Insurers Are Taking a Hard Line on Ivanti: Should Customers Be Concerned?

The problems with security vendor Ivanti are well documented, and now cyber insurers are stepping in. Phil Muncaster investigates

It’s been a tough year for endpoint management vendor Ivanti. The past 12 months have seen multiple zero-day vulnerabilities come to light in its products, many of which were exploited by sophisticated nation-state actors to compromise government agencies. For a cybersecurity vendor, that doesn’t make for good PR. Then came an admission from the CEO of insurer Coalition that, for a long time, the company has refused coverage to Ivanti customers who don’t put the appropriate mitigations in place.

This raises two key questions. Are insurers right to impose such conditions on businesses using popular enterprise-grade products? And what can corporate IT customers do to insulate themselves not only from compromise, but potentially also risk related to their insurance policies?

How bad is it?

The US Cybersecurity and Infrastructure Security Agency (CISA) began warning about state-backed exploitation of vulnerabilities in what are now Ivanti products (since Ivanti purchased MobileIron) in 2020. These include mobile or endpoint device management products, which have become an increasingly popular way for organisations to manage a highly distributed post-pandemic workforce securely. Unfortunately, they also present an appealing target for threat actors. CISA explains that “Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices.”

In August 2023, it was revealed that Chinese threat actors had exploited the zero-day bug CVE-2023-35078 in the Ivanti endpoint manager mobile (EPMM) product to compromise multiple Norwegian government agencies earlier in the year.

Then, in January 2024, it emerged that Chinese threat actors had been exploiting two more zero-days (CVE-2023-46805 and CVE-2024-21887) in Ivanti products for at least a month. These impacted the Connect Secure VPN product and policy secure network access control (NAC) offering. When it finally released patches for these, Ivanti also issued fixes for two new vulnerabilities, one of which (CVE-2024-21893) had apparently also been used in live attacks. Then, a further bug was discovered a few days later. The revelations forced CISA to order federal civilian agencies to disconnect the products. It also emerged that the agency itself had been compromised.

“Being committed to security and being good at it are two very different things. Ivanti is most certainly not the latter” Joshua Motta

Unfortunately, there was more to come. Connect Secure vulnerabilities were disclosed and patched by Ivanti in early April 2024, with CVSS scores ranging from 5.3 to 8.2. As a VPN product, Connect Secure is an attractive target for threat actors, according to Akamai’s director of security technology and strategy, EMEA, Richard Meeus.

“VPN appliances are among the most heavily targeted endpoints for any organisation, and the most effective defence for customers will always be to promptly apply the patches provided by the vendor when released,” he tells Assured Intelligence. “When organisations act quickly, they reduce the opportunity for exploitation.”

In fact, the UK’s National Cyber Security Centre (NCSC) warned in recent guidance of the security risks posed by perimeter-based products like VPNs, which it says are increasingly favoured by threat actors as defenders close down other avenues for attack.

“Knowing that they are less likely to be able to rely on poor passwords or misconfigurations, they are increasingly looking at products on the network perimeter (such as file transfer applications, firewalls and VPNs), finding new zero-day vulnerabilities in these products, and waltzing right in. Once a vulnerability is known, other attackers join, resulting in mass exploitation,” the guidance explains.

“Finding zero-day/new vulnerabilities might sound highly advanced, but many of these are well-understood classes of web vulnerability and are trivial to find and exploit.”

A tough line on risk

For its part, Ivanti CEO, Jeff Abbott, recently promised to begin “a new era” at the firm focused on embracing secure-by-design software development principles, increasing product security headcount, and adding isolation and anti-exploit technologies to reduce the impact of software defects. He also committed to improving the vendor’s vulnerability management programme, enhancing customer support for the secure deployment of products, and boosting information sharing and transparency.

However, this wasn’t enough for Coalition CEO and co-founder Joshua Motta.

“Being committed to security and being good at it are two very different things. Ivanti is most certainly not the latter,” he wrote in a feisty LinkedIn post.

“Exploitation of Ivanti devices has long resulted in numerous claims across the cyber insurance industry, and we’ve long declined to offer coverage to organisations using vulnerable Ivanti appliances without appropriate mitigating controls. Its high time vendors are held accountable and get serious about security.”

Coalition is arguably one of a new breed of insurers committed to taking a more proactive role in shaping their policyholders’ security posture. It’s a movement characterised – among other things – by more granular “pre-bind contingencies”  or conditions that must be met before coverage can be issued. For Ivanti Connect Secure, it may include things like applying multi-factor authentication (MFA) and updated patching. It’s an approach that also means reaching out pre-emptively to existing policyholders to alert them to risks in their environment and share best practice mitigation steps to take.

As a case in point, Coalition’s Motta had this to say following the CISA directive on Ivanti: “Coalition, three whole weeks ago, gave what I would describe as an entirely routine directive to all Coalition policyholders to disconnect or otherwise isolate all Ivanti products. We even personally contacted every affected policyholder and offered forensics and remediation services at no cost.”

But could this proactive approach to cyber insurance set a concerning precedent? Might insurers be eroding the autonomy CISOs have to manage security according to their organisation’s specific cyber risk appetite? Not so, says Adam Pilton, a former police cybercrime detective and now cybersecurity consultant at CyberSmart, who sees it as a positive trend for businesses.

“It is great to see that some insurers are willing to insure businesses that choose to use Ivanti products and have mitigating controls in place. These insurers demonstrate that they understand cybersecurity is all about risk management. There is no sure thing when it comes to security, nobody is ever 100% safe,” he tells Assured Intelligence.

“Although the motivation for these controls is most likely to be for the insurers to manage their own risk, it does promote stronger cybersecurity controls for businesses, and I suspect, over time, those that have implemented such controls for their Ivanti products will branch out and increase security controls across their network.”

Taking precautions

In the meantime, organisations shouldn’t feel overly pressured by their insurer to change their vendor roadmap, according to Rik Ferguson, VP of security intelligence at Forescout Technologies.

“What’s the answer? Well, it certainly isn’t about jumping from vendor to vendor, hoping you land on one that doesn’t suffer from vulnerabilities, zero-day or otherwise. That’s a fool’s errand,” he tells Assured Intelligence.

“Although the motivation for these controls is most likely to be for the insurers to manage their own risk, it does promote stronger cybersecurity controls for businesses” Adam Pilton

“The answer lies in building a defensible infrastructure to begin with. Understand all the assets you protect and the communication flows between them. Effectively segment your network. And practice account identification and authorisation hygiene through the principles of need-to-know and least privilege.”

Ferguson also urges organisations to dynamically monitor their environments for emerging vulnerabilities and any anomalous behaviour which could indicate a breach.

“If the compromise of any single device in your environment can lead to catastrophic consequences, then you need to thoroughly revisit your underlying assumptions and architectures,” he concludes.

There are plenty of insurers around who won’t be as hands-on with policyholder risk management as Coalition – for right or wrong. However, as claims mount from arguably preventable customer breaches, it will be interesting to see if their approach changes.

Ivanti was contacted for comment on this story. We have not yet received a response.