Transcript
Steven: Welcome to the first episode of Vodcast with Dan Lahan and myself, Steven Boeming. In this series, we're going to go over topics that were top of mind with customers, with partners, and our own colleagues. Due to the breadth of conversation we could have, we tried to cherry-pick some topics per episode, including special guests to shed a light on those topics. Also, we tried to make it not too long, to be interactive or intuitive. Topics could be security, functionality, and the like. Topics could be security, functionality, business conversations, or events happening within the market or even within the industry. But before we dive into today's edition, Dan, could you please introduce yourself?

Dan: Yeah, thanks, Steven. Hello, everyone. Dan Lahan. I'm an account technology strategist working out of the UK region. I've been here at Ivanti, what, 15 years, been a customer previously using technologies from first-line technologies right the way through to sysadmin. So I feel customers' pain. I understand our technologies and work. We're in and around the broad breadth of our products, ITSM through to security and UEM. So yeah, good to be here, Steven.

Steven: Good. Thank you very much, Dan.

Dan: And let's hear a bit about you, Steven.

Steven: A little about me? Well, in the official title, Steven Berthing, Senior Solution Sales Specialist. That's a bunch of S's in a single sentence. But in essence, it will mean I help to bridge between what's a business question and what's a technology outcome. And sometimes the technology is hard to understand for the business, but sometimes the business is not understandable for the technologist. And I try to bridge in between those. From a background perspective, I've worked as an IT helpdesk guy. I was a sysadmin. We were responsible for delivering and maintaining 35,000 endpoints and anything that comes with it. So like you said, you feel the pain. I also feel the joy in doing some types of this work and the solution we could provide.
So yeah, understand the benefit, understand the struggle. So for today, as was said in the invite for today's webinar podcast, critical lessons for security leaders. But then we'd like to make it a bit more practical, because that is such a broad conversation you could have within Ivanti, outside of Ivanti, together over a cup of coffee, maybe a beer if you're more into that. But for now, more the lessons learned from 2025, focusing more on some of these cybersecurity incidents that happened, impact from vendor consolidation requests, and trends that started to arise last year in autonomous endpoint management. Then if we need to talk around cybersecurity incidents, what are some of the things that happened within the UK? What was most memorable for you?

Dan: It's one of those really, where do we start? You know, you could almost call it the year of the breach, but then every year is the year of the breach. Let's be honest. They get bigger, the intensity of them grows, you know, breakfast news in the UK. You don't see many weeks go by where there isn't a CIO scrambling to answer questions about their organization being hit. Probably the biggest one that impacted the UK, I think, was Jaguar Land Rover, a car manufacturer in the UK. Pretty much all operations shut down, from manufacturing to getting your car serviced. A friend of mine had a part requirement for their Jaguar Land Rover that just couldn't be fulfilled for months. The scale of it was that big that the UK government got involved. And the reason why the scale was quite so big was that the supply chain industries that supported the manufacturing of those vehicles were also impacted. So smaller businesses were going out of business, and real challenges caused by that. I think the big thing that that highlights to any organization, whether you're a hundred users, a hundred devices, right the way up to a huge-scale manufacturing organization, is that you're a target essentially.
Even a company that was founded called the Cyber Monitoring Center kind of tries to give a level setting to breaches. And they classified this as a three out of five, similar to kind of a large-scale natural disaster. Imagine what a level five could be. You could see real impacts to organizations, perhaps even nations, where energy plants, things like that, are taken down. So some really huge ones in the UK. And as well as things like that, retail was really heavily impacted in the UK. So, yeah, there was lots of noise, and many of our customers were identifying and citing those businesses as "we don't want to be the next one." That's the reason why we are focusing in on our security and improving our security practices. So, yeah, what kind of things were you seeing in your region, Steven?

Steven: What have we seen? So much to choose from, I think, actually. I think it's due to some vendors that had some vulnerabilities where stuff had to be done and taken into account for. Then some organizations were not up to speed with patching it. And by that, they got hit. And that caused an enormous storm on what are we doing here? What happened here? Was their data exfiltrated? How could this happen? And these sorts of stuff. That was in the Dutch government. You also saw in SMBs or the SMEs happening, data breaches. And it could be like small ones. There's just a bit of data theft, like personal information. And then there will be, onwards of that, a targeted phishing campaign to see if people could be looped into. So, these were the things that kept us most awake as well. Due to my sub-role within Ivanti, I was quite involved in what we had to do as a company to keep the world secure. But that was quite okay how that was handled. I don't think we had such a major incident as Jaguar Land Rover. I tried to think of it, but no. And was there any explanation afterwards on what happened with Jaguar Land Rover? It happened, but a bit of the root cause. Was there any clearance on that?
Dan: I'm not sure there's been kind of full disclosure on the exact root cause at this time. I mean, a couple of things that you mentioned there around MFA and patching. I think here at Ivanti, sometimes we almost take for granted how easy patching is with some of our solutions. But it's a complex task, isn't it? In some cases to know, I guess, what to patch, when to patch, should we patch? I mean, all these kinds of questions. I think a lot of customers ask us day to day. Do you see similar with customers in your region?

Steven: Well, it's funny you say it, because with MFA, it rings another bell. We had the University of Eindhoven, and they were quite open and transparent on the incident they had, or the event, or the incident. And one of the recommendations was, or actually not a recommendation, but the next-day action: enable multi-factor authentication for everybody. So you're a technical university that did not have MFA enabled on all the devices. It was difficult to manage, to maintain, all kinds of business objections, where security says, why is this an issue? And then, quite strangely, it was good they were open on it, because that also gave people a reflection on what could happen, or is happening, and they could make their own good decisions. But other universities within the Netherlands, or high schools for bachelor degrees, also had to run like fire to make sure they would enable MFA, because that was never done. And nobody wanted to be the second one that could overcome this scenario. Luckily, for Eindhoven, they were really quick on, hey, there's a strange thing going on, and they isolated the network. So that, from that perspective, was good disaster management, I think. But it started off with the basic hygiene, which nowadays is also called multi-factor authentication.

Dan: Yeah, and I think you sometimes take for granted, don't you, things like that.
You think if you're a university, you may be adding a little bit more friction for your users with MFA, but they tend to have quite a lot of intellectual property that those students are doing through their degrees, that may well help drive revenue for universities as well. And if you think and look at a lot of the cybersecurity frameworks, they often recommend and suggest these kinds of things, don't they? But often it's, for many organizations, a challenge to understand, what should we do first? You know, some organizations maybe don't walk before, are trying to run before they can walk, I should say. You know, often it's the foundational basic elements that customers need to get a handle on first. And once they've done that, they can mature and advance the capabilities that they've got. You know, a lot of customers talk about next-gen products, AI, things like that. But in many cases, the core foundations of knowing what I've got, where is it, you know, am I at risk, is often a challenge for many customers to confidently hang their hat on the answer that they give to auditors perhaps, which can be quite a challenge for them as well.

Steven: And then also, who is using it? But who is using it when? Where? You could call that a condition: on which condition are our products used, are our solutions used? And should we put a level of access behind it as well? So if you have a machine that was not online for four weeks, do you grant it full access? Or would you mitigate that, like first update your machine, show who you really are, go buy IT? And from a business perspective, I get it. It's not convenient. You just want to do your work. The laptop was off for four weeks. Just let me do my work, just like I'm at home. But the business risk poses more than at home: open up your laptop and update and reboot. These are the more different things in that one. Within Europe, we have then the NIS2 directive, for which some countries already have a law.
So you have the directive for Europe, then each country has to do their own law. How is that in England? Is there an equivalent to NIS2, or does England play along with NIS2?

Dan: So yeah, I mean, I think a lot of the organizations in the UK have subsidiaries or offices based out in many European countries. I don't think there are too many kind of isolated UK companies. I mean, when you think about the UK being part of Europe and Brexit and things like that, some organizations chose to completely move their headquarters outside of the UK in the first instance anyway. So yeah, I mean, the UK government have aligned very closely to a lot of the EU directives, to be totally honest with you. So NIS2 is one that we hear of. It's not something we typically hear day to day, but a lot of the common frameworks that we use, things like Cyber Essentials, are often aligned very closely to those kinds of things and obviously ensure the security of businesses, especially with many organizations looking to kind of move to more risk-based approaches. So yeah, we do definitely hear NIS2, probably not quite as prevalent as I know you guys have seen over the last year or so, but we do definitely see it in the UK as well.

Steven: Okay, and then it makes more sense to map the Cyber Essentials or the cloud security essentials onto NIS2, which then is the CBW in the Netherlands, and you have another version in Belgium and so on. And then to see how we could cross-check this, and that it would help. So you then mentioned that with NIS2, there is a discussion going on in the UK, but not as much as we then have on this side of the channel. But NIS2 can then be mapped to cloud security frameworks or Cyber Essentials or other types of frameworks, ISO 27001, potentially some others as well. What I also learned is the framework will give you good guidance on how you can be compliant, how you can show your security posture to your customers, to your partners, to those who you do business with.
But also sometimes those companies still end up with a vulnerability because some of the basics might have been checkmarked, but not executed upon. In one example, we had a customer that says enable MFA, but not if it was for all users, yes or no. So they only did it for some admins and not for all users. Have you seen those examples as well?

Dan: Yeah, absolutely. I mean, I remember one from the UK a good few years ago now, but a customer was breached based on the fact that they had local admins on all of their laptops. The customer needed to be compliant and turn that off, but gave a very simple, a simple fix by using one of our products, but giving the admins the ability to elevate whatever they want, which, I'm going to be honest, wasn't the most secure, but it ticked the box of the compliance requirement. I think compliance requirements sometimes, especially in the UK, can help you reduce things like your cyber insurance. So there is a real incentive for you to meet those cyber requirements. But in reality, for you to be truly secure, the customers have to go a little bit further. I think these days, and they should, in many cases, frameworks can be the baseline for customers to work from. You made an interesting point, Steven, about vulnerabilities, you know, vulnerabilities are everywhere for every vendor. No vendor is safe. Someone is out there trying to reverse engineer your product. We've been in that boat as well. We've had vulnerabilities. What can you tell us about those vulnerabilities, Steven? I know you've been much closer to those than many of us. What have we learned as a business perhaps from those vulnerabilities that we've had?

Steven: From a business part, time and communication, that's key. So what happened when, and how we can help the defenders, that's also a wording that's being used as well. How can we help defenders? How can we help customers, partners, to become protected really quick? We do our utmost best to secure the products.
We implement secure by design throughout the organization, which is just not two tick boxes, but that's an organizational change. That's a culture change in how you develop software and how you look at doing things. Means you don't deliver as many features per month as you normally would do, but it's more reliable, it's more secure. But also, we deliver on-premise products. We focus on cloud. We focus on SaaS. SaaS and cloud where we can, but on-prem where we need to. Also with the current autonomous software entity discussions going on, people are working hybrid. If a vulnerability occurs in an on-premise product, we need to give perspective to work upon it, and the way to communicate that in the world has been called a CVE. In that sense, there's something wrong with the product. You need to fix it, update, mitigate, patch, whatever word you want to use. But the time frame is rapidly going down. So normally you could have a patch that needs to be done in two weeks. If it was high urgent, you had a week. If you had a super high, it could be five days and you should be secure. But nowadays it goes so rapidly, and patches are being reverse engineered with AI. That's the scary side of AI. You can use it to decompile software and start to understand, oh, that was the security issue the vendor fixed. So this should be my attack path. So if a patch comes out, your time window goes down to 72 hours already, what we have seen in the world with some of the latest CVEs we've published. So 72 hours, and you need to tell your business, I need to reboot the server. I need to have some outage. I will fail over, but I need to go, go, go really fast. And some business processes are not ready for that. The change authority board has to make a decision. The change decision board has to make a decision, and from a security perspective, it's like, no, no, no, go, go, go now. In the latest events, we had a zero-day.
So there was something found that was not responsibly disclosed to us. We were not aware of it, despite all the pen testing and all the things we tested. That means you have minus one day to apply a patch, and still you see customers out there, and that's information we get from intelligence services, and we get from national cybercrime security centers. Even after a week, with such a threat actor active, people still haven't patched. And that's really good to then get NIS2 back in the game, saying you need to be compliant. That means basic cyber hygiene. You apply such a patch within so many hours. Because now if you don't do it, sure, that's fine. That's your business decision. But now, just like with Jaguar, it starts to impose a business risk on an entire supply chain behind it, where eventually the government has to step in to make sure those companies don't fall over.

Dan: And I think sometimes that's what people in IT need, isn't it? They need a reason to say we have to reboot. I spoke to a large bank a couple of months ago, and they were, 90% of their projects were actually aligned around security. Everyone in IT, that wasn't. Anyone in IT should be responsible for security, was the kind of words they gave us. But the reason why was the CIO didn't want to be the next Jaguar Land Rover, the next Marks and Spencer in the UK. They really didn't want that. But they now had a reason to maybe wake that change approver up at the weekend, where, you know, change approvers don't work weekends, do they? They're off on the golf course. I don't know where they might be, you know, if they're enjoying their free time, but they now had a reason perhaps to change that process where, you know, there could be a red flag thrown up. We need to reboot that server. We need to deploy the patch to fix whatever it might be, because there's just such a big focus around security for many customers now.
And I think maybe NIS2 in your region is helping some of your customers to have that sort of pragmatic conversation to say, we might have to disrupt some of our IT services every once in a while to get some of these fixes out, because AI has helped the attackers. We don't have all the capabilities from AI in all of our regions of IT, do we? And every single capability that companies need today to fix those problems. But yeah, it sounds like in that case that NIS2 might be helping some customers in some cases to push things through quicker than previously.

Steven: And as well, if the business leaders, the CEO or the director or whatever, if the business leaders are not putting cyber hygiene and cybersecurity as a first and foremost, like best practice, they could be held personally accountable for the security risk and the security damage that follows through not patching. So that's what NIS2 goes into. So normally, if the company wouldn't do, it is the supply chain. Yeah, sure. But now in some roles, the top senior manager will be held personally liable or accountable for what was happening. So that's giving the most buzz to many executives or leaders in a company. So, curious to see where that will end up. But to mention, we published those CVEs, and that was not always nice for people to know and to be, but we've been rigorously transparent. We found something, somebody found something for us. We shared it with you so you can defend yourself and learn from it. Also, each time when another vendor publishes a CVE, we read through it to see, can we learn from this? Can we learn from a technical perspective, from a communications perspective, if there was something to it? Or it could be in a component we might use in one of our 80 products. How could we then be susceptible to this, or are we secure from this? Also from some of the happenings, and of course, that's in hindsight and afterwards, it's always easy speaking.
But if some vendors had published, in 2023, a CVE for the stuff that happened, instead of keeping it under the carpet and just doing regular software updates, we might not have had such a severe CVE back then.

Dan: Yeah. And I think if you mentioned about almost us understanding what other vendors are having in terms of vulnerabilities, the threat actors out there are doing exactly the same, aren't they? They aren't necessarily doing it manually either. They're using technologies out there. They find one problem in one vendor, they will go to every other vendor's technology and try and perform the same actions. Essentially, they're looking for the best bang for their buck, aren't they, the path of least friction to breach you as a customer through whatever maybe perimeter technologies that exist out there. I think that's for me why it's really important. We have started to speak a lot more over the last couple of years about things like exposure management, but customers have often focused very much on their internal network for discovery. Some customers are still trying to grapple with it to understand what's out there. If you're an organization that acquires lots of businesses, you might not really know what's out there in your corporate sites that well. You might not be that confident, but technologies like external attack surface management, those types of technologies that give you the hacker's-eye view, I think are really key looking forward into 2026 perhaps now, things that many of our customers are interested to look at, because having the knowledge of what a hacker can see on your network in the first instance can hopefully help you to fix some of these things potentially before the hackers do, because they've got one simple gain and that's to monetize you as a customer, to steal your data, to hold you to ransom and things like ransomware. Is it best to pay the hackers? Probably not. Is it simpler in some cases rather than a total system outage? Who knows?
But there are technologies that are there, and I think that can help you into 2026 for many of our customers. And you know, we'll be speaking to many of them if we haven't already around exposure management, but I think that's one way in which customers can start to shift their mindset and hopefully advance their security practices potentially above and beyond just those frameworks that they've historically had to look to, but to give a greater level of control and security for many organizations.

Steven: And it's good you mention the external attack surface management. So that's the hacker's external point of view, to be more specific. I think because that's the outer side. So those are the walls of your castles. And if you have clouds, you have multiple castles up in the air with multiple walls you want to get into, and if you have acquired companies, you might have gained another 10, 20 castles you might have. But how would you then afford the internal organization? Because the external viewpoint, that's great, but still you could be hit from inside. How would you then help customers, partners, to see what they have? How would you go for that one?

Dan: Yeah, so I mean, when you start to think about your internal network, you know, internal networks are almost a little bit different than they were previously, aren't they? You know, internal networks maybe have extended out into home networks as well, with VPNs and customers, end users connecting into their corporate sites. So visibility is always going to be key there, you know, understanding every asset that exists in your corporate network. If you think about some of the well-publicized breaches in Las Vegas, one of the breaches came from a Windows PC which was sat running some sort of IoT device and essentially was breached through an admin credential on that device, and MGM Grand, I think it was, you know, a very public breach.
It only takes one poorly managed device, poorly patched device, and somebody could be entering into your network through there. So for a traditional kind of on-premises corporate network, visibility is key, you know, detection of all machines that sit on your network, maybe controlling access to the network as well, you know, not just allowing any person to come in and plug their laptop in or plug an IoT device in. If you can have the gates internally on your network as well, just to say what can or can't connect, you're going to be in a much stronger position. I think that should be standard, shouldn't it really? I think.

Steven: Yeah, and you mentioned how visibility on the machines that are connecting to it. Would we also have to look at the software that's then being used and utilized?

Dan: Yeah, I mean, that's the thing. I mean, users introducing their own software is always a big risk, so let's avoid that in the first instance, but equally, if you've got 150 software titles sat on a machine, do you need them all? Are they still in use? You know, the more apps you have on your device, the more things you're going to have to patch and fix. So if you can remove software which is either unused or unrequired, that's another place to be as well. So yeah, just knowing what devices are out there isn't the only thing; knowing who's using them and what software is being used day-to-day will really help you to remove some of the noise around what you need to fix. And I think that's the important bit as well, you know, customers need it as simple as possible to make sure that you can secure everything on those devices. So the holes, the gaps that are out there that could be breached are much more than ever before.

Steven: If we would summarize these types of actions, it's like discover what you have, device and software information. Then you need something that helps you assist, like, okay, why do we need this? Do you still need to use it? Is something broken? Can we fix it?
Then get advice, providing recommendations. And then potentially we could automate the way as well for you to enhance the speed of patching, enhance the speed of your discovery, and make sure only those who need to have access would have access. Would that make sense?

Dan: Yeah, absolutely. I think the key bit there is automation that you mentioned there, you know, many customers want these things to be as automated as possible, you know, remove as much human effort or the risk of human mistakes throughout there. You know, IT need to have things not given to them, but it needs to be easy to consume. You know, there's lots of data out there, lots of devices out there, but the easier and the simpler that these things can be brought together in a single view is always really key, I think, for customers. We hear in the UK often that, you know, many organizations are still fairly siloed. You know, the server team's got their own technologies. We fix it with this. We monitor it with this. You've got the endpoint team who have their technologies, and that's all cloud-based because most endpoints are cloud-based. You've then got a service desk team who have to try and figure out if there's a problem on either one of these technologies or something is impacting their endpoints. But yeah, none of that data comes back to us. We've just got a remote control solution and an incident management solution, you know, there are so many disjoins between those types of silos. And again, if we think about a security incident, those types of silos are really catastrophic. You know, you need to be able to react quickly. But if you genuinely can't answer a simple question like who's got that device, who owns that server, you're not going to be able to shut it down or remediate it, whatever you need to do in that instance. So I think having a common hidden sheet, a single pane of glass, is definitely important for those customers as well in there.

Steven: So thank you, Dan, for the pleasant conversation.
With that, we conclude today's vodcast, which for us was the first one to make, which I enjoyed: new technology, new things to do, new interfaces, all good. For the next time, we already have envisioned some new episodes with new topics. But if you're listening to this or you're viewing this one and you might like, I'd like to understand more on this particular item or this product. I'd like to see some more in-depth within 15 minutes. That's kind of like the time span we want to envision for. Feel free to drop it in the chat or send it afterwards to us, and we'll make sure it gets covered. So for the next time, we already have three episodes ready to go. One of them, Dan, you want to pronounce the first one, or me to do it?

Dan: Yeah, I'll take it. So yeah, we've mentioned assets quite a few times, and devices and discovery. So we're going to have one session which is going to cover ITAM and elevating what's your CMDB to full asset management, and kind of how to bridge that operations gap between the business. What else are we thinking then, Steven?

Steven: We mentioned a lot on assets, asset information, but also how to manage them. We talked a lot around AI and security and basic hygiene. Nowadays, the new terms are autonomous endpoint management, bringing some of these things actually together. So put a full episode on autonomous endpoint management. Is it then devices managing themselves? We help you to demystify what it actually is and how AI will help you instead of putting a burden on your team. And yes, we keep the human in the loop. On top of that, there's another episode we envision that's not just modern device management, but also mobile threat defense, because managing a device is not securing a device, and we're going to explain how that works in the mobile world. So with that, thank you for listening. Thank you for viewing, and I wish you a pleasant day.