Mental Models for Continued Security Issues
2–12–2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, February 12, 2024, and I suspect that many of us are still recovering from what was quite a good game for this year’s Super Bowl, whomever you were rooting for, or whomever you had your eyes on.
As far as news, we have a bit more of the same but some new framing that I think is worth discussing - particularly for executive audiences - so let’s dive in.
Newest Ivanti Zero-Day
If you’re anything like me, you’re also tired of hearing about new Zero Days with Ivanti products. I’m sure they’re tired of hearing about it, too.
But, unfortunately, we have to continue to pay attention to these issues because of the severity of the vulnerability and the risk they pose to companies who have these devices unpatched in their environments.
The latest zero-day (the fifth this year, if you’re keeping track) was reported as CVE-2024-22024, which was discovered by the research team at watchTowr Labs. There’s also a bit of a snippy back and forth from the watchTowr team, who believe that Ivanti is taking credit for finding this vulnerability “as part of our internal review and testing of our code”, even though watchTowr appears to have proof that they, indeed, found it, and reported it. Perhaps they were co-discovered?
Regardless, this vulnerability has a “High” CVSS rating of 8.3, and while Ivanti notes they “have no evidence of any customers being exploited”, there are proofs of concept available and it surely won’t be long.
But that’s not what I want to focus on. What I’d like to focus on instead is some of the reasoning and mental models that might be useful to situate vulnerabilities like this.
It might feel like Ivanti is suddenly having a bad time with all these zero-days - and they definitely are. But, it’s not like these products are ‘suddenly’ inherently less secure - these vulnerabilities were always there, it’s just that we now know about them (and so do the bad actors).
Indeed, this is a common pattern when high-complexity, low-maturity organizations begin to build security programs in earnest. The common pattern is that additional security investment is made in things like vulnerability management or endpoint detection and response or improved firewalls or updated email security.
And the result of spending the additional money? More findings, more security issues, which seems counter-intuitive, particularly given that these security efforts are expensive.
Why does it seem like the more we spend on security, the more issues we have? It’s not that we’re less secure, but rather that we now know how insecure we really were, and can make additional choices on how to manage down these security risks.
More findings as a result of more tools is very common, and the feedback loop that it should trigger is one that assesses these newly discovered risks like any other - for likelihood, impact, and overall risk - and applies a risk treatment plan that’s in alignment with an organization’s strategic business and cybersecurity goals.
Unfortunately, it doesn’t always work out this way, because the additional findings seem like things are moving backwards, but in reality, we have just developed a much better sense of where we really are.
Similar things happen when vulnerabilities are discovered in a particular appliance (Ivanti, this week, but the same thing also happened to MOVEit and is happening to support systems - like how Okta got breached - which happened again this week to a support system at Juniper Networks). Threat actors look at these patterns, too, and we need to ensure that our defensive capabilities can keep pace.
Sometimes progress simply starts with awareness. After all, you can’t manage risks you don’t know about - true for Ivanti, and true for me & you.
Fundraising
From a fundraising perspective, another respectable week, with over $14.5B in committed capital, led by a $10B first close in Brookfield Asset Management’s second energy transition fund.
Another example of focused investment by a team with a proven track record still being able to generate large commitments. While some will certainly struggle, it appears that others are not having a hard time staking those dollars.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://labs.watchtowr.com/are-we-now-part-of-ivanti/
https://krebsonsecurity.com/2024/02/juniper-support-portal-exposed-customer-device-info/