Deny by Default: How ThreatLocker Delivers a Zero Trust Security Framework.

The best zero-trust cyber protection system controls the spread of ransomware at source
6 April 2022


As a concept in cybersecurity, Zero Trust is certainly coming from the right place. Zero Trust in its simplest form is providing users, machines, and network devices with least privilege. Local administrator accounts are disabled, machines are limited to specific applications that can run on them, and they can connect to each other over specific ports. These are a few of the ways a Zero Trust architecture can help to protect your network.

The major plus-point in a Zero Trust network is that there is a good chance that zero-day attacks will be either prevented or contained. In combination with other measures, like SSO and strict password policies, to name just a couple, Zero Trust fits into the modern business technology ethic of agility – the ability to pivot and scale according to security demands without cybersecurity teams applying the brakes.

We have been lucky enough to speak to Ben Jenkins, Director of Cybersecurity at ThreatLocker, about all things Zero Trust and how the ThreatLocker cybersecurity suite helps companies find balance: levels of permission vs. denial and the capacity to be agile vs. a mindset that resists change for security reasons. Ben’s first steps into a cybersecurity career were in the Managed Service Provider (MSP) space, where security has to be tight, yet highly controllable at scale – a good grounding for the modern CSO.

The business-focused approach to Zero Trust begins, he said, with the people in the company: “We allow users to be able to do exactly what they need as part of their job and limit them from being able to do anything else that presents a threat. This often means limiting them from anything that they do not need in order to do their day-to-day tasks.”

ThreatLocker achieves this through various mechanisms, the most apparent being Allow Listing, which permits only previously approved files and applications to execute. It does this through a policy list laid out very much like a firewall rule set. You can afford to be granular with the policies, applying them to individual machines, to groups, or organization-wide. Bring-your-own-device (BYOD) scenarios are also supported: any BYOD machine that is not running the ThreatLocker agent is blocked from accessing file and folder locations.

Whether an infected device is brought into the business unintentionally or an attack is made against the company intentionally, the ThreatLocker solution is there to protect your users and their data. When malware gains access to data, it will often replicate itself across networked devices to inflict more damage. ThreatLocker's Ringfencing solution is able to prevent this.

A prime example of this is PowerShell. PowerShell is a powerful tool that IT administrators use to maintain environments, but threat actors also use it to attack those very same environments. It is common for threat actors to use PowerShell to call out to offsite servers, download ransomware to local machines, and then execute it on those machines. ThreatLocker's Ringfencing tool enables IT administrators to allow applications like PowerShell to run while limiting how those applications can be turned against them, by blocking their access to the internet, to other applications, and even to files and folders.
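To make the deny-by-default and ringfencing ideas from the two paragraphs above concrete, here is a small policy evaluator written for this article. It is an added illustration, not ThreatLocker's own code or policy format; the policy fields, the scope precedence (machine over group over organization) and the sample rules are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumption: when several policies match, the narrowest scope wins
SCOPE_RANK = {"machine": 0, "group": 1, "org": 2}

@dataclass
class Policy:
    app: str                        # executable the rule covers
    action: str                     # "allow" or "deny"
    scope: str                      # "machine", "group" or "org"
    target: str                     # machine name, group name, or "*" (org-wide)
    internet: bool = False          # ringfence: may the app reach the internet?
    apps: frozenset = frozenset()   # ringfence: other apps it may launch
    paths: tuple = ()               # ringfence: file/folder prefixes it may touch

    def applies_to(self, host, groups):
        if self.scope == "org":
            return True
        if self.scope == "group":
            return self.target in groups
        return self.target == host

def effective_policy(policies, host, groups, app):
    """Most specific matching policy for this app on this host, or None."""
    hits = [p for p in policies
            if p.app.lower() == app.lower() and p.applies_to(host, groups)]
    return min(hits, key=lambda p: SCOPE_RANK[p.scope], default=None)

def may_execute(policies, host, groups, app):
    # Deny by default: with no matching allow policy the binary does not run
    p = effective_policy(policies, host, groups, app)
    return p is not None and p.action == "allow"

def may_access(policies, host, groups, app, kind, value=None):
    """Ringfence check for an allowed app; kind is 'internet', 'app' or 'file'."""
    p = effective_policy(policies, host, groups, app)
    if p is None or p.action != "allow":
        return False
    if kind == "internet":
        return p.internet
    if kind == "app":
        return value.lower() in p.apps
    if kind == "file":
        return any(value.lower().startswith(pre.lower()) for pre in p.paths)
    return False  # unknown resource kinds are denied as well

# Constructed sample policy list: org-wide baseline, a group exception, a machine exception
POLICIES = [
    Policy("powershell.exe", "allow", "org", "*", paths=("C:\\Scripts\\",)),
    Policy("powershell.exe", "deny", "group", "finance"),
    Policy("powershell.exe", "allow", "machine", "admin-ws", internet=True,
           apps=frozenset({"cmd.exe"}), paths=("C:\\Scripts\\", "C:\\Admin\\")),
]
```

On an ordinary workstation PowerShell runs but cannot reach the internet or read the user's Desktop; on a finance machine it does not run at all; on the admin workstation the machine-level rule overrides the group deny.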

Like any cybersecurity toolbox, ThreatLocker's capabilities have several aspects: Allow Listing, Ringfencing, Elevation Control, Storage Control, and the latest tool, Network Access Control. While tools like antivirus, perimeter controls, and the like are still used in today's networks, they do not mitigate every attack. “Zero Trust architecture, Zero Trust mindset, and utilizing Zero Trust tools such as ThreatLocker is realistically going to be the best way to protect yourself against any threats that are coming into your network, known and unknown.”

There's a practical demonstration (in the video embedded in the original article) given by Danny Jenkins, CEO of ThreatLocker, in which an infected client machine has a Desktop folder protected from ransomware that is otherwise left to rampage over the machine. It's a neat visual representation of ThreatLocker's deny-by-default method of protecting all elements of an IT stack, paired with ThreatLocker Storage Control, which limits applications and executables from accessing certain file and folder locations. The Zero Trust mindset is looking to change how cybersecurity policy is written and implemented, and how it functions in an increasingly threatening environment.

You can learn more about ThreatLocker's methods and the platform's features on the ThreatLocker website.