Threatonomics

Seven Essential Steps to Vulnerability Management: Learnings from the Ivanti Exposures  

Detecting Compromise and Resolving a Potential Breach

by Amanda Bevilacqua , US Claims Operations Leader

In light of the most recent Ivanti vulnerability, the importance of a robust vulnerability management strategy and a tested incident response plan has never been clearer.

The Ivanti vulnerabilities, particularly CVE-2024-22024, disclosed on February 8, 2024, are a stark reminder of the relentless nature of cyber threats. These vulnerabilities, which allow unauthenticated, remote attackers to access Ivanti devices and pivot from them into internal networks, underscore the urgent need for both comprehensive defenses and a working incident response capability.

This scenario exemplifies why a multifaceted approach to vulnerability management and incident response is essential—not only to patch existing vulnerabilities but also to detect and mitigate the impact of potential breaches.

While patching is pivotal in protecting your environment from known vulnerabilities, other steps are necessary to mitigate new and evolving threats. At Resilience, our Claims Team is responsible not only for processing claims but also for identifying trends in claims data that describe the current state of cyber risk, so that clients can build resilience before an incident ever becomes a claim.

To help our clients stay resilient against the Ivanti vulnerabilities and whatever comes next, US Claims Operations Leader Amanda Bevilacqua put together the following action items to help organizations quickly determine whether they have been compromised.

1. Analyze All Systems

Beyond immediate patching, conduct an exhaustive analysis of all systems. Patching prevents a compromise that has not yet happened; it does nothing to remove an attacker who is already inside, so a patched device that was exploited before the patch must still be treated as suspect. Look for signs of compromise such as unusual web traffic, data in places it should not be, and unfamiliar files or processes. Early detection of these red flags is what makes prompt investigation and containment possible.

2. Review Network Traffic 

As part of analyzing systems, take special care with network traffic. Look for unusually large outbound transfers that could indicate exfiltration, traffic on ports that are not normally used, suspicious activity on administrative accounts, and any other unusual login behavior. Pay close attention to traffic to or from countries where the organization does not operate.

3. Look out for Suspicious Login Activity 

Suspicious login activity is a strong indicator of compromise. Watch for login attempts, or other network activity, that appear to be probing: for example, a user failing MFA several times in a row, or attempts to work around MFA altogether. Also note where logins originate and flag any location where the company would not expect an employee to be. If all employees are based in the US, a login from another country should be flagged immediately.

4. Look for Lateral Movement 

Monitor activity on the company's VPN and keep careful track of behavior that indicates lateral movement across networks and systems. Scrutinize administrative accounts and their activity, and watch for spikes in request volume or in the volume of files being read. Note any data found in a location where it should not be, and any unusually large or compressed files, which are commonly staged ahead of exfiltration.

5. Analyze Logs

Log clearing is a common tactic threat actors use to cover their tracks, so missing logs are themselves an indicator of compromise. To notice that something is missing, you first need a baseline of what should be present: which systems log, how often, and what fields each record carries. With that baseline in hand, pay close attention to gaps in time, missing records, and log sources that have gone silent.

6. Leverage Endpoint Detection and Response (EDR) tools 

Gaining access to an endpoint by exploiting a vulnerability is a common strategy among advanced persistent threat actors because it drops no malicious file for traditional antivirus to match. EDR tools are designed to identify anomalous behavior instead, recording processes, actions, network connections, and more. Though EDR alerts can feel noisy, they are essential for monitoring and investigating hundreds of endpoints at once.

7. Respond As Soon As Possible  

If you think you have spotted any of the above indicators of compromise or any other suspicious activity, activate your incident response plan and investigate immediately. The faster suspicious behavior is identified and investigated, the better the chance of containing the incident before it escalates into a full-blown ransomware encryption event.
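The checks in steps 2, 3 and 5 above are easy to run as a first triage pass over authentication logs. The following is an added example, not code from the original post or from Resilience; it works on constructed sample log lines whose field layout (timestamp, user, source IP, country, action) is an assumption chosen for illustration, and the thresholds (three MFA failures in ten minutes, a one-hour silent stretch, an expected-country list of just "US") are placeholders you would replace with your own baseline.

```python
"""Triage helpers for three indicators from the checklist:
repeated MFA failures, logins from unexpected countries, and gaps in the log.

Added example. SAMPLE_EVENTS are constructed, and the space-separated field
layout is an assumption; map your own log schema onto parse() to reuse it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    "2024-02-09T08:01:10Z alice 10.0.4.21 US login_ok",
    "2024-02-09T08:03:42Z bob 10.0.4.33 US mfa_ok",
    "2024-02-09T08:04:05Z bob 10.0.4.33 US login_ok",
    "2024-02-09T08:30:00Z svc-backup 10.0.9.2 US login_ok",
    # burst of MFA failures followed by a success from a country the
    # company does not operate in (step 3)
    "2024-02-09T09:12:01Z carol 203.0.113.7 RU mfa_fail",
    "2024-02-09T09:12:40Z carol 203.0.113.7 RU mfa_fail",
    "2024-02-09T09:13:15Z carol 203.0.113.7 RU mfa_fail",
    "2024-02-09T09:14:02Z carol 203.0.113.7 RU mfa_ok",
    "2024-02-09T09:14:03Z carol 203.0.113.7 RU login_ok",
    "2024-02-09T09:20:00Z alice 10.0.4.21 US login_ok",
    # a three-hour hole in an otherwise busy log: candidate for log clearing (step 5)
    "2024-02-09T12:45:00Z dave 10.0.4.50 US login_ok",
    "2024-02-09T12:46:10Z alice 10.0.4.21 US login_fail",
    "2024-02-09T13:00:00Z bob 10.0.4.33 US login_ok",
]


def parse(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, user, ip, country, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "country": country,
        "action": action,
    }


def mfa_failure_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` mfa_fail events inside a sliding window.
    Returns {user: largest count seen in any window}."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "mfa_fail":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it fits
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def unexpected_country_logins(events, expected=frozenset({"US"})):
    """Successful logins whose geolocated country is outside the expected set."""
    return sorted(
        {(e["user"], e["country"], e["ip"]) for e in events
         if e["action"] == "login_ok" and e["country"] not in expected}
    )


def log_gaps(events, max_gap=timedelta(hours=1)):
    """Silent stretches longer than max_gap between consecutive events.
    max_gap is the baseline from step 5: set it from your normal event rate."""
    times = sorted(e["ts"] for e in events)
    return [(prev, cur) for prev, cur in zip(times, times[1:]) if cur - prev > max_gap]


def triage(lines, expected_countries=frozenset({"US"})):
    """Run all three checks over raw log lines and return the findings."""
    events = [parse(line) for line in lines]
    return {
        "mfa_bursts": mfa_failure_bursts(events),
        "foreign_logins": unexpected_country_logins(events, expected_countries),
        "log_gaps": [(a.isoformat(), b.isoformat()) for a, b in log_gaps(events)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the sample, the script flags carol for three MFA failures in under two minutes, her subsequent login from RU, and the silent stretch between 09:20 and 12:45. None of these is proof of compromise on its own; the point of step 7 is that each one is enough to open an investigation rather than wait for the next indicator.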

“Oversharing is what our claims experts want to see; we want our clients to report things to us,” said Bevilacqua. “Business leaders often look back, and hindsight is 20/20. There can be a lot of red flags that go under the radar that could indicate something is happening. Always report suspicious activity; the faster this is done, the better the chances of a positive outcome for the organization.”

If you are a Resilience client, connect with our Claims and Incident Management team as early as possible after identifying any of the above red flags; a false alarm is always better than a missed compromise. Our experts can help you review your systems, determine whether further action is needed, and connect you with resources to help prevent a larger incident.
