Ivanti chief exec promises revamped security approach after Connect Secure fiasco


Ivanti says it will fundamentally transform its security operating model in light of a series of high-profile security incidents involving its products.

CEO Jeff Abbott made the announcement in an open letter with an accompanying video, in which he acknowledged Ivanti’s recent security failings, and the imperative for the software industry as a whole to adapt to new threats.

Vulnerabilities in Ivanti products were exploited by hackers over the last year to launch attacks on the top US cyber security agency, as well as government agencies in Norway.

Abbott said the latest batch of critical security breaches and general levels of hostility across the threat landscape should prompt software companies to become more diligent and proactive about product security.

“Recent events have underscored a reality that we and our entire industry are witnessing first hand,” he wrote. “We are battling an increasingly complex and aggressive landscape of threat actors. In many cases these threat actors are well-resourced, with nation-state level capabilities.”

Abbott addressed Ivanti’s recent security problems in his letter, emphasizing that the company felt it was important to directly speak to customers about what it is doing to improve its security posture.

“Events in recent months have been humbling, and I want you to hear directly from me about the actions we are taking to ensure we emerge stronger, and our customers are more secure.”

To restore trust in its security credentials, Ivanti announced it will overhaul its security operations, outlining a comprehensive plan to set a new standard for the software industry and meet new challenges head on.

Making secure out of the box the default in the software sector

This plan consists of four key focus areas around which Ivanti wants to anchor its transformation. 

First up is a commitment to bolster product security and embrace secure by design principles to ensure security is embedded into every stage of the software development lifecycle.

Ivanti stated it wants to alleviate the burden of security on customers by improving its ability to provide solutions that are secure out of the box, or secure by default. This includes products that can be managed, monitored, and secured by Ivanti.

The second core goal is to elevate its vulnerability management platform. This elevation will involve enhancing its internal and external research to identify vulnerabilities faster. 

Another addition is risk-based patching and vulnerability remediation that will reduce the average time-to-patch for product vulnerabilities that pose the biggest risk to customers.

Ivanti will also provide enhanced support for customers looking to deploy their products securely. The Ivanti Community Portal is set to receive some upgrades, including improved AI-powered search functionality to provide more curated results for customers, as well as an improved Smarter Interactive Voice Response (IVR) System for a smoother customer experience for routing calls.

Finally, Ivanti committed to further transparency-focused adjustments centered around building healthier customer relationships. The firm said it will dedicate more time to keeping its customers and partners in the loop on the latest security trends.

“Customers and partners should expect Ivanti to share lessons learned, and we also plan to continue our customer briefings with outside experts, launch a dedicated blog series related to the current threat landscape and conduct webinars and roundtables to address privacy and security topics with our community.”

Ivanti will also set up a Customer Advisory Board to get customer feedback on all the initiatives outlined above, and will announce over the next few weeks how it plans to gather customer input on its products, feature prioritization, security concerns, and strategic decisions on its product roadmaps.

Ivanti Connect Secure flaws targeted 250,000 times a day since January

In January 2024, Ivanti disclosed two vulnerabilities that impacted its Connect Secure and Policy Secure products. CVE-2023-46805 and CVE-2024-21887 - rated as high and critical in the CVSS respectively - enabled attackers to bypass control checks and remotely execute code on a target network.

Analysis from cloud computing specialist Akamai found Ivanti Connect Secure products were targeted with over 250,000 attacks per day since the initial disclosure of the vulnerability.

In February, CISA issued an advisory warning that hackers were actively exploiting the flaws. The security agency later confirmed its own systems were affected by a cyber attack exploiting the Ivanti vulnerabilities, leading the agency to take two of its systems offline.

Last year, the Norwegian National Security Authority (NSM) confirmed that threat actors exploited a zero-day in Ivanti’s Endpoint Manager Mobile (EPMM) solution to breach government software.

The breach, which exploited an authentication bypass vulnerability in the EPMM software, affected a platform used by 12 Norwegian ministries and allowed the attackers to make configuration changes using an administrative account.

Solomon Klappholz
Staff Writer
