To Ivanti’s Valued Customers and Partners, 

Our organization strives to produce the most secure solutions for Everywhere Work. Events in recent months have been humbling, and I want you to hear directly from me about the actions we are taking to ensure we emerge stronger, and our customers are more secure. 

We and many others in our industry have witnessed, firsthand, the increasing complexity of the threat landscape and the specific evolution of threat-actor tactics. This activity has brought one of our products to the forefront of conversation regarding recently reported security incidents. We have responded by working diligently to protect and support our customers, and we are taking a very close look at our own posture and processes to ensure we are well prepared to address the current landscape. 

We will use this opportunity to begin a new era at Ivanti. We have challenged ourselves to look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers. We have already begun applying learnings from recent incidents to make immediate improvements to our own engineering and security practices. And there is more to come.

We are now executing a plan that accelerates security initiatives already underway and implements improved practices to anticipate, prevent and protect against future threats.  We have engaged the industry’s most recognized security and product development experts to support the Ivanti team’s review and to provide best-in-class execution guidance, ensuring we meet our commitment to you, so that your organization can work easily, securely and with confidence. This plan is backed by a significant investment and has the full support of our board of directors and everyone at Ivanti.

Our Path Forward

We are committed to a broad shift that fundamentally transforms the Ivanti security operating model.  This includes:

  1. Revamping core engineering, security and vulnerability management practices to ensure our current products are secure, and that customers have the resources needed to deploy them securely for their organization. 
  2. Ensuring all products that we create embrace secure by design methodology, with security considered as a key factor at every stage of the software development lifecycle.
  3. Formalizing partnerships with key cyber-defense agencies to make sure Ivanti products, and the lessons we learn in creating them, uplift the entire security ecosystem.
  4. Sharing information and learning with our customers – and actively soliciting feedback so that we continue to meet their needs. 

Below I have outlined our initial focus areas, and you should expect that they continue to evolve as we make progress towards our goals.  

The challenges we face are not unique in the software industry and we are committed to taking the necessary steps to lead the way for others. Threat actors are constantly evolving — know that we will be too.

On this journey we have placed customers at the center. Your interests and partnership will always be our priority, now and in the future.

Sincerely, 

Jeff Abbott 

Our Plan for the Future of Ivanti

1. Bolstering Product Security and Embracing Secure by Design Principles.

  • Adhering to Secure-by-Design: Our focus is on embedding security into every stage of the software development lifecycle, with robust processes that anticipate and preemptively address potential vulnerabilities from product inception to deployment and beyond. Our approach will entail rigorous threat modeling exercises, ensuring that security is ingrained as a foundational element of our products. This proactive stance will serve as the cornerstone of our commitment, enabling us to enhance protections for our customers, and stay ahead of emerging threats. 
  • Optimizing Products for Security and Customer Trust: We are already strengthening the overall security posture of our product portfolio. This includes accelerating the stack modernization of our Network Security products (Ivanti Connect Secure, Policy Secure and ZTA) with a variety of isolation and anti-exploit technologies to reduce the potential impact of future software defects. We are committed to maintaining the latest underlying operating system on our Network Security products and are integrating further hardware-based protections and remote monitoring and support options to increase protection for our customers.
  • Alleviating the Burden of Security for Customers: We will be enhancing our capabilities to provide solutions that are secure out of the box (Secure by Default) and building products that can be optionally managed, monitored and secured by Ivanti.  We will work with our customers to determine the appropriate level of monitoring and management responsibility based on their product line and industry segment.
  • Prioritizing Customer-focused Security: We are redirecting resources and making new investments focused on product security across the organization. This includes growing our product security teams, creating dedicated, collaborative engineering-security pods, and driving a proactive approach to threat modeling, security reviews, and increased penetration testing methodologies across our product portfolio.  

2. Elevating our vulnerability management program.

  • Internal and External Research to Identify Vulnerabilities: We are committed to improving processes and collaboration around vulnerability discovery to better enable us to quickly identify, remediate and report security issues across Ivanti’s portfolio. To this end, we are intensifying our internal scanning, manual exploitation and testing capabilities, engaging trusted third parties to augment our internal research and facilitating responsible disclosure of vulnerabilities with increased incentives around an enhanced bug bounty program.  
  • Risk-based Patching and Vulnerability Remediation: The objective of this heightened vulnerability management program is to promptly discover and address any potential issues. While this may naturally cause an initial spike in discovery and disclosure, we are making additional investments in engineering resources, technology and workflow processes to support a risk-based approach that will reduce average time-to-patch for product vulnerabilities that pose the most risk to customer systems.

3. Providing enhanced support for secure product deployments in the field.

  • Accessibility of Security Resources and Documentation in the Community Portal: Customers should expect community portal enhancements in the coming months, including improved search functionality powered by AI to allow for more curated results based on the specific products that a customer uses. This will include information on patches and documentation. We will also be improving customer security engagement with the implementation of a customer-focused feedback lifecycle, and other user experience upgrades focused on the application of security best practices in customer environments.
  • Deploying an Improved and Smarter Interactive Voice Response (IVR) System: We are committed to providing our customers with the support they need quickly and effectively. In the coming months we will have implemented an AI-powered Interactive Voice Response (IVR) system that will improve the customer experience for routing calls, alerting customers to security-related information on their product, and automatically opening support cases upon request.
  • Working with Customers to Upgrade to the Latest Platforms: As we work to improve the security of our latest releases, it is also important that our customers are able to benefit from these improvements by running on our most supportable and secure platforms. We are working with customers to reduce friction – be it contractual, technical or financial – to facilitate adoption of the latest and most secure solutions and security enhancements that are built to protect against the current threat landscape.
  • Overcoming Practical Impediments to Security Hygiene for On-Prem Devices: We understand that the real-world administration of enterprise networks balances practical realities and constraints. When customers require a fully on-prem solution, we are committed to helping them operate within these limits without compromising system security. In the coming weeks, we will be working with on-prem customers to communicate lessons learned and best practices for operating their solutions in the current environment. 

4. Sharing information with our customers and community.

  • Information Sharing and Transparency: Healthy customer relationships are central to our company’s success, and our robust engagement with and feedback from customers throughout this incident has yielded tremendous mutual benefit. We want to ensure this continues. Customers and partners should expect Ivanti to share lessons learned, and we also plan to continue our customer briefings with outside experts, launch a dedicated blog series related to the current threat landscape and conduct webinars and roundtables to address privacy and security topics with our community.
  • Creation of a Customer Advisory Board: Each of the initiatives above needs to be guided by customer input and tuned with customer feedback. We will institutionalize this process and will be announcing plans in coming weeks to gather customer input for the benefit of product development, feature prioritization, security concerns and strategic decisions about our product roadmaps.