Transcript
Today we are going to be talking about Beyond the Patch. Really, patch management focuses a lot on, you know, trying to get patches remediated in your environment. But one of the things that always comes up is the heavy reporting needs of this process. You get asked all kinds of questions from all different sources. You've got to provide audit information and remediation information and all kinds of trails of information about what gets remediated in your environment. That's what we want to talk about today. With me today, for those of you who don't know, my name is Chris Gettle. I'm Vice President of Product Management for Ivanti's Endpoint Security Products, which includes our patch management solutions. With me today is Susan, who is our Principal Product Manager. She's been working very closely with my team to build out the Ivanti Neuron's reporting capabilities and patch was the first target of building out that functionality. So Susan, thank you for joining us today. No worries. Chris, I think you have to start calling me the analytic authority man. And there's a reason for that. I have more than 10 years of experience in analytics and AI and for the last four years I've been involved with Ivanti. I birthed the analytics and dashboard solution we're about to see. And to top it off, I have a master's degree in data science. I think I kind of earned the name of analytic authority. You definitely have more authority in that space than I do. I just have very specific domain knowledge, which is my value on today's call. That's absolutely. So for those of you who haven't been on an event with the GoldCast platform before, just a little bit of housekeeping. In the UI, you're going to see the slides here in the middle. You'll also have access to chat and Q&A. And in between there, there's a docs section. Underneath that, you're going to see some content there that's available for you. One of those is a link to our Ivanti live series. So this is coming up in the month of May. It's going to be coming out to a variety of cities around the globe. And we're going to be out there to talk about the Ivanti strategy, vision, direction, product-specific improvements, and other things that we're doing. I will be at several of those, especially the U.S. events, talking about exposure management, which brings together patch vulnerability and many other things to really understand that overall exposure to your organization. And of course, reporting will play a big part of that as well. Today's conversation is going to jump through a couple of things. We're going to talk first about the importance of analytics, especially as it relates to patch management within the Neurons Patch experience. And then Susan is going to do a demonstration of the reporting capabilities of the product. This is a set of capabilities that we've launched over the last couple of releases, and we've got more coming that additional enhancements from a reporting perspective. Alongside that, Susan's team has also been working on creating this great dashboard designer capability within the Neurons platform that can take advantage of the different data sets that we have, including patch. So Susan and I are going to have a little face-off after we do some demonstrations. I'm going to be challenging Susan with progressively harder analytics problems, and she's going to build us some dashboard elements to show how you can build out the right level of data and visibility for your organization's needs. Susan, sound good? Sound good, sound good. So well, before we go into the challenge, Chris, why is analytics so important for patch management? Why did you invite me to work on it in the first place? So I've been in this space for a little over 20 years now, and traditionally reporting has accounted for roughly 40% of all feature requests that my product group gets in their products. The reason for that is hey, great, you've got a canned report that does most of what I need, but I need this additional column, or I need it sorted in this way, or I need you to pivot the data in this sort of way. So then we go from canned reports into more dashboarding and custom reporting and all sorts of other things, and then the ability to save off those reports because you need an audit trail for 13 months or notify different people with the right level of details, so email reports and other things like that. Reporting is a very heavy part of the patch management process, even though we don't often talk about it that much. So as we looked at the reporting needs of our customers, we decided to take a step back, do a survey, and figure out what are the main things driving your reporting needs, and we really found that there were four types of questions that our customers get asked on a regular basis. I need to know the state of devices in my environment, so give me a report that can tell me devices, what's missing, what's installed, and more information about that. What date was it installed? Are there vulnerabilities tied to it? Things like that. Then there's the opposite of that. I need to know about a specific patch. So if you are worried about today's work that you're doing around the patches that just released this week, you've got an OS update that's resolving a zero-day vulnerability. If you want to do tracking specific to that update and the status of it across your environment, you need to be able to say show me the status of a specific update, in this case the April OS update for Windows, and tell me how many machines have that missing or installed. That gives us the ability to understand those two pivot points, device-based, patch-based. The third question that often comes up is around the operational side of things. So if I'm deploying patches out and I run into a problem, we need to get deep into what failed, where did it fail, what were the error codes, what type of it. So we've got deployment-based or operational-based reports that we need to be able to generate. If I'm the server administrator and I'm patching a business application that has the OS, it's got SQL, it's got other web components, each of these may have different administrators that I need to work with to resolve an issue. So if I did the OS update and then I tried to patch SQL and it failed, I'm going to have to communicate with that SQL DBA and make sure that we're on the same page as to exactly what I deployed, where I deployed it to, and what the failure was, so that team can work together to resolve that deployment issue. Now comes the next part, and this is kind of the evolving part of where we're going. This shift from operational to exposure-based mentality. We need to be able to identify the risks to our environment, how long we've been exposed to it, and be able to show when things were remediated. So the security team has been doing more of this type of reporting in vulnerability management solutions for years. The patching side is really heavily making the shift over to the same type of reporting because we need to work together and communicate the same level of data. I'm guessing many of you on here today have been asked for this type of information from your security team. You've had to export reports, do some additional massaging of data to get to that answer for them. That's one of the things that we want to change about how we're approaching reporting in the Ivanti Neurons patch experience. So the fourth pivot point that we've added in there is the ability to generate reports based on a vulnerability. A CVE-based report. So rather than me having to go and figure out if I've got a vulnerability that happens to span multiple platforms and even multiple applications, I don't want to have to figure out all the applications that vulnerability is tied to and then generate a report on all those applications. Just let me ask for that specific CVE. If that CVE happens to be both in the Apple OS and the Windows OS and also the browser, it's a shared component across all of those, that one CVE should be able to show me all of those different patches across all the different devices that's affected. So that is the fourth pivot point that we've added into the cloud-based reporting that isn't traditionally in patch management solutions that you would see on the market. They're usually additional reports that you would have to generate or customize after the fact. Now it's more out-of-the-box. So that's four of the kind of critical pivot points that we've got. Now if you look at the screenshot there, we've got a whole bunch of reports here and we're going to see that in the demo. There's a summary level and a detailed level of each of those four types of questions. But we have a ninth out-of-the-box report. This is more ROI-based. Give me credit for the things that I've done. Those of you who are always trying to report on compliance, first of all, the compliance reporting experience in Neurons for Patch is we've got a lot of customers who are giving us great feedback on that. We've had some banking customers that took it directly into their FDIC audits with their auditor. They went through it and showed them what they could see. We're getting really good reviews on that. It's based on that type of exposure based reporting where every update is calculated against your SLA from its release date to install date. Not from your operational, this is the day I started patching, this is the day I ended patching. So it's a different mentality once again. But even with that, you've got this challenge of everything that I've done, I'm still always chasing that compliance bar. So this last report here, this maintenance report is giving you some feedback on all of the activities you've been doing. Over the last 90 days, 180 days, even year, how many patches have I deployed? How many vulnerabilities have I resolved? How many known exploited vulnerabilities have I resolved? For those of you trying to push your organization to say, hey, yeah, let's keep doing our regular monthly maintenance, but we also want to do things like weekly updates for critical applications like browsers that update more frequently. We want to do zero day response. This type of reporting will be able to show you, hey, we started doing this three months ago, and since then, we've been able to push more patches faster, resolving more vulnerabilities and specifically more known exploits in a faster time frame by doing that. So this report is more giving you credit for the work you've done, not reporting on the current state of the environment. And that becomes very important when we're having conversations about that return on investment of what activities you're doing within your organization. So that's the importance of this. Now, canned reports are one thing. The other thing that Susan and team have been working on, and we're going to demo for you today, is taking that data into the custom dashboard designer and now allowing you to customize even more widgets, ways to view things, and ways to customize that view to different personas within your organization. Susan, did I miss anything? Not at all. Not at all. That sounds really good. I especially love how you talk about the report in the full pivot. So how about now let me share everybody how it looks like. Absolutely. You should be able to share your screen. Okay. All right. Okay. So like Chris said, it's very easy to create a new report. So all you have to do is click to create a new report. And this is where you can see the nine reports Chris just mentioned about. If you're not familiar with it, you just started, you can definitely see the preview. It will give you a very good idea how the report looks like and what information consists. There are nine of them, but for this report demo purposes, let's pick the patches by device summary report to give everybody a sense of how it looks like. And the next step of creating a report really is just to give the report a name. All right. Let me try, say, Susan demo. Demo. And here we have an option. You have options. You can do PDF, CSV, Excel. Let's do a PDF for this demo. And then this is where I think a lot of the power of our reporting tools come out is you have so many ways to filter your report to exactly what you want. We even provide what I think is the closest thing to time travel, which is to report a state in the past. So for demo purpose, why not? Let's pick someday in last week. And for devices, you can filter on a device name, device group policy name, very full filtering capability. But for this purposes, let's choose all devices. And you can also do patches filter specifically. I think it's very useful to able to just look at the missing patches. And in addition to that, just like Chris mentioned, from advisory, KB number, or even patch group name. If you just want to see a specific patch or group of patches, you can also see that as well. But for the demo purpose, let's just pick all patches and then submit report. Then that is really it. It's very easy to generate a report and in a good fashion, like any cooking show. Here is how I look. It's been generated. We have a report overview where you can really see the filter you apply. So you don't have to keep remembering what filter you apply to a specific report. We also provide counts like the number of devices in the report, missing patches. Like Chris said, this is a good way to showcase your progress. And in terms of the report body, we have key information like the device name, platform, patch configuration. And the key for this one is the number of missing patches for each of devices. And we didn't stop at there. Like Chris said, it's also export, CVE are also a key part of the patch management. We even show you the number of known exports for that patch if they were missing. So very full information in our report. We even have good visual highlights to showcase the items that have no export. So it's easier for you to get the information you need right away. For those of you familiar with how we do a lot of our content around Patch Tuesday, you're probably used to this format. We had our design team that was working with Susan look at the things that we were doing and try to bring that risk-based focus even into the reporting. The way things are sorted, the use of color, of highlighting, of that icon showing that there's a known exploit in there. All of these things were designed to draw your attention to the highest risks first and help you to filter the noise down to what's my most concerning items. Now this being the summary-based report, we're seeing each machine, how many missing patches, and how many of those missing patches have a known exploit in them. If I were to do a detailed version of this, I would see that first workstation, the JKR Work 05, that would be kind of the top line of that, and then it would break down into all 17 of those missing patches and more information about it, like how many vulnerabilities are missing for that and so on. So whether you need a summary level or that more detailed level, you have the ability to generate a report very quickly and easily and get to the essential information you need and, again, have that risk-based approach so everything is bubbling up the highest risk first. All right. Absolutely, Chris. And just like you said, this is just a first step. This is the CAN report. And if you want more flexibility into the information you provided, like Chris said, we also have a dashboard designer option. Oops. Did not pray enough to the demo god. Give me a sec to refresh this. So we also have a dashboard option where you can create your own dashboard and own chart to present the information you need. I'll show you an example. It really is as easy as counting to one, two, three. So you create a new dashboard. You can give it a name. I'm going to be using the same name again. Okay. Give the name, the dashboard a name. Then you can go straight into creating a new chart. For our dashboard designer, we provide two data sets. The first data set is the device patch scan, and that is where Chris said it's the view into from CVE, advisory, patch, and devices. So this information, and this is also one thing we're really proud of our feature here, is we tie those data sets for you already. We did all the preprocessing. We joined the tables together so you can have one view into one data set. And the second data set we have is the deployment history. That's what Chris mentioned. It was the operational data set to see if the deployment failed or not. For this next demo, how about I'll start with the devices patch scan data set. You know how the report I just showed you, it shows you the number of missing patches per device. How about we do a more visual presentation of it? The report is good. It's well formatted. But what happens if I want to communicate that in a chart? I'm going to show you how to do it. So you pick the data set. In this particular case, how about let's choose a bar chart. We just want to show the number of missing patches per device. And then step three. Step three is pretty much where you drag and drop your fields into the correct fields. And this is once again what I said. We preprocess all the data for you. You really don't have to worry about anything except just to drag and drop. So in this case, let's go for a horizontal bar chart because it shows the name better. And this is also me to show you that our dashboard is so flexible. You can even choose the orientation of the bar chart. So for example, now let's say I want to see the name of the devices. So we can have device name as the y-axis. And then I want to see the missing patches. That's it. Very simple. And we already have the missing patches field for you. So all you have to do is drag and drop. This is the time when people, if you're new to analytic, this is probably the point where you get a bit, you know, don't know, a bit confused is what is the aggregate? Aggregate really is just a math. What kind of math are you doing to the data you're presenting? In this case, we are counting the number of missing patches for each device. So we are not finding the maximum. We are not, you know, we're not adding up the number. We are counting. So in this case, count this thing is the good choice here. And just like that, you easily create your first bar chart. But of course, this is an information is not that presentable yet. We probably want to focus on the top ten, top ten highest number again, others is so flexible. You can easily do that. So all you have to do is first I want to count filled sorted by the miscount. And I want it to be sorting ascendingly. And then I just pick ten. I just want those top ten. And voila, just like maybe ten clicks or less. You have your first chart whistle representation of the devices with the most number of missed patch. Isn't that easy or not, Chris? That seems pretty straightforward. That's cool. But let me ask you this. So we have a lot of rich data in our platform. You showed me two of the highest level values right now. I got devices and how many missing patches on them, right? That's pretty simple. What if I wanted to know more about the specific exploit types that are missing in my environment? Absolutely. And this is where I keep mentioning it because we did a lot of work in the background and we pretty much joined the view from CVE to advisory to patch to device. And you can easily do that via our same device patch scan data set. In this case, how about we do a different type of chart? Pie chart. And I can show you the number of devices in number of missed device in each exploit type. How about that? So to do that, you can really think about, you know, first of all, think about what you can break down your pie chart by. In this case, well, we want to see the CVE exploit type. And then the next question is, well, you know, what are we counting? In this case, you actually have option here. You can just see you can just count in total number of devices. Or in this case, I think you really want to see, Chris, is the number of missed device. And just like that, you drop it into the value. And again, we are just counting the number of devices here so we can stay with the default option, count this thing. And voila, you have a beautiful pie chart showing you the number of missed devices. That means devices have not patched installed with the exploit type. And if you want to get even fancier, you can. We can say we can see the null value because not everything has the exploit type. So we can even filter it by the exploit type and say I only want to see the non-null one. And voila, you can see that in this demo environment, remote code execution is the most common exploit type by the number of devices who haven't been patched. Here is another one. We have a fairly rich deployment history part of the patch management solution. I can see a list of all the deployments that have been occurring. I can even see kind of a top ten, like here is the most common deployment issues that have occurred. One question that I've been getting is, okay, show me deployments across time. Show me the last 30 days of my deployment history and give it to me in a visual format so that I don't have to scroll through a whole bunch of data and try to make sense of all that. Like how much am I deploying on a regular basis? All right. I mean, Chris, you are going easy on me, aren't you? We can definitely do that. In this case, we will make use of the deployment history data set. Since you want to see a breakdown by time, you have an option to be bar chart and line chart. In this particular case, because we do have weekends, where weekends we normally don't have as many deployments, so if you do a line chart, you will see a pretty bad drop. So in this case, let's choose go back to bar chart. And again, here we can say you mentioned deployment by day. And then there's where I want to highlight the super powerful chart we have option on the date. So for example, for the date, you can choose how often you want to count what is the granularity of your deployment you want to see. You mentioned it's the last 30 days. So in this case, I think per day is appropriate. But for example, if you probably a little bit too zoomed in for what we want. Yes. But for example, if you want to view it's the last year, for example, then you can probably a month or week will be more appropriate. So you have the options here. So let's say we stick with the time by day. Then the next one we want to see is we just want to count then we want to say you did mention you want to see a breakdown by status, isn't it? So we can easily drop the breakdown by deployment status. And the last one is, well, what we are counting, right? We're just counting the number of deployment with the different deployment status on a daily basis. So in this case, I think it's quite straightforward. We're going to be using the deployment ID as an aggregate. And just like PV example, we are really just counting the number of deployment here. So count this thing is the good choice here. And there you go. You have your first line chart as a bar chart that shows that. But we still haven't filter it to the last month. I remember you said that, Chris, you want to see the last month and then filter again, you know, time. I remember when I working with other analytic tools, which I shall not be named. Time is always a difficult field to work with. I know only a lot of time you have to work. You have to parse the day into the white format before you can manipulating them. Manipulate them. It's always a bit tricky, but not here. We did all the preprocessing for you so you can just easily say, I just want the last month. You don't need to worry about anything else. And then now you can see the chart for the last month and it will automatically be the rolling last month. But that's not it yet. Chris, this show you the fail and success next by each other. I also want to see the total number of deployment by day. Not only I want to see a breaking down by success or failure. I also want to see how it looked like as a total. And for that kind of requirement, we can also do that. So all is just a little click on the customization to say I want to stack them. I literally want the number of success and fail to stack on each other so I can see the total and just like that. You can see, for example, in this particular case, I can see on, say, for the 10th, for some reason we have more failure than normal and we can see we have last 30 days, three spikes in deployment. As easy as that. Excellent. And that honestly, as you were talking through this, I'm like, OK, we just had patch Tuesday yesterday. I know many of you on here today are probably watching that first pilot group of users getting patched right now. You could dial this in to look at the last 24 hours on an hourly basis. That's kind of cool, Susan, that we can dial this in or out very quickly and easily. Absolutely. All right. So our customers get asked a lot of very specific questions. So this next one is an example of that type of granularity. So let's say that I get a question about what are the number of failed deployments within the last 12 hours specifically. Let's go and look at that. But I want to know what devices failed and what patches specifically. OK. Well, we can also do that, Chris. We love our data visualization, but sometimes all you really want to do is get a table of data. And as you can see here, we have two different type of table for you to choose from. In this case, let's just stick with the normal table because you just want a flat list. And even with that, we can have two more. You can have aggregate and raw aggregate, meaning you're counting something. For example, if I just want a number of the failed deployment in the 12 hour, you use the aggregate mode here. You want to see the actual list. So we will go with the raw record. And then that is where you can go crazy and drop all the columns you want. So in this particular case, how about we want to see the deployment day. We want to see the device name. We even want to see, for example, which patch that failed. You can absolutely do that. After that, you specifically ask last 12 hours which is another chance for me to showcase how flexible our time filtering is. I just demo the simple option, the last 30 days. Well, last 12, as you can see, is not a default option in there. But fair enough. We have advanced filtering capability. And this is where, you know, we talk about natural language all the time. This is a very good application of it because all you have to say is type last 12 hours. You don't even have to count what the last 12 hours is. Somebody do the work for you. And you get an instant feedback that, oh, yeah, this is exactly the time I want 12 hours ago. That will be about the 8th. April 8th. And you save that. And then you also mention you only want to see the failed. Absolutely simple to do that. All you have to do is deployment status filter and we equal to failed. That's it. And then on your dashboard you can have an ongoing list of the last 12 hours. The number of failed deployment in the last 12 hours. Awesome. You know, Susan, we could probably keep going all day long about more and more questions on this, but we are at time. I've got a couple of questions that came in here that I wanted to tackle for the audience and then we're going to wrap up. I think it's safe to say, though, that you are absolutely an analytics authority. So you definitely win that badge today. Thank you. Thank you. But Chris, you're not by yourself. I will start to call you the security savant from now on. There we go. All right. Our first question from the audience. Dunro asked this question. Is this reporting capability available for EPM customers? So this is the Avanti Neurons, the cloud platform reporting capabilities. So for on-prem customers, the way that you'd be able to take advantage of this would be if you're investigating the migration to Neurons, there is a hybrid SKU that lets you continue to use the on-prem product alongside the cloud product and be able to push data from on-prem to the cloud. So that would be kind of the starting point for your journey to cloud. But this is specifically the reporting capabilities for the Avanti Neurons patch management experience. Now, this same reporting feature set is going to be expanding out to a number of other product modules within the Neurons platform. So those of you who are using Neurons, if you're using it for inventory, discovery, healing, other things like that, we will be adding more and more out-of-the-box reporting to this. But the CAD report or the dashboard designer, if you saw there were already dashboard data sets for devices. And didn't we have people as well, Susan? Got it. So yes, that is how on-prem customers would be able to take advantage of this. Next question was for the RBVM platform, one of our other cloud platforms. So Jim, we're looking at, so RBVM has some very rich dashboards and analytics capabilities over there as well. This is for the Neurons side. We're going to be looking to bring in more and more of the RBVM dashboard type elements into this as well. And down the road here, we will have a path for RBVM customers who want to get into the broader Neurons ecosystem to be able to look that direction as well. But that's going to be a little bit further out. Excellent. Well, thank you all for joining us. And Susan, thank you. This was a great demonstration. I loved to see how much flexibility the reporting has. We've spent a lot of time in the past three quarters getting all of this in place and launching the first couple of sets of reports. I'm extremely excited to see what more you guys are going to be doing. So I hear we're going to be doing things like scheduled reporting, the ability to email reports, and the ability to create your own custom report template as well in the future here, right? Absolutely, Chris. The emailing, scheduling, that is something you should be seeing in our next release, the .tune in the April release. So pretty soon. And our own custom template where you can say, I want to export specifically this number of columns of data in a regular basis. That is also on the roadmap, Chris. Excellent. Thank you, Susan. And thanks, everyone, for joining us here today. And we're looking forward to seeing you at the Avanti Live events. So again, go ahead and click on that link if you're interested in coming out and seeing us this summer. We'll be coming to several cities in the U.S., Europe, and globally. So hope to see you there. Thank you, everybody.