Ivanti has become more and more of a security vulnerability over the past year as its software has been repeatedly riddled with vulnerabilities. The Ivanti CEO, Jeff Abbott, acknowledges the problems and states that a transformation has begun to improve security. The question is whether this transformation will come in time to regain the trust of customers and partners or whether the company is already at an insurmountable breaking point.
The number of Ivanti vulnerabilities is skyrocketing in 2024. In August 2024 alone, IT teams added another three Ivanti patches to their to-do list. The company made a bad name for itself in July 2023 due to a zero-day in the company’s Endpoint Manager Mobile (EPMM) service. The vulnerability affected governments and organizations worldwide and was discovered by the affected Norwegian ministries.
Since then, the company has been under a magnifying glass. Yet even without a magnifying glass, it is noticeable that something is just not right; at least 14 vulnerabilities have already been reported this year. In the spring, Ivanti CEO Jeff Abbott defended the terrible-looking state of security at the company in a video. However, Abbott does seem to recognize that the number of vulnerabilities is getting out of control. The video is, therefore, primarily a preview of how Ivanti will transform – and hopefully improve.
‘Making secure-by-design the standard’
Abbott acknowledges that the current security situation at Ivanti is unacceptable. The company will invest significant funding to improve the situation. He states, “This plan is backed by significant investment and has the full support of our board of directors and everyone at Ivanti.”
Ivanti wants to improve the situation by leveraging the secure-by-design principle. Security will thus have a central role from the beginning of product development and will be integrated into all aspects of Ivanti’s technologies. Abbott explains: “This proactive stance will be the foundation of our commitment, enabling us to improve protection for our customers and stay one step ahead of emerging threats.” A stronger emphasis on security is one part of the announced four-step plan. Another part focuses on monitoring product security even after development, for which resources will be freed up for research.
These goals make one wonder what the commitment to security was in recent years. After all, releasing secure software out-of-the-box is not a side issue that organizations can think about only when things go wrong. An organization demonstrates its awareness of the necessity of security by baking the secure-by-design principle into the corporate structure very early on. Since resources for researching vulnerabilities and monitoring the threat landscape, which are needed to instill a proactive attitude, are also only now being released, priorities seem to have been elsewhere in recent years.
Regaining trust
The first two investments remain mostly behind the scenes. Where customers can see immediate results is in the support for eliminating vulnerabilities. For example, the company pushes to get all customers onto the latest version of the platform, where additional features will be added, such as an AI search feature, to get more targeted results when searching for information about a vulnerability.
According to Abbott, this transformation is critical to regaining trust with customers and partners. Finally, the fourth step clearly shows a focus on rebuilding relationships. For example, the company is committed to sharing more information and knowledge with customers based on the idea that an approach of transparency and honesty is most valued by customers. He stresses that the transformation will take time, but is absolutely necessary to prevent further damage.
Time-consuming and dangerous
A transformation takes time: time that does not exist when the security of internal data and the secure digital environments of companies and governments are at stake. Of course, the fact that Ivanti services are known to contain zero-days and easily exploitable vulnerabilities on a regular basis draws additional attention from hackers.
Moreover, patching the long list of vulnerabilities is a time-consuming task. For the vulnerability that hit the Norwegian government, the Cybersecurity and Infrastructure Security Agency (CISA) recommended isolating all VPN services completely from the internet. This is to make sure no backdoors get left behind. Otherwise, after the patch was implemented, the hackers could regain access to systems they had previously broken into. This fear did not arise overnight but is a reaction to the recommendations Ivanti made to restore security to online environments.
Security teams have a hell of a job fixing these particular vulnerabilities. In addition to the administrator password, the saved API keys and passwords of every local user connected to the service must also be reset.
Comprehensive portfolio
The software offered by Ivanti is, in addition, highly connected to companies’ digital environments. As a result, performing an update can put pressure on an organization’s continuity, causing updates to be postponed. That is an attractive scenario for hackers, because the software provides access to important online spaces of organizations where there are many opportunities for spying, data theft, or the introduction of malware. Moreover, Ivanti has dealt hackers another interesting card in recent months. Several times, vulnerabilities were publicly disclosed without a patch being ready. This gave hackers a free playground.
The words of the Ivanti CEO have not yet borne fruit. Time and patience are demanded of customers and, at the same time, tested. In any case, it seems that Ivanti is behind in implementing important security principles. As a result, Ivanti is now at a breaking point. On the one hand, resources must be directed to fix what is broken; on the other hand, resources are needed to ensure that what is still being released is not broken. Those resources must come from customers with whom the company has suffered a breach of trust. Can all that be solved with the limited crisis management shown so far?