, if you've got CentOS or Red Hat systems to patch.

David:                 On the patching front, those newer capabilities of CVE to patch and REST APIs, those are two features that have been something of a conversation stopper with customers, as we have presented the roadmap over the past year. Particularly when we get to that CVE to patch, there's real benefit, real time saving there. A lot of customers, obviously interested in automation. Do check those out if you're already using the Patch feature set.

David:                 Also, have a look at Application Control and Privilege Management to really build that Security foundation, the CIS, the ASD, and the National Cybersecurity Center in the UK. A link on our website to download the software, as well. Melanie can probably push that one out also, rather than just trying to screen grab it and take it from there.

David:                 On my last slide, just to learn some more, there are some more upcoming security bootcamp webinars. This day next week, we're going to enter Privilege Management with a lot more detail. Privilege Management for an unpredictable world.

David:                 The following week then, we have a session Application Control: Maintenance Headache or Manageable Solution. Hopefully we'll convince you it's the latter.

David:                 Then finishing up on October the 17th, Plugging your Patching Holes with Ivanti Security Controls. So we're going to just an understanding of how our patching solution works. Going into some more detail on Linux patching, in particular, and some of those newer capabilities, CVE to patch and the APIs.

David:                 Some additional resources, many of you may already be signed up to our Patch Tuesday webinar. My manager, [Chris Gettle 00:49:12] and [Todd Shell 00:49:14], they come on every Patch Tuesday, or the day after Patch Tuesday, and provide a webinar outlining all of the great things that happened on Patch Tuesday, and things to watch out for.

David:                 More recently, we've added something called Threat Thursday. There's a blog which will be going on, I think it's every... I can't remember Melanie, I think it's every second Thursday of the month or fourth Thursday of the month, I can't remember.

Jared:                  It's the last Thursday of every month.

David:                 Last Thursday of the month. There's a webinar, actually on September 26th coming up for that.

David:                 We also have a cyber security virtual event, which is going to take place on October the 23rd. I think that's part of cyber month, which is October cybersecurity month. That takes place, as well.

David:                 With that, I'm going to pause there for any questions. Jared, maybe you can just run through the questions and just see if there's anything we haven't covered. I'll take a look here myself as well, just to see.

Jared:                  Yeah, there were a couple, and we've been answering a lot of them in chat. I know, let me see if we can dig one up. A lot of them we've already applied too.

Jared:                  This is a question from [Russel 00:50:31] on Patch Intelligence. Any plans for that to be included in the ISC product?

David:                 Yeah, the question there, wanting that to be included in the product. Not a costly add-on. First things first, we're very close to actually having the integration. On all of our products, we're developing connectors from the products to Ivanti cloud, so you can get to that view I showed you earlier. That's actually really close, probably around the end of next month we're going to be seeing that. So that's going to be available at that stage.

David:                 As part of that, there will be packaging that will include Ivanti Security Controls and Patch Intelligence together. There may be some cost for that. I'm not certain of the details of that as yet. The idea is not to make it a costly add-on. The idea is we want customers to be able to use Patch Intelligence. We want them to be able to connect to the cloud and get that benefit from it.

David:                 There will be some bundling, some packing of that, together with Security Controls and DPM and Patch for CCM around that.

Jared:                  David, one more question. Patch Management, any plan for support beyond Windows, Red Hat, and CentOS?

David:                 Yes, there are plans. Right now we're working on macOS as our next priority. I'd be interested if anybody wants to put into the chat what they would see as their priorities. I'm very happy if people could just say, "Well, what I want is Ubuntu or SUSE," or whatever it is, just to give us that sense of it.

David:                 Where we're currently working to, our roadmap and strategy for next year, I don't want to commit to anything beyond macOS at this point in time, but we are actually looking at other operating systems. It really is going to be driven by our customers and what they see as their needs.

Jared:                  Perhaps our final question before we end this webinar. The CVE import, which vendors can we import, David, do you know?

David:                 It's not tied to a specific vendor. It's not an integration we've developed with Qualys or Rapid7 or Tenable specifically. What it does is it takes that output report, which will typically be a text file or an XML file. Generally they will allow that outport to be one of those, so a CSV, text, or XML I think is what we support.

David:                 What it does, essentially, is it goes through and it scrapes through those reports looking for those CVEs. It brings them into the product. It matches them against our patch database. It then allows you to, so you can see the list of the patches that are required. You can review that list of patches. It shows you what it didn't pick up. Sometimes those will be because they're superseded, or operating systems that we don't support, or they might be configuration items rather than patches.

David:                 You can see both of those, and you can export the ones we don't pick up. You can export them off to a list to do a bit more research on them. For those that are matched, you can add those to a patch group and start to do your patching.

Jared:                  Great David, thank you so much. Jason, thank you as well. To all of you still on the line, we will send out a recording with the slides and this presentation after the conclusion of the webinar. Thank you so much for joining, and we'll see you on the next one.