Patching in Federal Government Networks

Ivanti is committed to our customers who uphold the Nation’s highest commitments. To this end, Ivanti believes that the mission our customers fulfill should not be impeded or constrained by the security stance they take. In these security-conscious environments, it is considered both mandatory and best practice for nodes within these networks to be either disconnected or entirely air-gapped.

(Context: A disconnected network can traverse its own internal network/intranet but is cut off from the broader internet. An air-gapped environment is isolated further still: it is entirely independent, with no connectivity to either a larger intranet or the internet.)

Despite these efforts, the risk of exploitation is not removed simply by disconnecting nodes or placing them in an air-gapped state. Network isolation of these servers and endpoints is only one aspect of the zero-trust security paradigm that these system administrators have to contend with.

Technical administrators of these environments are still responsible for maintaining their systems against ongoing vulnerabilities. Patching these systems acts as a countermeasure against insider threats within these networks. These vulnerabilities go well beyond the standard Patch Tuesday Windows OS vulnerabilities: a significant majority of them exist in the third-party application ecosystem. According to the U.S. National Vulnerability Database, Microsoft vulnerabilities account for only 15% of total vulnerabilities today.


Patching these systems is tedious, time-consuming and manually intensive. That time could be better spent on strategic security measures, or not spent at all. As a result of this lengthy process, critical systems can be impacted and left exposed to vulnerabilities. A GAO report (see p. 46 of GAO Report 16-501, Agencies Need to Improve Controls over Selected High-Impact Systems) shows that this has historically left even critical vulnerabilities unpatched for significant periods of time (in the report, several years). To address these issues, Ivanti helps customers by automating the remediation of the vulnerabilities found within their systems, while also providing a record of truth and reporting for these workflows.

Ivanti’s Disconnected Patching Capability

Ivanti’s product portfolio includes not only its flagship cloud-based product suite but also a strong array of on-premise products. Two products worth highlighting here are Ivanti Security Controls (ISEC) and Ivanti Endpoint Manager (EPM). Both have on-premise deployment options that extend into disconnected and air-gapped use cases.

At a high level, Ivanti serves disconnected and air-gapped environments by placing servers within those environments. Those servers then act as a repository for OS patches (including Windows, Linux and Mac) along with third-party application patches. Consider the example diagram of a disconnected ISEC instance: a central environment is used to download and prepare patches, and then one or many disconnected environments can be stood up, with patches and management delivered via a ‘File Transfer Service’. This service can take one of two forms: approved media devices for transfers when no connectivity can exist, or a staged approach in which the connectivity of a centralized console is alternated between the internet and the disconnected environment. Where approved, this prevents a direct link between the internet and the disconnected environment.

One additional note on this diagram: both the Central Rollup Console and the Connected Environment can also be connected only temporarily, even if just to update definitions in support of the disconnected portions of the deployment.

Ivanti Endpoint Manager (EPM)

On the flip side, we can take the disconnected/connected philosophy described for ISEC and apply it to EPM. As with ISEC, an admin can create multiple EPM consoles, or cores, without any additional charges. Those cores can be deployed as disconnected or ‘dark’ cores. Vulnerability definitions and patches can then be copied from a connected environment into the disconnected environment via the same preferred ‘File Transfer Client’ of choice. This methodology has been proven among customers who have deployed it effectively into disconnected and air-gapped instances of both ISEC and EPM.
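As an added illustration of the ‘File Transfer Service’ step used by both ISEC and EPM above (example code written for this page, not Ivanti’s own tooling), the following Python builds a SHA-256 manifest of a patch bundle on the connected side and checks it on the disconnected core before import, flagging files that were altered, dropped or added on the media. The bundle layout, file names and the tampering scenario are constructed assumptions.

```python
"""Integrity manifest for a patch bundle carried across an air gap (added
example, not Ivanti code). The connected console hashes every exported file
into a manifest; the disconnected core verifies it before import."""
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _relative_files(bundle_dir):
    for root, _, files in os.walk(bundle_dir):
        for name in files:
            full = os.path.join(root, name)
            yield os.path.relpath(full, bundle_dir).replace(os.sep, "/"), full

def build_manifest(bundle_dir):
    """Connected side: map each bundle file to its SHA-256 before export."""
    return {rel: sha256_file(full) for rel, full in _relative_files(bundle_dir)}

def verify_bundle(bundle_dir, manifest):
    """Disconnected side: list findings; an empty list means import may proceed.
    Carry the manifest separately from the media (or sign it) so that whoever
    alters the bundle cannot simply rewrite the hashes as well."""
    findings, seen = [], set()
    for rel, full in _relative_files(bundle_dir):
        seen.add(rel)
        if rel not in manifest:
            findings.append("unexpected file: " + rel)  # never exported by the console
        elif sha256_file(full) != manifest[rel]:
            findings.append("hash mismatch: " + rel)    # altered in transit
    for rel in manifest:
        if rel not in seen:
            findings.append("missing file: " + rel)     # dropped in transit
    return sorted(findings)

def demo():
    """Constructed sample: a clean transfer, then the same media after tampering."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "definitions"))
        with open(os.path.join(d, "definitions", "vulns.xml"), "wb") as f:
            f.write(b"<definitions>constructed sample</definitions>")
        with open(os.path.join(d, "patch-001.msu"), "wb") as f:
            f.write(b"constructed patch payload")
        manifest = build_manifest(d)
        clean = verify_bundle(d, manifest)
        with open(os.path.join(d, "patch-001.msu"), "ab") as f:
            f.write(b"!")  # simulated modification in transit
        os.remove(os.path.join(d, "definitions", "vulns.xml"))
        with open(os.path.join(d, "rogue.exe"), "wb") as f:
            f.write(b"not part of the export")
        tampered = verify_bundle(d, manifest)
    return clean, tampered
```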

Modernized & Automated Patching Workflows

Modernizing the patching process means reducing the mean time to patch and securing strategically against vulnerabilities. To that end, Ivanti provides Neurons for Risk-Based Vulnerability Management (RBVM), a vulnerability management system that adds context around threats (for example, ‘trending’ vulnerabilities, or vulnerabilities that could be exploited without physical access to the target).

RBVM also provides the necessary patches and remediation for those vulnerabilities. By integrating patching with RBVM, patching becomes a strategic and automated process: files listing the vulnerabilities deemed most risky can be loaded into solutions like EPM, which determine and provide the patches. This workflow still applies in disconnected and air-gapped use cases: RBVM can connect to the Rollup Core, with patches disseminated via the process described above.

How Ivanti can Help

Between Ivanti’s EPM and ISEC products, a system administrator can patch the Windows, macOS and Linux servers and workstations within their environments. Patching also extends to third-party applications, from which a significant portion of vulnerabilities originate. Ivanti also has a team of QA testers who validate the patches in its third-party patch catalog to ensure no patch will crash a system. This patching applies to both connected and disconnected environments, without any additional charges for scaling your console server deployments.

In the case of ISEC, endpoints can be discovered and patched both with an agent and agentlessly. ISEC can also integrate with on-premise VMware ESXi environments to patch ESXi hosts as well as images and offline VMs, further centralizing and reducing the time to patch across the environment. EPM, by contrast, provides a full suite of endpoint management capabilities in addition to patching, including discovery and data normalization, OS provisioning, software distribution, user profile management, remote control, and integrated patching and endpoint security.

Additional Resources

For further reading, please consider Ivanti’s Product documentation around this subject. These references can provide additional documentation around how to establish:

About Ivanti

Ivanti was created in 2017 with the merger of Landesk and HEAT software. We are a powerhouse IT solution with over 30 years of combined experience. Ivanti finds, heals and protects every device, everywhere – automatically. Whether your team is down the hall or spread around the globe, Ivanti makes it easy and secure for them to do what they do best.

Ivanti is committed to supporting customers with either Cloud or On-Premise deployment requirements. In both deployment paths, Ivanti’s portfolio contains accredited solutions with the following certifications: DoD ATO, Army CoN, Common Criteria, DoDIN APL, DISA STIG, DoD IL2 & IL5 Private Cloud, NIAP MDM PP v4, NIAP Common Criteria, NSA CSFC, FIPS 140-2, FedRAMP Moderate and SOC 2.

Connect with an Ivanti representative today and learn more about how Ivanti can support your MultiCloud initiatives.

People Plus Technology: Building a Resilient Federal Cyber Workforce

Filling cyber jobs in Federal agencies is complicated: it requires competing with industry salaries, retaining existing talent and navigating the Federal hiring process. It is a far-reaching challenge that affects every agency; the administration knows that, the Office of Personnel Management knows that, and agency technology and human resources leaders know that. And federal C-suite leaders realize that how the government recruits, hires and retains people for cyber jobs has to change. In partnership with FNN, our Federal Cyber Workforce guide looks at what the government is doing to tackle this problem on a sweeping federal level and also on a more agency-specific level. We also get industry perspective on the technologies that affect cyber workforce resiliency. We hope it provides some guidance and help as your agency works to beef up its cybersecurity, both through investments in people and technology.


3 Key Rallying Points for a Resilient Cybersecurity Team

“Agencies are currently operating in a high-threat environment, but that doesn’t mean they can’t implement a reasonable amount of information assurance. It may not be perfect, but it doesn’t have to be. The idea is to make it so that adversaries have to work extremely hard to penetrate the infrastructure. The adversaries are good, but agencies can be better with a resilient cybersecurity team, said Mark Bowling, chief risk, security and information security officer for ExtraHop. The key to achieving this is to have a risk reduction perspective.”

Read more insights from Mark Bowling, Chief Risk, Security and Information Security Officer at ExtraHop.


Do not Wait for a Breach: Why to Adopt Proactive Approach to Cyber Resilience

“When most people talk about cyber resilience, they’re referring to post-breach recovery — the means, methods and speed with which an organization can get its systems and services back online after a cyber incident. But Felipe Fernandez, federal chief technology officer at Fortinet, views resiliency more holistically. His advice? Agencies need to take a proactive stance on cyber resilience and include not only recovery from breaches but also planning for non-malicious threats and other operational disruptions, including those associated with cloud-based services.”

Read more insights from Felipe Fernandez, Federal Chief Technology Officer at Fortinet.


Proactively Improve Digital Employee Experience Through Automation

“Digital modernization and the adoption of collaboration tools is supposed to make work easier, especially in a hybrid environment. Employees want the flexibility to be productive in whatever manner best suits them. Unresolved technology issues can impede productivity. In its latest survey of industry employees and IT professionals, Ivanti found that 49% of employees are frustrated with the tools they use and 26% are considering leaving their jobs because of that. Employee experience is a top priority in government right now, and employees are internal customers of an agency’s IT services. By improving their experience your agency can realize gains in productivity and retention.”

Read more insights from Mareike Fondufe, Product Marketing Director at Ivanti.


Download the full Expert Edition for more insights from these cyber workforce leaders and additional government interviews, historical perspectives and industry research.

Safe & Sound Schools: Cybersecurity in K-12

A year ago, IT professionals in K-12 school systems became heroes to their communities when their skills and resourcefulness turned on remote learning for nearly all. But while IT teams were enabling teaching and learning to continue uninterrupted in spite of everything else going on in the world, they were also seeing their systems beset by relentless attacks. More school districts than ever have been victimized by ransomware, data breaches, and other forms of digital malfeasance. While there’s no way to guarantee your schools will avoid all cyber incidents, the preemptive moves you take will make digital and online activities ever safer for your district users. Learn how your institution can adapt to this new environment in Carahsoft’s Innovation in Education report.


Closing in on Cybersecurity Stability

“Traditionally, for good reasons, the conversation in K-12 has been focused on education. The priority for spending has been steered toward academics — getting more support and training for teachers and trying to control the classroom size, for example. Technology, and especially cybersecurity, was a scheduled expense, up there with predictable plumbing problems and textbook replacement, but contained within the IT organization. However, IT — and especially cybersecurity — has now become a strategic element for education. Parents, superintendents, board members and executives within administration have realized that keeping data and systems safe can have a district-wide impact. Experience a data breach or a ransomware event and you’ll suffer damages that strike your budget as well as your reputation: Families will leave your schools to go to the district next door that didn’t have a break-in. That means it has become something that should be part of all decision-making.”

Read more insights from Palo Alto Networks’ Cybersecurity Strategist, Fadi Fadhil.


Getting Away from the Ransomware Triple Threat

“Even though it’s now a simple matter to go online and learn how to launch a cyber-attack and buy the tools to do so for just a few dollars, ransomware has become a more complicated process, involving triple extortion. Originally, the idea was that the bad guys would get into your computer system, encrypt your data and tell you that in order to get the data back, you’d have to pay x bitcoins. That was pretty direct; you either paid the money and hoped they’d give you your data or you had backups, because a good backup policy would prevent an attack from imposing any lasting damage. So the criminals revised their approach. They turned around and said, ‘OK, we’ve encrypted your data. Pay this amount to get it back. And by the way, we also stole your data. If you want to prevent this data from being made public, you will pay the same amount of ransom, and this is the deadline.’”

Read more insights from HPE’s Distinguished Technologist in Cybersecurity, James Morrison.


The Essential Cybersecurity Service You’ve Never Heard Of

“The cybersecurity threat to K-12 educational institutions has been consistently growing since 2018. Unfortunately, for many schools, efforts to protect against cyber-attacks have not seen similar growth. K-12 public schools became the number one target for ransomware attacks across all public sectors in 2020. Meanwhile, less than a quarter of school districts have anyone dedicated to network security, according to the latest CoSN leadership report. And even institutions with dedicated network security staff may struggle with a lack of funding to dedicate to cybersecurity measures. This poses a challenge for schools that cannot build cybersecurity defenses that match the sophistication of the malicious actors intent on attacking their data-rich networks. Fortunately, cybersecurity help is available, and at no cost. Recognizing that schools, along with other state, local, tribal and territorial government agencies, rarely have the resources they need for cybersecurity, the Center for Internet Security, an international nonprofit, offers essential cybersecurity services through the Multi-State Information Sharing & Analysis Center (MS-ISAC).”

Read more insights from the Center for Internet Security’s (CIS) Senior VP of Operations and Security Services, Josh Moulin.


Greatness Awaits: Dump the Paperwork

“Envision this scenario: Requests for payment are sent in via online interface or digitized en masse through a designated service center. The data is vetted to make sure vendors are approved and expenses fall within the expected range or amount. The documentation is immediately tagged for the proper workflow, being approved at each level through a mobile app or computer application. Approvers can be added or removed from the workflow list as staffing or delegation needs change. Those who sit on approvals too long can be notified that the clock is running. Likewise, managers can be alerted when people on their team try to shove payments through without adequate controls or documentation in place. As a result, the right invoices are paid on time, without incurring penalties or losing out on possible rebates offered by the vendors. Any physical space dedicated to holding onto paper documentation can be dedicated to other purposes. On the expense side, schools can eliminate adult arts-and-crafts.”

Read more insights from SAP Concur’s Public Sector Senior Director, Jim McClurkin.


Virtual is Here to Stay, so Make It Better

“With the return to the physical classroom, you might think schools should tuck away their Zoom licenses for the next time an emergency strikes. But that would be short-sighted. Educators have seen how technology can play a role in delivering learning options for students who can’t attend in person. Now that K-12 administrators are reimagining and redesigning education, school districts would be foolish not to learn from their pandemic experiences. Their big lesson? Schools need virtual options. They need them for students who, because of physical, emotional or mental disabilities, can’t be in the classroom; who have dropped out just shy of a few credits and really want to earn that diploma; who are working to support their families; who are taking care of younger siblings; or who want to participate in dual enrollment and can’t get the unique classes they need through their own schools.”

Read more insights from Class Technologies’ VP of K-12 Strategy, Elfreda Massie.


Start with the End(point) in Mind

“While the concept of zero trust serves as a useful framework for understanding the goal of posting a guard at every entry and maintaining clear lines of authorization and authentication, getting it done is another matter. Somebody has to do the work of implementing endpoint management and security. Consider the challenge of mobile endpoint patching. IT churns through cycles continuously applying long lists of patches, mitigating risks for which there may be no exploit and that may not be in line for attack. According to a recent Ivanti report, “Patch Management Challenges,” 71% of IT and security professionals find patching to be overly complex and time-consuming. And the patching efforts may only address district-owned devices along with the small share of end users with their own devices who are willing to go through the patch process. What about everybody and everything else? The key is knowing what patches are crucial and being able to prioritize patch decisions that are going to provide the greatest security. The patch management approach needs to apply threat intelligence and risk assessment. Then it needs to be enabled on all devices — district-owned or not — without the process relying on interaction from users.”

Read more insights from Ivanti’s Public Sector CTO, Bill Harrod.


How to Tame the Cloud with One Call

“K-12 professionals are continually trying to keep their heads above water. They’re drowning in paperwork, processes, regulations and general bureaucracy. And they just need relief. If you’ve got 100 different contracts, every time you touch those contracts to manage them, support them, make amendments, check that they meet state and federal compliance guidelines, and more, it increases the total cost of ownership for every one of those cloud products and services. E&I helps you reduce this work, so that you can spend more time and energy in what you love to do, which is helping students learn.”

Read more insights from E&I Cooperative Services’ Vice President of Technology, Keith Fowlkes.


Download the full Innovation in Education report for more insights from these cybersecurity thought leaders and additional K-12 industry research from THE Journal.