Ivanti says it will fundamentally transform its security operating model in light of a series of high-profile security incidents involving its products, and has announced a comprehensive plan to improve its security posture.
CEO Jeff Abbott made the announcement in an open letter accompanied by a video, in which he acknowledged Ivanti's recent security failures and the imperative for the software industry as a whole to adapt to new threats.
Hackers have exploited vulnerabilities in Ivanti products over the past year to launch attacks against the top U.S. cybersecurity agency as well as Norwegian government agencies.
Abbott said the latest batch of critical security breaches and general levels of hostility across the threat landscape should encourage software companies to be more diligent and proactive about product security.
“Recent events have highlighted a reality that we and our entire industry are witnessing firsthand,” he wrote. “We are fighting an increasingly complex and aggressive landscape of threat actors. In many cases, these threat actors have good resources and capabilities at the nation-state level.”
Abbott addressed Ivanti's recent security issues in his letter, emphasizing that the company felt it was important to speak directly with customers about what it is doing to improve its security posture.
“The events of the last few months have been humbling and I want you to hear directly from me about the steps we are taking to ensure we come out stronger and our customers are safer.”
To restore confidence in its security credentials, Ivanti announced that it will review its security operations and outline a comprehensive plan to set a new standard for the software industry and meet new challenges.
Make out-of-the-box security the default in the software industry
This plan consists of four key focus areas around which Ivanti wants to anchor its transformation.
First, there is a commitment to strengthening product security and adopting security-by-design principles to ensure that security is built into every stage of the software development lifecycle.
Ivanti stated that it wants to ease the security burden on customers by improving its ability to provide solutions that are secure out of the box or secure by default. This includes products that Ivanti can manage, monitor and protect.
The second main goal is to elevate its vulnerability management platform. This will involve improving its internal and external research to identify vulnerabilities more quickly.
Another addition is risk-based patching and vulnerability remediation that will reduce the average time to patch vulnerabilities for products that pose the greatest risk to customers.
Ivanti will also provide enhanced support to customers looking to deploy their products securely. Ivanti's community portal will receive some updates, including improved AI-powered search functionality to deliver more curated results to customers, as well as an improved, smarter interactive voice response (IVR) system to route calls for a more streamlined customer experience.
Finally, Ivanti committed to making more adjustments focused on transparency and on building healthier relationships with customers. The firm said it will spend more time keeping its clients and partners informed about the latest security trends.
“Customers and partners should expect Ivanti to share lessons learned, and we also plan to continue our customer briefings with third-party experts, launch a dedicated blog series related to the current threat landscape, and host webinars and roundtables to address privacy and security issues with our community.”
Ivanti will also create a Customer Advisory Council to gather customer feedback on all of the initiatives outlined above, and will announce plans over the coming weeks on how it plans to gather customer feedback on its products, feature prioritization, security concerns, and strategic decisions about its product roadmaps.
Ivanti Connect Secure flaws detected 250,000 times a day since January
In January 2024, Ivanti disclosed two vulnerabilities that affected its Connect Secure and Policy Secure products. CVE-2023-46805 and CVE-2024-21887, rated high and critical in CVSS respectively, allowed attackers to bypass control checks and execute code remotely on a targeted network.
An analysis by cloud computing specialist Akamai found that Ivanti Connect Secure products were subject to more than 250,000 attacks per day since the initial disclosure of the vulnerability.
In February, CISA issued a warning that hackers were actively exploiting the flaws. The security agency later confirmed that its own systems were affected by a cyberattack that exploited Ivanti vulnerabilities, leading the agency to take two of its systems offline.
Last year, the Norwegian National Security Authority (NSM) confirmed that threat actors exploited a zero-day in Ivanti's Endpoint Manager Mobile (EPMM) solution to breach government software.
The breach, which exploited an authentication bypass vulnerability in EPMM software, affected a platform used by 12 Norwegian ministries and allowed attackers to make configuration changes using an administrative account.