Plug Your Patching Holes with Ivanti Security Controls

October 17, 2019

Sara Otremba | Product Manager | Ivanti

Helen Brown | Ivanti

David Murray | Product Manager for Endpoint Security | Ivanti

Is your patching full of holes? Does your IT team spend days trying to match CVEs in vulnerability reports to patches, leaving your organization exposed? We know patching can be a burden. We want to take that burden off your hands. Join us to learn about the patching capabilities of Ivanti Security Controls. From its initial debut with Windows patching, we’ve expanded into the Linux realm. See how you can patch not only Windows, but Redhat Linux and CentOS from a single interface. We'll also share the latest details on our CVE-to-Patch import capability, helping IT and security work together to reduce the time to patch.


David Murray:                 Welcome to our webinar: Plugging Your Patching Holes with Ivanti Security Controls. This is actually the last in a series of four webinars that we're conducting for October and Cybersecurity month. We've already had webinars on building a solid security foundation, on privilege management and on application control. But today it's all about patch management. Here we go.

David Murray:                 As we've done with each of the previous webinars, we've looked at some of the national security frameworks from around the globe and we're going to start here with the Center for Internet Security in the US and the CIS controls or critical security controls as they're called. These top five controls provide you with that cyber hygiene, that foundation level of security. As you can see, number three on the list is continuous vulnerability management. What the Center for Internet Security say about continuous vulnerability management is as follows.

David Murray:                 Understanding and managing vulnerabilities has become a continuous activity requiring significant time, attention and resources. Attackers have access to the same information. When researchers report new vulnerabilities, a race starts among all parties, including attackers, vendors, and defenders. Organizations that do not scan for vulnerabilities and proactively address discovered flaws, face a significant likelihood of having their computer systems compromised. Defenders face particular challenges in scaling remediation across an entire enterprise and prioritizing actions with conflicting priorities and sometimes uncertain side effects.

David Murray:                 That's what the Center for Internet Security has to say about continuous vulnerability management. If we switch over to Australia, they have the ASD Top 4. More recently they've expanded this to the Essential Eight, but just focusing on the Top 4 provides mitigation against at least 85% of the techniques used in cyber attacks. In the Top 4, you see that patch covers two of the Top 4, patching your OS and patching applications.

David Murray:                 Over in the UK, there is the National Cyber Security Center and the framework there is called Cyber Essentials. Now, the terminology here is a little different to the other frameworks. They've simplified the language and avoided using jargon. So instead of patch management or vulnerability management, they seem to recommend that you keep your devices and software up to date. When you look for more detail on their website, they state that this is also known as patching. They say that applying updates, a process known as patching is one of the most important things you can do to improve security.

David Murray:                 If you look at each of these national frameworks from around the globe side by side, you see that while there might be some differences in the overall messaging, the language, and the relative priorities between them, patch management or vulnerability management still appears in the top four or five for each of these frameworks. Let's start to look at why that's the case. One of the reasons is the fact that the number of vulnerabilities keeps on increasing. In more recent years, it almost looks like it's accelerating, but I actually think this is probably more a case of we're getting better at finding vulnerabilities through bug bounty programs and things like that.

David Murray:                 Some data from the Forrester Wave Vulnerability Risk Management from last year. According to Forrester, we're standing on a precipice where 58% of enterprise organizations suffered a breach at least once in the past year. Over 41% of those external breaches exploited some manner of software vulnerability. Over half of the organizations suffered a breach. I just wonder half, basically we're on the quarter of the total, a software vulnerability was the key factor. I think if I remember right here from the reports, insiders and so malicious or accidental loss of data from insiders was one of the next biggest items on the list.

David Murray:                 Also, a lot of people get excited about zero day vulnerabilities for which of course, there's no patch available. They do exist but according to Gartner, just 0.4% of vulnerabilities discovered in the last decade were zero day and 99% of vulnerabilities exploited their forecast. 99% of vulnerabilities exploited in 2020 will be those known to the administrator at the time of the exploit. When breaches occur, it's almost certainly going to be with a known vulnerability.

David Murray:                 This one here is a fairly simple message from a couple of years ago from a guy called Mitja Kolsek. He's a pen tester and CEO of ACROS security. As it says on the slide, I've been hacking into our customer's networks for 16 years and I have a dirty little secret to share it with you. To break into an enterprise network today, you can still follow the exact same process as you did in 1999. He outlines four simple steps, first of which is to find a public exploit for a vulnerability that is less than four months old.

David Murray:                 Next, you tailor the exploits to work with your remote administration tool. Mutate the exploit until the Virus Total doesn't recognize this. Phish users in the enterprise until you're in. I think we all know that phishing is a numbers game, sooner or later somebody's going to click. So why did he go with a vulnerability that's less than four months old? The reason he does that is because there's a reasonable chance that the associated patch will not have been applied.

David Murray:                 Now that was a couple of years back. The situation has improved a bit since then. But back probably 2016, 2017, if you picked a vulnerability that's less than four months old, you have at least a good chance of getting an exploit based on that or breach based on that. One of the reasons that patching is difficult is the sheer number of applications. Everybody does a reasonable job of patching the operating system and Microsoft applications and even some of the more common applications.

David Murray:                 What about those obscure applications like this one here, ImageMagick, an open source application for editing images. Back in 2017, there was almost one vulnerability for every day of the year. A lot of vulnerabilities for just one application. Is that application even on your radar from a patching perspective? Software alternatives are vulnerable. So maybe you're doing a good job of patching Adobe, but what if your users are actually using alternative applications, like maybe Foxit Reader. You can look at the number there. It has almost as many vulnerabilities as Adobe reader last year. But of course if you look at both of them, they're both big numbers. The bottom line is that all software is inherently vulnerable.

David Murray:                 It's also important to remember that a single system is all it takes to gain a foothold. I'm sure some of you are familiar with this story where a casino got hacked and the entry point was a fish tank. This fish tank had sensors connected to a PC that regulated the temperature, the food and cleanliness of the tank. Nobody thought too much about this PC, but it was connected to the network and that enabled them once they had gained access to this PC to navigate around the network until they found something of value.

David Murray:                 Now, the details around exactly what happened here. I don't think were disclosed at the time or then the fact that there was 10 gigabytes of data were sent out to a system in Finland. We've seen unpatched vulnerabilities as the root cause of many of the high profile attacks over the past couple of years from Equifax to WannaCry to NotPetya. In all the cases, patches were available for a number of months prior to the breach actually occurring. The Center for Internet Security talked about this race against time. This model shows that the life of a vulnerability and the time to patch or resolve a vulnerability.

David Murray:                 Even before an update releases, there's a risk of zero day vulnerabilities that are exploited. You've also got public disclosures that expose a vulnerability to the public and also to attackers in advance of an update. Of course, you've also got some unknown vulnerabilities out there just waiting to be discovered either by vendors, by white hats or black hats.

David Murray:                 So day zero at the beginning of this cycle is the day an update is released. From that point forward, the risk of an exploit of vulnerability increases over time. At around 14 days, the risk of an exploit of a vulnerability starts to increase significantly. According to Verizon, within two to four weeks, 50% of vulnerabilities that will eventually be exploited have already been exploited. So basically the message is not all vulnerabilities get exploited, but of those that do within two to four weeks, half of those will already have been exploited.

David Murray:                 That rises to 90% from 40 to 60 days. So if we look at kind of the profile over years, in 2016, there were 6,447 CVEs reports. The average time to patch back then was a 100 to 120 days. That was according to the Verizon data breach report back in 2016. That meant if you look at that two to four weeks, it meant that transactors were actively exploiting vulnerabilities for two to three months before the vulnerabilities were remediated. So a significant gap there.

David Murray:                 May 17, there was a significant increase in the CVEs and this again was based around bug bounties being increased across the industry. 2018, continued to increase again, 16,555 CVEs. As you can see, the volume of security vulnerabilities continues to increase year over year and will likely continue to do so for some time. Many companies struggle to resolve vulnerabilities quickly. There was a report by a company called T-Cell and that found that patching critical CVEs in 2018 took an average of 34 days.

David Murray:                 So definitely an improvement from the 100 to 120 days back in 2016 but still in the high risk range. So really the target time to patch is 14 days. So looking at a couple of the numbers here, 34 days time to patch, it's an improvement over that average of a 100 to 120 days from back in 2016. But we're still in the red zone, in the high risk zone. 14 days is what we're trying to get to. I guess we're trending in the right direction, but there's still some work to be done to win that race against the exploits.

David Murray:                 So before I hand over to Sarah, I just want to finish up talking about some of the common challenges in the patch management process. What are those things that cause delays and prevent organizations from patching in under two weeks? First of all is identification and prioritization. The challenge here is often in the handoff between the security team and the IT operations team. I think Sarah is actually going to cover this in her demo. But just to cover this quickly, the security team, they're going to have tools to identify vulnerabilities and maybe even to prioritize them.

David Murray:                 But then the IT operations team has to take that report, research those CVEs, duplicate them and identify the associated patches that have to be applied. This is usually a hot topic in any conversations I've had with customers. They can spend hours if not days working through this every month or every couple of weeks. Testing of updates. So before rolling out patches, organizations will typically have test environments, where they do the testing of patches before rolling them out across their organization. So how many tests machines do you need to test the updates and be assured that you're not going to have issues rolling out patches in production?

David Murray:                 I'm guessing you probably never have enough, but bottom line is testing introduces some delays along the way. Reliability versus risk. So it can be difficult to find good data for how reliable a given patch is. Have other organizations had issues with this? The reality is that many organizations simply use delay or time to get a better sense of the overall reliability of a patch. "I'm not going to be the first guy to apply this. Let's just wait and see how others get on first."

David Murray:                 So again, that introduces delays. Of course, as we've seen the risk of exploit increases over time, so it's a dangerous game to play. Then finally, understanding known issues is not a time consuming research step for many patch admins.

David Murray:                 So all of these issues create challenges, introduce delays to the patching process for our already busy administrators. Helen is actually going to talk about some of these challenges later on, but for now I'm going to hand over to Sarah and who's going to provide us with a demo of the patch functionality in Ivanti Security Controls.

Sara Otremba:                 What I'm going to show you today is just some of the key functionality in Ivanti Security Controls that really go along with some of the highlights that David has already talked about when it comes to being able to identify, prioritize your vulnerabilities as well as the ease of identifying what machines are missing patches and how to go about executing and deploying those patches. One of the main things that I'll highlight here is Ivanti Security Controls now has the ability to not only patch windows machines, but also Red Hat Linux and CentOS at this time.

Sara Otremba:                 What you're seeing here is the ability to get a holistic view of your environment based on all of the machines that you have tested and scanned. I'm just kind of showing you how you can get that overall view as well as see a variety of machines in one centralized location. I'm showing you both Windows machine, a Red Hat, a CentOS and then a bunch of Windows machines that are in our demo environment. When we talk about being able to identify what patches are missing, how long those patches have been exposed or the longevity of that vulnerability, as well as what the criticality is of those patches, you can get that view from one specific screen. Be able to prioritize or at least see based on a variety of data, kind of what you want to do.

Sara Otremba:                 So from this view right here, what you're seeing is my machine, which what we'll do is we'll go ahead and kick off agent lists scan. So that's one of the benefits with Ivanti Security Controls is the ability to do agent list functions. So the one thing I'm going to do here is I'm going to select my machine and I'm just going to scan now. You can have a variety of different scan templates and I choose to scan for all security patches. You could do just a subset of patches if you had a specific patch group or wanted to exclude specific sets of patches based on certain applications that are of high risk in your environment when it comes to patching those.

Sara Otremba:                 So what you'll see here is based on the agent list technology, I'm scanning my machine right now for all security patches based on the content that we have. What it's going to do is it's going to return any information based on what it found for my single machine. Now, I purposely for this demo did not patch all my missing patches, but I made sure that I specifically looked at which patches I left remaining. So what you can see here is I have two missing patches. I'm going to go ahead and view my results.

Sara Otremba:                 What that's going to show me here is a list of those missing patches as well as any patches that were available in the content file that I had already previously installed. So what you'll see here at the very top is two patches that are missing. What you can see is there is not a CVSS score and those patches do not have a vendor severity of critical or important. So that was one of the characteristics that I was looking at when I decided, "Okay, I'm just going to leave it alone and not patch those for the purposes of this demo."

Sara Otremba:                 What I'm able to do at this point is I can select one of the records, multiple records, whatever I want as far as I want to select. At this point I can either choose to deploy just that selected patch for that one record I have highlighted. Or I can say, "You know what, any of the missing patches that have been detected on my machine, go ahead and deploy all those missing patches."

Sara Otremba:                 One of the other advantages here is I can also do a download step. Or I can say, "You know what, at this point, I am not ready deploy and reboot my machine." So maybe what I want to do is just say, "You know what, download the patch so that at a different time when I'm ready, I can go ahead and deploy that patch, but I don't have to wait for it to download." What you can see right here is it's going through the process of downloading that specific patch so that when I do decide I want to deploy it, it's all ready for me. So here you'll just see now I have that completed.

Sara Otremba:                 What I will show you next is I go back to my machine view. You can see here if I go ahead and refresh and look at my Windows deployment history tab, which is something new that we've added recently. What this allows somebody to do from an auditing kind of perspective is take a look at specific patches and see the history of actions that were done on that specific patch. For example, what you're seeing here on this Windows 10 specific vulnerability, you'll see that the last state based on this date range for that patch, it was installed but a reboot was required.

Sara Otremba:                 You can also see if you had any sort of failures. If I expand out this date range because I want to get more of a audit sort of history view, I can do that. Now what you'll see is it's looking through the track record of deployments on my machine and giving me that sort of audit history record. Another thing to point out is if I were to multi-select multiple machines here, I'm able to see based on the grid below what smattering of machines and patches I've actually scanned against and deployed.

Sara Otremba:                 So what you'll see here is I have one Windows machine with results and I have two Linux machines. You'll see that with the two there and you'll see any of the associated information based on the distributions or the OSs of those particular machines that I have selected. The same type of information is available regarding the CVSS score as well as that patch severity and any of the current patch status. You can see here on my CentOS box, I've executed the deployment of the patches, but I'm pending a reboot and a rescan to let me know that that is complete.

Sara Otremba:                 One of the other things now that I'm going to show is something that you all may not be aware that exists. If I go to view this charts tab here, one of the things that David mentioned was that 14 day SLA and how important kind of making sure that you're patching within a certain timeframe from when those patches have been released. What you'll see here in this chart, missing patches by age group. If you look at missing patches that are between the 0 and 14 days old, you'll see in my environment, I don't have any.

Sara Otremba:                 But you will see that I have quite a few and this is on purpose in the demo environment that are greater than 60 days old. What that means is those patches were released over 60 days ago and those are still found to be missing on some scenes in the environment that I've scanned. The idea behind this particular graph is to kind of give you that visibility into your entire environment and where your risk is when it comes to that SLA related to your patches. Another thing that David also mentioned was being able to identify and prioritize patches, as well as bridging the gap between security and operations.

Sara Otremba:                 One of the other things that I value in the environment here is the ability to import a vulnerability file from any vulnerability vendor, as long as you have an output file. I can go ahead and browse to a file that you've outputed from let's say a Tenable or a Rapid7 or a Qualys and that has vulnerabilities in it.

Sara Otremba:                 Now if I go ahead and select a vulnerability file, let's just go ahead and grab this latest CVE. I'll select that. What it's going to do now is it's going to map all of the CVEs in that file to any applicable patch it can find in our content. What I specifically did with this file was made sure that there was a smattering vulnerabilities that were associated with, not just Windows but Windows and Linux so that you could see the capabilities here. So what you'll see is I have values on both the Windows patch as well as the Linux patch tab.

Sara Otremba:                 What I can do is I can toggle between the two and the information that it will provide here, is it'll show me the notification, the CVSS for, if one is available, any of the CVEs that are associated with that particular patch and some additional information. You can deselect any of these that you do not want to add into a patch group or you can have them select all of them. What that's going to do is that's going to allow you to have a patch group that you can use in your scan template to scan and deploy specific to this output that was from your vulnerability vendor.

Sara Otremba:                 Any CVE that we could not map, will show in that far right hand corner that you can then export to notepad. I went through a number of the CVEs in this file to be able to explain why some of this might happen. A bunch of these CVEs are for Ubuntu and SUSE which we currently do not have in our content for patching. But what it will allow you to do is reduce the noise of all the information kind of being pulled into your environment and have that available to actually take action from.

Sara Otremba:                 I think that's kind of a high level overview of what's available within the product and there are a lot of documentation as well as videos as well if you want to get any additional information on the value, that the product can actually offer. With that, I'll go ahead and turn it over to you, Helen.

Helen Brown:                   Thanks Sarah.

Jared R:                             Real quick as we transition over to Helen and we do have a question from Robert wondering if Security Controls is part of EPM?

Sara Otremba:                 Security Controls is not part of EPM, but that CVE to patch example that I just showed, that same functionality and feature set is available within the patching product in EPM. That helps?

Jared R:                             Excellent. Thank you. Helen.

Helen Brown:                   Yes. Hello everyone. Hope everyone can see my screen. My name is Helen Brown. I am the product manager for Patch Intelligence tool and Ivanti Cloud. I'm just really here today with my colleague Sarah and David to kind of let you know how Patch Intelligence can help address some of the common challenges with patch management process that David's already alluded to. The enemy that is time. In the worlds of continuous vulnerability management, time really isn't your friend.

Helen Brown:                   As David has explained around 14 days, the risk of vulnerability exploit starts to increase significantly. So really, how do we get the critical updates pushed out within the optimal 14 day timeframe? Customer problems that we hear constantly. We hear from our customers that they don't have enough resource. There's too much data to look at and wade through and they need to complete lots of time consuming research really to identify and prioritize what they need to roll out first.

Helen Brown:                   How can Patch Intelligence help you mitigate vulnerabilities in your environment within the optimal time frame? So just a quick overview. What is Patch Intelligence? There's a wealth of information all in one place. It is a cloud based analytical tool that combines the patch dates from Ivanti's extensive multi-platform and third party vendor patch catalog. There's immediate time to value. If you've got access to the cloud, and you go into Patch Intelligence, you can use the analytical tools straight away.

Helen Brown:                   Kind of just going back to David's comments about the challenges around patch management. One of them obviously is identifying what patches and bulletins and vulnerabilities that you need to look at. In Patch Intelligence, we have security bulletins, we have associated CVEs, the products affected and we march patches to mitigate these identified vulnerabilities all in one place. You can view, sort and filter based on a set of parameters. When it comes to research and that's another time consuming activity that most of our patch admins have to do.

Helen Brown:                   Then we also have known issues related to any patches. We've also got some threat score metrics and we've got some external links. You can do some external research direct from our site. So I'm now going to do is do a quick demonstration. So hopefully I will get the right screen. Just bear with me a second. So I'm just going to quickly change over. Hopefully you can obviously see live version of Patch Intelligence in Ivanti Cloud. Here you can see the information that we currently have in this analytical tool.

Helen Brown:                   We've got charts to help you navigate the latest top vendors, bulletins. We've also got a chart around Patch Tuesday. We've got a threat score. You can see any known issues. We've also got the vendor severity and the vendor itself. So if we kind of imagined that we are a member of the security team and we're kind of thinking, "What's the biggest risk to my environment based on what came out this week on Patch Tuesday?" You can go to the Patch Tuesday chart, you can click on security critical and you can start to have a look at some of the threats that have been identified from Microsoft this Patch Tuesday.

Helen Brown:                   So if we just have a quick look and I think, well actually there's quite a few here that are quite high threat score. This is a CVSS score that we actually bring in. You can have a look at it, open it up and you can see the bulletin information itself. You can see products affected, you can also see the threat scores related to the patches and along with CVEs you can see all the CVEs that are related to that bulletin. So if I was just kind of looking to do some additional research, I can click on the vendor summary. That will also take me to Microsoft where you can have a look in more detail at the KB itself.

Helen Brown:                   We've also got when you go into the CVEs first you click on this one, it'll take you through to the next website and you can do some additional research directly from Patch Intelligence. So that's the view from a security analyst. If you're kind of saying, if they've identified a few vulnerabilities and they can see there's some risks, what they might want to do then is send it over to the guys in IT ops to actually complete the patching. So just go back to my presentation. Bear with me a second.

Helen Brown:                   Now we've had a quick look at it. The next steps for Patch Intelligence really is to bring some additional development in basically giving the ability for, and I said customer to set up, connect to Ivanti Cloud. This is going to be pretty easy to do from Patch Intelligence itself. Because time constraints don't allow me to go through the whole process with you on this call, I'll just send a quick video so you can kind of see how it works. It's going to be easy to do, there's a handy setup guide. You'll have the option to set up ISeC connector.

Helen Brown:                   Once you've done that, you're going to get some additional insights into your environment. All the information that we're currently providing in Patch Intelligence, you are going to be able to match that off to your own environment. So as you can see here, you can add a connector. You can set it all up. Ivanti Security Controls would be one of the options that you can select and then you fill in the details. So it's pretty straight forward. Once you've done that, it'll start to pull data through from your on-premise system.

Helen Brown:                   It is on this video if you click there. Once you save it, it's all sets up. Then you can start to see how it looks when you've pulled everything into your environment. I'll just go to the next slide. This is really kind of like a MacBook that we've got. Just really if you put some dummy data in, just to show you proof of concept of what it will look like. Just going back to David's comments before about the common challenges. The two additional challenges that we've not mentioned yet around Patch Intelligence, some of the reliability and threat scores and also the time consuming testing and roll out patches.

Helen Brown:                   So you can see here that once you've got environment all set up, the reliability score will be that, threat score will be that if there is one. You'll have the bulletins, you'll have any comments, any known issues that you'll be able to look at. Also most importantly, you'll be able to see how this relates to your environment. So thinking about what do I push out to my environment first? You'd be able to sort by the greatest threat. You'll be able to look at something that's a high threat and maybe a high reliability and think, "You know what, I need to push that out and it's a good reliability. It's not going to need a huge amount of testing."

Helen Brown:                   You'll be able to see the devices. So if you've got a lot of devices that need patches to mitigate the vulnerabilities, then for sure this is going to help you big time. You can also, if you think about our data that we're going to be bringing in, so anonymized peer data from all over the customers, you're not just going to see how things have rolled out in your own environment, and whether there's been any problem, but you're also going to be able to see if there's been any problem or successes in another environment.

Helen Brown:                   Say for example, instead of just having the reliability from your own environment or doing any research, you're gonna see how it's worked in other customers environments, hundreds if not thousands of other customers. So you'll see where the patch gets to be rolled back. You'll be able to see whether there were any issues with roll out of the patch. What percentage of a given patch rolled out successfully across multiple environments. This is going to help you really as a patch admin prioritize what you test and roll out with confidence. The more reliable it is, the more confidence you'll have.

Helen Brown:                   You'll also be able to get any early warning. So it's going to be much more of a proactive tool. You'll get any warnings of potential issues such as the patches have to be rolled back or there's a problem, you will get these in this kind of reliability score. So any known issues or comments from customers themselves.

Helen Brown:                   Just for the sake of the demonstration today, we've just put something together around this. Let me just get the right screen. So we've just put something together to show you how it can work in practice. So this is all test data. If you say for example, you were a patch admin and one of your guys on your security team said to you, "Look, we've done a review vulnerability scan and we've identified that there's a risk here that kind of like seems to be outstanding." They send you the score. You can then have a look at it in Patch Intelligence.

Helen Brown:                   Here you can say, "There's a pretty high threat to this particular CVE." But that's from quite awhile ago, it's from February, March this year. However, as you can see, there's only really this particular one that's got any unpatched devices. Security important is the vendor severity. So we can have a quick look at this and this will show you the unpatched devices for that particular vulnerability. Now obviously this is just for test purposes, so you can get more information. You can still see the vendor's summary, all the products affected.

Helen Brown:                   But I think it's quite a few months old now, and it's still a high threat score. You're really going to want to push this out. So you can click in here, see the device name. That's going to bring you up some details around the device, so just basic details around the device itself. Then you could kind of decide quite quickly whether you push it out to test. If it's fairly reliable on the reliability score, whether you want to do a bit more testing and how you roll this out.

Helen Brown:                   Just going back to my presentation quickly. So what's next in Patch Intelligence coming soon? Along with the ISeC Connector, we've got some advanced filtering that's going to allow you to filter and save and see what's only applicable to your environment. So if there's certain products that you don't want to use, you can filter them out. We're going to have some SLA charts and what that's going to do is see how you fairing against configured SLA parameters for patching roll-outs. You're going to be able to export some of the data we've got in Patch Intelligence to colleagues or to [inaudible 00:41:48] report.

Helen Brown:                   We're also planning on integrating user automation fabric with other systems to help you take action and optimize your patching roll-out. Things like service desk tickets, that kind of thing. Well to know more about Ivanti Cloud, please visit our website. You can request a demo. You can request some feedback. If you want to actually give any feedback to us directly, please email me [email protected] There's lots in our website. That's pretty much it from me today.

David Murray:                 Hey, thanks Helen. If you can switch it back, presenter again, let me share my screen. Just a couple of slides to finish up and we'll get into some of the remaining Q&As. We've some questions coming in. You've talked a bit about Ivanti Security Controls, but probably didn't really outline at the beginning what Ivanti Security Controls is. We've been Ivanti for a couple of years and obviously Ivanti has evolved and been created as a result of a number of mergers and acquisitions.

David Murray:                 There's a bunch of different security technologies from a patching perspective. We've got heritage on the Dimension side, on Shavlik side, on LANDESK side. We've also got heritage around application controller coming from AppSense. Device control coming from Dimension/ E-Software. The goal with Ivanti Security Controls was really looking at all of these different technologies and bringing together the best in breed in a single platform. Very much focused on that critical security controls from the Center for Internet Security.

David Murray:                 So the name Ivanti Security Controls deliberately selected to align with that. As you can see in the bottom right hand corner, the technologies we've initially selected to be included within Ivanti Security Controls, are those top five, top four, top thereabout technologies that are mandated by each of these national frameworks. So application control, patch management and privilege management. So goal was really to provide that layered modular defense and depth security suites aligned with those national frameworks.

David Murray:                 In terms of selecting our best in breed, we also looked at workflow and ensured that the technologies that we are including are technologies that are easy to use. It's all very well having a good security technology, but if nobody can figure out how to use this, it's not going to be effective. Also, focused on technologies that could be automators. Everybody is trying to do more with less, everybody's trying to automate. So that form part of the decision making criteria in terms of bringing the technologies together.

David Murray:                 Also, just balancing security with user needs. I think we all know there is no quicker way to get a security technology removed from the environment than if it impacts on the end user or on business productivity. That's really what Ivanti Security Controls is all about. In terms of the patch management feature sets within the product, I've included a couple of slides just kind of summarizing some of the key features. I think Sarah touched on most of these. The agent list capability is one that resonates very well with customers, particularly in data centers.

David Murray:                 But we have both agent list and agent support. Agent support also being very useful for systems that are disconnected from the network. Right now agent list is Windows only. We have agent support for both Windows and Linux. Also, just based on the kind of Shavlik heritage where at one point Shavlik were owned by IBM, where we've got a very tight vSphere integration. That's something that really customers like and appreciate that idea that you can patch offline, Windows, VMs and templates and do things like snapshotting priority deployments.

David Murray:                 The product was one time called Patch for Windows. We've had to change the name to Security Controls, partly because it's no longer just Windows. So right now in addition to Windows, we support Red Hat and we support CentOS and they're looking to add additional operating systems over the coming ones and beyond. Just in terms of key features, we have a rich heritage in patching and have one of the most extensive third-party catalogs out there. So it's not just about Microsoft and Windows operating system, the third party applications is really where it's at in terms of protecting against vulnerabilities.

David Murray:                 Some more features. Just the ability to manage off-network systems. So there's a cloud connector there for that. The difference to the Ivanti cloud that Helen has just talked about something that's been in the product for quite some time. CVE imports which Sarah covered and also just the set of REST APIs for integration and automation. Just to talk about that, I've included some links here. If you go onto the Ivanti marketplace, you can see that if you're interested in automation, there is an Ivanti Security Controls connector.

David Murray:                 Again, if you're interested in automation, there's a link there to a blog for how to use the Ivanti Security Controls connector for automation. When I talked to customers, a lot of them are trying to automate more and more. There's a very good video included in that blog, doesn't have any audio on it, but shows you how that automation would work and the blog talks through that as well.

David Murray:                 If you want to learn more, if you want to get a demo, I saw one of the questions coming in, just asking, how much depth we were going to go into today? We didn't go into a lot of depth. We were giving you a relatively high level overview of our patching capability. But if you actually want to get more detail, one of the things that you can do is, you can go and request a demo. What'll happen is you'll get on a call with one of our sales engineers, they'll go through quite a detailed demo and you get an opportunity to ask them questions.

David Murray:                 These guys are pretty experienced and we'll be able to answer hopefully most if not all of your questions. If you want the trial, if you're not already using the products and you'd like to try it out, you can go and request a license key. I think you get something like 60 days to try it out. So go ahead and do that. It's very easy to set up. It can be set up in about 30 minutes.

David Murray:                 Just something else in terms of learning more, some additional resources. So Patch Tuesday if you're not already familiar with it, my manager, Chris Gatto and some other members of the team on the Wednesday after Patch Tuesday second Tuesday of every month, go through an hour just analyzing what happened on Patch Tuesday and give you some additional information, things to watch out for and so on. Something we've added more recently is something called Threat Thursday. So Patch Tuesday is the second Tuesday of every month, Threat Thursday is the fourth Thursday of every month.

David Murray:                 There is a blog and there's a webinar, so October the 24th, if you want to sign up for that webinar and find out what's going on from a threat perspective. Also, just highlighting that we do have in a week's time, a cybersecurity virtual event and a link there for that as well. If you want to talk some more, I mean, one of the questions from somebody asking how much depth we were going into today, that we're just starting out with the security controls. We love talking to customers. Particularly if you've started using the product, you're seeing some things that work well.

David Murray:                 Maybe you're seeing things that don't work so well for you or you'd like some additional things in the product. We're very open to talking to people. I love getting on calls, trying to get on calls every week with customers just talk to through experience. How's the product going for you? Can be just a simple conversation, so please email me if you'd like to have one of those conversations, and that way we can improve the product. So with that, I'm going to kind of stop there and maybe talk through some of the questions we've got coming in.

David Murray:                 I've seen some of them. Sarah, I don't know if you answered one that came in. You showed great chart there around missing patches by age group. There was a question, is that available as a report? Is that something we have?

Sara Otremba:                 Yeah, it's not a canned report within the product itself. What I did mention was that is something that extraction would be able to allow customers to have access to in a report as well as a drillable dashboard. Then for those that are not familiar with extraction, I did put the link to the product page. I'll just give a quick high level. Extraction is a product in the Ivanti portfolio. Anybody that has an Ivanti product is entitled to free analyst licenses of extraction.

Sara Otremba:                 What extraction is, is it's a browser based reporting tool that has connectors to a variety of applications. The majority of the Ivanti applications all have connectors, but I think there's a total of about 60 connectors in total to other products as well. For example, Active Directory, BMC, etc. What extraction does is because it's connected directly into the relational database, it's a real time reporting tool based on the data that's actually in the database. Allows you to drag and drop and create dashboards, reports, drillable features.

Sara Otremba:                 You can get more information on the webpage. Also, you can request a demo and there's also content on the community that will give more information on that. But the idea behind that is instead of having all these individual products spend a lot of resources on individual reporting within the products, the idea was having this central consolidated reporting tool to give more visibility across multiple products or that kind of one stop shop.

David Murray:                 Great. Something else I saw coming in was asking whether what we were showing today was parts of EPM. What we're showing today is Ivanti Security Controls. It's not part of EPM. Maybe just to expand a little bit on that. So, as I mentioned earlier, we've got a lot of different security technologies in Avanti, but what we're doing is essentially reducing to two suites of solutions. One of those is security controls, which as I said already has patch application control and privilege management.

David Murray:                 The other one is endpoint manager security. So kind of positioning of the two of these is if a customer or an organization already has endpoint manager and they want security added to that, it makes sense to have that tightly coupled experience where they just add security to endpoint managers. So that's endpoint manager security. Really then for everybody else there's Ivanti Security Controls. So our goal is really the two of these will broadly be the same. More recently into endpoint manager, we've started to bring in the AppSense application control and privilege management, which is what we've now got within Ivanti Security Controls.

David Murray:                 We've been bringing that into endpoint manager as well. We've been aligning the patch functionality as well, where it's the same engine and contents from the kind of Shavlik heritage coming into endpoint manager as well. So there will be probably some differences over time that will start to reduce the CVE imports capability that we showed today. That's also available in endpoint manager security for example. One of the other questions I saw was, is there a way to avoid a patch with flaws in specific software being deployed?

David Murray:                 There is something that's actually available right now in EPM called patch impact analysis. It's a new capability. So for anybody out there that's using EPM, that's exactly what that's designed to do. It's looking at what DLLs, what files a particular patch touches and then is able to kind of raise up and warn people, "By the way, these applications might be affected by this." Enables you to, I guess target your testing a bit more in terms of the systems that you would test those patches on.

David Murray:                 So that's available right now within EPM, if not yet available within security controls. But again, just sort of in line with everything else I just said, that's a technology we'll also be looking to add to the Ivanti Security Controls in the future. Any other questions? Jared, I didn't see any other questions coming in while I was presenting.

Jared R:                             No, I don't see any additional questions.

David Murray:                 Oh, sorry, there was. One other one I saw was, is Patch Intelligence a new purchase? What you're seeing today with what Helen showed around Patch Intelligence, it's part of our Ivanti Cloud. If you look on Ivanti's website, if you've joined Ivanti's events recently, you have heard a lot about Ivanti Cloud. Our plan is to provide additional value for customers from the cloud for their existing on-prem products. We also have a set of capabilities that will be available directly from the cloud. But in line with providing additional value for customers from the cloud, Patch Intelligence is a very good example of that.

David Murray:                 Helen showed the connector that we're adding there right now. We want customers to be able to use that capability. So for any customers that have certain security products, pretty sure endpoint manager security would be one of those. Ivanti Security Controls is another. You will automatically get a subscription to certain feature sets within Ivanti Cloud. That will include Patch Intelligence. So, basically if you buy Ivanti Security Controls, you will also get access to Ivanti Cloud and you will get access to Patch Intelligence.

David Murray:                 One of the questions seem to be asking, "Well, can I just move everything into the cloud and do a migration? At this point in time in the future we will have more than likely a fully available patch solution from the cloud. But right now, what we're doing is providing additional value to customers from the cloud for the on-prem environment. What you're seeing will be available to provide you with additional information if you're using Ivanti Security Controls, is not a migration as such. Hope that makes sense. I think that was everything I had jotted down in terms of questions I saw.

Jared R:                             Great. Without any other further questions, I just want to remind everybody that we will be sending out a recording of this webinar with the slides from today's presentation. Sarah, Helen and David, thank you guys so much and everyone who attended thank you again for joining us and we hope you have an excellent day.

Helen Brown:                   Thank you everyone. Pleasure to be on the call.

David Murray:                 Thanks. Bye.