Ivanti commits to secure-by-design overhaul after vulnerability nightmare
CEO addresses whirlwind start to 2024 and how it plans to prevent a repeat
Ivanti has committed to adopting a secure-by-design approach to security as it gears up for an organizational overhaul in response to the multiple vulnerabilities in Connect Secure exploited earlier this year.
CEO Jeff Abbott penned an open letter to Ivanti's customers and partners this week, saying "events in recent months have been humbling," before detailing the various changes Ivanti plans to make.
"We will use this opportunity to begin a new era at Ivanti," Abbott's letter reads. "We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers.
"We have already begun applying learnings from recent incidents to make immediate improvements to our own engineering and security practices. And there is more to come."
Among the many changes to come at Ivanti HQ, one that will immediately catch the eye of security pros is its commitment to security by design – an approach the industry has long called on vendors to adopt as the norm.
"Our focus is on embedding security into every stage of the software development lifecycle, with robust processes that anticipate and preemptively address potential vulnerabilities from product inception to deployment and beyond," Abbott explains.
"Our approach will entail rigorous threat modeling exercises, ensuring that security is ingrained as a foundational element of our products. This proactive stance will serve as the cornerstone of our commitment, enabling us to enhance protections for our customers, and stay ahead of emerging threats."
The focus on bettering product security will also involve accelerating a stack modernization program across Ivanti's network security products, which is already under way, and, among other moves, integrating an appropriate level of remote monitoring that aims to take some of the security burden off customers.
Ivanti's vulnerability management program is also a target for improvement, with the vendor funneling additional resources into improving detection and ultimately shortening the time it takes for patches to reach customers.
Keen followers of the issues it experienced earlier this year will remember some customers waited weeks for patches to arrive. This was because Ivanti's staggered patching strategy involved prioritizing the most-installed versions, with users of less popular ones having to wait longer than others.
The intent to reduce time-to-patch will come as welcome news to Ivanti customers, as will the plans to relieve them of some of the security burden.
On-prem customers should also expect Ivanti to contact them in the coming weeks to work on securing their deployments while balancing the practical realities and constraints that the vendor understands are part and parcel of real-world network administration.
That's all part of a broader effort to give customers better support for securely deploying their solutions in the real world. We're told that AI is being applied all over the place to further this goal, from the search functionality in Ivanti's customer portal to an AI-powered Interactive Voice Response (IVR) system intended to improve customer experience calls.
The final pillar of Ivanti's security overhaul is transparent information sharing, to which the vendor has committed to a greater degree. There are also plans in the works to create a customer advisory board to institutionalize the user feedback process.
"We have engaged the industry's most recognized security and product development experts to support the Ivanti team's review and to provide best-in-class execution guidance, ensuring we meet our commitment to you, so that your organization can work easily, securely, and with confidence," Abbott says in the missive.
"This plan is backed by a significant investment and has the full support of our board of directors and everyone at Ivanti."
Abbott's letter goes into more extensive detail about the vendor's plans, or you can listen to him explain it himself in a six-minute video.
How we got here
Ivanti first disclosed the main vulnerabilities on January 10. They led to widespread exploitation of Connect Secure and Policy Secure, including at the US national cybersecurity agency (CISA), which eventually ordered all federal agencies to remove Ivanti kit from their networks.
Within a week, experts said if the original mitigation Ivanti released for CVE-2023-46805 and CVE-2024-21887 wasn't applied on the day of disclosure, there was a good chance some users were already compromised.
The two vulnerabilities were exploited as zero-days as early as December, Mandiant's incident response data suggests. This was carried out by a group it tracks as UNC5221 – one of eight groups the security giant says were actively exploiting the flaws, but the only one to do so before Ivanti's disclosure.
Many of the other groups, tracked using various monikers, were attributed with some confidence to China-based espionage teams. A smaller proportion of the significant compromises came from financially motivated crews, likely trying to launch cryptomining operations, Mandiant says.
While cybercriminals were having a field day with the vulnerabilities, customers were effectively left as sitting ducks to sophisticated attacks while the vendor scrambled to release patches, the first of which didn't come until three weeks after the initial disclosure.
The mitigation released along with the initial disclosure was the only lifeline afforded to customers since Ivanti's internal integrity checker tool (ICT) was also found to be unreliable at detecting compromises. Ivanti instead told customers to use its external ICT, but security agencies later said this too wasn't to be trusted.
Customers were left either to apply a mitigation, which CISA later said was bypassed in some cases, or to simply rip their kit out until a fix became available. The latter is the approach the security agency took, instructing all federal agencies to disconnect their affected Ivanti kit from their networks with a deadline of just 48 hours to carry out the work.
For reference, vulnerabilities added to its Known Exploited Vulnerabilities (KEV) catalog typically come with a remediation deadline of at least a couple of weeks.
With patches being released, it seemed all was nearly over, but as Ivanti released the first round, it also disclosed an additional two high-severity vulnerabilities, one of which was exploited as a zero-day.
Granted, they were fixed alongside the previous two – the ones that started the whole mess – but it was hard not to feel for the vendor's security team who must have been well and truly under the cosh at the time.
With all patches now available, the exploits should be behind all Ivanti customers. However, after all that, it feels a little harsh to mention that four more vulnerabilities in Connect Secure and Policy Secure were disclosed this week – none of which have been exploited yet, according to current evidence. ®